Hack The Box — Beep Walkthrough

Barry Malone
Apr 18, 2021

Like a lot of people, I am starting off my OSCP prep by running through TJnull’s OSCP HTB/Vulnhub VM list and doing each box without Metasploit. The second box on the list is Beep.

This box was super easy, and the only real difficult thing about it was avoiding going down rabbit holes and chasing your tail!

Recon

I started with my usual recon process, running AutoRecon. Looking at the output, we can see there is a good number of ports open.. yay!

Straight off the bat I took a look at the ports running web servers, 80 and 10000.

On port 80 we find the Elastix software running (this is a UC / PBX kind of software).

On port 10000 it looks like there is a Webmin interface running:

At this point I tried the usual Google for default creds -> try creds on both login pages -> fail!

After some searching I found the Elastix software was vulnerable to a couple of different exploits, none seemed really applicable (the SQL one did not work for me) bar the LFI vulnerability:

Exploitation

Checking out the LFI exploit code/script, I took the commented out line and gave it a test on the target:

We validate that the target is vulnerable to the LFI :D :

A bit messy so view-source cleans it up somewhat, and we can see if we can find anything juicy:

Bingo — always good to see creds :) from here I was able to log in to the web app and have a look around:

At this point I spent about 2 to 3 hours poking around the application and looking for web upload vulns and RCE issues but couldn’t find anything. There were a couple of crafty rabbit holes that I went down — like a built-in CMS system that looked super shaky.

After scratching my head for a while I decided to just try to log in via the SQL service running on 3306, no dice.. then I tried SSH.. Bingo!
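
A detection-side view of the chain above (a file read through the web app, then an SSH login with the recovered password), as an added example that is not part of the original post. The log lines, path, parameter name, users and IPs are constructed, and the check matches on source IP only, without comparing timestamps.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample logs: documentation IPs, hypothetical path, parameter and users.
WEB_LOG = [
    '203.0.113.7 - - [18/Apr/2021:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Apr/2021:10:02:40 +0000] "GET /app/view.php?lang=..%2f..%2f..%2fetc%2fapp.conf%00 HTTP/1.1" 200 9184',
    '198.51.100.9 - - [18/Apr/2021:10:03:05 +0000] "GET /app/view.php?lang=en HTTP/1.1" 200 733',
    '198.51.100.23 - - [18/Apr/2021:10:04:19 +0000] "GET /app/view.php?lang=%252e%252e%252fsecret HTTP/1.1" 404 120',
]
AUTH_LOG = [
    'Apr 18 10:09:51 host sshd[2211]: Accepted password for admin from 203.0.113.7 port 50122 ssh2',
    'Apr 18 10:11:02 host sshd[2250]: Accepted password for ops from 198.51.100.9 port 41000 ssh2',
    'Apr 18 10:12:30 host sshd[2301]: Failed password for admin from 198.51.100.23 port 41100 ssh2',
]

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
SSH_RE = re.compile(r'sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port ')

def is_traversal(url):
    """True if any query parameter value decodes to a traversal sequence or NUL byte."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for _ in range(3):  # peel extra layers of percent-encoding
            value = unquote(value)
        if "../" in value or "..\\" in value or "\x00" in value:
            return True
    return False

def lfi_sources(web_log):
    """Source IPs whose traversal-style request was answered with HTTP 200."""
    hits = set()
    for line in web_log:
        m = WEB_RE.match(line)
        if m and m.group(3) == "200" and is_traversal(m.group(2)):
            hits.add(m.group(1))
    return hits

def correlate(web_log, auth_log):
    """Accepted SSH logins that come from an IP also seen in lfi_sources()."""
    suspects = lfi_sources(web_log)
    alerts = []
    for line in auth_log:
        m = SSH_RE.search(line)
        if m and m.group(3) in suspects:
            alerts.append((m.group(3), m.group(2), m.group(1)))
    return alerts

if __name__ == "__main__":
    for ip, user, method in correlate(WEB_LOG, AUTH_LOG):
        print(f"ALERT {ip}: LFI-style request, then SSH {method} login as {user}")
```

An alert here means a password readable from a web-app config file was also valid for SSH, so the fix is both patching the file inclusion and rotating to a credential that is not shared between services.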

Conclusion

This box was super simple, I made it slightly more complex by not trying something obvious first!

If you are here, thanks for reading! On to the next box :)
