BEEP – HackTheBox Walkthrough

Hello Friends, Today I am here with a new HTB machine.

This machine was pretty easy. The main goal is to get root flag.

Here we will be learning about a specific vulnerability called Local File Inclusion.

I didn’t use much of the tools to pwn this machine.

#nmap -sSV -T5 -p- –allports

There are a lot of service running on the host


22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)

25/tcp    open  smtp       Postfix smtpd

80/tcp    open  http       Apache httpd 2.2.3

110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4

111/tcp   open  rpcbind    2 (RPC #100000)

143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4

443/tcp   open  ssl/https?

878/tcp   open  status     1 (RPC #100024)

993/tcp   open  ssl/imap   Cyrus imapd

995/tcp   open  pop3       Cyrus pop3d

3306/tcp  open  mysql      MySQL (unauthorized)

4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)

4445/tcp  open  upnotifyp?

4559/tcp  open  hylafax    HylaFAX 4.3.10

5038/tcp  open  asterisk   Asterisk Call Manager 1.1

10000/tcp open  http       MiniServ 1.570 (Webmin httpd)


I did a dirb scan to find the directories but before checking the ports and services, I did a quick google search about Elastix and its vulnerabilities. Then I came across this Local File inclusion in Elastix 2.2.0

So, what is a Local File Inclusion (LFI) vulnerability?

LFI is often found in poorly written web applications. These vulnerabilities occur when a web application allows the user to submit input into files or upload files to the server.

You can find more about  LFI here

I opened the exploit from Exploit DB and was going through the code. I found that it affects Vtiger CRM.

Here I checked whether this page has Vtiger CRM

Okay, now I probably found something interesting without using dirbuster. Here I can see the Vtiger CRM 5.1.0. Again, google is a savior here, I checked for Vtiger CRM exploit.

Before trying the Vtiger CRM SOAP exploit, I decided to use the Elastix LFI Exploit and see what result we get. I used the LFI exploit. I always wished not to use the Metasploit and pwn a vulnerable machine. So, this was my right chance.

After taking a glance at the page source  I found ,



# AMPDBNAME=asterisk


# AMPDBPASS=amp109







Now digging more at the source, I found something interesting “ jEhdIekWmdjE “

As you can see in the below screenshot, this password is mentioned in multiple places.

I didn’t want to spend any more time attempting to brute force usernames and passwords. Instead, I just picked up the password and tried my luck whether I would get SSH using this password.

#ssh root@

But it threw an error                       

Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

So, I used the key exchange to resolve the issue

#ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@

Finally, I got the root access…! Now, all I have to do is  finding the flag

94812bd3b0622f1228481fdd9ea7054b- that’s the flag.

This was the first machine I pwned without using Metasploit.

 Hint: You can still use Metasploit and do privilege escalation with Nmap

Leave a Reply

%d bloggers like this: