Beep HTB Writeup
Hi Everyone, happy Sunday. I solved the easy level machine on HTB and by far I feel it was the easiest one.
Started by scanning all TCP ports and services using nmap.
Following points taken from the scanning output:
- The OpenSSH version that is running on port 22 is pretty old so checking searchsploit to see if any critical vulnerabilities are associated with this version.
- Ports 25, 110, 143, 995 are running mail protocols for that finding a valid email address to further enumerate these services will be a good starting point. Port 4190 running Cyrus timsieved 2.3.7 seems to be associated to imapd.
- Port 111 is running RPCbind. The port 878 running the status service is associated to this.
- Ports 80, 443 and 10000 are running web servers. Port 80 seems to redirect to port 443.
- Port 3306 is running MySQL database. There is a lot of enumeration potential for this service.
- Port 4559 is running HylaFAX 4.3.10.
- Port 5038 is running running Asterisk Call Manager 1.1. Again, we’ll have to check the version number to see if it is associated with any critical exploits.
- I’m not sure what the upnotifyp service on port 4445 does.
Although the machine was easy but there were too many rabbit holes.
Started by browsing the port 80 where elastix service was running.
The searchsploit showed two interesting exploits : remote code execution and local file inclusion.
Browsed through the below path which was found in the ‘graph.php’ local file inclusion exploit where interesting sensitive credentials combinations were found.
As port 22 SSH was open so tried by accessing with admin user but the password combination didn't work.
Then decided to traverse to /etc/passwd which showed different users on the target server.
Tried the root password combination and glad it did work.
Let’s do a root dance and thanks for reading.