Beep – HackTheBox Walkthrough

Enumeration – Nmap

We start by enumerating the box by running an nmap scan.

Let's take a look at the web services. The following are running:

1) :80 redirects to the :443 SSL instance running Elastix

2) :10000 has an instance of Webmin running

Our nmap scan earlier revealed it is MiniServ 1.570.

After searching for a while, I couldn’t find anything that was very useful.

I then went to enumerate further.

Enumeration – Directory Fuzzing

A couple of interesting directories showed up:

/admin/ dir shows us FreePBX is installed.

/recordings/ shows us FreePBX 2.5 is installed.

/vtigercrm/ dir shows us vtiger CRM 5.1.0 is installed.

/mail/ shows us an unknown version of Roundcube is installed.

/static/ shows us the following:

This tells us some fax/VoIP/messaging software might be installed.

/modules/ shows us that many PBX Modules are installed.


As you can tell, there are a lot of vectors to attack. I started at the top, and executed a searchsploit for ‘Elastix’, because we don’t know the version.

I didn’t want to try all of these one by one, so I resorted to searching for FreePBX exploits.

I had found a couple exploits, but not anything useful.

I then resorted to vtiger CRM and found an LFI for 5.1.0.

Exploitation – vtiger CRM LFI

Local File Inclusion – sortfieldsjson.php

After a quick Google search, I’ve found out vtiger CRM is vulnerable to LFI (Local File Inclusion).

Local File Inclusion – graph.php

Now that we know vtiger CRM has an LFI vulnerability, I remembered the searchsploit result having a ‘graph’ LFI.

This gives us the following:

I tried to SSH into the box, and the password gave me the root user.
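From the defender's side, LFI requests like the ones against graph.php and sortfieldsjson.php leave a recognisable trace in the web server's access log. The following is an added example, not part of the original walkthrough: a small Python detector that decodes nested percent-encoding and flags dot-dot traversal and null bytes in query strings. The log lines, client addresses and the parameter name `p` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines; the parameter name "p" is made up.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vtigercrm/index.php?module=Home HTTP/1.1" 200 5120
10.10.14.5 - - [01/Jan/2024:10:00:07 +0000] "GET /vtigercrm/graph.php?p=..%2f..%2f..%2fetc%2fpasswd%2500 HTTP/1.1" 200 1873
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "GET /vtigercrm/graph.php?p=%252e%252e%252fetc%252fhosts HTTP/1.1" 200 402
10.10.14.9 - - [01/Jan/2024:10:01:00 +0000] "GET /recordings/index.php?lang=en HTTP/1.1" 200 900
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# ".." used as a path segment: preceded by start, "/", "\" or "=", followed by a separator or end.
TRAVERSAL = re.compile(r'(?:^|[/\\=])\.\.(?:[/\\]|$)')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .), up to max_rounds passes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_lfi_attempts(log_text):
    """Return (client, path, reasons, status) for requests whose query looks like LFI."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        query = fully_decode(parts.query)
        reasons = []
        if TRAVERSAL.search(query):
            reasons.append("dot-dot traversal")
        if "\x00" in query:
            reasons.append("null byte")
        if reasons:
            hits.append((client, parts.path, reasons, status))
    return hits

if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```

A flagged request that returned status 200 deserves the closest look, since any file it exposed may contain credentials that are reused for other services such as SSH.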
