Beep — HackTheBox Write-up (L-E)

05-10 Archivist
3 min readMar 26, 2021

--

Reconnaissance

Lots of open ports = big attack surface. The quickest one we could check is the webpage via port 80.

Gaining Access

Since we have no information about the credential it’s not practical to blindly brute force it.

Searching around, we could see that there are lots of exploits available for Elastix

Since I don’t know the exact Elastix version for this one, I could just try all these and see what sticks. The most straightforward here if the LFI exploit.

Source

Just append the exploit on the URL

And you will see this

After viewing the page source to format this wall of text, we will see these credentials

Maybe we could use this credential for SSH connection

This is an issue with key exchange but you resolve this temporarily using this command:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123

So admin is not working using the AMPDBPASS/AMBMGRPASS. Maybe we could try root as username using the same password.

Finding the Flags

Now that we have root access, finding the flags is trivial.

Hackthebox
Hackthebox Writeup
Local File Inclusion

--

--

05-10 Archivist

Written by 05-10 Archivist

16 Followers

Noob crypto boi

More from 05-10 Archivist

See all from 05-10 Archivist

Recommended from Medium

Lists

An organic petal-like pattern of three dimensional shapes.

Staff Picks

463 stories317 saves

Stories to Help You Level-Up at Work

19 stories235 saves

Self-Improvement 101

20 stories643 saves

Productivity 101

20 stories596 saves
See more recommendations

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech

Teams