HackTheBox Writeup — Beep

Pic Credits — Ippsec

Hello Guys , I am Faisal Husaini. My username on HTB is “faisalelino” .

Since I got VIP Connection few days ago , I am going to solve as many retired boxes as possible and create writeups for each one of them. I hope you enjoy them and dont boast me for it :)

The IP of this box is

So we run NMAP against the target and get

We run the IP in the browser , but it redirects us to HTTPS websites

We see that its running Elastix , running Gobuster on it , we get

Running searchsploit for elastix , we get

We get few exploits , the one which looks interesting is the LFI and Remote Code Execution one , let’s try the LFI one

We see it gave us the location of the LFI , which is the /vtigercrm directory , which we saw in the gobuster results too , let’s copy it and see the result

We get something , but its hard to read this rendered file , so we view the source code

We get many things like users and password for FreePBX which can be accessed through the /admin

We get prompted for username and password , so we will enter the creds for admin as we got before and hit OK

We got successfully logged in and see that its running FreePBX version

I tried many exploits for this , but it didnt worked for me , so as we saw that ssh is open and we have password for admin from the config file we got , let’s try to connect to root through it

So we got it as root , it was a proper guess work here , coz I have encountered same thing on some other boxes too as well

Let’s get the user flag which is located at home folder of the user as user.txt

The root flag is located at the root folder as root.txt

That’s the box , really very CTF type from the perspective I solved this

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store