Beep // Linux // Beginner //

created by ch4p // 10.10.10.7

// Enumeration //

Beep is the first machine we’ve encountered that is just going to throw a whole lot of spaghetti at you and force you to dig through it. Go ahead and kick off an nmap scan, and watch those ports add up. At the same time, get dirb running against the web server, and browse to the primary web page.

nmap -Pn -A -p- -v 10.10.10.7 -oG /home/rp/Desktop/Beep/nmap
dirb http://10.10.10.7 -f

We get a whole mess of ports thrown at us, with several vulnerabilities amongst them. However, I think the intended path is via the Elastix page, and a quick Google search turns up a well-documented vulnerability. This vulnerability exploits a misconfiguration that allows users to conduct unauthenticated directory traversal. To exploit it, simply append the following path to the target IP.

// Exploitation //

/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

And in return, we get a whole bunch of information, including what appears to be clear text credentials and passwords. Let’s give them a go in an SSH session. The server is running a legacy key exchange, so if you get an error with your standard SSH client, try the syntax below:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@10.10.10.7

And just like that, we’re in, as root, and we have our flags. Very simple machine, but a good look at how directory traversal can be exploited if not properly secured and sanitized.
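
On the detection side, the request used above leaves a distinctive shape in web server access logs: a query parameter carrying `../` sequences and a trailing `%00`. The following Python sketch is an added example, not part of the original write-up; the log lines are constructed samples and the function names are hypothetical. It goes slightly beyond the single request shown here by also decoding double-encoded payloads.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); not from a real server.
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 13779',
    '10.10.14.5 - - [01/Jan/2024:10:00:05 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts&action HTTP/1.1" 200 512',
    '10.10.14.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 120',
    '10.10.14.9 - - [01/Jan/2024:10:00:12 +0000] "GET /docs/v1..2/readme.txt?ref=a..b HTTP/1.1" 200 88',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/[\d.]+"')
# ".." only counts when it is a whole path segment, so "a..b" is not flagged.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded payloads (%252e) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return (parameter, reason) findings for the query string of one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    findings = []
    query = urlsplit(match.group(1)).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            findings.append((name, "traversal"))
        if "\x00" in value:
            findings.append((name, "null byte"))
    return findings

def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    return {i: f for i, line in enumerate(lines, 1) if (f := inspect_line(line))}

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(lineno, findings)
```
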