Hack the Box: Beep
Today we will be taking a look at Beep on Hack the Box:
Seems like there are a lot of ports to check. Let's look at the web server and see if we find anything on port 80.
We see something called Elastix. Doing a quick Google search, we find the following:
Nothing states that this is the version; however, seeing if this works may be something to try. Also, the first thing that pops up is an RCE, and it has been modified for this exact box. I didn't realize that until I started to read through the code:
We get a callback. Let's start to look through this and see if we find anything for priv esc:
Looks like a field day, we can pretty much do whatever we want. I decided to change /bin/bash to have the SUID bit set; then we can run bash -p and become root.
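A defender-side check for the SUID change described above, as an added example that is not part of the original write-up: it reads a shell list in /etc/shells format and reports every listed shell that carries the setuid or setgid bit. The function name `suid_shells` is hypothetical, and the list defaults to /etc/shells.

```shell
#!/bin/sh
# Added example (not from the write-up): audit login shells for setuid/setgid bits.
# A root-owned shell with the setuid bit keeps its effective UID when started
# with -p, so any hit here should be treated as a privilege-escalation backdoor
# and cleared with: chmod u-s,g-s <path>

# suid_shells [LIST]
#   LIST is a file in /etc/shells format: one absolute path per line,
#   blank lines and lines starting with '#' are ignored.
#   Prints "setuid <path>" or "setgid <path>" for each offending shell.
#   Returns 2 if LIST cannot be read, 0 otherwise.
suid_shells() {
    list=${1:-/etc/shells}
    [ -r "$list" ] || return 2

    while IFS= read -r path; do
        # Skip blank lines and comments.
        case $path in
            ''|'#'*) continue ;;
        esac
        # Ignore entries that do not exist on this host.
        [ -f "$path" ] || continue

        # test -u / -g follow symlinks, so /bin/sh -> dash is checked on the target.
        if [ -u "$path" ]; then
            echo "setuid $path"
        elif [ -g "$path" ]; then
            echo "setgid $path"
        fi
    done < "$list"

    return 0
}

# Stand-alone use: audit the list given as the first argument, or /etc/shells.
suid_shells "$@" || echo "cannot read shell list" >&2
```

Empty output means no listed shell has the bit set; run it from a scheduled job or a file-integrity baseline so a change like the one above is caught quickly.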