Introduction
Using Beep from HTB, I exploit Elastix 2.2.0 using a local file inclusion (LFI). I then attempted to password spray SSH and ran into issues with ciphers. Running an AutoRecon scan shows Port 80 running. Arriving at the page, I see a Web UI running.

Elastix search login screen running on Port 80.
A short Google later, I use an LFI exploit to find a config file with a list of passwords. One of the passwords provides me SSH access, and with a specific SSH command allowing the use of outdated ciphers, I am able to connect and root the box.

Passwords within the config file.
ALWAYS check cipher support when connecting to SSH or HTTPS, as curl and OpenSSL give issues forming a connection.
Outdated ciphers making the box more difficult.
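One way to do that check for SSH, as an added example (not code from the original write-up): parse the OpenSSH client's "Unable to negotiate" errors and build a per-host `ssh_config` stanza, so the legacy algorithms are enabled for that one host rather than globally. The address `192.0.2.10`, the sample error lines and the client algorithm sets are constructed; on a real client the sets would come from `ssh -Q kex`, `ssh -Q key`, `ssh -Q cipher` and `ssh -Q mac`.

```python
import re

# Phrase in the OpenSSH negotiation error -> ssh_config option for that class.
OPTION_FOR = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}
ERROR_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port \d+: "
    r"no matching (?P<kind>.+?) found\. Their offer: (?P<offer>\S+)"
)

def parse_negotiation_error(line):
    """Return (host, option, offered_algorithms), or None if not such an error."""
    m = ERROR_RE.search(line)
    if not m or m["kind"] not in OPTION_FOR:
        return None
    return m["host"], OPTION_FOR[m["kind"]], m["offer"].split(",")

def host_stanza(error_lines, client_supports):
    """Build a Host block enabling one legacy algorithm per failed class.

    ssh stops at the first mismatch, so error_lines usually accumulates over
    several retries. client_supports maps option name -> set of algorithms the
    local client can do; the first server-offered match is appended with '+'.
    """
    host, wanted = None, {}
    for line in error_lines:
        parsed = parse_negotiation_error(line)
        if parsed is None:
            continue
        host, option, offer = parsed
        usable = [a for a in offer if a in client_supports.get(option, ())]
        if usable:
            wanted[option] = usable[0]
    if host is None:
        return ""
    body = [f"    {opt} +{alg}" for opt, alg in sorted(wanted.items())]
    return "\n".join([f"Host {host}"] + body)

# Constructed sample input (not captured from the box in this write-up).
SAMPLE_ERRORS = [
    "Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss",
]
SAMPLE_CLIENT = {
    "KexAlgorithms": {"diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"},
    "HostKeyAlgorithms": {"ssh-rsa"},
}

if __name__ == "__main__":
    print(host_stanza(SAMPLE_ERRORS, SAMPLE_CLIENT))
```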

HTB Beep rooted with fancy proof.
