Using Beep from HTB I exploit Elastix 2.2.0 using a local file inclusion (LFI). I then attempted to password spray
SSH and run into issues with ciphers. Running AutoRecon scan shows
Port 80 running. Arriving at the page I see a Web UI running.
Elastix search login screen running on Port 80.
A short Google later I use an
LFI exploit to find a config file with a list of passwords. One of the passwords provides me
SSH access and with a specific
SSH command allowing the use of outdated ciphers I am able to connect and root the box.
Passwords within the config file.
Outdated ciphers making the box more difficult.
HTB Beep rooted with fancy proof.