Introduction

On the HTB machine Beep I exploit Elastix 2.2.0 via a local file inclusion (LFI). I then attempt to password spray SSH and run into issues with ciphers. An AutoRecon scan shows port 80 open, and browsing to it shows a web UI.

Elastix search login screen running on Port 80.

A short Google search later, I use an LFI exploit to find a config file containing a list of passwords. One of those passwords gives me SSH access, and with a specific SSH command that allows the use of outdated ciphers I am able to connect and root the box.

Passwords within the config file.

ALWAYS check cipher support when connecting over SSH or HTTPS, as curl and OpenSSL refuse to form a connection when only outdated ciphers are offered.
Outdated ciphers making the box more difficult.
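The cipher problem above is worth turning into a check. The following script is an added example, not code from the original writeup or from the box: it parses the "Unable to negotiate ... Their offer:" line a current OpenSSH client prints when a server only offers legacy algorithms, and it audits an `sshd_config` for the same legacy algorithms so an administrator can find them before a client trips over them. The error line, the config text and the 10.0.0.5 address are constructed samples; the legacy lists reflect commonly deprecated SHA-1 key exchanges, CBC/RC4 ciphers, MD5/truncated MACs and DSA/SHA-1 host keys.

```python
"""Classify an OpenSSH negotiation failure and audit sshd_config for legacy algorithms.

Added example (not part of the original Beep writeup). All sample input below is
constructed, not captured from the box.
"""
import re

# Algorithms widely treated as legacy: SHA-1 key exchange, CBC and RC4 ciphers,
# MD5 / truncated MACs, and DSA or SHA-1-signed RSA host keys.
LEGACY = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "cipher": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
               "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128", "arcfour256"},
    "hostkey": {"ssh-dss", "ssh-rsa"},  # ssh-rsa here means RSA with SHA-1 signatures
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}

# Maps the phrase in OpenSSH's "no matching ... found" message to a LEGACY key.
KIND_FROM_MESSAGE = {
    "key exchange method": "kex",
    "cipher": "cipher",
    "host key type": "hostkey",
    "MAC": "mac",
}

# Constructed sample of the client-side failure message (host address is made up).
SAMPLE_ERROR = (
    "Unable to negotiate with 10.0.0.5 port 22: no matching key exchange method found. "
    "Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,"
    "diffie-hellman-group1-sha1"
)

# Constructed sample sshd_config fragment mixing modern and legacy choices.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256
Ciphers aes256-ctr,3des-cbc
MACs hmac-sha2-256,hmac-md5
"""

CONFIG_KEYS = {"kexalgorithms": "kex", "ciphers": "cipher",
               "macs": "mac", "hostkeyalgorithms": "hostkey"}


def parse_offer(line):
    """Return (kind, [algorithms]) from an OpenSSH 'Unable to negotiate' line."""
    m = re.search(r"no matching (.+?) found\. Their offer: (.+)$", line)
    if not m or m.group(1) not in KIND_FROM_MESSAGE:
        raise ValueError("not an OpenSSH negotiation failure line")
    algos = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return KIND_FROM_MESSAGE[m.group(1)], algos


def classify_offer(line):
    """Split the server's offer into legacy and modern algorithms."""
    kind, algos = parse_offer(line)
    legacy = [a for a in algos if a in LEGACY[kind]]
    modern = [a for a in algos if a not in LEGACY[kind]]
    return {"kind": kind, "legacy": legacy, "modern": modern,
            "only_legacy": bool(algos) and not modern}


def audit_sshd_config(text):
    """Return (directive, algorithm) pairs for every legacy algorithm enabled."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        kind = CONFIG_KEYS.get(parts[0].lower())
        if kind is None:
            continue
        for algo in parts[1].split(","):
            algo = algo.strip().lstrip("+-^")     # OpenSSH list-modifier prefixes
            if algo in LEGACY[kind]:
                findings.append((parts[0], algo))
    return findings


if __name__ == "__main__":
    result = classify_offer(SAMPLE_ERROR)
    print(f"{result['kind']}: legacy={result['legacy']} modern={result['modern']}")
    if result["only_legacy"]:
        print("server offers only legacy algorithms for this step")
    for directive, algo in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"sshd_config {directive} enables legacy algorithm {algo}")
```

Run it against a pasted error line or a real `sshd_config` (for example, piping the file into `audit_sshd_config`) to see which directive is keeping a legacy algorithm alive; on a host being hardened, the fix is to remove the flagged entries from that directive rather than to relax the client.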

HTB Beep rooted with fancy proof.

Rooted

Published On: October 9th, 2020 / Categories: HTB, Technology