Introduction
Using Beep from HTB I exploit Elastix 2.2.0 using a local file inclusion (LFI). I then attempted to password spray SSH
and run into issues with ciphers. Running AutoRecon scan shows Port 80
running. Arriving at the page I see a Web UI running.

Elastix search login screen running on Port 80.
A short Google later I use an LFI
exploit to find a config file with a list of passwords. One of the passwords provides me SSH
access and with a specific SSH
command allowing the use of outdated ciphers I am able to connect and root the box.
Copy

Passwords within the config file.
ALWAYS check
cipher
support when connecting to SSH
or HTTPS
as curl
and OpenSSL give issues forming a connection.
Outdated ciphers making the box more difficult.
Copy

HTB Beep rooted with fancy proof.
Copy