Beep is an easy Linux box that can be exploited by properly enumerating all ports and services. On the web server you will find an Elastix login portal. This Elastix version is vulnerable to a local file inclusion, which discloses root credentials that you can use to open an SSH shell. It is worth mentioning that there are other methods of exploiting this host.


Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn

22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp?
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to
110/tcp   open  pop3?
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            939/udp   status
|_  100024  1            942/tcp   status
143/tcp   open  imap?
443/tcp   open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2020-10-26T10:54:32+00:00; +1h01m55s from scanner time.
993/tcp   open  imaps?
995/tcp   open  pop3s?
3306/tcp  open  mysql?
|_mysql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Host:
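Added example, not part of the original writeup: a small parser for the `nmap -sV` output above that turns each port line into a record, attaches the NSE script lines to it, and runs two checks an enumerator or defender wants from this scan. It flags services nmap could not confirm (the trailing `?` in the service column, which is why those ports deserve a manual look) and certificates that were already expired at the time the target reported (`ssl-date` versus `Not valid after`). The embedded scan text is a reduced copy of the output above; the function names are mine.

```python
import re
from datetime import datetime

# Subset of the nmap output shown above (the ports that matter for the checks below).
SCAN = """\
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
443/tcp   open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2020-10-26T10:54:32+00:00; +1h01m55s from scanner time.
3306/tcp  open  mysql?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
"""

# port/proto  state  service  [version...]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Turn port lines into dicts; NSE script lines ('|' prefix) attach to the preceding port."""
    entries = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            entries.append({"port": int(port), "proto": proto, "state": state,
                            "service": service, "version": version.strip(), "scripts": []})
        elif line.startswith("|") and entries:
            entries[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return entries


def unidentified(entries):
    """nmap appends '?' when it could not verify the service; those ports need manual inspection."""
    return [e["port"] for e in entries if e["service"].endswith("?")]


def expired_certs(entries):
    """Compare the certificate's 'Not valid after' with the time nmap observed on the target (ssl-date)."""
    expired = []
    for e in entries:
        not_after = seen = None
        for s in e["scripts"]:
            m = re.match(r"Not valid after:\s+(\S+)", s)
            if m:
                not_after = datetime.fromisoformat(m.group(1)[:19])
            m = re.match(r"ssl-date:\s+(\S+?);", s)
            if m:
                seen = datetime.fromisoformat(m.group(1)[:19])  # drop the +00:00 offset
        if not_after and seen and seen > not_after:
            expired.append(e["port"])
    return expired


if __name__ == "__main__":
    found = parse_nmap(SCAN)
    for e in found:
        print(f"{e['port']:>5}/{e['proto']} {e['service']:<12} {e['version']}")
    print("unverified services on ports:", unidentified(found))
    print("expired certificates on ports:", expired_certs(found))
```

On the scan above this reports 443 and 3306 as unverified and 443 as carrying a certificate that expired in 2018, two years before the scan date the target reported.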

The first thing I checked was the web server. The user is presented with a login page with an Elastix logo.


Searching for Elastix in Google turns up several exploits, one of which is a local file inclusion. This is the exploit used here. The exploit code already states the URL you have to enter, which is:


So there is no need to run this exploit: you can just copy the URL into the browser and you will get a bunch of information in return. Searching that output for the string "password" gives several matches, one of which is AMPDBPASS. This password was used to open an SSH shell as root. At first I was getting the following error message: Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1.
The solution is the following command:
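Added example, not from the writeup and not Elastix's own code: the bug class behind this step is a file-inclusion parameter that is pasted straight into a filesystem path. The snippet below puts the vulnerable resolver next to a hardened one so the difference is visible on the same inputs. The directory, the allowlist of names and the function names are constructed for the example; `posixpath` is used so the results are the same on any platform.

```python
import posixpath

# Constructed allowlist: the only "language" files the application is ever meant to include.
ALLOWED_NAMES = {"en", "es", "de"}


def unsafe_include_path(base_dir, requested):
    """Vulnerable pattern: the request parameter is joined straight onto the include directory.
    '../' sequences walk out of base_dir, and an absolute value discards base_dir entirely."""
    return posixpath.normpath(posixpath.join(base_dir, requested))


def safe_include_path(base_dir, requested):
    """Hardened version: allowlist the parameter, build the file name ourselves, then verify
    containment. Returns the resolved path, or None when the request must be rejected."""
    # 1. Only names we know about; separators, dots and encodings never reach the path logic.
    if requested not in ALLOWED_NAMES:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested + ".php"))
    # 2. Defence in depth: even a mistaken allowlist entry cannot resolve outside base_dir.
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def audit_requests(base_dir, requests):
    """For each parameter value, show what the two resolvers do with it."""
    return [(r, unsafe_include_path(base_dir, r), safe_include_path(base_dir, r))
            for r in requests]


if __name__ == "__main__":
    samples = ["en", "../../../etc/passwd", "/etc/passwd"]
    for req, unsafe, safe in audit_requests("/srv/app/lang", samples):
        print(f"{req!r:24} unsafe -> {unsafe:<22} safe -> {safe}")
```

The point of keeping both checks is that the allowlist is what makes the parameter safe, while the containment check is the backstop that catches a future change to the allowlist or to how the path is built.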

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@
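Added example, not part of the original writeup: the error above is the client refusing every key-exchange method an OpenSSH 4.3 server offers, and re-enabling `diffie-hellman-group1-sha1` on the client is a one-off workaround for the box. From the defender's side the useful reading of that message is an audit of what the server offers. The snippet parses the "Their offer:" list out of the client error, classifies each method, and produces the `sshd_config` line you would pin once the server runs a current OpenSSH. The error text is copied from above; `MODERN_KEX` lists methods current OpenSSH enables by default; the function names are mine.

```python
# Client error as it appeared when connecting to the box (copied from the text above).
ERROR_MSG = ("Unable to negotiate with port 22: no matching key exchange method found. "
             "Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,"
             "diffie-hellman-group1-sha1.")

# Key-exchange methods enabled by default in current OpenSSH releases.
MODERN_KEX = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group-exchange-sha256",
]


def parse_offer(msg):
    """Pull the comma-separated list after 'Their offer:' out of the ssh client's error text."""
    if "Their offer:" not in msg:
        return []
    return msg.split("Their offer:", 1)[1].strip().rstrip(".").split(",")


def classify_kex(algs):
    """Sort offered kex names into weak (1024-bit group), deprecated (SHA-1 based) and acceptable."""
    report = {"weak": [], "deprecated": [], "ok": []}
    for a in algs:
        if a == "diffie-hellman-group1-sha1":
            report["weak"].append(a)        # 1024-bit modulus, far below current minimums
        elif a.endswith("-sha1"):
            report["deprecated"].append(a)  # SHA-1 in the exchange hash
        else:
            report["ok"].append(a)
    return report


def server_needs_upgrade(algs):
    """True when the server offers nothing a current client accepts by default."""
    return not classify_kex(algs)["ok"]


def sshd_config_line():
    """The sshd_config line to pin once the server runs an OpenSSH that supports these methods."""
    return "KexAlgorithms " + ",".join(MODERN_KEX)


if __name__ == "__main__":
    offer = parse_offer(ERROR_MSG)
    print(classify_kex(offer))
    print("server needs upgrade:", server_needs_upgrade(offer))
    print(sshd_config_line())
```

Run against the message from this box, every offered method lands in the weak or deprecated bucket and the "ok" list is empty, which is exactly the condition under which a modern client aborts the handshake.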

Enter the password you obtained from the LFI and you have a root shell:

[root@beep fanis]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

[root@beep fanis]# cat /root/root.txt

[root@beep fanis]# cat /home/fanis/user.txt

It is worth mentioning that there are other, more complicated, ways to exploit this box. They are pretty cool! Check IppSec out for the other ways :)