Beep — HackTheBox Write-up (L-E)

05-10 Archivist
3 min readMar 26, 2021


Lots of open ports = big attack surface. The quickest one we could check is the webpage via port 80.

Gaining Access

Since we have no information about the credential it’s not practical to blindly brute force it.

Searching around, we could see that there are lots of exploits available for Elastix

Since I don’t know the exact Elastix version for this one, I could just try all these and see what sticks. The most straightforward here if the LFI exploit.


Just append the exploit on the URL

And you will see this

After viewing the page source to format this wall of text, we will see these credentials

Maybe we could use this credential for SSH connection

This is an issue with key exchange but you resolve this temporarily using this command:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1

So admin is not working using the AMPDBPASS/AMBMGRPASS. Maybe we could try root as username using the same password.

Finding the Flags

Now that we have root access, finding the flags is trivial.