Hackthebox - Beep

From nmap, there are lots of ports opened.

It is the web page on port 80, and it runs Elastix.

I tried to use one of the exploit in searchsploit. It is a LFI for Elastix 2.2.0.

It actually works, and I got the credential.

I successfully login to Elastix with the credential.

And I found that I can also access ssh as root with the credential.