# Flatline

## Nmap

```
nmap 10.10.39.143 -Pn -p- -sS -sV

PORT     STATE SERVICE          VERSION
3389/tcp open  ms-wbt-server    Microsoft Terminal Services
8021/tcp open  freeswitch-event FreeSWITCH mod_event_socket
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

The scan shows only two open ports. We can disregard `RDP` for the moment and focus on 8021, which `Nmap` has detected as "FreeSWITCH mod\_event\_socket".

`mod_event_socket` is a TCP-based interface to control FreeSWITCH, and it operates in two modes, **inbound** and **outbound**.

By default, connections are only allowed from localhost, but this can be changed via configuration files.

**Freeswitch:** <https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket>

With this in mind, researching exploits on Google turns up the following Python script on **exploit-db**: <https://www.exploit-db.com/exploits/47799>.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FL7WvOWI9qSkAb3IyNUNP%2Fimage.png?alt=media\&token=ef90ce6f-5e89-4348-a25d-14345a52593c)

The syntax to be used for the script for command execution:

```bash
python exploit.py <IP> <Command>
```

**Note:** When using the script, I found I was not seeing any return feedback from the script. I was not sure at the time if this was the script or the target system. Looking at other walkthroughs after rooting the box, I noticed this behaviour is unexpected. However, I have detailed my steps around the issue below, as I originally thought it was intentional.

With the above in mind, I started sending some basic commands to the box. Without being able to see the results of the commands, I fired up Wireshark and used it to record the command output.

As shown below, the current user is an Administrator on the machine.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FwpbnEXKJTO7SwDleWzz6%2Fimage.png?alt=media\&token=8d74ea7c-ff96-44fd-b696-f5c103f56c43)

Knowing this, I then created a new administrative user and added them to the administrators group.

```bash
python exploit.py <IP> 'net user /add viper Password123 && net localgroup "Administrators" /add viper'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FB1ZqQ8GbBtXOdsNp8Z67%2Fimage.png?alt=media\&token=8adbc46a-cdcc-4f6b-b40b-44eba1390307)

With successful confirmation, we can then log in as our own administrative user with `xfreerdp`, as `RDP` is open.

```bash
xfreerdp /v:10.10.146.100 /u:viper /p:Password123 +clipboard
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FWc6SvgyYFxHBFQUWpi7t%2Fimage.png?alt=media\&token=ca7e3b13-4153-4268-b85d-12afdd439325)

After starting a command prompt, we move over to the user Nekrotic's desktop and grab the `user.txt` flag contents.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FIMMeBW3OvLQQTWi2jVfe%2Fimage.png?alt=media\&token=3a2d64fe-8506-4678-909a-9dfe529bd584)

We find that we are unable to access `root.txt` due to insufficient permissions. Seeing as we are an admin, the best route may be to use `psexec` to escalate to SYSTEM and then read the file.

Psexec.exe: <https://docs.microsoft.com/en-us/sysinternals/downloads/psexec>

**Note:** Psexec can be copied and pasted over through `xfreerdp` if it is executed with the parameter `+clipboard`.

Run `Psexec.exe` with the following to start a command prompt as SYSTEM.

```
psexec.exe -accepteula -s cmd.exe
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F4K2fcvwp2U1XoUMOUtUs%2Fimage.png?alt=media\&token=f9baa9c4-2889-4110-8e40-da316e634cfc)

From there, we can read the contents of `root.txt`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FhEgL2VzdErUejrUXtyZn%2Fimage.png?alt=media\&token=607f530a-fecc-415e-b8ac-a74de3363faa)
