Flatline
https://tryhackme.com/room/flatline
Nmap
Starting out with only two ports of which, we can disregard RDP
for the moment and focus on 8021 which Nmap
has detected as being "FreeSWITCH mod_event_socket".
mod_event_socket
is a TCP-based interface to control FreeSWITCH, and it operates in two modes, inbound and outbound.
By default, connections are only allowed from localhost, but this can be changed via configuration files
Freeswitch: https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket
With this in mind and when researching exploits on Google we find the following python script on exploit-db: https://www.exploit-db.com/exploits/47799.
The syntax to be used for the script for command execution:
Note: When using the script I found I was not seeing any return feedback from the script. I was not sure at the time if this was the script or the target system. Looking at other walk through's after rooting the box I noticed this behaviour is unexpected. However, I have detailed my steps around the issue below as I thought originally, it was intentional.
Going with the above in mind I started sending some basic commands to the box. Without being able to see the results of the command I fired up WireShark and used this to record the command output.
As shown below the current user is an Administrator on the machine.
Knowing then I then created a new administrative user and added them to the administrators group.
With successful confirmation we can then login as our own administrative user with xfreerdp
as RDP
is open.
After starting command prompt we move over to the user Nekrotic's desktop and grab the user.txt
flag contents.
With root.txt
we find that we are unable to access due to insufficient permissions. Seeing as we are an admin the best route may be to use psexec
to escalate to SYSTEM and then to read the file.
Psexec.exe: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
Note: Psexec can be copy and pasted over though xfreerdp
if executed with the parameter +clipboard
.
Run Psexec.exe
with the following to start a command prompt as SYSTEM.
Where we can then read the contents of root.txt
.
Last updated