Flatline

Room link: https://tryhackme.com/room/flatline

Scanning

I ran a full nmap scan with ping disabled after it didn't allow me to run a scan.

ajread@aj-ubuntu:~/TryHackMe$ nmap -p- -Pn [Remote IP]
Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-11 07:54 EST
Nmap scan report for [Remote IP]
Host is up (0.10s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
8021/tcp open  ftp-proxy

Nmap done: 1 IP address (1 host up) scanned in 253.58 seconds

I ran more aggressive scans on each of the ports from the full nmap scan since I wanted to gather some more information.

ajread@aj-ubuntu:~/TryHackMe$ nmap -A -p 3389 -Pn [Remote IP]
Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-11 07:59 EST
Nmap scan report for [Remote IP]
Host is up (0.10s latency).

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: WIN-EOM4PK0578N
|   NetBIOS_Domain_Name: WIN-EOM4PK0578N
|   NetBIOS_Computer_Name: WIN-EOM4PK0578N
|   DNS_Domain_Name: WIN-EOM4PK0578N
|   DNS_Computer_Name: WIN-EOM4PK0578N
|   Product_Version: 10.0.17763
|_  System_Time: 2022-03-11T12:59:24+00:00
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Not valid before: 2021-11-08T16:47:35
|_Not valid after:  2022-05-10T16:47:35
|_ssl-date: 2022-03-11T12:59:26+00:00; -1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.71 seconds

I started up hydra to brute-force a login over RDP to see what would happen.

Enumeration

However, it didn't work, so I decided to go after the more interesting FreeSwitch service. I found a possible exploitation with command execution (https://www.exploit-db.com/exploits/47799). According to the exploit, FreeSwitch allows commands to be run after proper authentication. The default password for the service is ClueCon. So, I renamed the exploit to freeswitch.py and connected to the service with the below command.

Therefore, I was able to run any command that I wanted with the freeswitch.py script that authenticated my socket with the remote service. Looking at the output of whoami, I appear to be running as user on the system.
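As an added defender-side example (not from the original writeup, the exploit, or FreeSWITCH itself): the weakness used above is an Event Socket listener that is reachable over the network and still accepts the stock password. The PowerShell below audits FreeSWITCH's event_socket.conf.xml for that condition on a Windows host like this one. The install path, the parameter names (password, listen-ip, apply-inbound-acl) and the file layout follow the stock autoload_configs format and are assumptions to check against your own install.

```powershell
# Added example, not part of the original writeup.
# Audits FreeSWITCH's event_socket.conf.xml for the weaknesses this room relies on:
# the default ESL password "ClueCon" and a listener reachable from outside the host.
# Assumption: the stock autoload_configs layout and the install path below, which
# you should replace with your own.
param(
    [string]$ConfigPath = 'C:\Program Files\FreeSWITCH\conf\autoload_configs\event_socket.conf.xml'
)

function Test-EslConfig {
    param([xml]$Config)

    # Collect <param name="..." value="..."/> entries under <settings>
    $params = @{}
    foreach ($p in $Config.SelectNodes('//configuration/settings/param')) {
        $params[$p.GetAttribute('name')] = $p.GetAttribute('value')
    }

    $findings = @()

    # Default or missing password: anyone who can reach the port can authenticate
    if (-not $params['password'] -or $params['password'] -eq 'ClueCon') {
        $findings += 'ESL password is the default (ClueCon) or unset'
    }

    # Listener bound to a non-loopback address is reachable over the network (port 8021 here)
    $listen = $params['listen-ip']
    if ($listen -and $listen -notin @('127.0.0.1', '::1')) {
        $findings += "ESL listens on $listen instead of loopback"
    }

    # No inbound ACL means no network-level restriction on ESL clients
    if (-not $params['apply-inbound-acl']) {
        $findings += 'no apply-inbound-acl restricting ESL clients'
    }

    return $findings
}

$xml    = [xml](Get-Content -LiteralPath $ConfigPath -Raw)
$result = Test-EslConfig -Config $xml
if ($result) {
    $result | ForEach-Object { Write-Output "FAIL: $_" }
} else {
    Write-Output 'OK: event_socket settings look hardened'
}
```

A host configured as described in this room would fail the first two checks. The fix is the usual one: set a unique password, bind the listener to loopback unless remote ESL clients are genuinely needed, and restrict those with an inbound ACL plus host firewall rules on 8021/tcp.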

Initial Access

I had to do some digging around, but I eventually found the location of user.txt.

Privilege Escalation

Within the desktop directory of the user, I noticed a root.txt.

I tried to access it, but it came up with the following output, meaning I was not able to read the txt file or I didn't have the proper permissions. My guess: I didn't have the proper permissions.

I navigated to the Administrator home directory and found an interesting executable called OpenClinic. The name of the room is Flatline, so I guessed that this exe had something to do with local privilege escalation, continuing the medical theme.

There was a local privilege escalation exploit for that version of OpenClinic (https://www.exploit-db.com/exploits/50448). In this priv esc, I needed to modify the mysqld.exe or tomcat8.exe executables within the bin directory of mariadb and restart the OpenClinic service, which would execute the modified executable as SYSTEM. In summary, the exploit targets the ability of any user to modify mysqld.exe or tomcat8.exe, which run as SYSTEM.
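The condition behind this privilege escalation is generic: a service binary (or the directory holding it, since the writeup swaps the file by renaming) that low-privilege users can modify while the service runs as SYSTEM. As an added defender-side example, not code from the writeup or the exploit, the PowerShell below enumerates every service on a Windows host and reports write-class rights granted to low-privilege principals on the binary and its directory. The principal list and the PathName parsing heuristic are assumptions of this example.

```powershell
# Added example, not part of the original writeup.
# Lists Windows services whose binary or containing directory grants write-class
# rights to low-privilege principals, the condition the OpenClinic exploit depends on.
# Assumptions: the principal list below and the PathName parsing heuristic.
$weakRights = 'Modify|Write|FullControl|TakeOwnership|ChangePermissions|WriteData|AppendData'
$lowPriv    = '^(BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|Everyone|BUILTIN\\Guests|NT AUTHORITY\\INTERACTIVE)$'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted form: "C:\Program Files\x\svc.exe" -args
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\path\svc.exe -args (take everything up to the first .exe)
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Get-WeakAces {
    param([string]$Path)
    # Access-denied on Get-Acl is skipped rather than treated as a finding
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notmatch $lowPriv) { continue }
        if ($ace.FileSystemRights.ToString() -notmatch $weakRights) { continue }
        $ace
    }
}

function Find-WritableServiceBinary {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceBinaryPath -PathName $svc.PathName
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        $dir = Split-Path -LiteralPath $exe -Parent

        # Check the binary itself and the directory (rename/replace needs directory rights)
        foreach ($target in @(@{Kind='Binary'; Path=$exe}, @{Kind='Directory'; Path=$dir})) {
            foreach ($ace in Get-WeakAces -Path $target.Path) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Kind      = $target.Kind
                    Path      = $target.Path
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Find-WritableServiceBinary | Sort-Object Service, Kind | Format-Table -AutoSize
```

Rows where RunsAs is LocalSystem are the ones that give a local user a straight path to SYSTEM, which is exactly the OpenClinic case. Remediation is to reset the ACL so only Administrators and SYSTEM hold write rights on service binaries and their directories, and to have file-integrity monitoring alert on changes to those paths.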

To be sure, I confirmed the existence and location of the vulnerable mysqld.exe.

Following the local priv esc exploit, I created a payload with msfvenom on my local machine.

I set up a netcat listener on my local machine.

I also served up an http server using python.

I used curl to grab the malicious mysqld_evil.exe from my local machine.

I saw it grab the shell from my server.

I renamed mysqld_evil.exe to the correct name, mysqld.exe.

Then, I restarted the machine.

And got admin access after a short reboot.
