Clue 🔺
Enumeration
We can connect to the SMB shares.
The web server responds with Forbidden.
Port 300 is for Apache Cassandra.
Searching for an exploit for FreeSWITCH, we find one,
but it doesn't seem to work.
The exploit uses the default password ClueCon,
so the default password is not set on the target.
Looking in the SMB share freeswitch we find ClueCon
So the password is set in /etc/freeswitch/autoload_configs/event_socket.conf.xml
Searching for an exploit for Cassandra
We can read files with it, so we can try to get the FreeSWITCH password from the config file above.
And the password is different: StrongClueConEight021
Going back to the FreeSWITCH exploit from before, we can change the password it uses.
We can then set up a reverse shell.
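A defender-side check for the event_socket.conf.xml file named above, as an added example that is not part of the original write-up: it flags the shipped ClueCon password, a wildcard listen-ip and world-readable permissions. The sample configs are constructed, and treating a missing password param as the default is an assumption.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "ClueCon"       # password shipped in event_socket.conf.xml
WILDCARD_IPS = {"0.0.0.0", "::"}   # bind to every interface

# Constructed sample configs (not taken from the target host).
WEAK_XML = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
    <!-- <param name="apply-inbound-acl" value="loopback.auto"/> -->
  </settings>
</configuration>"""
HARDENED_XML = WEAK_XML.replace("0.0.0.0", "127.0.0.1").replace(
    'value="ClueCon"', 'value="constructed-long-random-value"')

def audit_event_socket(path):
    """Return the list of findings for one event_socket.conf.xml file."""
    findings = []
    # ElementTree drops XML comments, so commented-out params are ignored.
    settings = {p.get("name"): p.get("value", "")
                for p in ET.parse(path).getroot().iter("param")}
    # Assumption: a missing password param is treated like the default.
    if settings.get("password", DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
        findings.append("default-password")
    if settings.get("listen-ip") in WILDCARD_IPS:
        findings.append("listens-on-all-interfaces")
    # Any local account or file-read bug running as another user can read it.
    if os.stat(path).st_mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings

def write_sample(xml_text, mode):
    """Write a constructed config to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w") as handle:
        handle.write(xml_text)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for label, xml_text, mode in (("weak", WEAK_XML, 0o644),
                                  ("hardened", HARDENED_XML, 0o640)):
        print(label, audit_event_socket(write_sample(xml_text, mode)))
```

A changed password alone does not clear the last finding: the config still has to be unreadable to other accounts and services on the host.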
Privilege Escalation
ps auxww
shows a Ruby process with cassie's password:
cassie:SecondBiteTheApple330
With sudo -l we see that we can execute cassandra-web as root.
Now, using the same file-read exploit as before, we would be reading files as root.
Start a cassandra-web instance on another port and run the script locally.
The script only makes a curl request with 8 ../,
so we can make the request locally without the script.
Looking at anthony's files, in the bash history we see
So the private key is the same for anthony and root: read id_rsa and log in via SSH.