Clue 🔺

Enumeration

We can connect to the SMB shares.

The web server answers with Forbidden.

Port 300 is for Apache Cassandra.

Searching for an exploit for FreeSWITCH:

But it doesn't seem to work.

The exploit uses the default password ClueCon.

So the default password is not in use.

Looking in the SMB share freeswitch, we find ClueCon.

So the password is set in /etc/freeswitch/autoload_configs/event_socket.conf.xml.

Searching for an exploit for Cassandra:

This exploit lets us read files, so we can try to read the password from the config file found earlier.

And the password is different: StrongClueConEight021.

Using the FreeSWITCH exploit from before, we can change the password.

We can get a reverse shell.

Privilege Escalation

ps auxww shows a ruby process whose command line contains the password of the user cassie:

cassie:SecondBiteTheApple330

With sudo -l, we see that we can execute cassandra-web as root, so:

Now, using the same file-read exploit as before, we would be reading files as root.

Start cassandra-web as root on another port and run the script locally against it.

The script only makes a curl request with eight ../ path segments, so we can do the same without the script.

Checking anthony's home directory, in the bash history we see:

So the private key is the same for anthony and root: read id_rsa and log in via SSH as root.

Post Exploitation