FreeSWITCH


Nmap discovered a FreeSWITCH service on target port 8021. The running service is FreeSWITCH mod_event_socket.

FreeSWITCH is free and open-source telephony software for real-time communication protocols using audio, video, text and other forms of media. The software has applications in WebRTC, voice over Internet Protocol (VoIP), video transcoding and Multipoint Control Unit (MCU) functionality, and it supports Session Initiation Protocol (SIP) features.

According to the official documentation, mod_event_socket is a FreeSWITCH module that provides a TCP-based interface for controlling FreeSWITCH. It operates in two modes, inbound and outbound (these terms are relative to FreeSWITCH). By default, connections are only allowed from localhost, but this can be changed via configuration files.

Connecting


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/clue]
└─$ telnet $IP 8021                                                     
Trying 192.168.220.240...
Connected to 192.168.220.240.
Escape character is '^]'.
Content-Type: auth/request

Connecting to the port returns a Content-Type: auth/request banner. That is an authentication request, which can be answered with the auth command.

Trying the default password, ClueCon, from the backup on the Samba server appears to fail.
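
A defensive check for the two settings discussed above (the localhost-only default and the default ClueCon password), as an added example that is not part of the original write-up: it audits an event_socket.conf.xml for a non-loopback listener, the default password and a widened inbound ACL. The sample config is constructed, and the parameter names (listen-ip, password, apply-inbound-acl) are assumed to follow the stock FreeSWITCH configuration file.

```python
import ipaddress
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "ClueCon"  # default password named on this page

# Constructed sample config (not taken from the target). Parameter names are
# assumed to match the stock event_socket.conf.xml layout.
SAMPLE_CONF = """\
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
    <param name="apply-inbound-acl" value="lan"/>
  </settings>
</configuration>
"""

def audit_event_socket(xml_text):
    """Return a list of (check_id, message) findings for an event socket config."""
    params, acls = {}, []
    # ElementTree skips XML comments, so commented-out params are ignored.
    for p in ET.fromstring(xml_text).iter("param"):
        name, value = p.get("name"), p.get("value", "")
        if name == "apply-inbound-acl":
            acls.append(value)
        else:
            params[name] = value

    findings = []
    listen_ip = params.get("listen-ip", "")
    try:
        if not ipaddress.ip_address(listen_ip).is_loopback:
            findings.append(("listen-ip", f"listens on non-loopback address {listen_ip}"))
    except ValueError:
        # Empty value or a FreeSWITCH variable that cannot be resolved offline.
        findings.append(("listen-ip", f"cannot resolve {listen_ip!r}; review manually"))
    if params.get("password") == DEFAULT_PASSWORD:
        findings.append(("password", "default password is still set"))
    wide = [a for a in acls if a != "loopback.auto"]
    if wide:
        findings.append(("acl", f"inbound ACL widened beyond localhost: {', '.join(wide)}"))
    return findings

if __name__ == "__main__":
    for check, msg in audit_event_socket(SAMPLE_CONF):
        print(f"[{check}] {msg}")
```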

Vulnerabilities


Searching online for known vulnerabilities reveals an RCE vulnerability.