There are two webservers and a port running freeswitch.
There's also an smb share with anonymous access, with two directories — called "cassandra" and "freeswitch."
I opted to just download both cassandra and freeswitch locally using "mget *", just because they were probably worth grepping through.
I initially found a password for the User03 account on Cassandra, but then I looked more into where I got the password from and it was just sample CQL documentation, totally worthless.
I ran enum4linux on the SMB share and uncovered the cassie and anthony users.
I then ran multiple freeswitch exploits, and couldn't find anything. What I did find was that "ClueCon" was used in an exploit-db freeswitch exploit as the default password for freeswitch, which didn't work.
I then discovered LFI on the Cassandra page through results from autorecon, really, although exploits online would've pointed out LFI just fine as well. Downloaded /etc/passwd with no issue, and snooped around for ssh keys, to no avail.
The home page of port 3000's web server gives you a "Cassandra Web" interface, and it's evident that it runs as "cassie" because she can't do anything, really. There was very little information to be gleaned, from what I could tell. There was, however, an API endpoint at the /hosts directory, which I tried to fuzz with feroxbuster, but it didn't give me anything.
A risk with some of these boxes is information overload — especially when I'm just trying to uncover the beginning of the exploit path, it's easy to just get paralyzed by all the stuff in front of you. I thought that the API endpoint might have been something, and also suspected I might have been missing something on the Cassandra web page, where you could formulate queries of your own.
I looked through the smb freeswitch drive again and found a default password for freeswitch, "ClueCon", the same as offered in the exploit. Here's where I should have put 2 and 2 together. I assumed the directory on the SMB share was identical to the one available through LFI on the webserver; but I would've gotten a different password if I had looked at the same file through LFI. This is the kind of stuff that comes through practice.
I was happy, though, that I had basically found the attack path — I hadn't wandered off into a rabbit hole.
In other news, I'd like to share this cheat-sheet from Muhammad Noman Khalid:
https://www.linkedin.com/pulse/muhammad-nomans-oscp-journey-comprehensive-review-noman-khalid-rwmse/
Probably the single most helpful cheatsheet I've found — dense with useful commands. He didn't just throw tons of commands into a document; rather, it seems like he thought about each one and left out extraneous ones.