Clue Proving Grounds Write-Up
SUMMARY
This write-up covers the Clue machine from OffSec’s Proving Grounds, a Linux machine requiring chained exploitation across two separate services.
Port 3000 ran Cassandra Web, vulnerable to a Remote File Read exploit. While this gave arbitrary file reads, direct exploitation wasn’t sufficient for a shell. Port 8021 ran FreeSwitch, which had a command execution script, but it relied on the default password, which had been changed. The FreeSwitch event socket configuration file (event_socket.conf.xml) was read via the Cassandra Web file read vulnerability, exposing the actual password. With the correct password, the FreeSwitch RCE exploit executed commands as freeswitch and a reverse shell was received.
Process enumeration (ps -faux) revealed cleartext credentials for user cassie. Switching to cassie, sudo -l showed she could run cassandra-web as any user. Starting a local Cassandra Web server on a custom port and abusing its path traversal allowed reading privileged files. The .bash_history of user anthony revealed he could SSH as root using his private key. Reading anthony’s id_rsa via path traversal and authenticating as root via SSH completed the machine.
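The cleartext credentials in the process list are the pivot point of this chain, and they are easy to audit for on your own hosts. The following is an added example, not part of the original write-up: it walks /proc/<pid>/cmdline and flags secrets passed as command-line arguments. The option names it matches are assumptions about common naming, and the sample values in the test are constructed.

```python
import os
import re

# Assumed names: options commonly used to pass a secret on a command line.
NAMES = r"(password|passwd|pass|pwd|secret|token|api[-_]?key)"
SECRET_OPT = re.compile(r"^--?" + NAMES + r"$", re.I)            # --password VALUE
SECRET_KV = re.compile(r"^(?:--?)?" + NAMES + r"=(.+)$", re.I)   # --password=VALUE

def redact(value):
    """Never echo the secret itself into audit output."""
    return "<redacted:%d chars>" % len(value)

def find_cmdline_secrets(argv):
    """Return [(option, redacted_value)] for secrets visible in one argv list."""
    hits, i = [], 0
    while i < len(argv):
        arg = argv[i]
        kv = SECRET_KV.match(arg)
        if kv:
            hits.append((kv.group(1).lower(), redact(kv.group(2))))
        elif SECRET_OPT.match(arg) and i + 1 < len(argv) \
                and not argv[i + 1].startswith("-"):
            hits.append((arg.lstrip("-").lower(), redact(argv[i + 1])))
            i += 1  # skip the value we just consumed
        i += 1
    return hits

def scan_proc(proc="/proc"):
    """Scan every readable process; returns [(pid, argv0, hits)]."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                raw = fh.read().decode("utf-8", "replace")
        except OSError:
            continue  # process exited, or access denied
        argv = [a for a in raw.split("\0") if a]  # arguments are NUL-separated
        hits = find_cmdline_secrets(argv)
        if hits:
            findings.append((int(pid), argv[0], hits))
    return findings

if __name__ == "__main__":
    for pid, exe, hits in scan_proc():
        print(pid, exe, hits)
```

Any hit means the secret is readable by every local user who can list processes; move it to a config or environment file with restricted permissions, and consider mounting /proc with hidepid=2.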
PATH TO FOLLOW
- Reconnaissance & Service Discovery (Cassandra Web + FreeSwitch)
- Remote File Read via Cassandra Web Exploit
- FreeSwitch Password Extraction from Config File
- Authenticated FreeSwitch RCE & Reverse Shell
- Cleartext Credentials in Process List → Pivot to cassie
- Sudo cassandra-web Path Traversal for Privileged File Read
- Root SSH Key Extraction & Shell as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.