Solid State

Overview

Initial Foothold : Default creds in James Remote Admin

Privilege Escalation : Misconfiguration of permissions

Enumeration

Port Scanning

Start with a full nmap port scan

Didn't get much information from the web server

There was an interesting port, 4555, where JAMES Remote Admin 2.3.2 was running, i.e. a mail server was running

Let's try to access this using telnet

Try the default username root and password root to log in, and we succeeded

Let's list the users on this mail server using the listusers command

Got some users

We can reset their passwords using the setpassword command

You can find this information using the help command

Let's reset all the users' passwords

Now let's access the POP3 mail server on port 110

POP3 holds the mail that the users have received from others

Use a username and password obtained above

List the mail available to this user using the LIST command

The james account has no mail available

Try the mindy account and see what we can find

Retrieve mail number 2 using the RETR command

And got the SSH creds of the mindy user

Summary

Got the SSH creds of the mindy user from mindy's mailbox

Exploitation

Let's log in as mindy using the creds

mindy : P@55W0rd1!2@

Got a shell, but it was restricted, as you can see from the rbash text

Let's try to bypass this restricted shell

There is a good post on this

Now we will use ssh to bypass the rbash shell

Just add -t "bash --noprofile" to the ssh command to bypass the rbash shell

Got a shell without any restrictions

Privilege Escalation

Find the files that are writable by our user using the find command

There we saw an odd file named tmp.py in the /opt folder

Let's see its contents and permissions

Observe the contents of the file

This script was removing files from the /tmp/ folder, and it was running with root permissions

Also, our user has write access to it

So we can add our malicious code to this script, and when it executes as the root user we will get a root shell

Here we added reverse shell code to this script and started a listener on port 1234

Got the root shell
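The misconfiguration behind this root shell (a cleanup script executed as root that an unprivileged user can edit) is easy to audit for on a host. The following Python script is an added example written for this page, not code from the box or from the original writeup: it parses system crontab lines, picks out the programs that run as root, and flags any that a non-root user could modify. The crontab lines and file attributes are constructed samples, the stat function is injectable so the example runs offline, and the path /opt/tmp.py appears only because the writeup mentions it.

```python
import os
import stat
from types import SimpleNamespace

# Constructed sample in system crontab format (minute hour dom month dow user command).
# Assumption: the box's cleanup job looked like the first line; only the path is from the writeup.
SAMPLE_CRON = """\
# cleanup job
*/3 * * * * root /opt/tmp.py
0 2 * * * root /usr/local/bin/backup.sh
@reboot root /usr/local/sbin/warmup.sh
"""


def root_cron_scripts(cron_text):
    """Return the program paths of crontab entries that run as root."""
    scripts = []
    for line in cron_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @reboot, @daily, ... user command
            user, command = fields[1:2], fields[2:3]
        else:                                   # five time fields, user, command
            user, command = fields[5:6], fields[6:7]
        if user == ["root"] and command:
            scripts.append(command[0])
    return scripts


def writable_by_non_root(uid, gid, mode):
    """Explain how a non-root user could modify a file with these attributes, or return None."""
    if uid != 0:
        return f"owned by uid {uid}, not root"
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP and gid != 0:
        return f"group-writable by gid {gid}"
    return None


def audit_cron(cron_text, stat_fn=os.stat):
    """Map each unsafe root-run script to the reason it is unsafe."""
    findings = {}
    for path in root_cron_scripts(cron_text):
        try:
            st = stat_fn(path)
        except (OSError, KeyError):
            findings[path] = "missing: a writable parent directory would let anyone create it"
            continue
        reason = writable_by_non_root(st.st_uid, st.st_gid, st.st_mode)
        if reason:
            findings[path] = reason
    return findings


# Constructed file attributes standing in for os.stat results, so the example runs offline.
FAKE_FS = {
    "/opt/tmp.py": SimpleNamespace(st_uid=0, st_gid=0, st_mode=0o100777),
    "/usr/local/bin/backup.sh": SimpleNamespace(st_uid=0, st_gid=0, st_mode=0o100755),
    "/usr/local/sbin/warmup.sh": SimpleNamespace(st_uid=1000, st_gid=1000, st_mode=0o100755),
}


if __name__ == "__main__":
    # On a live host, read /etc/crontab and /etc/cron.d/* and leave stat_fn as the real os.stat.
    for path, reason in audit_cron(SAMPLE_CRON, stat_fn=lambda p: FAKE_FS[p]).items():
        print(f"{path}: {reason}")
```

The same check applies to anything else root executes on a schedule or at boot (systemd timers, rc scripts): the fix is to make the script root-owned with mode 755 or stricter, and to treat a root-run program in a user-writable location as a finding in its own right.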

That's all for this box

Good Bye :)
