Solid State

Overview
Initial Foothold : default credentials on the James Remote Admin service
Privilege Escalation : misconfigured file permissions on a script run by root
Enumeration
Port Scanning
Start with a full nmap port scan:
kali@kali:~/htb$ sudo nmap -sS -T4 10.10.10.51 -p- -A
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.5 [10.10.14.5]),
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open james-admin JAMES Remote Admin 2.3.2
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 4.2 (95%), Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.8 - 3.11 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.4 (95%), Linux 4.8 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
The web server did not give much useful information.

The interesting port was 4555, where JAMES Remote Admin 2.3.2 was running, i.e. a mail server (Apache James) was present.
Let's try to access it using telnet:
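As an added example for this write-up (not code from the original post), the following Python script parses the service table of the nmap report above and flags what a defender would want to act on: a management interface (the james-admin port) reachable on a routable address, and protocols that carry credentials in cleartext (POP3, SMTP, NNTP). The scan lines are copied from the output above; the policy sets deciding which service names count as management or cleartext are this example's own assumption.

```python
"""Parse the service table from an nmap -A text report and flag exposures.

Added example for this write-up; it is not from the original post. The
policy sets below (which service names count as management interfaces or as
cleartext credential protocols) are this example's own assumption.
"""
import re
from dataclasses import dataclass

# Constructed input: the open-port lines from the scan above, copied as-is.
SCAN_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp open smtp JAMES smtpd 2.3.2
80/tcp open http Apache httpd 2.4.25 ((Debian))
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open james-admin JAMES Remote Admin 2.3.2
"""

# One nmap service line: "<port>/<proto> <state> <service> [<version>]"
LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Assumed policy: management interfaces that should only be reachable from an
# admin network or loopback, and protocols that carry credentials in cleartext.
MANAGEMENT_SERVICES = {"james-admin"}
CLEARTEXT_SERVICES = {"pop3", "smtp", "nntp", "telnet", "ftp"}


@dataclass
class Service:
    port: int
    proto: str
    name: str
    version: str


def parse_services(report_text: str) -> list:
    """Return the open services listed in an nmap text report, in order."""
    services = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None or m["state"] != "open":
            continue  # header, NSE script output ("| ..."), or a non-open port
        services.append(
            Service(int(m["port"]), m["proto"], m["service"], m["version"].strip())
        )
    return services


def classify(services: list) -> dict:
    """Map port -> finding text for services that violate the assumed policy."""
    findings = {}
    for s in services:
        if s.name in MANAGEMENT_SERVICES or "admin" in s.name.lower():
            findings[s.port] = "management interface exposed"
        elif s.name in CLEARTEXT_SERVICES:
            findings[s.port] = "cleartext credential protocol"
    return findings


def report(report_text: str) -> list:
    """Human-readable findings, one line per flagged port."""
    services = parse_services(report_text)
    findings = classify(services)
    return [
        f"{s.port}/{s.proto} {s.name} ({s.version}): {findings[s.port]}"
        for s in services
        if s.port in findings
    ]


if __name__ == "__main__":
    for line in report(SCAN_OUTPUT):
        print(line)
```

Run against the scan above it flags 25, 110, 119 and 4555 and leaves 22 and 80 alone; pointing it at a saved `nmap -A` text file for a whole subnet turns the same parser into a quick exposure inventory.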
telnet 10.10.10.51 4555

Trying the default username root and password root, the login succeeded.
Let's list the users on this mail server using the listusers command.

Got some users.
We can reset their passwords using the setpassword command;
this is shown by the help command.
Let's reset all the users' passwords.

Now let's access the POP3 mail server on port 110.
POP3 holds the mail that the users have received from others.
telnet 10.10.10.51 110
Use the usernames and passwords obtained above.

List the mail available to this user using the LIST command.
James has no mail available.
Try the mindy account and see what we can find.

Retrieve mail number 2 using the RETR command.

And got the SSH credentials of the user mindy.
Summary
Got the SSH credentials of the user mindy from mindy's own mailbox.
Exploitation
Let's log in as mindy using the credentials:
mindy : P@55W0rd1!2@

Got a shell, but it is restricted, as you can see from the rbash text.
Let's try to bypass this restricted shell.
There is a good post on this
Now we will use ssh itself to bypass the rbash shell.

Adding -t "bash --noprofile" to the ssh command is enough to bypass the rbash shell.
Got a shell without any restriction.
Privilege Escalation
Find the files writable by our user using the find command:
find / -writable 2>/dev/null
There we saw an odd file named tmp.py in the /opt folder.
Let's look at its content and permissions.

Observe the content of the file.

This script removes files from the /tmp/ folder and runs with root permissions.
Our user also has write access to it,
so we can add our own code to this script, and when it next executes as root we get a root shell.
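The misconfiguration here is a script that root executes but that a non-root user can modify. As an added defender's check (not part of the original write-up), the following Python audit walks directories where root-executed helper scripts typically live and reports any script that a non-root principal could change: owned by someone other than root, world-writable, group-writable by a non-root group, or sitting in a directory with one of those properties (in which case the file can be replaced wholesale, as with /opt/tmp.py on this box). The candidate directories and file-name patterns are this example's assumptions; extend them with whatever the host's cron entries and service units actually invoke.

```python
"""Audit scripts that root executes for write access by unprivileged users.

Added example for this write-up, not the original post's code. The candidate
directories and the file-name patterns are this example's assumptions; adjust
them to the host's cron entries and service units.
"""
import os
import stat

# Assumed places where root-executed helper scripts tend to live.
CANDIDATE_DIRS = ("/opt", "/usr/local/bin", "/etc/cron.d", "/etc/cron.daily")
SCRIPT_SUFFIXES = (".py", ".sh", ".pl")


def risk_reason(mode: int, uid: int, gid: int):
    """Why a root-executed file with these attributes could be tampered with.

    mode is the full st_mode; uid/gid are the file's owner and group.
    Returns None when no unprivileged principal can change the file.
    """
    if uid != 0:
        return f"owned by uid {uid}, not root"
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP and gid != 0:
        return f"writable by gid {gid}"
    return None


def is_candidate(path: str, mode: int) -> bool:
    """Regular files that look like scripts or carry the owner execute bit."""
    return stat.S_ISREG(mode) and (
        path.endswith(SCRIPT_SUFFIXES) or bool(mode & stat.S_IXUSR)
    )


def audit(dirs=CANDIDATE_DIRS) -> dict:
    """Walk dirs and return {path: reason} for tamperable candidate files.

    A tamperable parent directory is reported as well, because the file can
    then be replaced even if its own mode is strict.
    """
    findings = {}
    for base in dirs:
        for dirpath, _dirnames, filenames in os.walk(base):
            try:
                dir_st = os.lstat(dirpath)
            except OSError:
                continue
            dir_reason = risk_reason(dir_st.st_mode, dir_st.st_uid, dir_st.st_gid)
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not is_candidate(path, st.st_mode):
                    continue
                reason = risk_reason(st.st_mode, st.st_uid, st.st_gid)
                if reason is None and dir_reason is not None:
                    reason = f"parent directory {dir_reason}"
                if reason is not None:
                    findings[path] = reason
    return findings


if __name__ == "__main__":
    for path, reason in sorted(audit().items()):
        print(f"{path}: {reason}")
```

On this box the audit would report /opt/tmp.py as writable by a non-root user; the fix is to make such scripts root-owned with mode 0755 (or stricter) and to keep their parent directories root-owned and not group- or world-writable, so that "runs as root" never combines with "editable by anyone else".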

Here we added reverse shell code to the script and started a listener on port 1234.

Got the root shell.
That's all for this box
Good Bye :)