SolidState
https://app.hackthebox.com/machines/85
Last updated
https://app.hackthebox.com/machines/85
Last updated
Looking at our nmap results we see the target system is running JAMES 2.3.2 is an Apache mail server.
Some quick research shows that RCE is possible on version 2.3.2. However, this is not our attack vector.
The default login credentials for the admin interface on port 4555 is usually set to root:root. Connecting to the admin interface with telnet we are able to authenticate.
Running the HELP command we are then able to list known users using the listusers command.
We also see a command for resetting a users password. From here I reset every single users password and then logged into pop3 using telnet in an attempt to discover sensitive information contained within emails.
Then login over telnet to pop3.
Retrieving email index 2 we discover SSH credentials.
We are then able to authenticate over SSH as the user Mindy.
After logging in we notice we are in a rbash shell which is a restricted shell. I have previously covered rbash shell escapes in "Sunset Decoy" where I will be using the same technique to escape the restricted shell.
We are then able to grab the user.txt flag.
After performing some basic enumeration steps I was unable to identify any interesting routes for escalation. I decided to upload a pspy binary to monitor for scheduled tasks and processes that might be running.
After uploading the binary to the target system I then change the permissions to allow execution.
Then executed the binary.
In the output we notice the following python script is being executed on a regular interval.
Browsing to the file we notice it is owned by root. However, we have rights to edit the file.
To take advantage of this for privilege escalation we can clear the contents of the file and use nano to input a Python reverse shell.
Then use nano to insert the following reverse shell:
A few minutes later we will receive a root shell. Where we can then grab the root.txt flag.
