SolidState: 1 Walkthrough


This post documents the complete walkthrough of SolidState: 1, a boot2root VM created by Ch33z_plz , and hosted at VulnHub . If you are uncomfortable with spoilers, please stop reading now.

Background

It was originally created for HackTheBox.

Information Gathering

Let’s start with an nmap scan to establish the available services on the host.

# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.20.130
...
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp    syn-ack ttl 64 JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (192.168.20.128 [192.168.20.128]), PIPELINING, ENHANCEDSTATUSCODES,
80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp  open  pop3    syn-ack ttl 64 JAMES pop3d 2.3.2
119/tcp  open  nntp    syn-ack ttl 64 JAMES nntpd (posting ok)
4555/tcp open  rsip?   syn-ack ttl 64
| fingerprint-strings:
|   GenericLines:
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for
|_    Login id:

nmap finds a couple of open ports. JAMES 2.3.2 sure brings back memories.

JAMES Remote Administration Tool 2.3.2

Heck. This is screwed up.

[screenshot]

Let’s list the users with listusers.

[screenshot]

I have an evil idea. Let’s change all the users’ passwords to their usernames.

[screenshot]

Reading Others’ Emails

Now that I have changed all the passwords, I can log in to their POP3 accounts to read their emails.

[screenshot]

You can see that James asked John to send Mindy a temporary password for SSH access.

[screenshot]

Let’s see if the password is valid.

Low-Privilege Shell

[screenshot]

The password works but we have a small problem.

[screenshot]

Bypass Restricted Shell

This is almost trivial to bypass. We know SSH allows us to execute commands upon login. With this in mind, we can do something like this.

[screenshot]

Privilege Escalation

During enumeration of mindy’s account, I found a world-writable file /opt/tmp.py. Here’s what it looks like.

[screenshot]

If I had to guess, I’d say this is run by crontab under root’s account. Let’s replace it with something special.

[screenshot]

[screenshot]

About three minutes later, a root shell appears.

[screenshot]
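The root shell above comes from a single misconfiguration: a script that root's cron runs is writable by everyone. The following audit script is an added example, not code from the original write-up or from the VM, and it shows how a defender would catch that condition before an attacker does. It parses crontab lines in either the /etc/crontab layout (with a user field) or the per-user layout, extracts every absolute path in each command, and flags targets that are group- or world-writable, or that sit in a world-writable directory without the sticky bit. The crontab text and the files it references are constructed in a temporary directory, so the script runs offline; the file names (tmp.py, backup.sh) and the three-minute schedule are assumptions modelled on the write-up.

```python
"""Audit cron entries for scripts an unprivileged user could modify.

Added example (not from the original walkthrough). Flags cron targets
that are group/world-writable or live in an unprotected world-writable
directory. The sample crontab and files are constructed in a temp dir.
"""
import os
import re
import stat
import tempfile
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (cron user, path, reason)

# Absolute paths inside a command string, e.g. "/usr/bin/python3 /opt/tmp.py"
_PATH_RE = re.compile(r"(?<![\w.-])/[\w./-]+")


def parse_cron_line(line: str, owner: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Return (user, command) for one cron entry, or None for blank lines,
    comments and VAR=value assignments. With owner=None the line is in
    /etc/crontab layout (user field after the schedule); otherwise it is a
    per-user crontab belonging to `owner`."""
    fields = line.split()
    if not fields or fields[0].startswith("#") or "=" in fields[0]:
        return None
    n = 1 if fields[0].startswith("@") else 5  # "@hourly" vs five time fields
    if owner is None:
        if len(fields) < n + 2:
            return None
        return fields[n], " ".join(fields[n + 1:])
    if len(fields) < n + 1:
        return None
    return owner, " ".join(fields[n:])


def command_paths(cmd: str) -> List[str]:
    """Every absolute path mentioned in the command (interpreter and script)."""
    return _PATH_RE.findall(cmd)


def check_path(user: str, path: str) -> List[Finding]:
    """Permission checks for one cron target."""
    findings: List[Finding] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [(user, path, "target does not exist")]
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((user, path, "target is group/world-writable"))
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append((user, path, "parent directory is world-writable without sticky bit"))
    return findings


def audit_crontab(lines, owner: Optional[str] = None) -> List[Finding]:
    """Run check_path over every path referenced by every cron entry."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_cron_line(line, owner)
        if parsed is None:
            continue
        user, cmd = parsed
        for path in command_paths(cmd):
            findings.extend(check_path(user, path))
    return findings


def demo() -> List[Finding]:
    """Constructed scenario: one world-writable root cron script, one sane one."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    vulnerable = os.path.join(d, "tmp.py")    # stands in for /opt/tmp.py
    safe = os.path.join(d, "backup.sh")       # assumed well-configured sibling
    with open(vulnerable, "w") as fh:
        fh.write("#!/usr/bin/env python3\nprint('hello')\n")
    with open(safe, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(vulnerable, 0o666)  # the misconfiguration the write-up exploits
    os.chmod(safe, 0o755)        # root-owned, not writable by others
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command   (constructed sample, /etc/crontab layout)\n"
        f"*/3 * * * * root {vulnerable}\n"
        f"@hourly root {safe}\n"
    )
    return audit_crontab(crontab.splitlines())


if __name__ == "__main__":
    for user, path, reason in demo():
        print(f"[{user}] {path}: {reason}")
```

On a real host you would feed it /etc/crontab, the files under /etc/cron.d, and `crontab -l -u root` (with owner="root"); the same permission checks apply to anything referenced from /etc/cron.daily and friends.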

What’s the Flag?

[screenshot]

[screenshot]

Afterthought

Here’s the user’s flag for completeness’ sake.

[screenshot]

