SolidState: 1 Walkthrough
source link: https://www.tuicool.com/articles/hit/q6n2YjE
This post documents the complete walkthrough of SolidState: 1, a boot2root VM created by Ch33z_plz and hosted at VulnHub. If you are uncomfortable with spoilers, please stop reading now.
Background
It was originally created for HackTheBox.
Information Gathering
Let's start with an nmap scan to establish the available services on the host.
```
# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.20.130
...
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp    syn-ack ttl 64 JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (192.168.20.128 [192.168.20.128]), PIPELINING, ENHANCEDSTATUSCODES,
80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp  open  pop3    syn-ack ttl 64 JAMES pop3d 2.3.2
119/tcp  open  nntp    syn-ack ttl 64 JAMES nntpd (posting ok)
4555/tcp open  rsip?   syn-ack ttl 64
| fingerprint-strings:
|   GenericLines:
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for
|_    Login id:
```
nmap finds a couple of open ports. JAMES 2.3.2 sure brings back memories.
JAMES Remote Administration Tool 2.3.2
Heck. This is screwed up.
Let's list the users with listusers.
I have an evil idea. Let's change all the users' passwords to their usernames.
Reading Other’s Emails
Now that I have changed all the passwords, I can log in to their POP3 accounts and read their emails.
You can see that James asked John to send Mindy a temporary password for SSH access.
Let’s see if the password is valid.
Low-Privilege Shell
The password works, but we have a small problem.
Bypass Restricted Shell
This is almost trivial to bypass. We know SSH allows us to execute commands upon login. With this in mind, we can do something like this.
Privilege Escalation
During enumeration of mindy's account, I found a world-writable file, /opt/tmp.py. Here's how it looks.
If I had to guess, I'd say this is run by crontab under root's account. Let's replace it with something special.
About three minutes later, a root shell appears.
What’s the Flag?
Afterthought
Here's the user's flag for completeness' sake.