AdSense

Tuesday, February 5, 2019

SolidState


SOLIDSTATE

 - Layout for this exercise:




1 - INTRODUCTION

 - The goal of this exercise is to develop a hacking process for the vulnerable machine SolidState, what is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu

2 - ENUMERATION

- SolidState's IP is 10.10.10.51:


- Scanning all ports with Nmap there are 6 open ports:

- Connecting with the browser:

- Scanning deeply those 6 open ports:


- So the James Remote Admin 2.3.2 application is running on port 4555, what is vulnerable to this exploit:

 https://www.exploit-db.com/exploits/35513
- Reading the content we discover default credentials root:root :


3 - EXPLOITATION

 - The connection to port 4555 using credentials root:root is successful:



- HELP lists available commands:

- Listing users:



- Resetting passwords:


- Now, using these new passwords let's connect to the POP3 service running on port 110:

- users james, thomas and mailadmin don't have messages to be retrieved:

- user john has and interesting message from james, where they talk about user mindy's credentials:

- However, the most interesting task is to retrieve user mindy's two messages:






- At the second message we can read the password P@55W0rd1!2@

- Using this password to try an SSH connection for mindy:

4 - READING THE 1st FLAG

 - Reading user.txt:


5 - PRIVILEGE ESCALATION

 - However this shell is no very powerful because a lot of essential commands are restricted:


- To start a Privilege Escalation process let's copy locally the script of the 35513 exploit, where the payload can be modified according to our own interest:

- Giving execution permissions:


- Setting a Netcat listening session after the modified payload:



- Running 35513.py against SolidState's IP:

- So to get the payload executed we need that somebody logs in, for instance user mindy:



- As a consequence there is a reverse shell that can be improved successfully:





 - This shell allows more commands than the previous one:

  
- At this point let's look for any process being run by users either mindy, james, ...:







- It seems that a process inside folder /opt is being run with root privileges, and going there we discover that tmp.py is owned by root and sldo it is world writable:


- Reading tmp.py:
- Modifying tmp.py so that a shell is remotely spawn:






- After 3 minutes a root shell is spwan:


- Checking that tmp.py is scheduled as a crontab job every 3 minutes:



6 - CAPTURING THE 2nd FLAG

 - Reading root.txt:





Posted by at
Labels: