Nmap Results
The usual SYN
scan didn't work for me, so I tried a XMAS
scan, which worked.
sudo nmap -sX -Pn -p- --min-rate 10000 -A -oN scan.txt $target
# Nmap 7.93 scan initiated Thu Apr 6 11:06:49 2023 as: nmap -sX -Pn -p- --min-rate 10000 -A -oN scan.txt 10.10.10.51
Nmap scan report for 10.10.10.51
Host is up (0.013s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 770084f578b9c7d354cf712e0d526d8b (RSA)
| 256 78b83af660190691f553921d3f48ed53 (ECDSA)
|_ 256 e445e9ed074d7369435a12709dc4af76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.13 [10.10.14.13])
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open rsip?
| fingerprint-strings:
| GenericLines:
| JAMES Remote Administration Tool 2.3.2
| Please enter your login and password
| Login id:
| Password:
| Login failed for
|_ Login id:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4555-TCP:V=7.93%I=7%D=4/6%Time=642EE01D%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,7C,"JAMES\x20Remote\x20Administration\x20Tool\x202\.3\.2\nPle
SF:ase\x20enter\x20your\x20login\x20and\x20password\nLogin\x20id:\nPasswor
SF:d:\nLogin\x20failed\x20for\x20\nLogin\x20id:\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=4/6%OT=22%CT=1%CU=43689%PV=Y%DS=2%DC=T%G=Y%TM=642EE121
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11
OS:NW7%O6=M53CST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(
OS:R=Y%DF=Y%T=40%W=7210%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 199/tcp)
HOP RTT ADDRESS
1 15.09 ms 10.10.14.1
2 15.04 ms 10.10.10.51
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 6 11:11:29 2023 -- 1 IP address (1 host up) scanned in 280.34 seconds
Service Enumeration
TCP/80
Gobuster Enumeration
gobuster dir -u http://10.10.10.51 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt -r -t 200 -o gobuster.txt
/about.html (Status: 200) [Size: 7183]
/index.html (Status: 200) [Size: 7776]
/services.html (Status: 200) [Size: 8404]
/assets (Status: 200) [Size: 1496]
/images (Status: 200) [Size: 2516]
/README.txt (Status: 200) [Size: 963]
/LICENSE.txt (Status: 200) [Size: 17128]
TCP/25, TCP/110, TCP/119, TCP/4555
Initial Enumeration
I was looking at my notes and I had an entry for another Apache James target I tested. In my notes, I was able to connect to the Apache James remote administration port on TCP/4555
and login with the default credentials of root:root
. I'm going to try that here:
Having changed all the of the mail users' passwords, I should be able to login to each user's mailbox and see if I can find any useful information.
Mapping User Mailboxes
I am going to add the mail domain to my /etc/hosts
file, so that I can use the domain name when mapping the mailboxes.
Updating the Hosts File
sudo nano /etc/hosts
10.10.10.51 solid-state-security.com
Using Mutt to Map the Mailboxes
The mail server running on the target does not have an IMAP server, so I'll be using some Mutt configuration files to map some mailboxes for those accounts which I changed the password.
James
Thomas
Mailbox empty.
John
Press the Enter
key to open the email.
Press q
to exit.
Mindy
- Username:
mindy
- Password:
P@55W0rd1!2@
Mail Admin
Mailbox empty.
Exploit
This "award winning security team" left their mail administrative server configured with default credentials, allowing a user to manage user mailboxes with extreme ease. I was able to change the password on all mailbox accounts and read the contents of said mailboxes. One of the mailboxes contained a cleartext SSH credential.
Changing default passwords would prevent such attacks. It is also recommended to use SSH key authentication.
Breaking out of RBash
With SSH, you can interactively logon by specifying a connection string like the one pictured above:
But, it is also possible to run ad-hoc commands through SSH using a connection string like this:
Allow me to demonstrate:
Recalling from before the user mindy
has several system binaries symbolically linked in /home/mindy/bin
and this folder is also in Mindy's $PATH
variable. So, using the ssh
command we can link /bin/bash
to /home/mindy/bin/bash
and spawn a Bash subprocess to break out of rbash
.
I used this command to update the $PATH
variable to add the proper system binaries:
Post-Exploit Enumeration
Operating Environment
OS & Kernel
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686 GNU/Linux
Current User
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
sudo does not appear to be installed
Users and Groups
Local Users
james:x:1000:1000:james:/home/james/:/bin/bash
mindy:x:1001:1001:mindy:/home/mindy:/bin/rbash
Local Groups
osboxes:x:1000:
mindy:x:1001
cdrom:x:24:james
floppy:x:25:james
audio:x:29:pulse,james
dip:x:30:james
video:x:44:james
plugdev:x:46:james
netdev:x:108:james
bluetooth:x:112:james
lpadmin:x:114:james
scanner:x:116:saned,james
Network Configurations
Interfaces
ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:31:ec brd ff:ff:ff:ff:ff:ff
inet 10.10.10.51/24 brd 10.10.10.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:31ec/64 scope global mngtmpaddr dynamic
valid_lft 86397sec preferred_lft 14397sec
inet6 fe80::250:56ff:feb9:31ec/64 scope link
valid_lft forever preferred_lft forever
Open Ports
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
Interesting Files
/opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
os.system('rm -r /tmp/* ')
except:
sys.exit()
Privilege Escalation
Looking at /opt/tmp.py
, it seemed like a Python script that would be run by a cron
job. This script is being used to clear everything out of the /tmp
folder recursively. So, I created a file /tmp/test
and waited a bit while enumerating some other things. And sure enough, when I checked back later, /tmp/test
was gone.
We can update this script with a Python payload of our choosing and see which user we can pivot to.
nano /opt/tmp.py
Let's wait for the script to run and see if the SUID bit gets added to /bin/bash
, which would do a couple of things:
- Confirm the script is being run by
root
- Allow us to spawn a Bash process with
root
's SUID permissions, sinceroot
owns that binary
Flags
User
2e0afac767cf3761362c9a8e12691a63
Root
1e2fc9def55e943cbb636110e2b8e9ae