SolidState

SolidState - 10.10.10.51

Target Enumeration:

OS: Linux
IP: 10.10.10.51
User: 914d0a4ebc177889b5b89a23f556fd75
Root: b4c9723a28899b1c45db281d99cc87c9

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp open smtp JAMES smtpd 2.3.2
80/tcp open http Apache httpd 2.4.25 ((Debian))
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open james-admin JAMES Remote Admin 2.3.2

Vulnerability Exploited:

Apache James Server 2.3.2 - Remote Command Execution

Privilege Escalation:

A root cron job runs /opt/tmp.py, which is world-writable
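
An administrator can audit for the misconfiguration named above, a root cron job that runs a script any user can modify. The check below is an added example, not part of the original write-up; the sample crontab line is constructed, and only the referenced file and its containing directory are examined.

```python
import os
import stat
import sys

# Constructed sample in /etc/crontab format (not taken from the write-up).
SAMPLE = "SHELL=/bin/sh\n*/3 * * * * root python /opt/tmp.py\n"

def cron_paths(crontab_text):
    """Return absolute paths named in the non-comment lines of a crontab."""
    paths = []
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for tok in line.split():
            tok = tok.strip("\"';")
            # "*/3" and "VAR=/bin/sh" do not start with "/", so they are skipped.
            if tok.startswith("/") and tok not in paths:
                paths.append(tok)
    return paths

def world_writable(path):
    """Return the script, or its directory, if any local user can modify it."""
    for target in (path, os.path.dirname(path)):
        try:
            mode = os.stat(target).st_mode
        except OSError:
            continue  # missing or unreadable component: nothing to report
        if not mode & stat.S_IWOTH:
            continue
        if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
            continue  # sticky directory: users cannot replace entries they do not own
        return target
    return None

def audit(crontab_text):
    """Map each cron-referenced path to the world-writable component found."""
    findings = {}
    for path in cron_paths(crontab_text):
        hit = world_writable(path)
        if hit:
            findings[path] = hit
    return findings

if __name__ == "__main__":
    # Audit crontab files given as arguments, or the constructed sample.
    texts = [open(name).read() for name in sys.argv[1:]] or [SAMPLE]
    for text in texts:
        for path, hit in audit(text).items():
            print(f"{path}: run from cron but modifiable via {hit}")
```

Any path it reports should be owned by root and have write permission for other users removed (`chmod o-w`).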

Exploiting the host:

Nmap
Nothing exploitable yet, so run a deep scan with nmap on Bank, as it is faster:
A new port, 4555/tcp, has been found running, and we find the following default credentials
Online guides state to log in with telnet:
Searchsploit gives us an exploit to try
Modify the exploit
Execute it
Now you need to log in as a user via SSH to spawn a shell.
After checking all of the users' emails, mindy has some SSH creds
Now log in to mindy's mail account
And you have an SSH password, so start a nc listener on port 443 and log in over SSH
Now you have a low-privileged shell as mindy
Download your tools and run
Looks like a root script which clears out tmp every few minutes.
Echo the following into the bottom of the file and set up a nc listener on port 444
After a few minutes you will receive a root shell to collect your flags:
Add persistence if needed: