# SolidState

## SolidState - 10.10.10.51

### Target Enumeration:

OS: Linux

IP: 10.10.10.51

User: 914d0a4ebc177889b5b89a23f556fd75

Root: b4c9723a28899b1c45db281d99cc87c9

### Ports / Services / Software Versions Running

```
22/tcp   open  ssh          OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp   open  smtp         JAMES smtpd 2.3.2
80/tcp   open  http         Apache httpd 2.4.25 ((Debian))
110/tcp  open  pop3         JAMES pop3d 2.3.2
119/tcp  open  nntp         JAMES nntpd (posting ok)
4555/tcp open  james-admin  JAMES Remote Admin 2.3.2
```

### Vulnerability Exploited:

Apache James Server 2.3.2 - Remote Command Execution

<https://www.exploit-db.com/exploits/35513/>

### Privilege Escalation:

A root cron job runs /opt/tmp.py, which is world-writable, so any local user can change what root executes.
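A defensive check for this misconfiguration, as an added example that is not part of the original writeup: it parses a system-format crontab and reports every path run as root that is world-writable or sits in a world-writable directory without the sticky bit. The crontab entries, the `python` interpreter, `/opt/backup.sh` and the `fs_root` parameter are constructed for illustration; only `/opt/tmp.py` and the user `mindy` come from the page.

```python
import os
import re
import stat
import tempfile

ABS_PATH = re.compile(r"(?<![\w.:/])/[\w.+-]+(?:/[\w.+-]+)*")  # absolute paths in a command
SAMPLE_CRONTAB = """# constructed sample in system crontab format (user field present)
SHELL=/bin/sh
*/3 * * * * root python /opt/tmp.py
0 2 * * * root /opt/backup.sh
*/5 * * * * mindy /opt/tmp.py
"""

def root_cron_commands(crontab_text):
    """Yield the commands a system-format crontab runs as root."""
    for line in map(str.strip, crontab_text.splitlines()):
        if not line or line.startswith("#") or re.match(r"\w+\s*=", line):
            continue  # blank line, comment, or environment assignment
        n_sched = 1 if line.startswith("@") else 5  # "@reboot" vs. five time fields
        parts = line.split(None, n_sched + 1)
        if len(parts) == n_sched + 2 and parts[n_sched] == "root":
            yield parts[-1]

def audit(crontab_text, fs_root="/"):
    """Return (path, reason) for root-run paths that any local user can modify."""
    findings = []
    for command in root_cron_commands(crontab_text):
        for path in ABS_PATH.findall(command):
            real = os.path.join(fs_root, path.lstrip("/"))
            try:
                mode, parent = (os.stat(p).st_mode for p in (real, os.path.dirname(real)))
            except OSError:
                continue  # token is not a file on this system
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable file"))
            elif parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
                findings.append((path, "world-writable parent directory"))
    return findings

def demo():  # audits SAMPLE_CRONTAB against a constructed tree in a temp directory
    fs_root = tempfile.mkdtemp()
    os.mkdir(os.path.join(fs_root, "opt"), 0o755)
    for name, mode in (("tmp.py", 0o777), ("backup.sh", 0o755)):
        path = os.path.join(fs_root, "opt", name)
        open(path, "w").close()
        os.chmod(path, mode)
    return audit(SAMPLE_CRONTAB, fs_root)

if __name__ == "__main__":
    print(demo())
```

On a live host, call `audit()` on the contents of `/etc/crontab` and each file in `/etc/cron.d` with the default `fs_root`; the fix for a finding is root ownership with mode 0755 or tighter on both the script and its directory.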

### Exploiting the host:

Nmap

![](https://lh3.googleusercontent.com/nZoVzStFkdm1Oq07gZVPJRZDnIkx--n1uyEKYR_rM2dLGK8098kXZxrt_FoH3mrdxnz-1p1ocg0HeAJrw07XhkBmQ4DwfA4aJDSEOlsYgLcngVZzlt6R3DCI6dS17h3wYfOSigvh)

Nothing exploitable yet, so run a deep scan with nmap on Bank, as it is faster:

![](https://lh3.googleusercontent.com/lYpBVC2Mb0dnJ6tXu1ahVHnCqqvNPdVlKsx5XwOolAWTIR9tFZGNv8eQmMioaS5Xb8NVlPDsLxCH5XVkaIbCL4I2eazOLKDHUxGm3kTdjywfeb8KBNGGbjJ4wXYfPUtRwbmq-F0n)

A new port, 4555/tcp, has been found running. We find the following default credentials:

![](https://lh5.googleusercontent.com/K-SdSWaajVYV3eU2hEcvshYqNYthad1NflsQLLHIYjVibcE7_1h8wm0UWsErSTRi0D5DFxVQIzdvawn4d4Jut2fNqU3FtokxbKYDf6uPYnm1aNeVDAwE8RwNSBaxbnJMyKznFRQs)

Online guides state to log in with telnet:

![](https://lh3.googleusercontent.com/YhhooD7Sust_229cAqTtnsYz4D6WbK8UREzbrJ71h0wwWNdC7T7eVsabDXXNLW-UtwGR0FeKQK5PofeaNayIfJUBz_QdLEWY-qnThyli0vcGlcwuUJ4Q5Xi14V8SgfZoTDgpbELF)

Searchsploit gives us an exploit to try

![](https://lh5.googleusercontent.com/e6h10SV2kP7rpJHCNKylcATfLK3Y-uueJMV0NddlD922OrmsSLnuyKO5I0eoPnomQcihYbf0Lr93j_Iye6AjL4sCyphmAOpjLZUgEqg4c0Ls73lrhDxy-c_3_e-_MZSVJlZrN_Y6)

Modify the exploit

<div align="left"><img src="https://lh4.googleusercontent.com/oY9klaTz6yzfhqAj2VjHktEFqDo25EOJTJ3EI3NHB0vWAJrP3-Jpaj0tq3A0MNMdJuFnbjkp6XY5L9EUN0w8v8IGmLen3GULLalgvQu20SXAHqdbcAsUWbmgo3UooW1oYyvhTvUa" alt=""></div>

Execute it

<div align="left"><img src="https://lh4.googleusercontent.com/-hIN5RjpBSUMqbL7rt84_I3KF-xj0471Y5-xVKvYZGtCkZqcKMQ_tjMOA2juZuwH38tzTxnjUHm5Yk8HVw54CqiWpJAf9sRadonDAz-6ubYwTiVxc_FpAczXM1H-Yv5-mR2mVLuU" alt=""></div>

Now you need to log in as a user via SSH to spawn a shell.

After checking all of the users' emails, mindy has some SSH creds:

<div align="left"><img src="https://lh5.googleusercontent.com/r_6mT4mkAgeAMZCWtq5gW9Ph3-gw59nSZrtuZmQDgZaBz1iY1_KJVozG7gS-eqrZvdT4IoZiTyTBo-cCHRnzrYeMgs8QeF0Tbk5FJ-sgOFX3HrczqowlbINAUg2VlI5ByVCw_cR5" alt=""></div>

Now log in to mindy's mail account:

<div align="left"><img src="https://lh6.googleusercontent.com/HiVSaznPdJBWA9iqYgboQDR4OSvy7dOUg5y5b3CpQZ5lgmtrFuUBIowr6PTdDrnCsNU5ICsmFQZy0iq59grYGbUd-ZkKVJa2V5zIt2Mj6oEyafHqfrZthV_xPg7hdb5wTy9MZj4a" alt=""></div>

Now you have an SSH password, so start a nc listener on port 443 and log in over SSH:

![](https://lh3.googleusercontent.com/nz5ogVnrvsJzeEwq1ywh8O_eIm0PZas_UqjV_ruBybVDvJKqjasWzpe6d4sR2gt9s5vzxUkFH9fhP17yffMzsK8Dtv_qpTiD7B6XIv_lG24HoYJJlSVtcpz7ML4cK3e5kPROu54R)

Now you have a low-privileged user as mindy:

<div align="left"><img src="https://lh3.googleusercontent.com/KLtr9dWVvOX9L61Xe4EcLNAPljQnqBRQSbdTKxeP9C8b-AiSnSYAmLykmIY5nT__TTA7KYp9sYP7w-bRJPAwPEiImpAGkWbArNMLQn-41svvjpNN4I4SVZkPzbWbPFe1x09pZOj_" alt=""></div>

Download your tools and run

![](https://lh3.googleusercontent.com/tJG_5uLU5oSOKqvtJYx-di_ukjIASi964cqWOhN1hUj1BFc8HLqEA-F0PSrxQarnY2P3O1f6lJYuJ32Op0Rbqf4woQhwOuRD7xyEQ9EFRFYGuIwog7qowlc1lo6RLfc1RRmyAF0k)

Looks like a root script which clears out tmp every few minutes.

Echo the following into the bottom of the file and set up a nc listener on port 444:

![](https://lh5.googleusercontent.com/vnHXdwzCVbtm88V1aJfTTowq1gl33xnuyRI4mMUfkOxB-GQIu6exGfFQRkcNODD1lHuxD8FTyz3dBytNdGLh3YjfYrxzUkArZYgK8nL7QPxflEHGbbyXEmSnfzaOgt2XDSx11-ak)

After a few minutes you will receive a root shell to collect your flags:

<div align="left"><img src="https://lh6.googleusercontent.com/rzi8ClwNeh_S2rmL8LXLWjQ6vrFvVJBg7kGVk5maVI0-cVcuAhpFEnc1JAW80cTnrq7_pAmNLatxT5Ud9P82XP68hRIG2ZwOk5F8T6bHhW4_j3QB_dfxjYww9z7C5zN_khCDEn3_" alt=""></div>

Add persistence if needed:

![](https://lh4.googleusercontent.com/ne5Ngn50l_F3-u-POi5yKXswVG-NAyZBKd8WnK_OY0fyF3-dL4AWOqWeKRdSQ2gWF-90yq4k1TWD4rK1Eq8Guk8thOzKB49bu4sDpC-1WuyliI6oS4zwsXeJuIUSyjevhYBTrn-V)


