Hacking
  • Penetration Testing
  • Methodologies
    • Exfil
    • Manual Enumeration
    • Basic Buffer Overflow
    • Basic Internal Network test
    • Basic Mobile Testing guide
    • Basic Subdomain Enumeration guide
  • Guides
    • Build A Raspberry Pi Dropbox
    • Golang
    • Powershell / PowerView
    • PurpleSharp
  • Hack The Box last updated - 2019
    • Legacy
    • Devel
    • Optimum
    • Popcorn
    • Beep
    • Tenten
    • Arctic
    • Cronos
    • Grandpa
    • Granny
    • October
    • Lazy
    • Sneaky
    • Holiday
    • Blocky
    • Shrek
    • Blue
    • Joker
    • Europa
    • Haircut
    • Bank
    • SolidState
    • Mantis
    • Shocker
    • Tally
    • Sense
    • Jeeves
    • Stratosphere
    • Inception
    • Bashed
    • Fluxcapacitor
    • Canape
    • Rabbit
    • Chatterbox
    • Nibbles
    • Sunday
    • Aragog
    • Valentine
    • Silo
    • Olympus
    • Poison
    • Celestial
    • Waldo
    • Jerry
    • Access
    • Active
    • Netmon
  • scriptz
  • Issues
    • gists
    • Boring Issues
Powered by GitBook
On this page
  • SolidState - 10.10.10.51
  • Target Enumeration:
  • Ports / Services / Software Versions Running
  • Vulnerability Exploited:
  • Privilege Escalation:
  • Exploiting the host:
  1. Hack The Box last updated - 2019

SolidState

SolidState - 10.10.10.51

Target Enumeration:

OS: Linux

IP: 10.10.10.51

User: 914d0a4ebc177889b5b89a23f556fd75

Root: b4c9723a28899b1c45db281d99cc87c9

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)

25/tcp open smtp JAMES smtpd 2.3.2

80/tcp open http Apache httpd 2.4.25 ((Debian))

110/tcp open pop3 JAMES pop3d 2.3.2

119/tcp open nntp JAMES nntpd (posting ok)

4555/tcp open james-admin JAMES Remote Admin 2.3.2

Vulnerability Exploited:

Apache James Server 2.3.2 - Remote Command Execution

Privilege Escalation:

Root cronjob running /opt/tmp.py which is world writable

Exploiting the host:

Nmap

Nothing exploitable yet so run a deep scan with nmap on Bank as it is faster:

New port 4555/tcp has been found running we find the following default credentials

Online guides state to login with telnet:

Searchsploit gives us an exploit to try

Modify the exploit

Execute it

Now you need to login as a user via ssh to spawn a shell.

After checking all of the users emails mindy has some ssh creds

Now login to mindys mail account

And you have a ssh password so start a nc listener on port 443 and login to ssh

Now you have a low privileged user as mindy

Download your tools and run

Looks like a root script which clears out tmp every few minutes.

Echo the following into the bottom of the file and set up a nc listener on port 444

After a few minutes you will receive a root shell to collect your flags:

Add persistence if needed:

PreviousBankNextMantis

Last updated 6 years ago

https://www.exploit-db.com/exploits/35513/