# SolidState

## SolidState - 10.10.10.51

### Target Enumeration:

OS: Linux

IP: 10.10.10.51

User: 914d0a4ebc177889b5b89a23f556fd75

Root: b4c9723a28899b1c45db281d99cc87c9

### Ports / Services / Software Versions Running

```
22/tcp   open  ssh          OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp   open  smtp         JAMES smtpd 2.3.2
80/tcp   open  http         Apache httpd 2.4.25 ((Debian))
110/tcp  open  pop3         JAMES pop3d 2.3.2
119/tcp  open  nntp         JAMES nntpd (posting ok)
4555/tcp open  james-admin  JAMES Remote Admin 2.3.2
```

### Vulnerability Exploited:

Apache James Server 2.3.2 - Remote Command Execution

<https://www.exploit-db.com/exploits/35513/>

### Privilege Escalation:

A root cron job runs /opt/tmp.py, which is world writable.
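The root cron job above escalates only because the script it runs can be modified by any user. As an added example (not part of the original write-up), the following Python script shows the defender-side audit for this class of misconfiguration: it parses /etc/crontab-style entries, resolves every absolute path in each root job's command, and reports any file that is world-writable, group-writable, or not owned by the expected user. The crontab text and the directory tree it points at are constructed inline (the entries and paths are hypothetical, modelled on the box's layout) so it runs offline.

```python
"""Audit cron entries for commands that point at writable scripts.

Added example, not code from the original write-up. It models the root cron
job on this box (/opt/tmp.py, world writable) and checks for that condition.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Constructed sample in /etc/crontab format (minute hour dom mon dow user command).
# These entries are hypothetical and only mirror the layout seen on the box.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/3 * * * * root python /opt/tmp.py
0 2 * * *   root /usr/local/bin/backup.sh --quiet
"""

# Five schedule fields (or an @reboot-style keyword), then user, then command.
CRON_LINE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(\S+)\s+(.*)$")


@dataclass
class Finding:
    path: str
    reason: str


def check_path(path: str, expected_uid: int) -> list:
    """Return findings for one file referenced by a cron command."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # A missing target is still worth reporting: whoever can create it owns the job.
        return [Finding(path, "referenced file does not exist")]
    if st.st_uid != expected_uid:
        findings.append(Finding(path, f"owned by uid {st.st_uid}, expected {expected_uid}"))
    if st.st_mode & stat.S_IWOTH:
        findings.append(Finding(path, "world-writable"))
    elif st.st_mode & stat.S_IWGRP:
        findings.append(Finding(path, "group-writable"))
    return findings


def audit_crontab(text: str, root_dir: str = "/", expected_uid: int = 0) -> list:
    """Parse crontab text and audit every absolute path used by a root job.

    root_dir lets the check run against a staged tree instead of the live
    filesystem; expected_uid is the owner a root-executed script should have.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        user, command = m.group(1), m.group(2)
        if user != "root":
            continue  # only jobs running as root lead to root
        for token in command.split():
            if token.startswith("/"):
                real = os.path.join(root_dir, token.lstrip("/"))
                findings.extend(check_path(real, expected_uid))
    return findings


def build_demo_tree() -> str:
    """Create a constructed directory tree with one bad and one good script."""
    base = tempfile.mkdtemp(prefix="cron-audit-")
    os.makedirs(os.path.join(base, "opt"))
    os.makedirs(os.path.join(base, "usr/local/bin"))
    bad = os.path.join(base, "opt/tmp.py")
    good = os.path.join(base, "usr/local/bin/backup.sh")
    with open(bad, "w") as f:
        f.write("#!/usr/bin/env python\nprint('cleaning /tmp')\n")
    with open(good, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(bad, 0o777)   # the misconfiguration the write-up relies on
    os.chmod(good, 0o755)  # owner-writable only: nothing to report
    return base


def run_demo() -> list:
    """Audit the constructed tree; expected owner is the current user here."""
    base = build_demo_tree()
    return audit_crontab(SAMPLE_CRONTAB, root_dir=base, expected_uid=os.getuid())


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding.path}: {finding.reason}")
```

On a live host, call `audit_crontab(open("/etc/crontab").read())` with the default `root_dir="/"` and `expected_uid=0`; the fix for any hit is `chmod o-w` (and `g-w`) on the script plus `chown root:root`, since a root job must only execute files root alone can change.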

### Exploiting the host:

Nmap

![](https://lh3.googleusercontent.com/nZoVzStFkdm1Oq07gZVPJRZDnIkx--n1uyEKYR_rM2dLGK8098kXZxrt_FoH3mrdxnz-1p1ocg0HeAJrw07XhkBmQ4DwfA4aJDSEOlsYgLcngVZzlt6R3DCI6dS17h3wYfOSigvh)

Nothing exploitable yet, so run a deep scan with nmap on Bank as it is faster:

![](https://lh3.googleusercontent.com/lYpBVC2Mb0dnJ6tXu1ahVHnCqqvNPdVlKsx5XwOolAWTIR9tFZGNv8eQmMioaS5Xb8NVlPDsLxCH5XVkaIbCL4I2eazOLKDHUxGm3kTdjywfeb8KBNGGbjJ4wXYfPUtRwbmq-F0n)

A new port, 4555/tcp, has been found running; we find the following default credentials:

![](https://lh5.googleusercontent.com/K-SdSWaajVYV3eU2hEcvshYqNYthad1NflsQLLHIYjVibcE7_1h8wm0UWsErSTRi0D5DFxVQIzdvawn4d4Jut2fNqU3FtokxbKYDf6uPYnm1aNeVDAwE8RwNSBaxbnJMyKznFRQs)

Online guides state to log in with telnet:

![](https://lh3.googleusercontent.com/YhhooD7Sust_229cAqTtnsYz4D6WbK8UREzbrJ71h0wwWNdC7T7eVsabDXXNLW-UtwGR0FeKQK5PofeaNayIfJUBz_QdLEWY-qnThyli0vcGlcwuUJ4Q5Xi14V8SgfZoTDgpbELF)

Searchsploit gives us an exploit to try:

![](https://lh5.googleusercontent.com/e6h10SV2kP7rpJHCNKylcATfLK3Y-uueJMV0NddlD922OrmsSLnuyKO5I0eoPnomQcihYbf0Lr93j_Iye6AjL4sCyphmAOpjLZUgEqg4c0Ls73lrhDxy-c_3_e-_MZSVJlZrN_Y6)

Modify the exploit:

<div align="left"><img src="https://lh4.googleusercontent.com/oY9klaTz6yzfhqAj2VjHktEFqDo25EOJTJ3EI3NHB0vWAJrP3-Jpaj0tq3A0MNMdJuFnbjkp6XY5L9EUN0w8v8IGmLen3GULLalgvQu20SXAHqdbcAsUWbmgo3UooW1oYyvhTvUa" alt=""></div>

Execute it:

<div align="left"><img src="https://lh4.googleusercontent.com/-hIN5RjpBSUMqbL7rt84_I3KF-xj0471Y5-xVKvYZGtCkZqcKMQ_tjMOA2juZuwH38tzTxnjUHm5Yk8HVw54CqiWpJAf9sRadonDAz-6ubYwTiVxc_FpAczXM1H-Yv5-mR2mVLuU" alt=""></div>

Now you need to log in as a user via SSH to spawn a shell.

After checking all of the users' emails, mindy's mailbox contains some SSH credentials:

<div align="left"><img src="https://lh5.googleusercontent.com/r_6mT4mkAgeAMZCWtq5gW9Ph3-gw59nSZrtuZmQDgZaBz1iY1_KJVozG7gS-eqrZvdT4IoZiTyTBo-cCHRnzrYeMgs8QeF0Tbk5FJ-sgOFX3HrczqowlbINAUg2VlI5ByVCw_cR5" alt=""></div>

Now log in to mindy's mail account:

<div align="left"><img src="https://lh6.googleusercontent.com/HiVSaznPdJBWA9iqYgboQDR4OSvy7dOUg5y5b3CpQZ5lgmtrFuUBIowr6PTdDrnCsNU5ICsmFQZy0iq59grYGbUd-ZkKVJa2V5zIt2Mj6oEyafHqfrZthV_xPg7hdb5wTy9MZj4a" alt=""></div>

You now have an SSH password, so start an nc listener on port 443 and log in via SSH:

![](https://lh3.googleusercontent.com/nz5ogVnrvsJzeEwq1ywh8O_eIm0PZas_UqjV_ruBybVDvJKqjasWzpe6d4sR2gt9s5vzxUkFH9fhP17yffMzsK8Dtv_qpTiD7B6XIv_lG24HoYJJlSVtcpz7ML4cK3e5kPROu54R)

Now you have a low-privileged shell as mindy:

<div align="left"><img src="https://lh3.googleusercontent.com/KLtr9dWVvOX9L61Xe4EcLNAPljQnqBRQSbdTKxeP9C8b-AiSnSYAmLykmIY5nT__TTA7KYp9sYP7w-bRJPAwPEiImpAGkWbArNMLQn-41svvjpNN4I4SVZkPzbWbPFe1x09pZOj_" alt=""></div>

Download your enumeration tools and run them:

![](https://lh3.googleusercontent.com/tJG_5uLU5oSOKqvtJYx-di_ukjIASi964cqWOhN1hUj1BFc8HLqEA-F0PSrxQarnY2P3O1f6lJYuJ32Op0Rbqf4woQhwOuRD7xyEQ9EFRFYGuIwog7qowlc1lo6RLfc1RRmyAF0k)

This looks like a root script that clears out /tmp every few minutes.

Echo the following into the bottom of the file and set up an nc listener on port 444:

![](https://lh5.googleusercontent.com/vnHXdwzCVbtm88V1aJfTTowq1gl33xnuyRI4mMUfkOxB-GQIu6exGfFQRkcNODD1lHuxD8FTyz3dBytNdGLh3YjfYrxzUkArZYgK8nL7QPxflEHGbbyXEmSnfzaOgt2XDSx11-ak)

After a few minutes you will receive a root shell to collect your flags:

<div align="left"><img src="https://lh6.googleusercontent.com/rzi8ClwNeh_S2rmL8LXLWjQ6vrFvVJBg7kGVk5maVI0-cVcuAhpFEnc1JAW80cTnrq7_pAmNLatxT5Ud9P82XP68hRIG2ZwOk5F8T6bHhW4_j3QB_dfxjYww9z7C5zN_khCDEn3_" alt=""></div>

Add persistence if needed:

![](https://lh4.googleusercontent.com/ne5Ngn50l_F3-u-POi5yKXswVG-NAyZBKd8WnK_OY0fyF3-dL4AWOqWeKRdSQ2gWF-90yq4k1TWD4rK1Eq8Guk8thOzKB49bu4sDpC-1WuyliI6oS4zwsXeJuIUSyjevhYBTrn-V)
