This post documents the complete walkthrough of SolidState: 1, a boot2root VM created by Ch33z_plz, and hosted at VulnHub. If you are uncomfortable with spoilers, please stop reading now.

Background

It’s originally created for HackTheBox.

Information Gathering

Let’s start with a nmap scan to establish the available services in the host.

# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.20.130
...
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp    syn-ack ttl 64 JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (192.168.20.128 [192.168.20.128]), PIPELINING, ENHANCEDSTATUSCODES,
80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp  open  pop3    syn-ack ttl 64 JAMES pop3d 2.3.2
119/tcp  open  nntp    syn-ack ttl 64 JAMES nntpd (posting ok)
4555/tcp open  rsip?   syn-ack ttl 64
| fingerprint-strings:
|   GenericLines:
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for
|_    Login id:

nmap finds a couple of open ports. JAMES 2.3.2 sure brings back memories. :wink:

JAMES Remote Administration Tool 2.3.2

Heck. This is screwed up.

629c36fb.png

Let’s list down the users with listusers.

8cd5a986.png

I have an evil idea. Let’s change all the users’ password to their usernames.

69947cb7.png

Reading Other’s Emails

Now that I have changed all the passwords, I can log in to their POP3 account to read their emails.

30b3d5bc.png

You can see that James asked John to send Mindy a temporary password for SSH access.

756a4ea3.png

Let’s see if the password is valid.

Low-Privilege Shell

227b5cb6.png

The password works but we have a small problem.

600ffd3d.png

Bypass Restricted Shell

This is almost trivial to bypass. We know SSH allows us to execute commands upon login. With this in mind, we can do something like this.

fdb63dcc.png

Privilege Escalation

During enumeration of mindy’s account, I found a world-writable file /opt/tmp.py. Here’s how it looks like.

b832b86f.png

If I had to guess, I would say this is run by crontab under root’s account. Let’s replace it with something special. :smiling_imp:

cb88cc77.png

About three minutes later, a root shell appears.

e2b80d6f.png

What’s the Flag?

1f886db9.png

:dancer:

Afterthought

Here’s the user’s flag for completeness sake.

f55b594c.png