HackTheBox – SolidState

SolidState is labeled as a “medium” level machine so I decided to take on this for my next target.

Port 80 is hosting a web server, let’s see what we get here.

So after trying multiple options including SQL injection on the site, finding hidding diretories with dirbuster, it seems that the next step is to check the interesting port 4555.

NetCat

After searching on Google, “James remote administration tool default password” I was able to identify the default password is root:root. With netcat, we can establish connection to that port.

nc 10.10.10.51 4555

After check the help options, it looks like I was able to add a new user.

nc 10.10.10.51 4555

At this point I was not able to find additional options with the help command. If we look back at the enumeration scan, we can see that pop 3 for email is opened. Maybe we can reset some user names and read some emails?

Resetting james user password

Telnet

telnet 10.10.10.51 110

Looks like james does not contain any emails. We have to try a few more users until we find the correct one.

After trying thomas, and john, it appears that John could have some userful information.

user joh

The message contained inside john’s account is the following:

retr 1

Looks like the next clue would be in mindy’s account.

There’s two messages on mindy’s account

and

P@55W0rd1!2@

Bingo! We have mindy’s ssh password. Now we can connect to her account through port 22.

First Flag

We have our first flag. Now let’s move forward into elevating our privileges.

Privilege Escalation

We will need to escape out of our currently shell since it appears to be restricted. This is where I had to take a step back and check the other ports. I was not able to move forward with the restricted shell.

Looking back at the enumeration, we can see that there are two James 110 and 199 ports. By doing some research, we can find James pop3d 2.3.2 have some vulnerabilities that we can take advantage of.

I downloaded the exploit from this website.

James exploit

On the payload section, we can enter our custom command that will run on the victim’s machine. If we carefully think about this, we need to input a command that will run on the server and will give us unrestricted command access. This sounds like a reverse SSH or NetCat connection that we can use to elevate our privileges.

Lessons Learned

This virtual Machine has taught us two important points in systems security.

  • No one should be sharing passwords through email servers. Users should be given a one time expiration link where they can set up their passwords through a secured portal. As you can see through this tutorial, we were able to successfully login to the email server using a known vulnerability.
  • POP3 email servers should have strong.
  • Services like James Remote Administration Tool should have their default Admin password changed.

Leave a Reply

Your email address will not be published. Required fields are marked *