SolidState machine is a vulnerable machine with Linux operating system among retired machines. We are expected to have user and root privileges by using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine
Classic Scan
Full Port Scan
Network scan results “22/tcp ssh OpenSSH 7.4p1, 25/tcp smtp JAMES smtpd 2.3. 2, 80/tcp http Apache httpd, 110/tcp pop3 JAMES pop3d, 119/tcp nntp JAMES nntpd, 4555/tcp rsip, 631/udp open|filtered ipp, 1900/udp open|filtered upnp, 5353/udp open|filtered zeroconf” ports are open.
Since these port numbers are many, let’s do vuln scan.
We can’t detect a vuln. Let me try to connect to the interesting ports with nc
We connected to port 4555 with nc and it was asking us for crendetial information, so we tried the default paros and detected the root root user.
We have changed all user’s passwords to pass. Let’s connect to it with telnet tool because of pop3 protocol
Connection made in user Mindy
USER mindy
PASS pass
List with mails high schooled
Second mail read with rejection 2
We have detected the ssh credentials information for the mindy user in the mail content. Let’s provide ssh connection using this information
username: mindy
pass: P@55W0rd1!2@
Here we got our shell connection, we got our user flag, but we could not even run the cd command, it gave rbash error (Restricted Shell).
Here we disconnect the ssh connection and provide ssh connection in this form
Ssh mindy@10.10.10.51 -t bash
In this way we run all bash commands. Since we don’t have root privileges, we provide local enumeration.
Here in the writable files section, let’s read the remarkable contents of /opt/tmp.py
This commuy deletes everything under the /tmp/ directory, let’s try to write our bsah script that will give us revershell in the os.system parenthesis with the vi editor
After editing, we’ll put our necta on hold.
This is how we got root authorization