SolidState

This is my write-up for the Hack The Box machine called SolidState, located at: https://app.hackthebox.com/machines/SolidState.

nmap scan:

The basic nmap scan shows 4 ports open. However, in the machine tags, we see the following:

It seems that our basic nmap scan did not catch any web ports (80 or 443). I then ran a deeper nmap scan (nmap -T4 -A -v -Pn 10.10.10.51 -oN solidstate.nmap), which showed that port 80 is open as well:

Going to the website, we see a message submission box:

Maybe this could be used for command execution or a reverse shell? I then ran dirsearch (dirsearch -e php,html,js,cgi,bak,txt -u http://10.10.10.51 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt) against the IP address to see which paths we have access to:

Looking at the files in those directories led me to a dead end. I then wanted to enumerate the SMTP users to see whether there is a user whose mailbox I can get access to. I ran the command smtp-user-enum -M VRFY -U rockyou.txt -t 10.10.10.51 for this. After the program had run for a while without any result, I stopped it. I then found a Metasploit module targeting exactly this version:

I tried various settings to get it to work, but I was not able to do so. While browsing this exploit in Metasploit, I noticed that the default credentials loaded into the module were root:root. I had a hunch that I should try them out, but I did not follow it. Looking at the official Hack The Box write-up for this machine, I realized that I was right. I also found out that my nmap scan had missed port 4555. I was able to log in to the service on that port using those credentials:

When we run listusers we see the following:

After I was stuck for a while, I found out from the official write-up that I was looking at the wrong exploit, and the correct one was: https://www.exploit-db.com/exploits/35513. I also learned that we have to modify this exploit to make it work. If we go to this GitHub page (swisskyrepo) we can see commands we can use for reverse shells. I then added one of the Bash TCP payloads and edited the Python file:

On another terminal, I ran a netcat listener to wait for the reverse shell:

After running the Python script in another terminal, you get the following message:

The payload was submitted, but I was not able to get a shell. I realized the netcat listener was not going to come in handy for this, so I closed it. The official write-up stated that I should change the password for the user mindy and then log in to her account:

Reading the second email shows us the following:

We can then use these credentials to log in over SSH and get the user flag:

Running commands like wget was showing me an error:

I then found this website that showed me how to escape the rbash restricted shell:

I then uploaded linpeas.sh to the machine using python3:

For a reason unknown to me, the linpeas.sh script would not run all the way through. I then tried the LinEnum.sh script, and that was able to go through. However, it did not show me files that I was able to read/write to on the system. I then viewed the official write-up and this write-up to learn that there was a Python file in the /opt/ directory:

I tried to overwrite the file with my own, but I did not have permissions to do so:

I found out I can echo strings into the file:

I had a netcat listener set up on another terminal. Then, one line at a time, I echoed commands into the file until I had this:

After a minute, I had the root shell:
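The root cause here is a script that root runs on a schedule but that an unprivileged user can append to. As an added example (not part of the original write-up), the audit below parses system-crontab entries and flags scheduled scripts that are world-writable, group-writable, or owned by a non-root account while running as root; the crontab lines, paths and permissions are constructed samples, not values from the box.

```python
import os
import stat

# Constructed crontab text in /etc/crontab format (placeholder paths, not from the machine)
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/3 * * * * root /opt/example_job.py
0 2 * * * root /usr/local/bin/backup.sh --quiet
@reboot root /opt/start.sh
"""

# Constructed (mode, owner uid) pairs standing in for what os.stat would report
SAMPLE_STAT = {
    "/opt/example_job.py": (0o777, 0),      # rwxrwxrwx: any user can append commands
    "/usr/local/bin/backup.sh": (0o755, 0),  # root-owned, only root can write: fine
    "/opt/start.sh": (0o775, 1000),          # non-root owner, yet executed as root
}

def scheduled_scripts(crontab_text):
    """Return (user, script_path) for every job in system-crontab format."""
    jobs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # '@reboot'-style entries have one schedule field, others have five
        n = 1 if parts[0].startswith("@") else 5
        if len(parts) < n + 2:
            continue
        jobs.append((parts[n], parts[n + 1]))
    return jobs

def check_script(mode, owner_uid, run_as):
    """Return why a script run as `run_as` is modifiable by others, or None if it is not."""
    if run_as == "root" and owner_uid != 0:
        return "owned by uid %d but executed as root" % owner_uid
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        return "group-writable"
    return None

def audit(crontab_text, stat_lookup):
    """stat_lookup(path) -> (mode, uid) or None; returns (script, user, reason) findings."""
    findings = []
    for user, script in scheduled_scripts(crontab_text):
        info = stat_lookup(script)
        if info is not None:
            reason = check_script(*info, run_as=user)
            if reason:
                findings.append((script, user, reason))
    return findings

def live_stat(path):
    """Real-filesystem lookup for use on a host: audit(open('/etc/crontab').read(), live_stat)."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return (stat.S_IMODE(st.st_mode), st.st_uid)

if __name__ == "__main__":
    for script, user, reason in audit(SAMPLE_CRONTAB, SAMPLE_STAT.get):
        print(f"{script} (run as {user}): {reason}")
```

Passing `live_stat` instead of `SAMPLE_STAT.get` runs the same check against the real crontab and filesystem of the host being reviewed.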
