Vulnhub SolidState 1 Walkthrough

by Vince

As soon as I scanned this box, I knew my entry point.  What's the first rule of Fight Club?  You don't talk about Fight Club.  So I won't say where I got my first experience with a similar box but James and I are quite familiar with each other.  

In the description, it's mentioned that it was formerly on HackTheBox.  I've played on HackTheBox, pulled my hair out working on HTB boxes, and this seems like an easy box for HTB.  Or maybe it's hard and the entry was known to me.  I digress.

Performing our scan:

I'm homing in on James but I'll at least take a peek elsewhere for the time being.  Hitting the web port with Nikto:

Don't really find much so looking further with Gobuster:

Something is blocking my scans, and I have to reset the box because some mechanism keeps me from accessing port 80 any further.  I lose interest in enumerating further because I'm 100% certain I know the entry.

I'm jumping ahead but there are two things we need to know to get the James exploit to work:

1.  We need credentials for the James admin console -- the default is root : root
2.  We need ssh credentials.

First I try to access the James admin:

Ok, we're in.  Typing help shows us our list of commands.  Typing listusers gives us a list of... you guessed it... users:

I'm going to reset all of the accounts with the password of:  123456

Then I'm going credential hunting in their mailboxes:

And there you have it.  It's almost a shame to know this avenue because it's a fun little puzzle the first time around.

https://www.exploit-db.com/exploits/35513

We need to change our payload for this exploit:

With that small modification, we need to trigger the payload with an SSH login:

With our listener setup:

It's also worth noting that a direct SSH login ends up in a jailed session.  If you run echo $PATH in the payload session, you'll notice that session isn't jailed.

I scan the system with a Linux privilege escalation script:

From the results, I find a script running in /opt.  Looking at the script:

I see that the script is cleaning out the /tmp folder but what if we modify it:

I'm literally recycling the same line we used in the James exploit -- hey, if it works, why change it?

I save the file in my local www folder and then download it to the victim machine:

I download the file, copy it to /opt over the existing version, double check my script and now I'll set up a listener:

I wasn't counting but it was probably just a minute or two before I got my shell.  I check my id -- root! 
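The root cause of this escalation is a script under /opt that a low-privileged user can overwrite while root runs it on a schedule. Below is an added audit script of my own (not from this post or the box) that flags files a non-owner could modify; the directory and file names it builds are constructed for the demo, and it checks permission bits only, not who actually executes the file.

```python
"""Flag files under a directory that a non-owner could modify (the
condition behind the /opt script abuse in this walkthrough)."""
import stat
import tempfile
from pathlib import Path
from typing import List


def writable_by_others(path: Path) -> bool:
    """True if the file is group/world writable, or if its parent directory
    is world writable without the sticky bit (so it can simply be replaced)."""
    mode = path.stat().st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    parent_mode = path.parent.stat().st_mode
    return bool(parent_mode & stat.S_IWOTH) and not (parent_mode & stat.S_ISVTX)


def audit_dir(root: Path) -> List[str]:
    """Return paths (relative to root) of regular files a non-owner could modify."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and writable_by_others(p):
            hits.append(str(p.relative_to(root)))
    return hits


def demo() -> List[str]:
    """Build a constructed /opt look-alike in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        opt = Path(d)
        # Stand-in for the /tmp cleanup script found in the post (name constructed).
        cleaner = opt / "cleanup_tmp.py"
        cleaner.write_text("#!/usr/bin/env python3\nimport os\n# removes files from /tmp\n")
        cleaner.chmod(0o777)  # the misconfiguration: anyone on the box can edit it
        # A correctly permissioned script for comparison.
        safe = opt / "safe_script.sh"
        safe.write_text("#!/bin/sh\necho ok\n")
        safe.chmod(0o755)
        return audit_dir(opt)


if __name__ == "__main__":
    print(demo())  # → ['cleanup_tmp.py']
```

Run it against the real /opt (or any directory root executes from) with `audit_dir(Path("/opt"))`; anything it lists should be owned by root with mode 755 or tighter.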

There's a user flag in Mindy's home dir but as I stated previously, I'm not really into chasing flags.  I will state that I did try using the flag contents retrieved here on HTB and it appears these are not the same flags as what's being used on the HTB version of SolidState.