SolidState HackTheBox Walkthrough

1. Enumeration

Port 80 enumeration first, though the JAMES Remote Admin 2.3.2 banner on port 4555 looks a bit dubious!

While dirbuster runs, we can search for a James Remote 2.3.2 exploit with searchsploit!

Looks like we found something!

Details of the exploit; let's copy it somewhere in case we need it later while we wait for dirbuster! It says the default credentials for the James Remote Admin Tool are root/root, which looks important!

So it works here: some sort of payload is inserted, and it will be executed when somebody logs in (bash sources every file in /etc/bash_completion.d for an interactive login, which is why the exploit writes there)... which also means root/root is correct for the James Remote Admin tool.

And here's what we got from dirbuster. I went through the directories; they were not important, and I did not find any secret text files or useful credentials!

Which means the James server is the way in. Let's log in to port 4555.

Ah. We managed to log in, and we have several commands to start with.

So first, listusers shows 6 users; ../../../../../../../../etc/bash_completion.d exists because the exploit we ran earlier added it.

Next we reset everyone's password with setpassword so we can read all of their mailboxes on port 110 (this locks the real users out of their mail, which is fine on a lab box but worth remembering on a real engagement)! Remember that port 25 (SMTP) is used to send email, while port 110 (POP3) is used to retrieve it!

And here's John's mail: a message asking him to restrict Mindy's access and to give her a "tempory" (temporary) password to log in to her accounts! So let's check Mindy's mail!

And this is what Mindy got: mindy:P@55W0rd1!2@. We have her credentials now!

Now we can access Mindy's account via SSH, and of course the ../../../etc/bash_completion.d file triggers on login!

Oh no. It's rbash, just when I thought the exploit was not needed. Hahaha, I guess it's not THAT easy.

2. Exploitation

Alright, let's review the exploit code from earlier; I believe it needs some modification.

In the Python code there is a payload field, which is where we put the command we want executed in order to get a reverse shell. The script adds a James user called ../../../../../../../../etc/bash_completion.d, then sends a mail to that user with the payload in the body. James stores each user's mail in a directory named after the user, so the message is written as a file under /etc/bash_completion.d/, and bash sources every file in that directory at each interactive login. Previously we ran the exploit with its default payload, which only touches a file under /root if the login happens to be root, and that's why nothing happened for us!

So it looks like we need to replace the payload with a reverse shell, remove the existing user and run the exploit again!

So first, for the payload, I will use netcat's reverse shell...

Ensure the user is removed (deluser in the admin console); otherwise adduser in the script fails because the user already exists.

Run the exploit script.

Check that the user now exists.

And we SSH into 10.10.10.51 as mindy...

And our netcat listener picks up the incoming connection.

user.txt is now ours!

Oh, strange that sudo is not found. This is most likely because the reverse shell inherited the restricted PATH that rbash set for mindy, so only her own bin directory is searched.

We checked that wget is available, so now we use linuxprivchecker to help with privilege escalation.

3. Privilege Escalation

First we start an HTTP server on our machine to host the script.

Use wget to retrieve the file on the target.

Set the execute bit so we can run the file.

After linuxprivchecker runs there is a long list of enumerated items; only one stood out, the world-writable files. I would have expected linuxprivchecker.py to be the only world-writable file, since I had used chmod 777 on it, but /opt/tmp.py is also world-writable, and it is owned by root and, as we'll see, run as root. So we have to check it out!

tmp.py is a short script that runs rm -r on /tmp, i.e. it recursively removes what's in the tmp directory...

It does not appear in any crontab we can read (root's own crontab under /var/spool/cron is not readable by other users), so how do we know it is executed at all, and how often? We can test by putting a file into /tmp and timing how long it takes to disappear.

Since our HTTP server is still up, we wget linuxprivchecker.py into /tmp (although I could have just copied or moved the file over).

And true enough, it disappears after 2-3 minutes! Something, most likely a root cron entry that mindy cannot read, runs the script on that schedule.

So now the rest is simple: we can either append a reverse shell line to the script or replace it entirely, start a listener, and wait for the next scheduled run.
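The two checks that found and confirmed this path (world-writable files that root runs, and the canary test for how often /tmp is cleared) as an added Python audit script. This is example code written for this page, not linuxprivchecker and not part of the original writeup; the directory list it sweeps and the canary timeout are assumptions.

```python
import os
import stat
import time

# Directories to sweep; /opt is where the writeup found tmp.py. Assumed list.
SCAN_ROOTS = ["/opt", "/etc", "/usr/local/bin"]


def world_writable_files(roots):
    """Return (path, uid, mode) for every regular file under roots that any
    user may write. Symlinks are not followed (lstat), so a link into /tmp
    is not reported as a writable target."""
    found = []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                    found.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return found


def unsafe_reasons(path):
    """Why a script is unsafe to run from root's cron: the file itself, or any
    directory on the way to it, can be edited or replaced by a non-root user.
    A world-writable directory with the sticky bit (/tmp) is tolerated because
    other users' entries there cannot be renamed or deleted."""
    reasons = []
    cur = os.path.abspath(path)
    while True:
        try:
            st = os.lstat(cur)
        except OSError as exc:
            reasons.append("cannot stat %s: %s" % (cur, exc))
        else:
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_uid != 0:
                reasons.append("not owned by root: %s" % cur)
            if st.st_mode & stat.S_IWOTH and not sticky_dir:
                reasons.append("world-writable: %s" % cur)
            if st.st_mode & stat.S_IWGRP and st.st_gid != 0 and not sticky_dir:
                reasons.append("writable by a non-root group: %s" % cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    return reasons


def wait_for_removal(path, timeout, interval=5.0):
    """Canary check: poll until path disappears and return the seconds it took,
    or None if it is still there after timeout seconds. Dropping a file in
    /tmp and timing it is how the writeup found the 2-3 minute schedule."""
    start = time.monotonic()
    while os.path.exists(path):
        if time.monotonic() - start >= timeout:
            return None
        time.sleep(interval)
    return time.monotonic() - start


if __name__ == "__main__":
    for path, uid, mode in world_writable_files(SCAN_ROOTS):
        print("%s uid=%d mode=%o" % (path, uid, mode))
        for reason in unsafe_reasons(path):
            print("   ", reason)
    canary = "/tmp/canary-%d" % os.getpid()
    open(canary, "w").close()
    took = wait_for_removal(canary, timeout=600)   # assumed: give up after 10 min
    print("canary removed after %.0f s" % took if took is not None else "canary survived")
```

A file that shows up in the first list with "world-writable" in its reasons and "not owned by root" absent is exactly the /opt/tmp.py situation: root owns it, root runs it, and anyone can change what it does. The fix on the defending side is the mirror image of the check: chmod 755, root ownership on the file and every parent, and no group write unless the group is root.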

And we are root!

Root flag!

Overall the difficulty of this machine is not that high; the nmap enumeration alone would have highlighted James Remote Admin as the attack vector!

I guess that’s all! Till next time!