SOLIDSTATE
This is a medium-rated HTB machine, and the target IP is 10.129.123.8.
Let's start.
First, we look for open ports and running services with an nmap scan.
nmap -sC -sV -O -o nmp.txt 10.129.123.8
Full nmap scan:
nmap -sC -sV -p- -oA full 10.129.123.8
Directory fuzzing with gobuster turns up nothing important.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.129.123.8 -k -t 10
Connecting with telnet to port 110 on 10.129.123.8 gives us a username and password.
telnet 10.129.123.8 110
Connect to 10.129.123.8 with the command below and reset the passwords of all users.
nc 10.129.123.8 4555
After that, connect as mindy over SSH to get the user flag.
ssh mindy@10.129.123.8
If you examine the permissions on the /opt/tmp.py file, you'll notice that everyone has read, write, and execute access to it.
So all we have to do is modify the contents of the file to initiate a reverse shell to our attacking machine and then wait for the cron job to return a privileged shell.
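From the defender's side, the weakness above is a cron-executed file that any local user can change. The following audit is an added example, not part of the original write-up: it lists files referenced by a crontab that are world-writable or sit in a world-writable directory. The names audit_crontab and demo, and the sample crontab entries, are assumptions made for illustration.

```python
import os
import shlex
import stat
import tempfile


def audit_crontab(crontab_text):
    """Return (path, reason) for every file a cron line runs that any local user could change."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
            tokens = line.split()
        for tok in tokens:
            # Only absolute paths that exist as regular files are checked.
            if not (tok.startswith("/") and os.path.isfile(tok)):
                continue
            mode = os.stat(tok).st_mode
            parent = os.stat(os.path.dirname(tok)).st_mode
            if mode & stat.S_IWOTH:
                findings.append((tok, "file is world-writable"))
            elif parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
                # Without the sticky bit, anyone can replace files in this directory.
                findings.append((tok, "parent directory is world-writable"))
    return findings


def demo():
    """Constructed sample: a temp directory standing in for /opt and a made-up crontab."""
    d = tempfile.mkdtemp()
    weak, ok = os.path.join(d, "tmp.py"), os.path.join(d, "backup.py")
    for path, mode in ((weak, 0o777), (ok, 0o755)):
        with open(path, "w") as fh:
            fh.write("# placeholder\n")
        os.chmod(path, mode)
    crontab = (
        "# constructed crontab, schedule values are assumptions\n"
        "MAILTO=root\n"
        f"*/3 * * * * root python {weak}\n"
        f"@daily root {ok} --quiet\n"
    )
    return audit_crontab(crontab)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

On a real host, pass the contents of /etc/crontab and the files under /etc/cron.d to audit_crontab; anything it reports should be owned by root and have write access removed for other users.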