Stratosphere Box Writeup & Walkthrough – [HTB] – HackTheBox

Introduction

Stratosphere is a machine on HackTheBox.

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.

This article shows how to compromise the Stratosphere box and obtain user.txt and root.txt.

Stratosphere Box

Collection

First, we scan the Stratosphere box for open ports and see whether any of the services are weak.

[Screenshot: StratosphereBox]

There are three open ports: 22 is SSH, 80 is a web server, and 8080 may be Tomcat, WebLogic, or something similar.

Hack the Stratosphere Box

Hack the Stratosphere box http service

An HTTP server is running on this box, so let’s start with this service. Open a browser and visit the website.

[Screenshot: StratosphereBoxWeb]

It looks like the right way in. Next, we use dirb to enumerate the web content.

[Screenshot: StratosphereBoxEnumSmall]

Unluckily, we did not find anything, so I tried a bigger wordlist to see if we could find something.

[Screenshot: StratosphereBoxEnumBig]

Finally, we find a sub-folder named “Monitoring”.

When we visit http://10.10.10.64/Monitoring/, it redirects to http://10.10.10.64/Monitoring/example/Welcome.action.

[Screenshot: StratosphereBoxMonitoring]

Hack Apache Struts

As you may know, the “.action” extension is a telling one: it is the Apache Struts extension, and there are many known vulnerabilities for this framework.

We try this exploit first: Struts-pwn.

Clone it with git, and then run it.

python struts-pwn.py --url http://10.10.10.64:8080/Monitoring/example/Welcome.action -c 'id'

We can see that the command was executed.

[Screenshot: StratosphereBoxRunCommand]

Get User.txt

Next, we need to find a way to get user.txt. First, read /etc/passwd to identify the user name.

[Screenshot: StratosphereBoxPasswd]

The user name is richard. Let’s try to list richard’s home folder.

[Screenshot: StratosphereBoxNoPermission]

Permission is denied. But since the current user is “tomcat8”, we should be able to read the web folder, and the web files may contain a MySQL password.

[Screenshot: StratosphereBoxWebFolder]

There are several folders and files; we may find sensitive information in them.

We read the “db_connect” file and get the MySQL password.

[Screenshot: StratosphereBoxDBPass]

You may have noticed that the port scan at the beginning did not show the MySQL port (3306) as open. This means MySQL is listening only on the local address (127.0.0.1).

Right now, we have:

  1. Remote command execution;
  2. The MySQL password;
  3. MySQL only accepts connections on the local address.

In my experience, we can use the remote command execution to create a bash script that connects to the local MySQL instance and pulls sensitive information from the database.

python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c 'echo "#!/bin/bash" > /tmp/1.sh'
python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c 'echo "mysql -uadmin -padmin -D users << EOF" >> /tmp/1.sh'
python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c 'echo "select * from accounts;" >> /tmp/1.sh'
python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c 'echo "EOF" >> /tmp/1.sh'

After running these commands, a 1.sh file is created in /tmp with the following content:

[Screenshot: StratosphereBox1sh]

Then we run this script and get the following information:

Richard F. Smith 9tc*rhKuG5TyXvUJOrE^5CK7k richard

Now we have richard’s password. Log in as richard via SSH.

[Screenshot: StratosphereBoxUserTxT]

Get Root.txt

Next, we work on privilege escalation.

First, check the sudo list to see what we can run with sudo.

[Screenshot: StratosphereBoxSudo]

Then we look at that Python script.

[Screenshot: StratosphereBoxTestPy]

It looks like a password-cracking exercise… But we are hackers; we do not need to do that.

As you may know, Python 2 has a well-known weakness here that lets us inject code.

We just inject the following code and get root.txt:

__import__('os').system('cat /root/root.txt')

[Screenshot: StratosphereBoxRoottxt]
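The payload above works against the Python 2 built-in input(), which is eval(raw_input()): the typed line is evaluated as an expression before the script sees it. The Python 3 snippet below is an added example, not code from the original post or from the box’s test.py; it emulates that weak reader beside two hardened readers, and it assumes (the script is only shown as a screenshot) that input() is test.py’s weak point. The function names are mine.

```python
"""Python 2's input() is eval(raw_input()). Emulated here in Python 3 so the
weak reader and its hardened replacements can be compared side by side."""
import ast


def py2_style_input(line: str):
    """Emulates the Python 2 input() builtin: the line is evaluated as code.
    Any expression typed here runs with the script's privileges, which is why
    a one-liner is enough when the script is executed via sudo.
    Intentionally unsafe; only ever call it with trusted text."""
    return eval(line)  # deliberate: this is the weak pattern being shown


def safe_input(line: str) -> str:
    """Hardened reader: the text is kept as an opaque string and never
    evaluated (raw_input() in Python 2, input() in Python 3). A candidate
    password should be read this way and compared, never evaluated."""
    return line.rstrip("\n")


def safe_literal(line: str):
    """When the typed value really must be a Python literal (an int, a list),
    ast.literal_eval accepts only literals and rejects calls, attribute
    access and imports, so an injection string cannot execute."""
    return ast.literal_eval(line)


def is_literal_only(line: str) -> bool:
    """True if safe_literal() accepts the line, False if it is rejected."""
    try:
        ast.literal_eval(line)
    except (ValueError, SyntaxError):
        return False
    return True


# Constructed sample inputs: a benign expression, and the injection string
# from the write-up, which is never passed to the weak reader here.
BENIGN = "2 + 3"
INJECTION = "__import__('os').system('cat /root/root.txt')"

if __name__ == "__main__":
    print("py2 input() of", repr(BENIGN), "->", py2_style_input(BENIGN))
    print("safe_input keeps the payload inert:", repr(safe_input(INJECTION)))
    print("literal_eval accepts the payload?", is_literal_only(INJECTION))
```

The sudo rule is the other half of the problem: even with input() replaced, a script that evaluates user text should not be runnable as root.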

Summary

This box is not very complicated; everything is there, you just need to know what to do. For example, if you don’t recognise Apache Struts, you will probably get stuck. Most of my time was spent on enumeration (because I am in Australia, the connection to the HTB server is slow). I would rate the difficulty of this box around 4/10.

See also the other HackTheBox write-ups.