Stratosphere Box Writeup & Walkthrough – [HTB] – HackTheBox

This article shows how to hack the Stratosphere box and gain both user.txt and root.txt.

Stratosphere is a machine on the HackTheBox Platform.

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.


First, we scan the Stratosphere box for open ports and check whether any of the exposed services are weak.

[Screenshot: Ports Scan]

There are three ports open: 22/TCP is the SSH service, 80/TCP is a web service, and 8080/TCP is probably a Tomcat or WebLogic service.

An HTTP service is running on this box.

[Screenshot: HTTP Service]

We use dirb to enumerate the website. Great! We identify a sub-folder named “Monitoring”.

[Screenshot: Website Enumeration]

Then, we navigate to http://10.10.10.64/Monitoring/. The website redirects us to the following URL:

http://10.10.10.64/Monitoring/example/Welcome.action

As you may know, the “.action” extension belongs to Apache Struts, and Apache Struts has had several well-known vulnerabilities.

We try this exploit first: Struts-pwn.

Download the exploit to the local Kali machine, and then execute the following command to run the exploit.

python struts-pwn.py \
--url http://10.10.10.64:8080/Monitoring/example/Welcome.action \
-c 'id'

Great! The command id has been successfully executed, as shown in the screenshot below.

[Screenshot: Apache Struts RCE]

Next, we need to find a way to get user.txt. First, we read the /etc/passwd file to identify the username.

[Screenshot: Stratosphere /etc/passwd File]

We find that the username is richard. Then, we attempt to list Richard’s home folder. Because we are running as a low-privileged account, we do not have permission to read Richard’s home folder.

[Screenshot: Insufficient Privilege]

Although we are not able to read other users’ home folders, we should be able to read the web folder (the Tomcat folder).

[Screenshot: List Tomcat Folder]

We are then able to read the config file and obtain the MySQL database password.

[Screenshot: Obtain MySQL Database Credential]

You may have noticed that during enumeration the MySQL port (3306) was not open. This indicates that the MySQL service is listening only on the local address (127.0.0.1).

Right now, we have:

  1. Remote command execution;
  2. The MySQL password;
  3. MySQL can only be connected to on the local IP address.

We can now use the remote command execution to create a bash script that connects to the local MySQL instance and pulls sensitive information out of the database.

python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c 'echo "#!/bin/bash" > /tmp/1.sh'
python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c 'echo "mysql -uadmin -padmin -D users << EOF" >> /tmp/1.sh'
python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c 'echo "select * from accounts;" >> /tmp/1.sh'
python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c 'echo "EOF" >> /tmp/1.sh'

After we execute the above script (/tmp/1.sh), we get the following row from the accounts table:

Richard F. Smith 9tc*rhKuG5TyXvUJOrE^5CK7k richard

Now we have Richard’s password and can log in to the server via SSH as richard.

[Screenshot: Stratosphere User.txt]

We then work on privilege escalation. First, we check the sudo list to see what we can run with sudo.

[Screenshot: Stratosphere Sudo]

Then, we check the Python script that the sudo entry allows us to run.

[Screenshot: Stratosphere Python Script]

It seems that we need to crack the MD5 hash. However, there is an easier way.

We can just inject the following code at the prompt, and we get root.txt:

__import__('os').system('cat /root/root.txt')
[Screenshot: Stratosphere Root.txt]
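Why the injection above works, and how the script should have been written, as an added example that is not the box's own script: Python 2's input() is eval(raw_input()), so whatever is typed at the prompt is evaluated as a Python expression before the hash is ever compared. The challenge hash, the answer "letmein" and the SIDE_EFFECTS marker are all constructed for this example.

```python
"""Constructed hash-answer prompt, shown with Python 2 input() semantics and then hardened."""
import hashlib
import hmac

# Constructed challenge: the script stores only the MD5 of the expected answer "letmein".
EXPECTED_MD5 = hashlib.md5(b"letmein").hexdigest()

# Marker list: only the vulnerable path can ever append to it, because only it evaluates input.
SIDE_EFFECTS = []


def check_vulnerable(user_text: str) -> bool:
    """Mirrors the Python 2 script: input() == eval(raw_input()), so the text is evaluated first.

    eval() here deliberately reproduces the unsafe behaviour; never use it on untrusted input.
    """
    answer = eval(user_text)  # evaluates before any hash comparison happens
    if not isinstance(answer, str):
        return False
    return hashlib.md5(answer.encode()).hexdigest() == EXPECTED_MD5


def check_hardened(user_text: str) -> bool:
    """Treats the text as an opaque string (raw_input / Python 3 input) and compares digests in constant time."""
    digest = hashlib.md5(user_text.strip().encode()).hexdigest()
    return hmac.compare_digest(digest, EXPECTED_MD5)


if __name__ == "__main__":
    # The vulnerable version needs the answer quoted, because it is eval'd as Python.
    print(check_vulnerable("'letmein'"))  # True
    print(check_hardened("letmein"))      # True
    # An expression with a side effect runs under the vulnerable version before any comparison.
    check_vulnerable("SIDE_EFFECTS.append('code ran')")
    print(SIDE_EFFECTS)                   # ['code ran']
    # The hardened version never evaluates it; the same text is just a wrong answer.
    print(check_hardened("SIDE_EFFECTS.append('code ran')"))  # False
```

Running the script with sudo is what turns the eval into a root shell, so the fix is both the string comparison shown here and not granting sudo to scripts that read untrusted input.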

This box is not very complicated, and it is very strict. Everything is there; you just need to know what you need to do. Due to the poor network connection, I spent most of the time on the port scan and enumeration. Attacking the server only took a few hours.