Stratosphere Box Writeup & Walkthrough – [HTB] – HackTheBox
This article shows how to hack the Stratosphere box and gain both user.txt and root.txt.
Introduction
Stratosphere is a machine on the HackTheBox Platform.
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.
This article shows how to hack the Stratosphere box and gain user.txt and root.txt.
Enumeration
First, we scan the Stratosphere box for open ports and check whether any of the exposed services are weak.
There are three open ports: 22/TCP is SSH, 80/TCP is a web service, and 8080/TCP is probably Tomcat or WebLogic.
Hack Stratosphere Box
Obtain User.txt
Attack Stratosphere HTTP service
An HTTP service is running on this box.
We use dirb to enumerate the website. Great! We identify a sub-folder named “Monitoring”.
Then, we navigate to the website: http://10.10.10.64/Monitoring/. The website redirects us to the following URL:
http://10.10.10.64/Monitoring/example/Welcome.action
Attack Apache Struts
As you may know, the “.action” extension is used by Apache Struts, and there are several known vulnerabilities in Apache Struts.
We try this exploit first: Struts-pwn.
Download the exploit to the local Kali machine, and then execute the following command to run it.
Great! The command id has been executed successfully, as shown in the screenshot below.
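From the defender's side, the kind of request the exploit above sends is visible in the Tomcat access log as a request to a .action endpoint whose query string carries OGNL expression syntax. The following scanner is an added example written for this writeup, not part of the original post or of the Struts-pwn tool; the log lines, the client address and the marker list are constructed assumptions, and the double URL-decoding reflects the common habit of encoding payloads twice.

```python
import re
from urllib.parse import unquote

# Constructed sample Tomcat access-log lines in combined format (not taken from the box).
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2024:10:00:01 +0000] "GET /Monitoring/example/Welcome.action HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.10.14.2 - - [01/Jan/2024:10:00:05 +0000] "GET /Monitoring/example/Welcome.action?name=%2525%257B1%252B1%257D HTTP/1.1" 500 0 "-" "python-requests/2.25"
10.10.14.2 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html?q=%24%7Bfoo%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.2 - - [01/Jan/2024:10:00:12 +0000] "POST /Monitoring/example/HelloWorld.action HTTP/1.1" 500 0 "-" "python-requests/2.25"
"""

# One combined-format line: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expression markers that never belong in a legitimate request to a Struts action
# (assumed list; extend it from your own IDS signatures).
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "#context")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Decode twice: payloads are frequently double-encoded to slip past naive filters.
    entry["decoded"] = unquote(unquote(entry["target"]))
    return entry


def is_struts_action(target):
    """True when the request path (query string stripped) is a Struts action endpoint."""
    path = target.split("?", 1)[0]
    return path.endswith(".action")


def suspicious(entry):
    """Return the OGNL markers present in a request to a Struts action ([] if clean)."""
    if not is_struts_action(entry["decoded"]):
        return []
    return [marker for marker in OGNL_MARKERS if marker in entry["decoded"]]


def scan(log_text):
    """Scan a whole log and return (client, decoded request, markers) per suspicious line."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = suspicious(entry)
        if hits:
            alerts.append((entry["client"], entry["decoded"], hits))
    return alerts


if __name__ == "__main__":
    for client, request, hits in scan(SAMPLE_LOG):
        print(f"{client} -> {request}  markers={hits}")
```

Only the second sample line is reported: it targets a .action endpoint and, once decoded, contains `%{`. The third line carries `${` but is not a Struts action, so it is ignored. Note that Struts exploit variants that place the expression in a request header (for example Content-Type) are invisible to a default access log; for those, log the relevant headers at the reverse proxy or WAF and run the same marker check there.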
Obtain User.txt
Next, we need to find a way to get user.txt. First, read the /etc/passwd file to identify the username.
We find that the username is richard. Then, let’s attempt to list Richard’s home folder. Because we are running as a low-privileged account, we do not have permission to read Richard’s home folder.
Although we are not able to read other users’ home folders, we should be able to read the web folder (the Tomcat folder).
We are then able to read the config file and obtain the MySQL database password.
You may have noticed during enumeration that the MySQL port (3306) is not open. This means that the MySQL service is listening only on the local address (127.0.0.1).
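The root cause of this step is a configuration file containing a database password that the web service account can read. The audit below is an added example for this writeup, not code from the original post or from Tomcat; it builds a small constructed directory tree (placeholder password, not the box's real one) that stands in for a Tomcat configuration directory, reports every secret-bearing file that is world-readable, and tightens the permissions.

```python
import os
import re
import stat
import tempfile

# Keys that commonly carry secrets in Tomcat, Struts and JDBC configuration files
# (assumed list; extend it for your own stack).
SECRET_KEY_RE = re.compile(r'(?i)\b(password|passwd|pwd|secret)\s*[=:]\s*\S+')


def world_readable(path):
    """True when the 'other' read bit is set, i.e. any local account can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_exposed_secrets(root):
    """Walk root and return one finding per secret-like key, with its permission status."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    content = fh.read()
            except OSError:
                continue  # unreadable or vanished file: nothing to report from here
            for match in SECRET_KEY_RE.finditer(content):
                findings.append({
                    "path": path,
                    "key": match.group(1).lower(),
                    "world_readable": world_readable(path),
                })
    return findings


def harden(path):
    """Restrict a secret-bearing file to its owner (0600) and return the new mode bits."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def build_demo_tree():
    """Constructed stand-in for a Tomcat config directory; the password is a placeholder."""
    root = tempfile.mkdtemp(prefix="cfgaudit_")
    db_conf = os.path.join(root, "db.properties")
    with open(db_conf, "w") as fh:
        fh.write("jdbc.url=jdbc:mysql://127.0.0.1:3306/app\n")
        fh.write("jdbc.user=app\n")
        fh.write("jdbc.password=PLACEHOLDER-NOT-A-REAL-PASSWORD\n")
    os.chmod(db_conf, 0o644)  # the weak setting: readable by every local account
    server_conf = os.path.join(root, "server.xml")
    with open(server_conf, "w") as fh:
        fh.write('<Server port="8005" shutdown="SHUTDOWN"/>\n')
    os.chmod(server_conf, 0o640)  # no secret inside, so it is not reported
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for finding in find_exposed_secrets(demo_root):
        flag = "WORLD-READABLE" if finding["world_readable"] else "ok"
        print(f"{finding['path']}: key={finding['key']} [{flag}]")
        if finding["world_readable"]:
            print(f"  hardened to {oct(harden(finding['path']))}")
```

Run as the service owner or root, with root pointed at the real configuration directory. A file that must stay readable by the Tomcat account but not by the low-privileged account the web shell runs as should be owned by the Tomcat user with mode 0600; better still, move the credential out of the file into an environment variable or a secrets store, since a readable file was the whole pivot on this box.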
Right now, we have:
- Remote command execution;
- The MySQL password;
- MySQL can only be connected to on the local address.
We can now use the remote command execution to create a bash script that connects to the local MySQL instance and retrieves sensitive information from the database.
After we execute the above script (/tmp/1.sh), we get the following information.
Now we have Richard’s password and are able to log in to the server via SSH as richard.
Obtain Root.txt
We then work on privilege escalation. First, check the sudo list to see what we can run with sudo.
Then, we check the above Python script.
It seems that we need to crack the MD5 hash. However, there is an easier way.
We can just inject the following code, and then we will get root.txt.
Summary
This box is not very complicated, and it is very strict. Everything is there; you just need to know what to do. Due to the poor network connection, I spent most of the time on the port scan and enumeration. Attacking the server only took a few hours.