
Hack the Box: Stratosphere Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, “Stratosphere”, a lab presented by Hack the Box and available online for those who want to improve their skills in penetration testing and black box testing. Stratosphere is a retired vulnerable lab presented by Hack the Box for online penetration practice according to your experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy

Task: find the user.txt and root.txt files on the victim’s machine.

WalkThrough

Since these labs are available online, they have static IPs. The IP of Stratosphere is 10.10.10.64.

Let’s start off with scanning the network to find our target.

nmap -sV 10.10.10.64

As per nmap, port 80 is open for HTTP, so let’s explore the target IP in the browser. After exploring port 80, we were welcomed by the following page, where we didn’t find any informative clue.


After that we visited port 8080 (HTTP proxy), and here also we got the same web page. We tried to inspect the source code of ports 80 and 8080 but found nothing.


Therefore we next decided to run a directory brute-force attack with the help of Dirbuster, using the wordlist “directory-list-2.3-medium.txt” for the attack.


Luckily it found some web directories such as /Monitoring; let’s explore it in the web browser.


So when we try to open the URL http://10.10.10.64:8080/Monitoring, it gets redirected to http://10.10.10.64:8080/Monitoring/example/Welcome.action for login. I looked closely at the URL containing the .action extension, so I did a Google search to find complete information about this extension. I found that the .action extension is used by Apache Struts 2, which has a history of bugs and vulnerabilities; if you search for exploits, you will find a lot of Python scripts and exploits to compromise this service.


So we used an nmap script to check whether it is vulnerable:

nmap -p8080 --script http-vuln-cve2017-5638 --script-args path=/Monitoring/ 10.10.10.64

Awesome!!! It is vulnerable to CVE-2017-5638, let’s exploit it.


I found an exploit, Struts-Apache-ExploitPack; let’s download it from GitHub and give it full permissions.

git clone https://github.com/drigg3r/Struts-Apache-ExploitPack.git
cd Struts-Apache-ExploitPack
cd Exploiter
ls
chmod 777 Exploit.sh

Now run the following command to exploit the victim machine.

./Exploit.sh http://10.10.10.64:8080/Monitoring/example/Welcome.action
id
ls
cat db_connect

Username: admin
Password: admin

So now we have database credentials; let’s use them to get all the information from inside the database.

mysqldump -u admin -padmin --all-databases --skip-lock-tables

Here I found the password “9tc*rhKuG5TyXvUJOrE^5CK7k” for user Richard; now let’s try to connect over SSH using these credentials.

ssh richard@10.10.10.64

Yuppie, we successfully logged in to the victim’s machine, so now let’s get user.txt and root.txt.

ls
cat user.txt
cat test.py

Here we notice that test.py computes some hash values and at the end gives success.py from inside the root directory, and the whole script depends on hashlib.


Then we also checked the sudo rights for Richard and found he has the sudo right to run all types of Python scripts. So first we ran the test.py file and started solving the hashes in order to get success.py.

sudo /usr/bin/python /home/richard/test.py

So we got the hash value; now we need to decode it, and after decoding I found “kayboo!”.


On submitting the decoded text, it generated a new hash for the next step; again I decoded it and submitted the answer, and then again a new hash appeared, and the same process repeated each time on submitting the decoded text.

Since test.py imports hashlib, which is a Python library, my last option was Python library hijacking to escalate to root privileges.


Therefore I created a hashlib.py script in the current directory that calls the system binary ‘/bin/bash’; now when we run test.py, it will import our hashlib.py, which calls the /bin/bash binary.

echo 'import os;os.system("/bin/bash")' > hashlib.py
sudo /usr/bin/python /home/richard/test.py

Booom!!! Here we owned root access, now let’s get the root.txt file and finish this task.
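
A defender-side audit for the condition abused above, as an added example that is not part of the original walkthrough: Python puts the directory of the script being run first on its module search path, so a root-run script in a user-writable directory imports whatever file there matches an import name. The function names are hypothetical, and the audited script is assumed to parse under Python 3.

```python
import ast
import os

def imported_modules(script_path):
    """Top-level module names that the script imports (absolute imports only)."""
    with open(script_path, "r", encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def find_shadowed_imports(script_path):
    """(module, path) pairs for files beside the script that match an import name.
    Compiled-in modules such as sys cannot be shadowed this way; hashlib can."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    findings = []
    for name in sorted(imported_modules(script_path)):
        for candidate in (name + ".py", name + ".pyc",
                          os.path.join(name, "__init__.py")):
            full = os.path.join(script_dir, candidate)
            if os.path.isfile(full):
                findings.append((name, full))
    return findings

def dir_writable_by_non_root(script_path):
    """True if the script's directory is owned by a non-root user
    or is group- or world-writable, i.e. someone other than root can plant files."""
    st = os.stat(os.path.dirname(os.path.abspath(script_path)))
    return st.st_uid != 0 or bool(st.st_mode & 0o022)

def audit(script_path):
    """Summarise the import-hijack exposure of one script that is run via sudo."""
    return {
        "script": os.path.abspath(script_path),
        "dir_writable_by_non_root": dir_writable_by_non_root(script_path),
        "shadowed": find_shadowed_imports(script_path),
    }

if __name__ == "__main__":
    import sys
    # Usage: python3 audit_imports.py /path/to/script_named_in_sudoers.py
    for path in sys.argv[1:]:
        print(audit(path))
```

To close the hole, keep any script named in a sudoers rule in a root-owned directory that other users cannot write to, or run it with Python 3's `-I` (isolated mode), which leaves the script's directory off the module search path.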


Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets.
