Hacking
GithubTwitter
Search…
Hacking
Hacking, Bug Bounties & Penetration Testing
The Hacker Lab
Methodologies
Basic Buffer Overflow
Basic Internal Network test
Basic Mobile Testing guide
Basic Subdomain Enumeration guide
Guides
Build A Raspberry Pi Dropbox
Golang
Powershell / PowerView
PurpleSharp
Hack The Box last updated - 2019
Legacy
Devel
Optimum
Popcorn
Beep
Tenten
Arctic
Cronos
Grandpa
Granny
October
Lazy
Sneaky
Holiday
Blocky
Shrek
Blue
Joker
Europa
Haircut
Bank
SolidState
Mantis
Shocker
Tally
Sense
Jeeves
Stratosphere
Inception
Bashed
Fluxcapacitor
Canape
Rabbit
Chatterbox
Nibbles
Sunday
Aragog
Valentine
Silo
Olympus
Poison
Celestial
Waldo
Jerry
Access
Active
Netmon
Powered By GitBook
Stratosphere

Stratosphere - 10.10.10.64

Target Enumeration:

OS: Linux
IP: 10.10.10.64
User: e610b298611fa732fca1665a1c02336b
Root: d41d8cd98f00b204e9800998ecf8427e

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
80/tcp open http
8080/tcp open http-proxy

Vulnerability Exploited:

Apache Struts vulnerability to read mysql database gives ssh password for user richard

Privilege Escalation:

User allowed to run python as sudoer
Python input() vulnerability allows root command execution

Exploiting the host:

Nmap (8080 is not included in screenshot)
Dirsearch:
Monitoring and manager discovered.
Manager is basic auth to tomcat manager
Bruteforce with intruder and a large wordlist (basic auth and all default creds) none worked
Dirb found /host-manager/ which was also bruteforced.
Nothing useful so far.
Enumerating /Monitor/ gives us a clue to a struts vuln.
Downloading the following script allows code execution
Executing the script gives you:
Find the tomcat users file
Now you have the password:
This was not useful.
Looking in the current root dir we see a file called db_cocnnect
Looking at the contents gives us some credentials
user=ssn_admin
This did not work as a login so try admin admin and enumerate the database
This password works for the user richard
Sudo -l gives you
Looking at test.py we can abuse the input() function to get a root shell using python2.7 specifically as a sudo user. It is also possible to crack all of the hashes however this does not give you a root shell as sucess.py does not exist.
Enter the following command to get root.
Hack The Box last updated - 2019 - Previous
Jeeves
Next - Hack The Box last updated - 2019
Inception
Last modified 3yr ago
Copy link
Outline
Stratosphere - 10.10.10.64
Target Enumeration:
Ports / Services / Software Versions Running
Vulnerability Exploited:
Privilege Escalation:
Exploiting the host: