# Stratosphere

## Stratosphere - 10.10.10.64

### Target Enumeration:

OS: Linux

IP: 10.10.10.64

User: e610b298611fa732fca1665a1c02336b

Root: d41d8cd98f00b204e9800998ecf8427e

### Ports / Services / Software Versions Running

22/tcp   open ssh        OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)

80/tcp   open http

8080/tcp open  http-proxy

### Vulnerability Exploited:

An Apache Struts vulnerability gives command execution; reading the MySQL database through it yields the SSH password for the user richard.

### Privilege Escalation:

The user is allowed to run Python via sudo.

The Python input() vulnerability allows command execution as root.

### Exploiting the host:

Nmap (8080 is not included in screenshot)

<div align="left"><img src="https://lh4.googleusercontent.com/ZRvHZSqL_57jRGh53epuS-bBEbQR0VlxQpDgI8yLucp4KgQ-z8k5Po0q3NUARP0xdKte0-6OoIPrF0QlTLpY-0_hEsjCM5JIi6aPq50EGTzhghORnY9mzj0ZKOJJ_pSwBYXbW0BH" alt=""></div>

Dirsearch:

![](https://lh3.googleusercontent.com/QvhtBANLyxaRElL6AKwdKdDEjioLyA9kgPgrZKHx5eVks5QmKCSQRfmD1ZElM8YwpMsaawThVEborcHDP7QJvN8GngG0yVs3pChZY-yT1C-0RnMUAATg4KI4av-07acI6shnACLm)

Monitoring and manager discovered.

Manager is the Tomcat manager, protected by basic auth.

Brute-forcing it with Intruder and a large wordlist (basic auth and all default creds) did not work.

Dirb found /host-manager/, which was also brute-forced.

![](https://lh3.googleusercontent.com/78zRHjSWUvTAF35WDq3i1wQMOnHnxrPW2p1ujktQUIOgmrPlqbyxf_R9oNPpNiXvg5hXI3I12ogMj_wASACTaTDNcQVCInSIu5y-eluuutGW_9e3yo7zfsiiu88HlF4yFCAe7Y6B)

Nothing useful so far.

Enumerating /Monitor/ gives us a clue pointing to a Struts vulnerability.

![](https://lh4.googleusercontent.com/LRZncp3ezC_P_Mdg3tnKSLmsOSm7Qp6aQ_ocXXt87NBKYllPVbbq4iBrfQW-JAaJlt86CS9CF7NtuBERCpghe54MS8d0p-U6-gQWlkXOqIoxtPZLb_rdLXuZ7Yd15b8OFhKYbVAp)

Downloading the following script allows code execution:

<https://raw.githubusercontent.com/mazen160/struts-pwn/master/struts-pwn.py>

![](https://lh6.googleusercontent.com/BW00nfFNrTfnkEellLa842YLjoVk0eAT9kNqVEZVFZ87JX6HtJMHzD89ztoH1fDH0kxuFVmdDcXG7iNf2PkCUpYPJJhN6Y82gagvKEs8IRhfJNi7_SAf-nKOR-9I16wj6SxQye5h)

Executing the script gives you:

![](https://lh5.googleusercontent.com/87mPmfSVpy30JqeGBYIZGltoHF_OrDEetJNBuB_wEUFUU7bcPmgf4B9NuMG3rsWOi-PYnBzlBOpqhoUU2Nvmqxnb85_hjGy--VFp1Gre-oqcdGcPgJNteo2oeGh77hAMZ8jcKqo-)

Find the Tomcat users file:

![](https://lh5.googleusercontent.com/8huxihUPpOaaln9YtivHSWH5insF4OJeYc7ojsGX-salcVciaXDwtHGkxRig-lUP83Z_WKS8yOvptB2EBn675uiAHyl_Kfhg0DGdAHJ6yJbcK-djuZGXWr-yrSVd8u5dEHhlbbRM)

Now you have the password:

![](https://lh6.googleusercontent.com/yHjv7ubxdtaSUW85_pw-qXdCfTri0m4yVpeTdI6xM-oEXQG3RFCW1P-VHS06VDiAfvGbIF96Zisu3TOwbmEFP6HHsYeb-zT7sv-XReaTxdcTC4LGuiiAkDoofanEwMlq4oe2hZ40)

This was not useful.

Looking in the current root dir, we see a file called db\_connect:

![](https://lh4.googleusercontent.com/32h9tcmRBnLkCk9Duw_8qCfOXBh77fH5PPXBX7qXdRs43R8nQILeLk9eZEuf4YurYuoo_kgzO1UcT7EzkwmlK0gLsL5IBRsZuyteWjpxD7j8EyzcvmXil9VlctENRlV2qca2rbgr)

Looking at the contents gives us some credentials:

![](https://lh6.googleusercontent.com/GQvjAwSq2y5dlV-7CtvvQsYRmZA4luyxcZhAKtS07wiXnkjvnMUVqp72ntIdapqHwdHkvhlncPsL4-EuuZTqdE8jv2p6wXfxaRVzyhnbIsAzMwm4rB4jVOcZIWbsB7OpntaTvQlM)

user=ssn\_admin

pass=AWs64\@on\*&

This did not work as a login, so try admin admin and enumerate the database.

![](https://lh6.googleusercontent.com/HcuclVkkRX-8jjLt0eT4wVuNvMeB5eWkNuQXR0hEXAH-6S60ft_xetAESkIJL3TXUO5n1VEghqx_7s1LvQHvtAzfzjASxlEvuvLpaxgLsS18LFIOW4vyh16AsJYadCxdLex6-dr9)

This password works for the user richard:

![](https://lh6.googleusercontent.com/8gE1h5Ny0LaC_3dndlwvdYIrknmDKiaaMSitoZL20zeEo5Iu3ABi418KfgF5wnCyrFHFwjmLjrxKbZPVKKMgwHWv0QT-06UAArzyfJZwiZD7cavNkxCQX2xNAwFHbRs0xpZDQBud)

`sudo -l` gives you:

![](https://lh3.googleusercontent.com/cWiPTl71V9Hy4MY1eWVwAzgz9yZulbNObER8-dPiJhe-Md4MjKE5DYv-xYJ5Be--9wccvclmZNP7DEyj0MvYxRJvkEFP9CNqJ33P_mJ2z8xm0Y-xvxZiRq26br8VC-wLNRKDTkY5)

Looking at test.py, we can abuse the input() function to get a root shell, specifically by running it with python2.7 as a sudo user. It is also possible to crack all of the hashes; however, this does not give you a root shell, as success.py does not exist.

<div align="left"><img src="https://lh4.googleusercontent.com/ZMU_nille77yfnbLt0pYM5YK5O3j4456AMsloYqaEMUf7oGFw_MKkE0MBA6GdHaZupE4tNO_IdGowzIwzjABDGx0NckRIqGfhTB5G1veOeXm5uBDSIHl9Ecdg07J0q04SJYgkirZ" alt=""></div>

Enter the following command to get root.

![](https://lh5.googleusercontent.com/gNyA9CXer_s78eMAlm80OZ6Zq-syaC8q048P5QrF2GAQ0ogprhoA20yfJoXOzN8VLhGBfRtVa_iglCzGTlnAuwKsGG5FNR2ngmkv1X4sBkvVjYhAfbqWU5iJ3sYYOicxPaQ8nczq)
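Why input() is the weak point, as an added example that is not the box's test.py: in Python 2, `input()` is equivalent to `eval(raw_input())`, so the typed answer is evaluated as an expression before any hash comparison happens. The quiz hash, the function names and the `mark` callable are all constructed for illustration, and the Python 2 behaviour is modelled with `eval()` so the block runs on Python 3.

```python
import hashlib

# Constructed stand-in for a hash-checking quiz; not the contents of test.py.
EXPECTED_MD5 = hashlib.md5(b"constructed-answer").hexdigest()


def py2_input(typed, scope):
    """Model of Python 2 input(): the same as eval(raw_input())."""
    return eval(typed, scope)


def vulnerable_check(typed, scope):
    """Python 2 behaviour: the typed line is evaluated, then hashed."""
    answer = py2_input(typed, scope)
    return hashlib.md5(str(answer).encode()).hexdigest() == EXPECTED_MD5


def hardened_check(typed):
    """raw_input() / Python 3 input() behaviour: the typed line stays text."""
    return hashlib.md5(typed.encode()).hexdigest() == EXPECTED_MD5


def demo():
    evaluated = []                      # records whether typed text ran as code
    scope = {"mark": evaluated.append}  # harmless callable visible to eval()
    typed = "mark('ran as code')"       # constructed, benign expression

    vulnerable_ok = vulnerable_check(typed, scope)
    ran_in_vulnerable = len(evaluated)  # 1: the expression executed

    hardened_ok = hardened_check(typed)
    ran_in_hardened = len(evaluated) - ran_in_vulnerable  # 0: only hashed

    return {
        "vulnerable_ok": vulnerable_ok,
        "ran_in_vulnerable": ran_in_vulnerable,
        "hardened_ok": hardened_ok,
        "ran_in_hardened": ran_in_hardened,
        "correct_answer_ok": hardened_check("constructed-answer"),
    }


if __name__ == "__main__":
    print(demo())
```

The hash check fails in both versions, but in the vulnerable one the expression has already run with the interpreter's privileges by then, which is why a sudo rule covering a Python 2 script that calls `input()` amounts to root command execution.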
