Stratosphere

Stratosphere - 10.10.10.64

Target Enumeration:

OS: Linux
IP: 10.10.10.64
User: e610b298611fa732fca1665a1c02336b
Root: d41d8cd98f00b204e9800998ecf8427e

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
80/tcp open http
8080/tcp open http-proxy

Vulnerability Exploited:

Apache Struts vulnerability to read mysql database gives ssh password for user richard

Privilege Escalation:

User allowed to run python as sudoer
Python input() vulnerability allows root command execution

Exploiting the host:

Nmap (8080 is not included in screenshot)
Dirsearch:
Monitoring and manager discovered.
Manager is basic auth to tomcat manager
Bruteforce with intruder and a large wordlist (basic auth and all default creds) none worked
Dirb found /host-manager/ which was also bruteforced.
Nothing useful so far.
Enumerating /Monitor/ gives us a clue to a struts vuln.
Downloading the following script allows code execution
Executing the script gives you:
Find the tomcat users file
Now you have the password:
This was not useful.
Looking in the current root dir we see a file called db_cocnnect
Looking at the contents gives us some credentials
user=ssn_admin
This did not work as a login so try admin admin and enumerate the database
This password works for the user richard
Sudo -l gives you
Looking at test.py we can abuse the input() function to get a root shell using python2.7 specifically as a sudo user. It is also possible to crack all of the hashes however this does not give you a root shell as sucess.py does not exist.
Enter the following command to get root.