# Stratosphere

## Stratosphere - 10.10.10.64

### Target Enumeration:

OS: Linux

IP: 10.10.10.64

User: e610b298611fa732fca1665a1c02336b

Root: d41d8cd98f00b204e9800998ecf8427e

### Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)

80/tcp open http

8080/tcp open http-proxy

### Vulnerability Exploited:

An Apache Struts vulnerability gives code execution, which is used to read the MySQL database; the database holds the SSH password for user richard.

### Privilege Escalation:

The user is allowed to run Python through sudo.

The Python 2 input() function evaluates what is typed, which allows command execution as root.

### Exploiting the host:

Nmap (port 8080 is not included in the screenshot):

<div align="left"><img src="https://lh4.googleusercontent.com/ZRvHZSqL_57jRGh53epuS-bBEbQR0VlxQpDgI8yLucp4KgQ-z8k5Po0q3NUARP0xdKte0-6OoIPrF0QlTLpY-0_hEsjCM5JIi6aPq50EGTzhghORnY9mzj0ZKOJJ_pSwBYXbW0BH" alt=""></div>

Dirsearch:

![](https://lh3.googleusercontent.com/QvhtBANLyxaRElL6AKwdKdDEjioLyA9kgPgrZKHx5eVks5QmKCSQRfmD1ZElM8YwpMsaawThVEborcHDP7QJvN8GngG0yVs3pChZY-yT1C-0RnMUAATg4KI4av-07acI6shnACLm)

Monitoring and manager were discovered.

Manager is the Tomcat manager, protected by basic auth.

Brute-forcing it with Intruder and a large wordlist (basic auth and all default creds) did not work.

Dirb found /host-manager/, which was also brute-forced.

![](https://lh3.googleusercontent.com/78zRHjSWUvTAF35WDq3i1wQMOnHnxrPW2p1ujktQUIOgmrPlqbyxf_R9oNPpNiXvg5hXI3I12ogMj_wASACTaTDNcQVCInSIu5y-eluuutGW_9e3yo7zfsiiu88HlF4yFCAe7Y6B)

Nothing useful so far.

Enumerating /Monitor/ gives us a clue pointing to a Struts vulnerability.

![](https://lh4.googleusercontent.com/LRZncp3ezC_P_Mdg3tnKSLmsOSm7Qp6aQ_ocXXt87NBKYllPVbbq4iBrfQW-JAaJlt86CS9CF7NtuBERCpghe54MS8d0p-U6-gQWlkXOqIoxtPZLb_rdLXuZ7Yd15b8OFhKYbVAp)

Downloading the following script allows code execution:

<https://raw.githubusercontent.com/mazen160/struts-pwn/master/struts-pwn.py>

![](https://lh6.googleusercontent.com/BW00nfFNrTfnkEellLa842YLjoVk0eAT9kNqVEZVFZ87JX6HtJMHzD89ztoH1fDH0kxuFVmdDcXG7iNf2PkCUpYPJJhN6Y82gagvKEs8IRhfJNi7_SAf-nKOR-9I16wj6SxQye5h)

Executing the script gives you:

![](https://lh5.googleusercontent.com/87mPmfSVpy30JqeGBYIZGltoHF_OrDEetJNBuB_wEUFUU7bcPmgf4B9NuMG3rsWOi-PYnBzlBOpqhoUU2Nvmqxnb85_hjGy--VFp1Gre-oqcdGcPgJNteo2oeGh77hAMZ8jcKqo-)

Find the Tomcat users file:

![](https://lh5.googleusercontent.com/8huxihUPpOaaln9YtivHSWH5insF4OJeYc7ojsGX-salcVciaXDwtHGkxRig-lUP83Z_WKS8yOvptB2EBn675uiAHyl_Kfhg0DGdAHJ6yJbcK-djuZGXWr-yrSVd8u5dEHhlbbRM)

Now you have the password:

![](https://lh6.googleusercontent.com/yHjv7ubxdtaSUW85_pw-qXdCfTri0m4yVpeTdI6xM-oEXQG3RFCW1P-VHS06VDiAfvGbIF96Zisu3TOwbmEFP6HHsYeb-zT7sv-XReaTxdcTC4LGuiiAkDoofanEwMlq4oe2hZ40)

This was not useful.

Looking in the current root dir, we see a file called db\_connect:

![](https://lh4.googleusercontent.com/32h9tcmRBnLkCk9Duw_8qCfOXBh77fH5PPXBX7qXdRs43R8nQILeLk9eZEuf4YurYuoo_kgzO1UcT7EzkwmlK0gLsL5IBRsZuyteWjpxD7j8EyzcvmXil9VlctENRlV2qca2rbgr)

Looking at the contents gives us some credentials:

![](https://lh6.googleusercontent.com/GQvjAwSq2y5dlV-7CtvvQsYRmZA4luyxcZhAKtS07wiXnkjvnMUVqp72ntIdapqHwdHkvhlncPsL4-EuuZTqdE8jv2p6wXfxaRVzyhnbIsAzMwm4rB4jVOcZIWbsB7OpntaTvQlM)

user=ssn\_admin

pass=AWs64\@on\*&

This did not work as a login, so try admin/admin and enumerate the database:

![](https://lh6.googleusercontent.com/HcuclVkkRX-8jjLt0eT4wVuNvMeB5eWkNuQXR0hEXAH-6S60ft_xetAESkIJL3TXUO5n1VEghqx_7s1LvQHvtAzfzjASxlEvuvLpaxgLsS18LFIOW4vyh16AsJYadCxdLex6-dr9)

This password works for the user richard:

![](https://lh6.googleusercontent.com/8gE1h5Ny0LaC_3dndlwvdYIrknmDKiaaMSitoZL20zeEo5Iu3ABi418KfgF5wnCyrFHFwjmLjrxKbZPVKKMgwHWv0QT-06UAArzyfJZwiZD7cavNkxCQX2xNAwFHbRs0xpZDQBud)

`sudo -l` gives you:

![](https://lh3.googleusercontent.com/cWiPTl71V9Hy4MY1eWVwAzgz9yZulbNObER8-dPiJhe-Md4MjKE5DYv-xYJ5Be--9wccvclmZNP7DEyj0MvYxRJvkEFP9CNqJ33P_mJ2z8xm0Y-xvxZiRq26br8VC-wLNRKDTkY5)

Looking at test.py, we can abuse the input() function to get a root shell, specifically by running it with python2.7 through sudo. It is also possible to crack all of the hashes; however, this does not give you a root shell, as success.py does not exist.

<div align="left"><img src="https://lh4.googleusercontent.com/ZMU_nille77yfnbLt0pYM5YK5O3j4456AMsloYqaEMUf7oGFw_MKkE0MBA6GdHaZupE4tNO_IdGowzIwzjABDGx0NckRIqGfhTB5G1veOeXm5uBDSIHl9Ecdg07J0q04SJYgkirZ" alt=""></div>

Enter the following command to get root.

![](https://lh5.googleusercontent.com/gNyA9CXer_s78eMAlm80OZ6Zq-syaC8q048P5QrF2GAQ0ogprhoA20yfJoXOzN8VLhGBfRtVa_iglCzGTlnAuwKsGG5FNR2ngmkv1X4sBkvVjYhAfbqWU5iJ3sYYOicxPaQ8nczq)
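Why `input()` under Python 2.7 is the weak point, as an added example that is not the box's test.py or the author's code: Python 2's `input()` is emulated here with `eval()` so the block runs on Python 3, and the digest, the `record` helper and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed digest for this example only; not a value from the box.
EXPECTED_SHA256 = hashlib.sha256(b"constructed-answer").hexdigest()

calls = []  # records side effects triggered while reading "input"


def record(tag):
    """Harmless stand-in for any function reachable from the script's scope."""
    calls.append(tag)
    return tag


def py2_style_input(line):
    """Python 2's input() is eval(raw_input()): the typed text runs as code."""
    return eval(line)  # deliberately unsafe, mirrors Python 2 behaviour


def safe_input(line):
    """raw_input() in Python 2 / input() in Python 3: text stays a string."""
    return line


def check_answer(answer):
    """Hash the answer and compare in constant time; reject non-strings."""
    if not isinstance(answer, str):
        return False
    digest = hashlib.sha256(answer.encode()).hexdigest()
    return hmac.compare_digest(digest, EXPECTED_SHA256)


def demo():
    typed = "record('evaluated before any hash check')"
    unsafe = py2_style_input(typed)  # the call inside the text executes
    safe = safe_input(typed)         # nothing executes, value is the text
    return unsafe, safe, list(calls), check_answer(safe)


if __name__ == "__main__":
    print(demo())
```

With the unsafe reader the typed expression runs before any hash comparison takes place, so the strength of the hashes is irrelevant. Replacing `input()` with `raw_input()`, or restricting the sudo rule to a Python 3 interpreter, removes the evaluation step.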

