Hacking
  • Penetration Testing
  • Methodologies
    • Exfil
    • Manual Enumeration
    • Basic Buffer Overflow
    • Basic Internal Network test
    • Basic Mobile Testing guide
    • Basic Subdomain Enumeration guide
  • Guides
    • Build A Raspberry Pi Dropbox
    • Golang
    • Powershell / PowerView
    • PurpleSharp
  • Hack The Box last updated - 2019
    • Legacy
    • Devel
    • Optimum
    • Popcorn
    • Beep
    • Tenten
    • Arctic
    • Cronos
    • Grandpa
    • Granny
    • October
    • Lazy
    • Sneaky
    • Holiday
    • Blocky
    • Shrek
    • Blue
    • Joker
    • Europa
    • Haircut
    • Bank
    • SolidState
    • Mantis
    • Shocker
    • Tally
    • Sense
    • Jeeves
    • Stratosphere
    • Inception
    • Bashed
    • Fluxcapacitor
    • Canape
    • Rabbit
    • Chatterbox
    • Nibbles
    • Sunday
    • Aragog
    • Valentine
    • Silo
    • Olympus
    • Poison
    • Celestial
    • Waldo
    • Jerry
    • Access
    • Active
    • Netmon
  • scriptz
  • Issues
    • gists
    • Boring Issues
Powered by GitBook
On this page
  • Stratosphere - 10.10.10.64
  • Target Enumeration:
  • Ports / Services / Software Versions Running
  • Vulnerability Exploited:
  • Privilege Escalation:
  • Exploiting the host:
  1. Hack The Box last updated - 2019

Stratosphere

Stratosphere - 10.10.10.64

Target Enumeration:

OS: Linux

IP: 10.10.10.64

User: e610b298611fa732fca1665a1c02336b

Root: d41d8cd98f00b204e9800998ecf8427e

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)

80/tcp open http

8080/tcp open http-proxy

Vulnerability Exploited:

Apache Struts vulnerability to read mysql database gives ssh password for user richard

Privilege Escalation:

User allowed to run python as sudoer

Python input() vulnerability allows root command execution

Exploiting the host:

Nmap (8080 is not included in screenshot)

Dirsearch:

Monitoring and manager discovered.

Manager is basic auth to tomcat manager

Bruteforce with intruder and a large wordlist (basic auth and all default creds) none worked

Dirb found /host-manager/ which was also bruteforced.

Nothing useful so far.

Enumerating /Monitor/ gives us a clue to a struts vuln.

Downloading the following script allows code execution

https://raw.githubusercontent.com/mazen160/struts-pwn/master/struts-pwn.py

Executing the script gives you:

Find the tomcat users file

Now you have the password:

This was not useful.

Looking in the current root dir we see a file called db_cocnnect

Looking at the contents gives us some credentials

user=ssn_admin

pass=AWs64@on*&

This did not work as a login so try admin admin and enumerate the database

This password works for the user richard

Sudo -l gives you

Looking at test.py we can abuse the input() function to get a root shell using python2.7 specifically as a sudo user. It is also possible to crack all of the hashes however this does not give you a root shell as sucess.py does not exist.

Enter the following command to get root.

PreviousJeevesNextInception

Last updated 6 years ago