HTB Stratosphere Write-Up



Initial Enumeration

nmap flags are : nmap -v -sV -sC -oA nmap/scanResults

Nmap returned the following:

It shows 3 ports are open which are 22,80 and 8080, I did a full port scan but did not find anything different. Everything seems to be normal, nothing much to do here.

Visiting the website, we are greeted with this:


Pretty dandy if you ask me >_< !! Let’s start the directory brute forcing then!

gobuster flags are : gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster scan

Hmm?? Omoshiroi!! This is starting to get interesting now! We get two directories but the status is 302 (which means “moved permanently”)

Without further ado lets search em’ up!

A search to returned the following:

Login on the

It’s asking for credentials but we don’t have any, still I tried some basic combinations like “admin::admin”, “admin::password” and such but to no luck :( .

A search to actually redirected me to and this is what greeted me.

Clicking on both the links showed this:

Under Construction!

At this point I did some more directory brute forcing and used all the wordlists but I didn’t have a clue as to what to do now. I though that if requires a login and is a site under construction then why bother with the later website? Something is definitley fishy in the second url. My mistake was that I was searching for credentials to log in to the first one and lost a lot of time. Then I noticed something strange in the second website.

Apache Struts Vulnerability

Precisely! They were all ending with “.action” and after searching I found the gold-mine I was looking for.

From , “Actions are the core of the Struts2 framework, as they are for any MVC (Model View Controller) framework. Each URL is mapped to a specific action, which provides the processing logic which is necessary to service the request from the user.

But the action also serves in two other important capacities. Firstly, the action plays an important role in the transfer of data from the request through to the view, whether its a JSP or other type of result. Secondly, the action must assist the framework in determining which result should render the view that will be returned in the response to the request.”


From Wikipedia:

“Struts 2 has a history of critical security bugs, many tied to its use of OGNL technology, some vulnerabilities can lead to arbitrary code execution. In October 2017, it was reported that failure by Equifax to address a Struts 2 vulnerability advised in March 2017 was later exploited in the data breach that was disclosed by Equifax in September 2017.”


After reading it’s documentation I ran it as:

It worked and we see the id of Tomcat showing up. Now, after all this, I am still after those credentials so that we can login to that site and I know any user on this box should be on the home folder, so here I go!

using multiple commands I fished out the user “richard” !!

python -u -c ‘cd ../../../home && ls -la’

But the trouble is, I don’t know “richard” ‘s password so I can’t ssh in as user in the box. Need more enumeration.

Looking at tomcat directory I found a directory called “db_connect”. A text file containing Database credentials.

Retrieving credentials from Database

python -u -c ‘cat db_connect’

Caution: First credentials are Rabbit Hole! I learned it the hard way T_T

I tried to login to mysql using the credentials given here using my own machine but it seems like Stratosphere was blocking connections. The only way is to use the RCE to access it. Again remember, we don’t have reverse shell so it should be a one-liner command. We know we are using database name: “users” so “SELECT * from <tableName> should work!

This was according to me the hardest part! After many hit and trials, and searching I finally got it to work. This article helped me very much ! But how many tables are there? I ran the following to know.

python -u -c ‘mysql -u admin -padmin -e “use users; show tables”’

Immediately it informed me that the table name is “accounts” ! UwU !

richard should secure his account asap

python -u -c ‘mysql -u admin -padmin -e “use users; SELECT * from accounts”’

aaanddd… we got richard’s password!! Who would have know it was here!!! OwO

Lets SSH in !!!

Everything’s fine! user.txt is done! Now Priv Esc!

Privilege Escalation — DLL Injection

This sure returned interesting results! So richard can run two things without password, first is the in its home directory and other, it can also use python version to do the same ( /usr/bin/python*). So it is now pretty obvious that if we somehow hijack and force it run system commands, we are pretty much done with. And yes it was that easy!

Taking a look at

It’s asking us to crack some hashes, after which it will run the “os.system(‘/root/’)” command, it has cleverly shielded the import os module inside the “question” function, the last boss lives up-to its name!

Now obviously it does not wants us to win this little cracking game (yes, I tried). The first three hashes seems easy and hashcat will do its job perfectly but the last one is intentionally there to stop us. Here comes DLL Injection!!!

DLL Injection means instead of linking the libraries from the disc, if a same name python script is present in the same folder it links it. Here hashlib is the very good attack target for DLL Injection. Once the original from the /usr/lib/python2.7/ is not linked anymore and it is linked with our own custom made in the home folder, the whole cracking game would crumble! Let’s do it!

the original in the /usr/lib/python2.7 directory

Lets create our own which will be actually linked instead of the original one and execute the bash command! echo ‘import os; os.system(“/bin/bash”)’ >

custom made (exploit) in /home/richard

Time for the final attack! STARBURST STREAM!

YESS!! WE ARE ROOT!! root.txt can be obviously obtained from the root directory!


Stay Cool!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store