Stratosphere - 10.10.10.64
Ports / Services / Software Versions Running
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
80/tcp open http
8080/tcp open http-proxy
An Apache Struts vulnerability lets us read the MySQL database, which gives the SSH password for user richard
User is allowed to run Python as root via sudo
Python 2 input() vulnerability allows root command execution
Exploiting the host:
Nmap (8080 is not included in screenshot)
Monitoring and manager discovered.
Manager uses Basic auth for the Tomcat manager
Brute-forcing with Intruder and a large wordlist (Basic auth and all default creds): none worked
Dirb found /host-manager/, which was also brute-forced.
Nothing useful so far.
Enumerating /Monitor/ gives us a clue to a Struts vuln.
Downloading the following script allows code execution
Executing the script gives you:
Find the Tomcat users file
Now you have the password:
This was not useful.
Looking in the current root dir we see a file called db_connect
Looking at the contents gives us some credentials
These did not work as a login, so try admin/admin and enumerate the database
This password works for the user richard
sudo -l gives you:
Looking at test.py, we can abuse the input() function to get a root shell, using python2.7 specifically as a sudo user (in Python 2, input() evaluates whatever is typed as an expression). It is also possible to crack all of the hashes; however, this does not give you a root shell, as success.py does not exist.
Enter the following command to get root.
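The root cause above is a script run as root through sudo that reads untrusted text with Python 2's input(), which evaluates it. The following Python 3 example is added here as a defender-side check; it is not from the original writeup and is not the command the author used. It assumes a stand-in quiz script (SAMPLE_SCRIPT, constructed, since test.py's contents are not shown) and takes the interpreter name as a hypothetical argument. It flags calls that evaluate user text and shows the fix: parse the answer as an integer instead of evaluating it.

```python
import ast

# Constructed stand-in for a quiz script like the page's test.py; the real
# file's contents are not shown in the writeup, so this is an assumption.
SAMPLE_SCRIPT = """
import random
a = random.randint(1, 100)
b = random.randint(1, 100)
answer = input("What is %d + %d? " % (a, b))
if answer == a + b:
    print("Correct")
"""

# Builtins that evaluate or execute a string. Under Python 2, input() is
# equivalent to eval(raw_input()), so whoever types at the prompt controls
# an expression evaluated with the script's privileges (root, when run via sudo).
RISKY_CALLS = {"input", "eval", "exec", "execfile", "compile"}


def find_dynamic_eval_calls(source):
    """Return [(name, lineno), ...] for bare calls to the risky builtins."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in RISKY_CALLS:
                hits.append((node.func.id, node.lineno))
    return sorted(hits, key=lambda h: h[1])


def safe_int(text):
    """Parse untrusted text as an integer; anything else is rejected (None).

    This is the fix for the pattern above: read the line as data
    (raw_input() on Python 2, input() on Python 3) and convert it
    explicitly instead of evaluating it.
    """
    try:
        return int(text.strip())
    except (ValueError, AttributeError):
        return None


def check_sudo_python_target(script_source, interpreter="python2.7"):
    """Summarise why a script is unsafe to expose via sudo for a given interpreter.

    The interpreter argument is hypothetical: it only decides whether input()
    counts as evaluation (Python 2) or as a plain string read (Python 3).
    """
    findings = []
    for name, lineno in find_dynamic_eval_calls(script_source):
        if name == "input" and not interpreter.startswith("python2"):
            continue  # Python 3 input() returns a string; no evaluation
        findings.append(f"line {lineno}: {name}() evaluates user-controlled text")
    return findings


if __name__ == "__main__":
    for finding in check_sudo_python_target(SAMPLE_SCRIPT, "python2.7"):
        print(finding)
    print(safe_int("42"), safe_int("not a number"))
```

The check only reports input() when the sudo rule points at a Python 2 interpreter; the same script is harmless under Python 3, which is why the sudoers entry and the interpreter it names matter as much as the script itself.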