STRATOSPHERE
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Stratosphere, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu/
2 - ENUMERATION
- Stratosphere's IP is 10.10.10.64:

- Scanning with Nmap:

- Connecting with the browser:

- Bruteforcing with Dirbuster and the medium size directory list:

- Dirbuster finds folders like /manager or /Monitoring:

- Going to /Monitoring we are redirected to this web page:

- Clicking Sign On:

- In both cases let's notice the presence of the .action extension, which corresponds to the Action class used by Apache Struts:
https://svn.apache.org/repos/asf/struts/archive/trunk/struts-doc-1.1/api/org/apache/struts/action/Action.html

3 - EXPLOITATION
- Apache Struts is vulnerable to multiple exploits, as explained at CVE-2018-11776:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776

- There are a lot of available exploits, so let's take for instance the Python script struts-pwn:

- Downloading to Kali:


- Reading README.md we find an example of usage:

- Now let's check that the script works (by default it runs the command id):

- Also, we can use the script to read /etc/passwd:

... etc ...
- Listing /home content:

- Listing richard's folder content:

- Reading db_connect we find credentials for databases ssn and users:

- Showing tables from database users we find the table accounts:

- Selecting * from table accounts we find a password for user richard:

- Connecting to SSH with user richard's credentials we get a low privileged remote shell:
richard:9tc*rhKuG5TyXvUJOrE^5CK7k

4 - CAPTURING THE 1st FLAG
- Reading user.txt:

5 - PRIVILEGE ESCALATION
- However, access to the root folder is denied, so we need Privilege Escalation:

- User richard has some sudo privileges:

- Reading the content of test.py, it seems to perform some encoding/decoding and hashing operations:

- Executing test.py, just in case, does not show any output:

- Notice that test.py imports hashlib, so we can write hashlib.py in this way:

- Now, just following the sudoers message and executing the command, a root shell is achieved:
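
The escalation above works because Python searches the script's own directory before the standard library, so a hashlib.py placed next to test.py is imported in place of the real module. The following audit check is an added example, not part of the original write-up: it statically lists the imports of a script that sudoers allows to run as root and reports same-named files beside it and a script directory that non-root users can write to. The function names and the sample test.py content (including the base64 import) are assumptions constructed for the demonstration.

```python
import ast
import os
import sys
import tempfile

def imported_modules(script_path):
    """Top-level module names a script imports (static parse; nothing is executed)."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    # Modules compiled into the interpreter cannot be shadowed by a file.
    return names - set(sys.builtin_module_names)

def audit_script(script_path):
    """Findings for a script that sudoers lets a low-privileged user run as root."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    findings = []
    # By default the script's directory is sys.path[0], so a same-named file
    # there is imported instead of the standard-library module.
    for mod in sorted(imported_modules(script_path)):
        hits = (mod + ".py", os.path.join(mod, "__init__.py"))
        if any(os.path.exists(os.path.join(script_dir, h)) for h in hits):
            findings.append(("shadowed", mod))
    st = os.stat(script_dir)
    # Not root-owned, or group/world-writable: a non-root user can plant a module.
    if st.st_uid != 0 or st.st_mode & 0o022:
        findings.append(("writable_dir", script_dir))
    return findings

def demo():
    """Constructed sample: stand-in test.py, audited before and after a hashlib.py appears."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)  # constructed: directory writable by non-root users
        script = os.path.join(d, "test.py")
        with open(script, "w", encoding="utf-8") as fh:
            fh.write("import hashlib\nfrom base64 import b64encode\n")
        before = audit_script(script)
        open(os.path.join(d, "hashlib.py"), "w").close()  # empty placeholder file
        after = audit_script(script)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

A "writable_dir" finding on its own already means the sudo rule is unsafe; moving the script to a root-owned directory, or running the interpreter in isolated mode (python -I), removes the script directory from the import path.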


6 - CAPTURING THE 2nd FLAG
- Reading root.txt:
