root@liberty:~# nmap -A tabby.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-27 10:04 EDT
Nmap scan report for tabby.htb (10.129.28.106)
Host is up (0.015s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
| 256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_ 256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=10/27%OT=22%CT=1%CU=39779%PV=Y%DS=2%DC=T%G=Y%TM=5F9829
OS:05%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST
OS:11NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Lets enumerate 80 & 8080 with Dirb:
While poking around through the results I also wanted to test the sites for LFI or RFI vulnerabilities. While clicking each link in the site we noticed the news site redirected to megahosting.htb/news.php?file=statement. This file= looking like it could be a LFI. Lets take a look at /etc/hosts and /etc/passwd
/etc/hosts
/etc/passwd
With this access we should go after the Tomcat web-server config. After some serious Googling we find that the location of the tomcat creds is usr/share/tomcat9/etc/tomcat-users.xml. When originally loading the page I was convinced the LFI wasn't working. ALWAYS VIEW THE SOURCE.
Tomcat GUI Creds
These creds get us in but I don't see anywhere to upload a WAR. Java web applications are usually packaged as WAR files for deployment. ... These files can be created on the command line or with an IDE like Eclipse. After deploying our WAR file, Tomcat unpacks it and stores all project files in the webapps directory in a new directory named after the project.
We can find the syntax for generating this type of payload under my cheetsheets section:
In order to take escalate the root privilege of the host machine you have to create an image for lxd thus you need to perform the following the action:
Steps to be performed on the attacker machine:
Download build-alpine in your local machine through the git repository.
Execute the script “build -alpine” that will build the latest Alpine image as a compressed file, this step must be executed by the root user.
Transfer the tar file to the host machine
Steps to be performed on the host machine:
Download the alpine image
Import image for lxd
Initialize the image inside a new container.
Mount the container inside the /root directory
After reading the article above the tool would not build after a couple of Google searches I found this article:
