Let's start with an Nmap scan:
Let's enumerate ports 80 and 8080 with Dirb:
While poking around through the results I also wanted to test the sites for LFI or RFI vulnerabilities. While clicking each link in the site we noticed the news site redirected to megahosting.htb/news.php?file=statement. This file= parameter looks like it could be an LFI. Let's take a look at /etc/hosts and /etc/passwd.
With this access we should go after the Tomcat web-server config. After some serious Googling we find that the Tomcat creds are located in usr/share/tomcat9/etc/tomcat-users.xml. When I originally loaded the page I was convinced the LFI wasn't working. ALWAYS VIEW THE SOURCE.
These creds get us in, but I don't see anywhere to upload a WAR. Java web applications are usually packaged as WAR files for deployment. ... These files can be created on the command line or with an IDE like Eclipse. After deploying our WAR file, Tomcat unpacks it and stores all project files in the webapps directory, in a new directory named after the project.
We can find the syntax for generating this type of payload in my cheat sheets section:
After creating our WAR reverse shell we can deploy it with curl:
After uploading the shell, let's start our listener and navigate to the page.
After enumerating the box we find a backup zip. Let's take a look at that locally. To do this I will use nc to download the zip.
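As an added defensive example (not code from the original write-up), here is a small detector that scans web access logs for the two things this chain relies on: the news.php file= parameter being pointed outside its intended directory (including the tomcat-users.xml read), and a PUT to the Tomcat manager deploy endpoint. The log lines, IPs, timestamps and the /manager/text/deploy path are constructed/assumed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); the paths follow the
# write-up, while IPs, timestamps and the manager path are made up for illustration.
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2021:12:00:00 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1234
10.10.14.2 - - [01/Jan/2021:12:00:05 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 2049
10.10.14.2 - - [01/Jan/2021:12:00:09 +0000] "GET /news.php?file=..%2F..%2F..%2F..%2Fusr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 1800
10.10.14.2 - - [01/Jan/2021:12:01:30 +0000] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 50
10.10.14.5 - - [01/Jan/2021:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# File names that should never be reachable through a news-article include.
SENSITIVE = ("/etc/passwd", "/etc/hosts", "tomcat-users.xml")


def classify(line):
    """Return a list of finding strings for one access-log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    findings = []
    url = urlsplit(m["target"])
    params = parse_qs(url.query, keep_blank_values=True)  # already percent-decodes once
    for raw in params.get("file", []):
        value = unquote(raw)  # decode a second time to catch double-encoded traversal
        if ".." in value or value.startswith("/") or any(s in value for s in SENSITIVE):
            findings.append(f"possible LFI: file={value}")
    if m["method"] == "PUT" and url.path.startswith("/manager/"):
        findings.append(f"Tomcat manager deploy: {url.path}")
    return findings


def scan(log_text):
    """Map each suspicious line number (1-based) to its findings."""
    report = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        found = classify(line)
        if found:
            report[n] = found
    return report


if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        print(n, "; ".join(found))
```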
Tabby
The zip turned out to be encrypted, so I used fcrackzip with the rockyou wordlist and got a hit!
Let's try to get access to the user.txt file with these creds:
Privilege Escalation:
Lets
After reviewing the groups Ash is a member of, I came across this article:
The article summarizes the priv esc as follows:
In order to escalate to root privileges on the host machine you have to create an image for lxd, so you need to perform the following actions:
Steps to be performed on the attacker machine:
Download build-alpine in your local machine through the git repository.
Execute the script build-alpine, which will build the latest Alpine image as a compressed file; this step must be executed by the root user.
Transfer the tar file to the host machine
Steps to be performed on the host machine:
Download the alpine image
Import image for lxd
Initialize the image inside a new container.
Mount the container inside the /root directory
After reading the article above I tried the tool, but it would not build. After a couple of Google searches I found this article:
I needed to add -a i686 to my build command: