Tabby
HTB Write Up
Lets start with an NMAP scan
root@liberty:~# nmap -A tabby.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-27 10:04 EDT
Nmap scan report for tabby.htb (10.129.28.106)
Host is up (0.015s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
| 256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_ 256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=10/27%OT=22%CT=1%CU=39779%PV=Y%DS=2%DC=T%G=Y%TM=5F9829
OS:05%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST
OS:11NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelLets enumerate 80 & 8080 with Dirb:
While poking around through the results I also wanted to test the sites for LFI or RFI vulnerabilities. While clicking each link in the site we noticed the news site redirected to megahosting.htb/news.php?file=statement. This file= looking like it could be a LFI. Lets take a look at /etc/hosts and /etc/passwd
With this access we should go after the Tomcat web-server config. After some serious Googling we find that the location of the tomcat creds is usr/share/tomcat9/etc/tomcat-users.xml. When originally loading the page I was convinced the LFI wasn't working. ALWAYS VIEW THE SOURCE.
These creds get us in but I don't see anywhere to upload a WAR. Java web applications are usually packaged as WAR files for deployment. ... These files can be created on the command line or with an IDE like Eclipse. After deploying our WAR file, Tomcat unpacks it and stores all project files in the webapps directory in a new directory named after the project.
We can find the syntax for generating this type of payload under my cheetsheets section:
After creating our WAR reverse_shell we can deploy it with curl
After uploading the shell lets start our listener and navigate to the page
After enumerating the box we find a backup zip. Let's take a took at that locally. To do this I will use nc to down download the zip.
Tabby
Kali
The zip turned out to be encrypted so I used fcrackzip and the rockyou wordlist and got a hit!
Lets try to get access to the user.txt file with these creds:
Privilege Escalation:
Lets
After reviewing the groups Ash is a member of I came across this article:
The article summarizes the priv esc as follows:
In order to take escalate the root privilege of the host machine you have to create an image for lxd thus you need to perform the following the action:
Steps to be performed on the attacker machine:
Download build-alpine in your local machine through the git repository.
Execute the script “build -alpine” that will build the latest Alpine image as a compressed file, this step must be executed by the root user.
Transfer the tar file to the host machine
Steps to be performed on the host machine:
Download the alpine image
Import image for lxd
Initialize the image inside a new container.
Mount the container inside the /root directory
After reading the article above the tool would not build after a couple of Google searches I found this article:
I needed to add the -a i686 to my build command:
Last updated