HackTheBox: Tabby Writeup

Hello cyber geeks! I am back with another writeup. This time I have made a walkthrough of the HackTheBox machine named Tabby (Linux).

So let’s get started:

Reconnaissance:

Let’s start the recon with nmap.

nmap -sC -sV -oN nmap.txt 10.10.10.194

  • -sC: run default nmap scripts
  • -sV: detect service version

As you can see there are three ports open:

  • Port 22: ssh
  • Port 80: Apache
  • Port 8080: Tomcat

Let’s start with port 80. Open the IP in a browser, and there you will see this:

So it looks like a hosting site. If you enumerate the website you will find nothing suspicious. So let’s click on NEWS, and there you will get an error. If you notice, the URL points to megahosting.htb, so you have to add the IP to your hosts file.

After refreshing the tab you will see some text, an apology and so on. If you check the source code you will find nothing. Now if you look at the URL, it says “http://megahosting.htb/news.php?file=statement”.

Are you thinking what I am thinking? Yeah, let’s try LFI. So this is the link for LFI exploits.

So I tried the basic one: http://megahosting.htb/news.php?file=../../../../../../../../etc/passwd. And BOOM!! It was vulnerable.

You can’t get much more from this yet. Let’s look at the other port, i.e. 8080. If you open it in a browser it looks like this.

As you can see, tomcat9 is running. If you look for exploits for tomcat9, none of them will work. Let’s see the directories and files on port 8080.

gobuster dir -u http://10.10.10.194:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x txt,php,html,css 2>/dev/null

If you open docs you will find the Tomcat documentation, and in manager you will get the login page.

Let’s see how we can exploit Tomcat.

With the help of msfvenom we can make a payload for a reverse shell.

To upload the shell we have to find the credentials of the manager. If you try the default Tomcat credentials, they won’t work. Let’s see where the credentials are stored. For that we first need to understand the directory structure of Tomcat.

So passwords are stored in /usr/share/tomcat9/etc/tomcat-users.xml. Now we can access this file using the LFI.

http://megahosting.htb/news.php?file=../../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml

Now check the source code and you will find the creds.
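
An added example (not part of the original writeup): a defender-side check that scans Apache access logs for `file` values on news.php that are not a plain page name, which is how the traversal requests above show up in the logs. The log lines are constructed, and the rule that legitimate values contain only letters, digits, `_` and `-` is an assumption based on the `statement` value seen earlier.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache "combined" access-log lines (not taken from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jul/2020:10:00:01 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1574 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jul/2020:10:00:09 +0000] "GET /news.php?file=../../../../../../../../etc/passwd HTTP/1.1" 200 2134 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jul/2020:10:00:15 +0000] "GET /news.php?file=%252e%252e%252fusr%252fshare%252ftomcat9%252fetc%252ftomcat-users.xml HTTP/1.1" 200 2325 "-" "curl/7.68.0"
10.10.14.9 - - [01/Jul/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 14175 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Jul/2020:10:01:40 +0000] "GET /news.php?file=/etc/hostname HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: legitimate values are plain page names such as "statement".
ALLOWED_VALUE = re.compile(r'[A-Za-z0-9_-]+')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_file_params(log_text, script="/news.php", param="file"):
    """Return (client, timestamp, status, decoded value) for every request to
    `script` whose `param` is not a plain page name (traversal, absolute path)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        client, ts, _method, target, status = m.groups()
        url = urlsplit(target)
        if url.path != script:
            continue
        # parse_qs decodes once; fully_decode handles any further encoding layers
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            value = fully_decode(raw)
            if not ALLOWED_VALUE.fullmatch(value):
                hits.append((client, ts, int(status), value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_file_params(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is the part worth triaging first, since it suggests the file was actually read and returned.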

Now if you try to log in at /manager you will get an error. As we have the credentials we should be able to upload the shell, but logging in with them in the browser gives an error. With the help of curl we can also upload the shell.

So now we have to open a listener and then open the file in the browser. I used a netcat listener, and then opened the file http://10.10.10.194:8080/tabbyhack-shell/

Whooh!!… we got the shell. Now we have to make it interactive using a python tty.

Now we have to enumerate. For this I use linpeas.sh.

Now we have to transfer linpeas from our local machine to the target machine. I used a python http server for transferring files.

You have to start this in the directory where linpeas is located.

Then run “chmod +x linpeas.sh” and “./linpeas.sh”.

We got a user ash, and a backup file.

As we can’t unzip that file on the target machine, we have to transfer the file from the target machine to our local machine.

Now we have the zip file on our own machine, so unzip it.

It asks for a password and we don’t have one. So we have to find the password for the file using john.

GETTING USER ACCESS:-

Then we got the password of the zip:- admin@it

So if you unzip the files which are in /var/www/html

So now we can try this as the ssh password of user ash.

GETTING ROOT ACCESS:-

So here we go with our usual command, i.e. id.

But here lxd looks suspicious!

So if you google that you will get this link.

So I just copied and pasted the commands given there and BOOM!! I am root.

And now on the attacker machine:

I am getting an error like “already running” because I am running these commands for the second time. Now we have to cat root.txt.

To summarize the root part: the host’s root folder is mounted into a container, and we then work inside that container on the machine.

So I hope you enjoyed reading!!