[HTB] Tabby — Writeup

bigb0ss
5 min readFeb 16, 2021

This was an easy difficulty box. It was pretty easy and straight-forward box. Good learning path for:

  • LFI — File Enumeration
  • Tomcat JSP Script Exploit
  • Password Protected .zip File Abuse
  • Linux LXD Container Breakout

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -p- -sC -sV 10.10.10.194PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Interesting Ports to Note

  • HTTP (80/TCP) — Mega Hosting Web page.
  • HTTP (8080/TCP) — Apache Tomcat Default Page.

NOTE: I did perform a quick default login check against the manager login portal /manager/html, but no luck there.

Initial Foothold

LFI (Mega Hosting Website)

By looking at the source code for the web page, we can discover the domain name megahosting.htb. Let’s add that into our /etc/hosts file.

And we can see that http://megahosting.htb/news.php?file= is vulnerable to LFI, and we can read arbitrary files within the system.

Indeed, the news.php was badly written to be vulnerable to LFI. It simply takes the user supplied filename and opens it up.

--

--

bigb0ss

OSWE | OSCE | OSCP | CREST | Lead Offensive Security Engineer — All about Penetration Test, Red Team, Cloud Security, Web Application Security