Tabby — HTB Walkthrough

Dhanishtha Awasthi
4 min readJan 16, 2021

--

Recently retired machine, fits under OSCP like machines list. Quite similar to another HTB machine Jerry. Better exploitation in privilege escalation part.

ENUMERATION

Nmap scan with default scripts for version scan leads us to following open ports.

Port 80 HTTP Enumeration

Got nothing much in nikto, gobuster and other few scans. Visiting to page at port 80 we see interesting lines at bottom

This takes us to page: http://megahosting.htb/news.php?file=statement ; ///Add megahosting.htb to hosts file on your system, else you won’t be able to access it.

So we may try here something like Path traversal. We will use common file like /etc/passwd.

we can successfully see the content of the file

Great!!!!! Users on system found : — — users : ash

Port 8080 Tomcat Enumeration

Visiting the page at port 8080 takes us to

So we can see here 3 links

  1. Tomcat docs
  2. Examples to see source code and run them
  3. Admin pages
  4. Manager -GUI = manager webapp
  5. Admin-GUI = host-manager webapp

Info disclosed

Default tomcat home page : /var/lib/tomcat9/webapps/ROOT/index.html

  • CATALINA_HOME in /usr/share/tomcat9
  • CATALINA_BASE in /var/lib/tomcat9
  • Rules in /usr/share/doc/tomcat9-common/RUNNING.txt.gz.
  • Users in /etc/tomcat9/tomcat-users.xml
  1. Visiting manager webapp: It asks for authentication and when it fails, it shows us following error page

Here it states that , username and password is found in page

Conf/tomcat-users.xml

  1. Similarly in host webapps, you get the same authentication error
  2. Checking in Tomcat docs
  1. Based on this our file path should be

/var/lib/tomcat9/conf/tomcat-users.xml

After a lots of enumeration and finally a hint, I came to conclusion package is installed in /etc/tomcat-users.xml

Thus path will be

/usr/share/tomcat9/etc/tomcat-users.xml

  1. On burp capturing the request on repeater and sending it shows as follows
  1. Username : Tomcat

Password : $3cureP4s5w0rd123!

Now this could take us to admin webpages. Fortunately it opens host-manager web app page

  1. Now we need to upload something, might be a war file. For this , usually a manager has permission for direct upload. But since we are not manager, we need to deploy it manually. Let’s check the way to do so

Uploading war file

  1. Create msfvenom payload in war file
  1. Now we will send a crafted request to server

Using metasploit

It will give error two or three times, but will give shell

takes some time to create the process

User Enumeration Completed. We have user tomcat, and need ash.

For enumeration I ran linPEAS.sh; found a file /var/www/html/files/16162020_backup.zip. Tried to access it by ash, but it is password protected.

So we will crack it using John The Ripper. to do this just transfer file to your local machine using netcat

Then, using john > zip2john

After we get ash.hashes , we will crack it using rockyou and john

Username : ash, Password : admin@it

getting user flag

Privilege Escalation

Ash is member of group

  1. Adm
  2. Cdrom
  3. Dip
  4. Lxd
  5. Plugdev

So we can exploit lxd for privilege escalation

LXD doesn’t attempt to match privileges of calling user and hence has write access to LXD unix socket.
  1. On your machine :
  1. On target machine Ash Home directory. I recommend resetting the machine before doing this because some else might have done the same steps and a fingerprint of alpine- package may already exist.

Keep all default settings as shown

Eureka !! We got root.

--

--