HTB - Tabby
IP - 10.10.10.194
Overview
This box was an easy level Linux box on HTB created by egre55. It started with finding an LFI on the website running on port 80 and using it to find the credentials of the Tomcat manager portal, but the manager portal is not accessible to us, so we cannot upload our WAR exploit using it; instead we use curl to upload and deploy our WAR exploit and get a reverse shell through it. User is simple: basic enumeration will lead you to a zip file, and then we crack the password of that zip file, which is also the password of user ash. Root was pretty slick, based on lxd: we found user ash is in group lxd and then simply followed an lxd privesc blog to get root on the box.
Enumeration
As always let’s start off with nmap script nmap -sC for default scripts. Alright, if it isn’t obvious yet I am an IPPSEC fanboi. Aight, firing up nmap to scan all open ports on the box.
And here is our nmap result
So we have an Apache web server on port 80, let’s explore that first.
Enumerating the Apache Web Server
The website looks like some hosting platform.
After a bit of enumeration, we find a news.php page which has an LFI.
I tried to find Apache logs or any other logs that might help me get RCE but got nothing useful at all. So I started enumerating the other Tomcat server.
Enumerating the Tomcat Web Server
I tried using gobuster to find hidden directories but got nothing at all D:
Foothold
After reading forums I got the nudge that we can look for the file that stores the default creds of the tomcat user, using the LFI vuln we have on the main website running on port 80.
And we got tomcat credentials tomcat:$3cureP4s5w0rd123!
Ah, even though our creds are right we don’t have access to the manager console. I looked around for ways to upload our WAR exploit and found that we can use curl to upload and deploy it. Thanks to pop_eax for the nudge on the command, as those bad characters were messing it up for me.
Alright, first things first, let’s create a reverse shell exploit using msfvenom.
Cool, now let’s upload our WAR exploit using the curl command.
Yeet, it got successfully deployed. Starting the netcat listener using rlwrap nc -lvnp 9889 and navigating to http://10.10.10.194:8080/pwned to get our reverse shell.
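From the defender’s side, the two events in this foothold (the LFI reads against news.php on port 80 and the WAR deployment through the Tomcat manager text interface) both leave a clear trace in web server access logs. The following is an added example, not code from the writeup or from the box’s author: a small Python detector that parses access log lines in the Apache/Tomcat common log format (an assumption about the log format; the sample lines below are constructed, not captured from the box) and flags path-traversal attempts, reads of sensitive files, and manager deploy requests.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in common/combined log format (not real captures).
# Lines 2-3 mimic LFI probes against news.php; line 4 mimics a WAR deploy via curl.
SAMPLE_LOG = [
    '10.10.14.5 - - [22/Jun/2020:10:01:12 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1032 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [22/Jun/2020:10:02:40 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 2591 "-" "curl/7.68.0"',
    '10.10.14.5 - - [22/Jun/2020:10:03:05 +0000] "GET /news.php?file=..%2F..%2Fconf%2Ftomcat-users.xml HTTP/1.1" 200 2157 "-" "curl/7.68.0"',
    '10.10.14.5 - tomcat [22/Jun/2020:10:05:51 +0000] "PUT /manager/text/deploy?path=/pwned HTTP/1.1" 200 54 "-" "curl/7.68.0"',
    '10.10.14.5 - - [22/Jun/2020:10:06:02 +0000] "GET /pwned/ HTTP/1.1" 200 - "-" "Mozilla/5.0"',
]

# Common log format: client, ident, authuser, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# File names whose appearance in a request target is worth an alert.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "tomcat-users.xml", "web.xml")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target):
    """URL-decode up to twice (to defeat double encoding), normalise separators, lowercase."""
    prev = target
    for _ in range(2):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev.replace("\\", "/").lower()


def classify(entry):
    """Return the list of detection labels that apply to one parsed entry."""
    findings = []
    target = decode_target(entry["target"])
    if "../" in target:
        findings.append("path-traversal")
    if any(name in target for name in SENSITIVE_FILES):
        findings.append("sensitive-file-read")
    if target.startswith("/manager/"):
        findings.append("tomcat-manager-access")
        # The text interface deploys a WAR with an HTTP PUT to /manager/text/deploy.
        if entry["method"] == "PUT" and "/manager/text/deploy" in target:
            findings.append("tomcat-war-deploy")
    return findings


def scan(lines):
    """Return (ip, method, target, findings) for every line that triggers a detection."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: skip rather than crash the scan
        findings = classify(entry)
        if findings:
            hits.append((entry["ip"], entry["method"], entry["target"], findings))
    return hits


if __name__ == "__main__":
    for ip, method, target, findings in scan(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {', '.join(findings)}")
```

A single authenticated PUT to /manager/text/deploy from an address that has just been probing with ../ sequences is exactly the chain this box exhibits, so correlating the two labels per source address is the obvious next step for an alert rule; the decoder handles percent-encoded and double-encoded traversal, which a plain string match on ../ would miss.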
Getting User
After some basic enumeration we got a zip file which was password protected, so I pulled it over to my machine and cracked it using john: zip2john *.zip > hash and john hash -wordlist=/usr/share/wordlist/rockyou.txt.
Got the password for the zip file, admin@it, and it was also the password of user ash.
Rooting the Box
lxd seems like something interesting. I googled about it and found a blog post that covers how you can do a privesc if the user is in the lxd group, and I simply followed the blog to get root. I am not covering the root part as it’s simple and a blog covering it is already present.