HackTheBox Tabby Write Up

In this post I will show you how I solved tabby, a Linux machine labelled as easy on HackTheBox platform...

Reconnaissance

I started with a quick top 1000 port scan using FinalRecon...

I got these 3 ports open, after this I switched to nmap to scan for complete port range...

$ nmap -p- -T3 -sT 10.10.10.194

Host is up (0.086s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 46.87 seconds.

at this point i have 3 open ports, after this I enumerated the services and versions on these specific ports...

$ nmap -p 22,80,8080 -sV 10.10.10.194
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-08 19:40 IST

Host is up (0.088s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
8080/tcp open  http    Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 7.79 seconds

After this I started analyzing the website running on port 80 and it has a message for visitors stating that they recovered from a breach, lets take a look at the URL

http://megahosting.htb/news.php?file=statement

it says megahosting.htb instead of the IP address so I created a new entry for it in /etc/hosts file on my machine and after that I was able to access the page...

it looks like it is "reading" a file "statement" and displaying its contents so I tried Directory Traversal attack here...

at this point my goal was to extract some credentials, now I checked port 8080, it has tomcat running and if you know about apache tomcat you know there is a manager dashboard, if I can get tomcat manager credentials from directory traversal I can upload a reverse shell, now the apache page shows a path where user entries are stored so using that I formed this URL...

http://megahosting.htb/news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml

I had to curl this xml file to get the contents and I got the credentials!

<role rolename="manager-script"/>
<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>

Intrusion

Apache tomcat page specifies two applications : "manager webapp" and "host-manager webapp" , I tried to login into manager as we have the creds for it but I got this...

Access Denied!!!! but it has provided an example for adding username and password entry into the xml file and when I compared it with what I got in the curl request it says "manager-script" instead of "manager-gui", I read about this role and found that tomcat provides a text api for manager role and it is enabled, after some more research I created a reverse shell upload script which uses text API to upload a malicious WAR file, this script can also be used outside HTB if you have working credentials and access to text API, you can download the script here : WARSend . Below you can see the script in action!

and I successfully got a reverse shell here!

Let The Enumeration Begin

After some enumeration I found a zip file...

$ pwd
/var/www/html/files

$ ls
16162020_backup.zip
archive
revoked_certs
statement

I downloaded this zip file and tried to extract it but it was password protected! I used fcrackzip to bruteforce it...

$ fcrackzip -vuD -p /usr/share/wordlists/cleanrock.txt 16162020_backup.zip
'var/www/html/assets/' is not encrypted, skipping
found file 'var/www/html/favicon.ico', (size cp/uc    338/   766, flags 9, chk 7db5)
'var/www/html/files/' is not encrypted, skipping
found file 'var/www/html/index.php', (size cp/uc   3255/ 14793, flags 9, chk 5935)
found file 'var/www/html/logo.png', (size cp/uc   2906/  2894, flags 9, chk 5d46)
found file 'var/www/html/news.php', (size cp/uc    114/   123, flags 9, chk 5a7a)
found file 'var/www/html/Readme.txt', (size cp/uc    805/  1574, flags 9, chk 6a8b)
checking pw arizon09

PASSWORD FOUND!!!!: pw == admin@it

So I got another password here so I tried this password for the user ash and it worked and I got the user here at this point! After this I added my ssh public key to authorized_keys file for a fully interactive shell...

Privilege Escalation

I checked the id and saw that user ash is part of "lxd" group...

ash@tabby:~$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead. I started looking for privilege escalation techniques using LXD and found a bash script on Exploit DB : Ubuntu 18.04 - 'lxd' Privilege Escalation . As per the instructions I downloaded the build-alpine script in my machine and used to fetch an alpine tar.gz file...

next I uploaded this tar.gz file along with the pivesc script...

after this I executed the privesc script and got a root shell and finally got Root!

Solved!