HTB - Tabby
IP - 10.10.10.194
This box was an easy-level Linux box on HTB created by egre55. It started with finding an LFI on the website running on port 80 and using it to find the credentials of the Tomcat manager portal, but the manager portal is not accessible to us, so we cannot upload our WAR exploit through it; instead we use curl to upload and deploy our WAR exploit and get a reverse shell through it. User is simple: basic enumeration will lead you to a zip file, and then we crack the password of that zip file, which is also the password of user ash. Root was pretty slick, based on lxd: we found user ash is in group lxd and then simply followed an lxd privesc blog to get root on the box.
As always, let's start off with nmap, using nmap -sC for default scripts.
Alright, if it isn't obvious yet I am an IPPSEC fanboi. Aight, firing up nmap to scan all open ports on the box.
And here is our nmap result:
So we have Apache web server on port 80, lets explore that first.
Enumerating the Apache Web Server
The website looks like some hosting platform.
After a bit of enumeration, we find the news.php page, which has an LFI.
I tried to find Apache logs or any other logs that might help me get RCE but got nothing useful at all. So I started enumerating the other web server.
Enumerating the Tomcat Web Server
I tried using gobuster to find hidden directories but got nothing at all D:
After reading forums I got the nudge that we can look for the file that stores the default creds of the tomcat user, using the LFI vuln we have on the main website running on port 80.
And we got tomcat credentials:
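From the defender's side, the LFI on news.php leaves a clear trail in the Apache access log: a file parameter carrying traversal sequences or absolute paths, often percent-encoded once or twice to slip past naive filters. The following detector is an added example, not code from the original writeup; the log lines it scans are constructed for illustration and are not captures from the box, and the parameter name file is assumed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined-log format. The requests are
# made up for this example and are not captures from the box.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2020:12:00:01 +0000] "GET /news.php?file=statement HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jul/2020:12:00:07 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 1844 "-" "curl/7.68.0"
10.0.0.9 - - [10/Jul/2020:12:00:09 +0000] "GET /news.php?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1844 "-" "curl/7.68.0"
10.0.0.9 - - [10/Jul/2020:12:00:15 +0000] "GET /news.php?file=/etc/hostname HTTP/1.1" 200 8 "-" "curl/7.68.0"
10.0.0.5 - - [10/Jul/2020:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise(value, rounds=3):
    """Percent-decode until the value stops changing (bounded to avoid loops)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def lfi_indicators(raw_value):
    """Return the reasons a query-string value looks like a file-inclusion attempt."""
    reasons = []
    value = normalise(raw_value)
    if re.search(r'\.\.[\\/]', value):
        reasons.append("directory traversal")
    if re.match(r'^(/|[A-Za-z]:[\\/])', value):
        reasons.append("absolute path")
    once = unquote(raw_value)
    if once != raw_value and unquote(once) != once:
        reasons.append("double encoding")
    return reasons


def find_lfi_attempts(log_text):
    """Scan access-log text and report every parameter value with LFI indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Split the query string by hand so the raw (still encoded) value is kept;
        # parse_qsl would decode one round and hide double encoding.
        query = urlsplit(m.group("target")).query
        for pair in query.split("&"):
            if not pair:
                continue
            name, _, raw = pair.partition("=")
            reasons = lfi_indicators(raw)
            if reasons:
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "param": name, "value": normalise(raw),
                             "status": m.group("status"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["param"]}={hit["value"]} -> {", ".join(hit["reasons"])}')
```

A 200 status on a flagged request is the signal worth paging on: the include succeeded. Pair the detector with the fix on the application side, which is to resolve the requested name against an allow-list of page names rather than building a filesystem path from user input.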
Ah, even though our creds are right we don't have access to the manager console. I looked around for ways to upload our WAR exploit and found that we can use curl to upload and deploy it. Thanks to pop_eax for the nudge on the command, as those bad characters were messing it up for me.
Alright, first things first, let's create a reverse shell exploit using
Cool, now let's upload our WAR exploit using curl.
Yeet, it got successfully deployed. Starting the netcat listener using rlwrap nc -lvnp 9889 and navigating to http://10.10.10.194:8080/pwned to get our reverse shell.
After some basic enumeration we got a zip file which was password protected, so I pulled it over to my machine and cracked it using john: zip2john *.zip > hash and john hash --wordlist=/usr/share/wordlist/rockyou.txt.
Got the password for the zip file, admin@it, and it was also the password of user ash.
Rooting the Box
lxd seems like something interesting. I googled it and found a blog post that covers how you can do a privesc if the user is in the lxd group; I simply followed the blog to get root. I am not covering the root part as it's simple and a blog covering it is already present.