HackTheBox: Tabby (Linux)
This was an amazing box with lots to learn.
So let's start with an nmap scan of this machine.

The scan shows a website, but we are not able to access news.php on it. So let's add megahosting.htb to /etc/hosts. After this, news.php loads when we request it.

Now the interesting part is the URL: it has a file parameter. We can check whether it is vulnerable to LFI (local file inclusion).

It certainly is vulnerable to LFI, so we need to work out which file might hold something important for us. Researching Tomcat, we learn that it stores user information in /usr/share/tomcat9/etc/tomcat-users.xml
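As an added example (not part of the original write-up), here is how a defender could spot this kind of file-parameter abuse in web server access logs, including double-encoded attempts. The base directory, the sample log lines and the function names are assumptions made for the illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

BASE_DIR = "/var/www/html/files"  # assumed directory news.php is meant to read from
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed access-log lines, not taken from the box
    '192.0.2.10 - - [01/Jan/2021:10:00:00 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1024',
    '192.0.2.10 - - [01/Jan/2021:10:00:05 +0000] "GET /news.php?file='
    '../../../../usr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 2325',
    '192.0.2.10 - - [01/Jan/2021:10:00:09 +0000] "GET /news.php?file='
    '%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fusr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 2325',
    '192.0.2.10 - - [01/Jan/2021:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(value, base=BASE_DIR):
    """True if value, joined to base and normalised lexically, leaves base."""
    value = fully_decode(value).replace("\\", "/")
    if "\x00" in value:
        return True  # NUL bytes have no place in a file name
    resolved = posixpath.normpath(posixpath.join(base, value))
    return not (resolved == base or resolved.startswith(base + "/"))

def suspicious_requests(log_lines, param="file"):
    """Return (line_number, value) for requests whose param points outside BASE_DIR."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if escapes_base(value):
                hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: file parameter leaves {BASE_DIR}: {value}")
```

The containment test in escapes_base is purely lexical; the same resolve-then-compare check, done with the real path on disk before opening the file, is the usual fix on the application side.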

So now we have a username and password, and the roles of this user are admin-gui and manager-script. admin-gui is accessible to us, but it has nothing to take us forward. So we need to work on manager-script, which isn't directly accessible, so we run directory busting against this directory.

We find manager/text, and after reading up on it we learn that we can upload a WAR file and then access it to get a shell. So we generate the WAR file using msfvenom.

After generating the file we deploy it to the target.

Now when we use curl we get the shell on our netcat listener.

Here we find a backup file, which we can download to our system using netcat.

After downloading the file we find that it is password-protected, so we need to find the password, which we crack using john.

After getting the password we can use it to switch the user to ash and get our first flag.

After this we see that lxd is present here, which is interesting: we can use it for privilege escalation. The concept is that it creates a container inside which we have access to the root user's files and folders.
We will first build the Linux image on our own system, which we will then use to build the container.

After this we transfer the image to the target system.

After transferring we import the image into lxc.

After importing the image we will use lxd init and we will accept all the defaults.

Now we will create a new container.

We will also mount the host file system into the container. Then we will start the container and execute a shell in it.

The shell is inside the container. So we need to find the host file system to get the root flag.

Happy Hacking!!!!