HackTheBox:Tabby(Linux)

 This was an amazing box with lots to learn.

So lets start this with nmap scan with this machine.

nmap scan

Now with this we have a website in which we are not able to access news.php. So lets add megahosting.htb to /etc/hosts . After this when we try to access news.php we are able to do it.

website

Now the interesting part is the url ,it has file parameter. We can check if this has LFI vulnerability.

lfi check

This certainly has lfi so we need to see what kind of file might have something important for us. Upon researching about tomcat we get to know that tomcat stores users information in /usr/share/tomcat9/etc/tomcat-users.xml

tomcat-users.xml

So now we have a username and password and the roles of this user are admin-gui and manager-script. admin-gui is accessible to us but it has nothing to take us forward. So we need to work on manager-script which isn’t accessible directly ,we do directory busting of this directory.

directory busting

We get manager/text and we search about this we get to know we can upload a war file and then access it to get the shell.So we generate the war file using msfvenom.

war file generate

After generating the file we deploy it to the target.

deploying war file

Now when we use curl we get the shell on our netcat listener.

initial shell

Here we find that there is a backup file which we can download on our system using netcat.

netcat listener

After downloading the file we find out it is locked so we need to find the password which we are going to crack using john .

cracking password using john

After getting the password we can use it to switch the user to ash and get our first flag.

user flag

After this we see that there is lxd present over here which is interesting. We can use it for privilege escalation. This is a pretty interesting concept. It creates a container inside which we have access to root user’s files and folders.

We will first build the linux image on our system which will help us in building container.

alpine linux image

After this we transfer the image to the target system.

transfer image

After transferring we import the image into lxc.

import image to lxc

After importing the image we will use lxd init and we will accept all the defaults.

lxd init

Now we will create a new container.

new container

We will also mount the host file system into the container.And then we will start the container and execute it.

mounting the container and executing it

The shell is inside the container. So we need to find the host file system to get the root flag.

root flag

Happy Hacking!!!!

Comments

Post a Comment

Popular posts from this blog

HackTheBox:Blunder(Linux)

Image
  Lets hit this off with nmap scan. nmap scan We see that port 80 is open and certainly that’s where we will start but the site doesn’t have much for us. port 80 So we need to explore this a bit and do the directory busting for this target. directory busting We found the admin page , now again we hit a dead end since we don’t have credentials. login page So we do directory busting again. directory busting The other directories are not so interesting but this todo.txt is promising. todo.txt First thing, its written that they need to update the CMS which means that this version is definitely vulnerable and the other thing is that this fergus user needs to do something about uploading images. So we have a username but no password. For password we can brute force our way in but for that we can’t have a random list so we can use  cewl  tool to generate the wordlist. custom wordlist using cewl Now since we know its Bludit ,we should find some  exploit  which can help ...
Read more

Legacy:Hack The Box(Windows)

Image
  The nmap scan for this target shows the open ports and if we perform an aggressive scan we get to know that the target is vulnerable to MS17–010 and MS08–067. nmap scans We have a github  exploit  available for MS08–067. In this exploit we just need to change the payload . So we need to first generate the payload using msfvenom. payload generation We just need to copy and paste the payload in the POC. updating the POC Now we need to open the netcat listener on our machine and run the exploit. netcat connection We got a connection on our machine. And we can easily get the user flag and root flag. Flags Happy Hacking!!!!
Read more