Official Tabby Discussion

@Somnus said:

The biggest push/hint I could give you is:

On your local Kali box

sudo apt-get install …

find / -iname …

???

Profit :slight_smile:

I’ve tried that and pulled a few other things from files that i know will be there/accessible. They point to dirs and files that i’ve already tried with no love. I feel like i’m missing something obvious, but tried both the normal paths and stuff indicated within the system. Local install shows a clear path, but no love on the target. Just can’t get what I’m missing, been looking at it for 3 days.

@sloth1985 said:
Well, like a lot of other people on here I’m having trouble finding a certain file for the initial foothold. I’ve tried installing t****t locally as a few people have suggested and the file I am looking for is where it should be (two places in fact) but using the same path(s) on Tabby gives me nothing.

I’m a little bit stuck now.

yep, same thing man, tried fuzzing too, no love, but may be slightly off on syntax. Finding the initial vuln and knowing what i need to look for only took 30mins, but after that…nothing. Looked in several system files that indicate where stuff usually ‘lands’ but no love when trying them.

@initinfosec said:

@sloth1985 said:
Well, like a lot of other people on here I’m having trouble finding a certain file for the initial foothold. I’ve tried installing t****t locally as a few people have suggested and the file I am looking for is where it should be (two places in fact) but using the same path(s) on Tabby gives me nothing.

I’m a little bit stuck now.

yep, same thing man, tried fuzzing too, no love, but may be slightly off on syntax. Finding the initial vuln and knowing what i need to look for only took 30mins, but after that…nothing. Looked in several system files that indicate where stuff usually ‘lands’ but no love when trying them.

I think the people that say it is right in front of you are a little off the mark. Yes it is on the path of one of the locations you should find fairly easily, but if you guess it you made one ■■■■ of a leap. There is a much much easier way to find the exact path with zero guessing. Think of different ways you might search for something installed on your workstation. Now think of what files it uses and access those

@0ryuk0 said:

@StamGR said:

Stuck on finding tc-u****.l . I have tried possible paths as suggested, tried path after running it locally and even read tc**.s****** file with L** however, even that path failed.

Any nudges would be greatly appreciated.

don’t use guides to install it, just install it
and when you try in htb pay attention to the response (a tool allows you to easily see it if you can’t see it)

i’m blocked on the next step… failing to start something after correctly sending it… maybe i need to understand something about VH before using it?

gotcha - installing confirmed why i might not be able to see what i’m looking for, but not really sure how to get around it. Will keep digging.

Spoiler Removed

@termtype said:

Got low-priv shell user - all I can say is think about what you can do with the discovered creds and pay close attention to the roles specifically. You can basically achieve the same thing with manager-script (via Curl) as you could with manager-gui to upload your rev shell; Google is your friend. Hope this helps a bit.
I’ll repost once I get the big fish - root! :slight_smile: eZ shout Outz to zer0bubble, Rocketeer, Sloth1985, and 6h4ack for being awesome h4x0r’s and the help to get to where I am.

mind if we DM? - could use a quick nudge, been stuck for a few days (see posts just above yours.) Have an idea where i think it should be but I’m either slightly off or don’t have perms for that certain file. Trying to think how to get around that or what i’m missing.

@initinfosec said:
@termtype said:

Got low-priv shell user - all I can say is think about what you can do with the discovered creds and pay close attention to the roles specifically. You can basically achieve the same thing with manager-script (via Curl) as you could with manager-gui to upload your rev shell; Google is your friend. Hope this helps a bit.
I’ll repost once I get the big fish - root! :slight_smile: eZ shout Outz to zer0bubble, Rocketeer, Sloth1985, and 6h4ack for being awesome h4x0r’s and the help to get to where I am.

mind if we DM? - could use a quick nudge, been stuck for a few days (see posts just above yours.) Have an idea where i think it should be but I’m either slightly off or don’t have perms for that certain file. Trying to think how to get around that or what i’m missing.

NVM i think I finally made some progress - attention to details and other variants help! :slight_smile:

ETA - i may have spoken too soon lol

Finally rooted. What a box!

I really loved the privesc: I never used such technique, and I’m glad I learned its existence.

Clearly, the foothold was the hardest part, by far! Don’t give up!

Awesome machine!
Thanks to @egre55 for uploading it, it was easy but I still learned a lot

My Hints:

Initial Foothold

  • Try to replicate their environment
  • You are more powerful than you think

User

  • So you were there all this time

Root

  • Is like the whale but is not the whale

If this is spoiler, please remove it

Could someone nudge for user stage? i have full tty shell for to…, but not sure how to esc to a… user

Finally rooted the box. Thank you @AidynSkullz for little nudges and @egre55, the box was great at initial foothold, took days.

I’m struggling with my upload, i swear i have my syntax just like the docs are requesting. Is anyone willing to pm me with some light assistance?

Hi, it was a pretty fun privesc. Thanks to the creator for this.
Feel free to msg me for hints.

@initinfosec said:

@initinfosec said:
@termtype said:

Got low-priv shell user - all I can say is think about what you can do with the discovered creds and pay close attention to the roles specifically. You can basically achieve the same thing with manager-script (via Curl) as you could with manager-gui to upload your rev shell; Google is your friend. Hope this helps a bit.
I’ll repost once I get the big fish - root! :slight_smile: eZ shout Outz to zer0bubble, Rocketeer, Sloth1985, and 6h4ack for being awesome h4x0r’s and the help to get to where I am.

mind if we DM? - could use a quick nudge, been stuck for a few days (see posts just above yours.) Have an idea where i think it should be but I’m either slightly off or don’t have perms for that certain file. Trying to think how to get around that or what i’m missing.

NVM i think I finally made some progress - attention to details and other variants help! :slight_smile:

ETA - i may have spoken too soon lol

Got it - i see why I missed it earlier - man I feel dumb.

For people that are struggling to find something to get the foothold - if you know what you’re looking for, read the documentation, play with it locally, and look at other items on the system or in scans that might shed light on what you might need. Once you find some possibilities, try them in a few different tools. Turns out I had a valid thing earlier on, but the method I was using made me dismiss it - trying another method with the same info revealed what i needed to know.

Trying to keep it vague, but HIH.

@initinfosec said:

mind if we DM? - could use a quick nudge, been stuck for a few days (see posts just above yours.) Have an idea where i think it should be but I’m either slightly off or don’t have perms for that certain file. Trying to think how to get around that or what i’m missing.

NVM i think I finally made some progress - attention to details and other variants help! :slight_smile:

ETA - i may have spoken too soon lol

Would you be so kind as to pm me? I’m stuck on the same part as your comment and have run out of ideas. I’ve been following the documentation, a few articles, and a tool i found but nothing allows my deploy.

GotRoot!
Wow was that an interesting box. I worked the majority of the time on the initial foothold. I definitely learned a lot from this machine. It got a lot easier once you were on the box, don’t overthink things like I did.

Foothold

  • DON’T guess, use the advantage of open source. Also make sure to read the docs!

User

  • This frustrated me for a little, I was overthinking it way too much. Once you have something see where you can use it

Root

  • Google what’s right in front of you

Like always if you need a nudge just ask

@CyberG33k said:

@initinfosec said:

@sloth1985 said:
Well, like a lot of other people on here I’m having trouble finding a certain file for the initial foothold. I’ve tried installing t****t locally as a few people have suggested and the file I am looking for is where it should be (two places in fact) but using the same path(s) on Tabby gives me nothing.

I’m a little bit stuck now.

yep, same thing man, tried fuzzing too, no love, but may be slightly off on syntax. Finding the initial vuln and knowing what i need to look for only took 30mins, but after that…nothing. Looked in several system files that indicate where stuff usually ‘lands’ but no love when trying them.

I think the people that say it is right in front of you are a little off the mark. Yes it is on the path of one of the locations you should find fairly easily, but if you guess it you made one ■■■■ of a leap. There is a much much easier way to find the exact path with zero guessing. Think of different ways you might search for something installed on your workstation. Now think of what files it uses and access those

yeah i got it eventually, cheers mate. Just wasn’t thinking as deeply as i needed to about why something may or may not show :slight_smile:

root@tabby:~# whoami && id && hostname
root
uid=0(root) gid=0(root) groups=0(root)
tabby
root@tabby:~#

w00t, got root! Big shout outz to - zer0bubble, Gotroot and sloth1985!!! RESPEKT.

I am having issues with my user/root flags. They are saying incorrect for whatever reasons. Is anyone else experiencing similar issues? I think HTB has a flaw in their dynamic flag implementation or something.

In the sea of “root was 5 minutes” comments about this box, I’d like to say that I had never seen this particular tech, and I was glad to get to research it and learn a little something today. Thanks, @egre55!