Official Tabby Discussion

GotRoot!
Wow was that an interesting box. I worked the majority of the time on the initial foothold. I definitely learned a lot from this machine. It got a lot easier once you were on the box, don’t overthink things like I did.

Foothold

  • DONT guess, use the advantage of open source. Also make sure to read the docs!

User

  • This frustrated me for a little, I was overthinking it way too much. Once you have something see where you can use it

Root

  • Google what’s right in front of you

Like always if you need a nudge just ask

Type your comment> @CyberG33k said:

Type your comment> @initinfosec said:

@sloth1985 said:
Well, like a lot of other people on here I’m having trouble finding a certain file for the initial foothold. I’ve tried installing t****t locally as a few people have suggested and the file I am looking for is where it should be (two places in fact) but using the same path(s) on Tabby gives me nothing.

I’m a little bit stuck now.

yep, same thing man, tried fuzzing too, no love, but may be slightly off on syntax. Finding the initial vuln and knowing what i need to look for only took 30mins, but after that…nothing. Looked in several system files that indicate where stuff usually ‘lands’ but no love when trying them.

I think the people that say it is right in front of you are a little off the mark. Yes it is on the path of one of the locations you should find fairly easily, but if you guess it you made one ■■■■ of a leap. There is a much much easier way to find the exact path with zero guessing. Think of different ways you might search for something installed on your workstation. Now think of what files it uses and access those

yeah i got it eventually, cheers mate. Just wasn’t thinking as deeply as i needed to about why something may or may not show :slight_smile:

root@tabby:~# whoami && id && hostname
root
uid=0(root) gid=0(root) groups=0(root)
tabby
root@tabby:~#

w00t, got root! Big shout outz to - zer0bubble, Gotroot and sloth1985!!! RESPEKT.

I am having issues with my user/root flags. They are saying incorrect for whatever reasons. Is anyone else experiencing similar issues? I think HTB has a flaw in their dynamic flag implementation or something.

In the sea of “root was 5 minutes” comments about this box, I’d like to say that I had never seen this particular tech, and I was glad to get to research it and learn a little something today. Thanks, @egre55!

Thanks everyone who nudged for user privesc stage and other subtle nudges on here already, i had some ovpn issues that didn’t help lol, challenging box for me compared to tryhackme

rooted!
the root is a really cool thing i’ve not seen on any other sites, but was easy enough to follow the trail, thanks!

Type your comment> @initinfosec said:

Type your comment> @initinfosec said:

@initinfosec said:
Type your comment> @termtype said:

Got low-priv shell user - all I can say is think about what you can do with the discovered creds and pay close attention to the roles specifically. You can basically achieve the same thing with manager-script (via Curl) as you could with manager-gui to upload your rev shell; Google is your friend. Hope this helps a bit.
I’ll repost once I get the big fish - root! :slight_smile: eZ shout Outz to zer0bubble, Rocketeer, Sloth1985, and 6h4ack for being awesome h4x0r’s and the help to get to where I am.

mind if we DM? - could use a quick nudge, been stuck for a few days (see posts just above yours.) Have an idea where i think it should be but I’m either slightly off or don’t have perms for that certain file. Trying to think how to get around that or what i’m missing.

NVM i think I finally made some progress - attention to details and other variants help! :slight_smile:

ETA - i may have spoke too soon lol

Got it - i see why I missed it earlier - man I’m feel dumb.

For people that are struggling to find something to get the foothold - if you know what you’re looking for, read the documentation, play with it locally, and look at other items on the system or in scans that might shed light on what you might need. Once you find some possibilities, try them in a few different tools. Turns out I had a valid thing earlier on, but the method I was using made me dismiss it - trying another method with the same info revealed what i needed to know.

Trying to keep it vague, but HIH.

Thank you !

I’m stuck after getting the shell, any hints for the first user
tried to enumerate almost everything

Type your comment> @n0Idea said:

I’m stuck after getting the shell, any hints for the first user
tried to enumerate almost everything

If you’ve found an initial vuln you can leverage that to look for clues that might lead the way. Just be careful before you write certain things off, and read the manual/documentation if needed :slight_smile:

If you’ve found an initial vuln you can leverage that to look for clues that might lead the way. Just be careful before you write certain things off, and read the manual/documentation if needed :slight_smile:

i already got a shell, now i need to find the a*h user password

I’m stuck at trying to get a sniff at the initial foothold. Any nudges in the right direction would be much appreciated!

Update:
Rooted! Big thanks to all who helped me along the way. Y’all are awesome! ?

I need help, I dont know if is the way to get it but I have been trying for 5h with the L**. Am i In the right direction, and if so what am I supposed to do. Plzz PM me!

Rooted

root@tabby:~# whoami && id && hostname
root
uid=0(root) gid=0(root) groups=0(root)
tabby
root@tabby:~#

Pm me for Nudges

last 2days ago(before machine was maintenance), i got user with meta…it but now cant use to get user again.
is there any issues? or is the process change to get root?

got user and root, however HTB won’t accept my user flag, any suggestions?
Edit: problem solved, great box, very neat way to get root :slight_smile:

trying to locate the infamous xml file. I’ve installed it locally, referred to various file listings for package installs, tried to use the L** vulnerability to get at the l*****.db file index. I’ve tried every combination of the paths listed on the landing page, and the ones listed in the service declaration file.

Nothing.

Any hints would be super helpful. I’m at a complete loss.

EDIT: Thanks for the nudges. Especially @kcaaj .
Many of you have probably put in the right path to that file. But think about the “source.”

Rooted, nothing on the box was guess work. Everything can be found by looking either at a copy of the service or google. I overlooked a really obvious thing when getting user and spent ages looking for what i already had.

have the creds, need help with w*r upload…

Rooted! Looking back, it was an easy machine, but don’t make my mistakes or you’ll spend a lot of time becoming crazy.

For foothold, the best way is to recreate the box conditions locally. Use a common package manager instead of downloading files from the website. To own the user, don’t forget to check anything you find. I didn’t (I thought that it was a rabbit hole) and spent much more time than needed. Remember this is a box marked easy, so don’t overcomplicate. Checking owners will also be helpful not to miss the right file. Then getting the root flag will be easy if you google right yourself.

If you need help, feel free to PM me.

Oh, and last but not least: STOP RESETTING THIS MACHINE. IT WORKS PERFECTLY. AND ALSO STOP OVERWRITING FILES: THERE IS AN AWESOME INVENTION CALLED “APPENDING STRINGS”. USE IT.

Hi,

it’s possible to get some hints for privilege escalation from UID:997 to UID: 1000 ?
After a few hours of research I have not yet noticed anything interesting … obviously … to my limited knowledge
Even in PM, like: “study this topic …”

Thanks

[EDIT]

Thanks to: 0ryuk0, oxybro, y4th0ts, sulcud for your support.