Official Tabby Discussion

Beautiful box! Thanks @egre55 for having fun while doing it!

finally got root, really interesting box.

I found the initial foothold frustrating as the container i span up to check the directory structure was different to that of the target. It made it difficult to see what was included.

user was cheeky and something I overlooked a few times. i will keep my lips zipped on this one though.

root was something I had never come across before. I had issues finding the correct path initially and it was a bit of up hill climb to the finish but a fun journey.

thanks for the box!

Any help with elevating to a*h? I have searched the to**at9 directory where I spawned. Nothing seems to stick out.

Update looking for files owned by the person who I am trying to get helped! Thanks for the nudges!

Is it about EL injection or it’s best I forget about it? Because it doesn’t seem to work anyways. I even thought I didn’t need to focus on what was displayed as a result from my input, tried to ping myself and other things like that, but… no, it doesn’t work. I might want to recheck my syntax but I feel like it’s just useless.

Type your comment> @ion0x0 said:

Is it about EL injection or it’s best I forget about it? Because it doesn’t seem to work anyways. I even thought I didn’t need to focus on what was displayed as a result from my input, tried to ping myself and other things like that, but… no, it doesn’t work. I might want to recheck my syntax but I feel like it’s just useless.

not 100% sure what you’re referring to, but no injection of any type of syntax is necessary.
there wasn’t from my run anyway…

Type your comment> @kcaaj said:

Type your comment> @ion0x0 said:

Is it about EL injection or it’s best I forget about it? Because it doesn’t seem to work anyways. I even thought I didn’t need to focus on what was displayed as a result from my input, tried to ping myself and other things like that, but… no, it doesn’t work. I might want to recheck my syntax but I feel like it’s just useless.

not 100% sure what you’re referring to, but no injection of any type of syntax is necessary.
there wasn’t from my run anyway…

Well I mean these scripts in /examples, but I already noticed that these are the default ones come preinstalled with tomcat, so I wasted 40 minutes just for nothing. Though now I kinda know what I need. So how do I access that user configuration file? Should I look for LFI?

Edit: lol. the LFI turned out to be much simpler than I thought.

There’s some filter most likely. I can read no file, only passwd. Trying to read a file where I need to specify its extension results in nothing. Any hints regarding bypassing the filter?

i got the ho**-ma***er but no exploits for that
some nudge would be great

Type your comment> @de4dgh0st said:

i got the ho**-ma***er but no exploits for that
some nudge would be great

go back a little bit & read what you see really carefully. don’t disregard errors as disadvantageous.
you will need to refer to documentation too. refer to something being disabled due to CSRF protections.

Rooted! Fun box and learned some really cool new tricks. Nothing much to add to what hasn’t already been shared.

Best hint I could share…when you find the file, understand not only what it’s saying you can do, but where you need to go to do it

Happy to help via DM for nudges, just let me know what you’ve tried :slight_smile:

Rooted !

Interesting box, not CTF-like at all.

PM if needed :slight_smile:

I managed to get access to /man* * ** /t* * * /d* * * * with the creds of t* * * * t. although, when I dep* * * the .w** file i build with msfvenom, the application crashes and it doesn’t run it.
thus, i cant get a reverse shell :<(. would you help me?

Type your comment> @Cheeriest said:

I managed to get access to /man* * ** /t* * * /d* * * * with the creds of t* * * * t. although, when I dep* * * the .w** file i build with msfvenom, the application crashes and it doesn’t run it.
thus, i cant get a reverse shell :<(. would you help me?

there’s a module you can use for the same framework you’re trying to utilise.
a very special module. utilise correctly & the shell will come straight back to you just like that.

Hi,
I’m stuck from user to root, I think i found the path using l*c, I found the steps doing some google but after importing the image, when I run l*c in*t … the shell it’s frozen. Am I on the correct path? Any hint?
Thanks

read the entire thread but found myself more confused, plenty of enumeration done. Need a basic pointer for the foothold. Looking at the CVE # that’s like that George Orwell book but not quite. DM/PM please with any pointer for foothold.

Got root! The machine was easy but was really stuck on initial foothold due to never really experiencing being in this kind of situation and so I never learned how to properly do it, but now I know :slight_smile:

Thanks to @Hilbert and @JaXigt for the intial foothold nudge!
If you need any help, don’t hesitate to DM me! It’s the least I can do!

Finally rooted.

Foothold was the toughest part. The rest was quite easy.

Foothold : Look out for news and installing cat locally to better understand where exactly is what you need

PM if anyone need any nudges

To be honest, it was a bit harder than I expected.
Foothold: It’s all about enumeration, you gotta enumerate and see what you can find and how you can use it.
User: There’s an interesting file that has pretty much useless contents, but it’s the key that will pass you to user :slight_smile:
Root: IMHO the exploit is not as easy to understand as some of the other easy machines, but you can find it clearly detailed on how to use it online :slight_smile: just do your basic checks and try to google anything that is out of the ordinary and see what you can find…

@zeroes said:

read the entire thread but found myself more confused, plenty of enumeration done. Need a basic pointer for the foothold. Looking at the CVE # that’s like that George Orwell book but not quite. DM/PM please with any pointer for foothold.

Open the site in a browser, have a look at the information and you should see something that shows you a thing you can exploit manually. This will allow you get information you need to access the thing the box name alludes to. From here you can work out how to fuzz the information you need to get actual access.

Then its a fairly simple attack to put something you can use in a place you can use it and get a low priv shell on the box.

I don’t know if any CVE is needed here.

A tad stuck here. I have user and pass, but unable to find a way to log in at the moment. The obvious way to connect is giving me permission denied (publickey). Am I on the right track or should I be looking for a alternative way?