Official Tabby Discussion

Foothold Hint: everyone is looking for a path… what about stop searching and use permutations with repetition ?

Spoiler Removed

Could use some help as I’m pretty lost. Got to the point where I have to deploy something on the high port service, but all I’m getting is a 401 Unauthorized response. I know the creds I got are the ones because it worked once and I’m pretty sure I managed to get the user’s password while I had access to the machine, but now I can’t get past that 401 even though I’m using the same syntax. To be honest I don’t know what I’m doing wrong

@egre55 thanks man, that was a really fun one!

@n1ghtcrawl3r thank you for the assistance with the foothold :slight_smile:

This one was really fun, managed user and root without checking the forums on this one!!!

WOW Rooted! Nice box.

uid=0(root) gid=0(root)```

Type your comment> @sn0b4ll said:

Good machine. If you are stuck with l** not finding the i**** or other strange errors, don’t try to run the commands from /tmp/ but from some user folder.

Dude, you saved my life. But why? I spent hours on priv esc in /tmp/. And shifting to user’s home dir solved all the errors.

trying to import image of alp***.tar.gz i got error no directory or file

even it exists with the right path!?

need a nudge on initial foothold

Finally rooted the box!!!
This is my first box I have rooted, as I am complete beginner it required more time than usual. Following are some hints for you guys,

Foothold: Just try to install it locally, you will find the location!!!

User: What are the files owned by the user???

Root: What’s my I’d??? Check Something unusual in it and just Google it!!!

Big shoutout to @kcaaj and @Karthik0x00 without them I couldn’t have rooted the box , they provided me with all nudges at every step. Feel free to DM me for nudges!!!

Type your comment> @kneedeep said:

Rooted.
Honestly, that foothold killed me. It took me a long time to find the right program to use, but once I found the correct one it worked immediately. If you’re having trouble with that, I would say move to a different program if the one you’re using doesn’t work within a few tries.
User wasn’t too bad, but I actually didn’t even notice I had gotten it for a moment. When you find something, try using it somewhere else.
Root was super interesting. I’ve never seen this method before. I had already ran an enumeration program, but for root what you’re looking for is in plain sight. There’s a nice article out there explaining exactly what to do.
If this is too much info, please report!

I ended up finding a guide online for how to get the foothold manually. Took me a long time to figure out that was the path to get the foothold.

With user, i was a bit annoyed with myself. I found it within 5 minutes of getting on the box and didn’t think to try the obvious thing until I saw your comment. So basic.

Root was awesome. Same as you, I had never seen that before.

Linpeas is a lifesaver.

Awesome box. Learned a LOT about tomcat.

Foothold: First things first… after a bit of basic enumeration, there is a way to view other files. Think about what is running on the system and which files might contain some juicy info.
Hint: I personally check page source of EVERYTHING and view things through burp if something doesn’t appear as it should.
If you are getting nowhere with where to look, then maybe think about installing the program and having a look at the folder structure.
Check your privileges and then a lot of googling for exploits will eventually give you some very straight forward tips.

User: Again basic enumeration. Once you find something, thats not the only place you can use it. It is right there in front of you!

Root: Awesome. Now that you are a new user, maybe think about starting your enumeration from the beginning. Each time you priv esc you should always begin enumeration as if it is the first time you are looking at the machine.

Just rooted. Really interesting method to rooting, going to have to add that to the privesc checklist.

For me the box was a little buggy when performing the privesc method, I had a lot of issues with shell hanging. If this happens I would say run the command wait for a bit, open another shell and check if the command actually ran.

Dm if you need a nudge.

Spoiler Removed

Spoiler Removed

Finally got root.

#1 - Foothold
Broke down and installed it locally - used “f**d” of all things. Followed up with a common offensive tool with some slight changes in the config. Pay careful attention to the roles of this account. This stage took the longest amount of time for me, but eventually did get a shell!

#2 - User
A number of folks have said ‘what you find you can use somewhere else’. I’d like to be clear that this is not something you find in the ‘foothold’ stage and use in the ‘user’ stage. It is something you find with a shell in the ‘user’ stage and use twice. (At least that’s how it was for me. Some people might’ve actually found it on their way to getting a ‘foothold,’ but I doubt it. If you did, nice work!)

#3 - Root
I went a little overkill with this. The thing I needed to abuse was already there and I didn’t need to b***d anything. Like many on this forum, this stage took the least amount of time.

This was an awesome learning experience! Thanks!

anyone else struggling to get a tty shell?

i am getting “No storage pool found. Please create a new storage pool” error, while trying to root Tabby, Could anyone let me know if you too had faced the same issue

Type your comment> @shaky4848 said:

i am getting “No storage pool found. Please create a new storage pool”

Just google the exact error and the three letters for the technology you are trying to use, and it will tell you the command you need to execute. This just needs to be done once, the first time the technology is used on the machine by the user.

Whew. Rooted.

Foothold

The initial foothold for this was what took the longest. I eventually had to follow the advice of some of the commenters and install a local copy of the service to find where important files were stored. Even with that, in my browser I still couldn’t see what I needed until I peeked behind the curtain. I was stuck at this point for a while too until I reviewed what the access I already would permit me to do. After that, it was just trial and error until I hit the right syntax to drop what I’d built.

User

This was pleasantly easy. I’d already enumerated some places to explore, so visiting those places was profitable. I was also surprised that the content of a thing was not as important as what let me view the content of the thing. “Oh, huh, that worked.”

Root

I identified right away something “new” and figured that was important. Googling eventually got me what I needed, after I wasted way too much time staring at someone else’s image instead of looking for my own. I was also surprised I had to build my own place to swim, but that was easy enough. This path to root was interesting, but it really seemed to require finding exactly the right web page with Google and then being good at reading and typing at the same time. I never would have come up with any of that on my own, but then again I’d never used that technology before.