Official Tabby Discussion

Thanks @TaxWake for helping me with the initial foothold!

To offer some of my own tips to people yet to complete:

Initial foothold: In hindsight the paths given by the confirmation page are accurate but this may not be apparent until you know the complete path. I definitely recommend installing the package locally and then finding the desired file on your own system. Again make sure you find the correct file as there may be multiple in different locations!

User: Go to war on this box, lazy admins are our friend, even though this admin could be lazier.

Root: Well documented exploit method did not work for me in the /tmp directory, had to try elsewhere. Storage backend type was also important.

Rooted. DM for any hints.

Rooted. Nice concept!!! Ping me for any hints.

I have finally managed to get a foothold, can anyone point me towards a resource that can help me figure out how to get a more usable reverse shell? I am using a java/jsp_shell_reverse_tcp payload and have tried upgrading it to a meterpreter session using multi handler but still can’t spawn a pty or usable shell.

@rhysmorgan1986 said:

I have finally managed to get a foothold, can anyone point me towards a resource that can help me figure out how to get a more usable reverse shell? I am using a java/jsp_shell_reverse_tcp payload and have tried upgrading it to a meterpreter session using multi handler but still can’t spawn a pty or usable shell.

Check the version of the software you are using to upgrade. Maybe the more recent one will work.

Funny machine. Learnt a thing or two, as always.
Thanks to the creator!

I used the L** to find the t*****-u****.x*l but I don’t understand why it is in the location it is. Can someone please explain?

@LMAY75 said:

I used the L** to find the t*****-u****.x*l but I don’t understand why it is in the location it is. Can someone please explain?

The simplest answer is because that is where the administrator put it when they were installing the application.

Got root!
My only advice here would be to get a better shell if it doesn’t work somehow… Lost a lot of time there.

A very enjoyable box… I actually learned how to create an HTTP server with a single line of bash, and I didn’t even know it was possible before… lot of fun, 10/10

@Xalfy said:

My only advice here would be to get a better shell if it doesn’t work somehow… Lost a lot of time there.

It is really useful to have a better shell via PTY module or socat. Enumeration and other check-ups will come easier then.

@gunroot said:

It is really useful to have a better shell via PTY module or socat. Enumeration and other check-ups will come easier then.

Actually I had no issue doing the enumeration and check-ups with the kind of broken shell I had. It was one of the steps of the privesc that was stuck in a loop. Someone on the previous page gave me the answer on how to upgrade my shell, and boom it worked.

rooted! foothold made me crazy for a bit but following the advice here on installing the service locally helped immensely.

user was pretty straightforward if you understand what stands out in some very obvious folders

I have seen the root exploit before but for some reason I could get my image to work until I placed it in the right folder.

Overall it was a fun box.

If you need any help or nudges feel free to send me a PM.

Just rooted the box. It’s the first box I tried on HTB (did about 5 from VulnHub before) and it was quite a frustrating experience. Took 3 days, 2.5 days were spent on finding a certain x** file. I actually had the right location very early but…well you know what the problem is…and then I over-enumerated, including building from source etc. and went to location after location for days.

I’m torn on what to think about this little wrinkle because one of the first steps I did was to purposefully use a non-existing location to see what an error page would look like and well can’t say more without spoiling anything.

Lesson learned, I’ll always try different tools for this type of task in the future.

User: I think I got lucky by having the right idea very quickly, the file isn’t too horrible but one could create a giant rabbit hole there :wink:

Root: Pretty interesting, never did this before. Straightforward but cool. While I tried to gain root, the machine was rebooted a couple of times which is frustrating. I can kind of understand why it happens, I was considering an avenue that requires rebooting.

So I guess this isn’t a spoiler but might prevent frustration for others…no rebooting required to root the box, don’t disturb the others working on the machine.

Thank you @egre55 for creating a nicely designed box.

Rooted !
First time I root a box without ever looking at any hints, I’m pretty happy about that :slight_smile:
Foothold was a pain but I learnt a bunch of things getting it so even though that was depressing at times, it was worth it !
I recently told myself I was too quick at reading enumeration reports so I really took my time here and I can’t stress enough how much it helped to carefully read about anything strange or unknown that popped on my screen.

Really nice box, it took me time but I enjoyed it a lot, thanks @egre55 !

P.S.: I had trouble submitting both user and root flags. For some reason HTB wouldn’t accept them. The only solution I found after trying to reconnect a few times was to reset the box, unfortunately :confused: Sorry for anyone who was working there with me…

Finally Rooted!

Foothold took more time than expected. The best hint you will find here is to install the cat on your local machine.

User was pretty straightforward, although it was not a common HTB privesc.

Root is easy too. If you pay attention, you will find a misconfiguration using really basic enum techniques.

Feel free to PM for nudges!

So, I found the correct config path from nudges here, but how was one supposed to guess the /e** part of it?

The app clearly says its paths, and the docs say where things are, but then it’s in neither of those things.

Was there some intermediate file I was supposed to find that I just didn’t?

The high port told me about where things should be, I’m just not sure how I was supposed to find the /e** in the middle.

@Salts said:

So, I found the correct config path from nudges here, but how was one supposed to guess the /e** part of it?

Fuzzing for it helps. That is “kind” of guessing but in a more formal, automated way.

sudo find / -iname "tomcat-users*"
/etc/tomcat9/tomcat-users.xml
/etc/tomcat9/tomcat-users.xsd

Config files differ between Linux distros :confused:

@HamilcarR said:

A very enjoyable box… I actually learned how to create an HTTP server with a single line of bash, and I didn’t even know it was possible before… lot of fun, 10/10

You’ll find it comes in handy quite often :joy: