Hack The Box — Tabby Writeup w/o Metasploit

Rana Khalil
13 min readNov 7, 2020

I presented this box at the Hack The Box Ottawa August Meetup. The presentation has been recorded and posted on YouTube.

Let’s get started!

Reconnaissance

Run AutoRecon to enumerate open ports and services running on those ports.

sudo autorecon.py 10.10.10.194

View the full TCP port scan results.

root@kali:~/# cat _full_tcp_nmap.txt
....
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http syn-ack ttl 63 Apache Tomcat
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
....

We have 3 ports open.

  • Port 22: running OpenSSH 8.2p1
  • Port 80: running Apache
  • Ports 8080: running Apache Tomcat

Before we move on to enumeration, let’s make some mental notes about the scan results.

  • The OpenSSH version that is running on port 22 is not associated with any critical vulnerabilities, so it’s unlikely that we gain initial access through this port, unless we find credentials.
  • Port 8080 is running Apache Tomcat. We’ll have to check if we have access to the manager interface and test for default credentials. If we do get access to the application, we can simply deploy a war file that sends a reverse shell back to our attack machine.
  • Port 80 is running a web server…

--

--