Hack The Box-Tabby-w/o Metasploit

Tabby is an easy Linux based machine from Hackthebox. The initial foothold to this box is obtained by Tomcat Manager app exploit and an LFI. Gaining user access requires a decent amount of enumeration. Root access obtained by exploiting the LXC.

In this blog I have tried to separate each process

  1. Enumeration

2. Initial foothold

3. Lateral movement

4. Privilage escalation

Lets get started…

1. Enumeration

Currently, I am using nmapAutomator to make my work easy. You can install nmapAutomator from the below Github link


So initial results from nmapAutomator is

port 80 and 8080 seems to run http and 8080 has Tomcat running on it

at port 80

From here i decided to add megahosting.htb and tabby.htb to /etc/hosts file

and port 8080 we can see few details about tomcat application installed

on inspecting the pagesource of port 80, I saw some thing intresting

here we can try a local file inclusion. so instead of statements we can try to read sensitive files like shadow or passwd files.

In the background nmapAutomator helped me with gobuster results on port 8080

On visiting /manager is saw a new path conf/tomcat-users.xml

Maybe by visiting that xml file we could get something interesting

Now we need to access this file by LFI which we discovered before

From google I get to know that tomcat xml file is stored at /usr/share/tomcat9/etc/tomcat-users.xml

From the same page i got credential for tomcat user

username: tomcat

password: $3cureP4s5w0rd123!

2. Initial Foothold

Now it time to to exploit the tomcat application


Since there are no gui option to upload the war shell, we need to do it using curl command


Lets create the war file using msfvenom

now uploading the shell using curl

curl -u 'tomcat':'$3cureP4s5w0rd123!' --upload-file shell.war "http://megahosting.htb:8080/manager/text/deploy?path=/shell.war"

Now we need to set up netcat listener and execute the shell.war payload at http://megahosting.htb:8080/shell.war

3. Lateral Movement

on the box, i searched for files owned by ash

I setup a server using python3 on the tabby box and downloaded the zip file

I was able to crack the password protected file using fcrackzip

On unziping the file i was unable to find anything useful

I tried to su as ash using the same password

user: ash

password: admin@it

We own the user now!!

4. Privilege escalation

This part is really easy. Detailed explanation is givien in the below link from hacking articles blog

I downloaded the image from my kali

I tried to create the image from tmp directory but it was not working. From hackthebox forum i get to know why and you can read more here


I copied the file to ash home directory and ran the below command

lxc image import ./alpine-v3.12-x86_64-20201106_2001.tar.gz --alias myimage

lxc init myimage ehackify -c security.privileged=true

lxc config device add ehackify mydevice disk source=/ path=/mnt/root recursive=true

lxc start ehackify

lxc exec ehackify /bin/sh

If you find this useful you can respect me on Hackthebox


Image for post

You can connect me on

LinkedIn: Derick N

Twitter: Derick N