HTB Tabby

Reconnaissance

Port scanning using NMAP

└──╼ [★]$ nmap -sCV -p- -T4 10.129.16.168
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-02 13:44 CDT
Nmap scan report for 10.129.16.168
Host is up (0.0022s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
|   256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_  256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Mega Hosting
|_http-server-header: Apache/2.4.41 (Ubuntu)
8080/tcp open  http    Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There appear to be 3 open ports: 22, 80, and 8080. I tried to open Tomcat on port 8080 first.

The News menu displays information about a data breach.

There is an LFI in news.php, within the file statement.

The Tomcat user configuration is located at /usr/share/tomcat9/etc/tomcat-users.xml.
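
The defender's view of the LFI noted above, as an added example that is not part of the original writeup: a log check that flags requests to news.php whose file value would resolve outside the directory the page is meant to read from. The query parameter name `file`, the base directory `/var/www/html/files`, the Apache combined log format and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

BASE_DIR = "/var/www/html/files"  # assumed include directory (hypothetical)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IP range), not taken from the target.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Apr/2026:13:50:01 -0500] "GET /news.php?file=statement HTTP/1.1" 200 1574',
    '192.0.2.44 - - [02/Apr/2026:13:51:12 -0500] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 1850',
    '192.0.2.44 - - [02/Apr/2026:13:51:40 -0500] "GET /news.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 0',
    '192.0.2.44 - - [02/Apr/2026:13:52:03 -0500] "GET /news.php?file=/usr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 0',
    '192.0.2.10 - - [02/Apr/2026:13:53:00 -0500] "GET /index.php?file=../x HTTP/1.1" 404 196',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e) so the check sees the real path."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(value):
    """True if the requested name would resolve outside BASE_DIR."""
    path = fully_decode(value).replace("\\", "/")
    if "\x00" in path:
        return True  # a NUL byte never belongs in a file name
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, path))
    return not resolved.startswith(BASE_DIR + "/")

def suspicious_requests(log_lines, script="/news.php", param="file"):
    """Return (client_ip, decoded_value) for requests whose param leaves BASE_DIR."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != script:
            continue
        for value in parse_qs(url.query).get(param, []):  # parse_qs decodes once
            if escapes_base(value):
                hits.append((line.split()[0], fully_decode(value)))
    return hits
```

The same resolve-then-compare test in `escapes_base` is what the server-side fix looks like: resolve the requested name against the base directory and refuse anything that lands outside it.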