Box: Cap by InfoSecJack

Cap HTB Info card

IP = 10.10.10.245
Difficulty: Easy 
Machine OS: Linux
Learning Platform: hackthebox.eu
Finished on: Kali Linux VM

Reconnaissance

  • Added IP to /etc/hosts file and also stored as environment variable.

Syntax: sudo vi /etc/hosts , then press i to enter insert mode and paste the machine IP and add name for that host. (I named it cap.htb)

Syntax: export IP=10.10.10.245

Preliminary Enumeration via nmap

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack gunicorn

Machine OS: Ubuntu Focal Fossa, based on OpenSSH version.

Enumeration

  1. Web Enumeration

  • Looking at the web page, we have a security dashboard as seen below.

Webpage at port 80(http)

  • There is an interesting tab named Security Snapshot. We can navigate through that and we can see that it captures network traffic and lets us download it.

Security Snapshot page w/ our generated traffic

  • Looking closely at the URL, we can see that the pages are referenced via page numbers in URL. We can try to manipulate the page number in the URL and we might see interesting .pcap file.

page number in URL

IDOR (Insecure Direct Object References) on Security Snapshot page

  • Nice! We can see the page zero of the security snapshot!

  • We can download the .pcap file and use it against wireshark

  • Open 0.pcap on wireshark.

  1. Syntax: wireshark, then select the file tab and open the directory where the .pcap file reside.

0.pcap when opened with wireshark

  • We could already see that there is a FTP traffic captured in the network.

  • FTP authentication is not encrypted, so we can see what's happening in plain text and hopefully we can get some interesting finds here.

  • Voila! We found plaintext credentials on FTP authentication traffic!

Capture FTP (File Transfer Protocol) traffic

  • We can see the plaintext password of nathan user! We can now try to login to FTP of nathan user.

  1. FTP Enumeration

  • Logging to the FTP server, we can see what it seems the home directory of nathan.

Files named exploit.c, exploit, linenum.sh are all real user input because of shared instances in the box.

Possible Exploits

  • Password reuse and using unencrypted communications leading to password leak.

  • Insecure Direct Object References in website leading to credential leak.

Exploitation

  • Using IDOR(Insecure Direct Object References), we found unencrypted data hidden on .pcap file.

  • We logged in via ssh using the credentials found in FTP communications.

Credentials Found via Wireshark

nathan:Buck3tH4TF0RM3!

Privilege Escalation

Internal Enumeration

  • Via logging in through ssh, we can see the /home directory of nathan which is also the same directory as we saw earlier in FTP.

logged in as nathan in SSH (Secure Shell)

  • user.txt file is also here so we can submit it now. :D

  • We start automatic enumeration using LinPEAS.

Vertical Privilege Escalation

  • Using LinPEAS , we see some interesting privilege escalation vector. Linux Capability :D

python3.8 capability shown by LinPEAS

  • You can learn about linux capabilities here.

P.S. I highly recommend the linked webpage above because of knowledge you get in here when it comes to penetration testing!

  • cap_setuid capability allows changing of UID(User Identification).

  • UID 0 is hardcoded UID for root user in nix systems. In somenix systems there is 2 root users. (refer to this Discussion here.)

To exploit the capability of a binary with cap_setuid (in this case python3.8):

Syntax: /usr/bin/python3.8 -c 'import os;os.setuid(0);os.system("/bin/bash");'

Explanation: runs python3.8 with a command that imports os library and sets the UID to 0 (root) and executes /bin/bash as root.

Exploiting cap_setuid capability of python3.8 binary.

  • Navigate to /root/ directory and get your root.txt flag!

Congratulations!

STATUS: ROOTED

The next two steps are not necessary for completion of the machine but it completes the 5 Phases of Penetration Testing.

Post Exploitation / Maintaining Access

  • Copied the /etc/shadow file for user identification and their passwords.

  • Added another root user for backdoor.

Clearing Tracks

  • Removed all logs and footprints to to prevent risk of exposure of breach to security administrator.

Status: Finished

Feel free to reach out and if there is something wrong about the above post. Feedbacks are also appreciated :D

Donation Box

Not required but appreciated :D

Socials