Box: Cap by InfoSecJack
Cap HTB Info card
IP = 10.10.10.245
Difficulty: Easy
Machine OS: Linux
Learning Platform: hackthebox.eu
Finished on: Kali Linux VM
Reconnaissance
Added IP to
/etc/hosts
file and also stored as environment variable.
Syntax: sudo vi /etc/hosts
, then press i to enter insert mode and paste the machine IP and add name for that host. (I named it cap.htb
)
Syntax: export IP=10.10.10.245
Preliminary Enumeration via nmap
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack gunicorn
Machine OS: Ubuntu Focal Fossa, based on OpenSSH version.
Enumeration
Web Enumeration
Looking at the web page, we have a security dashboard as seen below.
Webpage at port 80(http)
There is an interesting tab named
Security Snapshot
. We can navigate through that and we can see that it captures network traffic and lets us download it.
Security Snapshot page w/ our generated traffic
Looking closely at the URL, we can see that the pages are referenced via page numbers in URL. We can try to manipulate the page number in the URL and we might see interesting
.pcap
file.
page number in URL
IDOR (Insecure Direct Object References) on Security Snapshot page
Nice! We can see the page zero of the security snapshot!
We can download the
.pcap
file and use it against wiresharkOpen
0.pcap
on wireshark.
Syntax:
wireshark
, then select thefile
tab and open the directory where the.pcap
file reside.
0.pcap when opened with wireshark
We could already see that there is a
FTP
traffic captured in the network.FTP
authentication is not encrypted, so we can see what's happening in plain text and hopefully we can get some interesting finds here.Voila! We found plaintext credentials on
FTP
authentication traffic!
Capture FTP (File Transfer Protocol) traffic
We can see the plaintext password of
nathan
user! We can now try to login toFTP
ofnathan
user.
FTP Enumeration
Logging to the
FTP
server, we can see what it seems the home directory ofnathan
.
Files named exploit.c, exploit, linenum.sh are all real user input because of shared instances in the box.
Possible Exploits
Password reuse and using unencrypted communications leading to password leak.
Insecure Direct Object References in website leading to credential leak.
Exploitation
Using IDOR(Insecure Direct Object References), we found unencrypted data hidden on
.pcap
file.We logged in via ssh using the credentials found in FTP communications.
Credentials Found via Wireshark
nathan:Buck3tH4TF0RM3!
Privilege Escalation
Internal Enumeration
Via logging in through ssh, we can see the
/home
directory ofnathan
which is also the same directory as we saw earlier in FTP.
logged in as nathan in SSH (Secure Shell)
user.txt
file is also here so we can submit it now. :DWe start automatic enumeration using LinPEAS.
Vertical Privilege Escalation
Using
LinPEAS
, we see some interesting privilege escalation vector. Linux Capability :D
python3.8 capability shown by LinPEAS
You can learn about linux capabilities here.
P.S. I highly recommend the linked webpage above because of knowledge you get in here when it comes to penetration testing!
cap_setuid
capability allows changing of UID(User Identification).UID 0 is hardcoded UID for
root
user in nix systems. In somenix systems there is 2 root users. (refer to this Discussion here.)
To exploit the capability of a binary with cap_setuid
(in this case python3.8
):
Syntax: /usr/bin/python3.8 -c 'import os;os.setuid(0);os.system("/bin/bash");'
Explanation: runs python3.8 with a command that imports os
library and sets the UID to 0 (root) and executes /bin/bash
as root.
Exploiting cap_setuid capability of python3.8 binary.
Navigate to
/root/
directory and get yourroot.txt
flag!
Congratulations!
STATUS: ROOTED
The next two steps are not necessary for completion of the machine but it completes the 5 Phases of Penetration Testing.
Post Exploitation / Maintaining Access
Copied the
/etc/shadow
file for user identification and their passwords.Added another root user for backdoor.
Clearing Tracks
Removed all logs and footprints to to prevent risk of exposure of breach to security administrator.
Status: Finished
Feel free to reach out and if there is something wrong about the above post. Feedbacks are also appreciated :D
Donation Box
Not required but appreciated :D
Socials