HTB - Cap

Linux - Easy

IP = 10.10.10.245

First, add the hostname cap.htb for this IP to the /etc/hosts file.

Enumeration

Nmap: sudo nmap -A cap.htb

The Nmap scan shows the open ports, along with service versions and the web-server banner:

  • 21 ftp vsftpd 3.0.3
  • 22 ssh
  • 80 http gunicorn

(gunicorn is a Python WSGI (Web Server Gateway Interface) HTTP server for UNIX systems.)

Perhaps the FTP server or gunicorn has a known vulnerability, but after googling around I didn't find any critical or high-severity issue that leads to an exploit (FTP anonymous login doesn't work either).

Gobuster: gobuster dir -u http://cap.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -z

Directory enumeration with gobuster's dir mode turned up an interesting path, so the next step is to open the site and test how the web application's workflow actually works.

After exploring the application, the data page turns out to show captured packets that are stored as pcap files and referenced by a numeric index. Nothing ties that index to the logged-in user, which looks like broken access control (an IDOR), so I tried increasing and decreasing the index and found a 0.pcap file that way.
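To show what the flaw on the data page boils down to, here is an added example (my own illustration, not code from the Cap box or from this write-up) that models the capture endpoint twice: once trusting the client-supplied index, and once enforcing ownership server-side. The capture table, user names and paths are constructed for the example.

```python
# Added example (not code from the Cap box or this write-up): a minimal model of
# the data endpoint's access-control flaw and its fix. The capture table,
# user names and paths below are constructed for illustration.

CAPTURES = {
    0: {"owner": "admin",  "path": "captures/0.pcap"},   # constructed
    1: {"owner": "nathan", "path": "captures/1.pcap"},   # constructed
    2: {"owner": "nathan", "path": "captures/2.pcap"},   # constructed
}


def get_capture_vulnerable(capture_id):
    """Broken access control: any authenticated user who changes the index
    in the URL receives another user's capture."""
    return CAPTURES[capture_id]["path"]


def get_capture_fixed(session_user, capture_id):
    """Fixed version: validate the identifier, then enforce ownership
    server-side instead of trusting the client-supplied index."""
    if not isinstance(capture_id, int) or capture_id < 0:
        raise ValueError("capture id must be a non-negative integer")
    record = CAPTURES.get(capture_id)
    # Return the same error for "missing" and "not yours" so the endpoint
    # does not confirm which ids exist.
    if record is None or record["owner"] != session_user:
        raise PermissionError("capture not available for this user")
    return record["path"]


if __name__ == "__main__":
    print(get_capture_vulnerable(0))            # anyone can read capture 0
    print(get_capture_fixed("nathan", 1))       # owner reads their own capture
    try:
        get_capture_fixed("nathan", 0)          # denied: belongs to admin
    except PermissionError as exc:
        print("denied:", exc)
```

The point of the fixed version is that the index stays a lookup key only; the decision about who may read the file is made from the server-side session, and a missing capture and a foreign capture produce the same response.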

Wireshark: analyzing the packets in Wireshark reveals the FTP credentials of the user nathan, sent in cleartext on the control channel.

Optional: tshark can extract the same information from the command line by filtering the packets.

Tshark: tshark -r 0.pcap -Y ftp
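The tshark filter above works because FTP sends USER and PASS in the clear. As an added example (written for this page, not part of the write-up or of the box), here is a small pcap reader that does the same check without tshark and reports cleartext FTP logins with the password redacted, the way a capture-review tool on the defending side would. The capture bytes are constructed inline with a placeholder user and password; the real 0.pcap from the box is not reproduced.

```python
# Added example (not part of the write-up): a small pcap reader that flags
# cleartext FTP logins, which is what the tshark filter above surfaces.
# The capture bytes are constructed inline with a placeholder user and
# password; the real 0.pcap from the box is not reproduced here.
import struct

FTP_PORT = 21
PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16


def build_sample_pcap():
    """Construct a two-packet pcap (client -> server USER, then PASS)."""
    def packet(payload):
        eth = b"\x00" * 12 + b"\x08\x00"                  # Ethernet II, IPv4
        tcp = struct.pack("!HHIIBBHHH", 40000, FTP_PORT, 1, 1,
                          5 << 4, 0x18, 8192, 0, 0)        # 20-byte hdr, PSH|ACK
        ip_len = 20 + len(tcp) + len(payload)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, 6, 0,
                         bytes([10, 10, 14, 1]), bytes([10, 10, 10, 245]))
        frame = eth + ip + tcp + payload
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + packet(b"USER exampleuser\r\n") + packet(b"PASS examplepass\r\n")


def iter_tcp_payloads(pcap):
    """Yield (src_port, dst_port, payload) for every IPv4/TCP frame."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = PCAP_GLOBAL_HEADER_LEN
    while offset + PCAP_RECORD_HEADER_LEN <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII",
                                          pcap[offset:offset + PCAP_RECORD_HEADER_LEN])
        frame = pcap[offset + PCAP_RECORD_HEADER_LEN:
                     offset + PCAP_RECORD_HEADER_LEN + incl_len]
        offset += PCAP_RECORD_HEADER_LEN + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                                   # not TCP
        tcp = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        data_off = (frame[tcp + 12] >> 4) * 4
        yield sport, dport, frame[tcp + data_off:]


def find_cleartext_ftp_logins(pcap):
    """Return a list of findings; the password itself is redacted, never stored."""
    findings = []
    for sport, dport, payload in iter_tcp_payloads(pcap):
        if dport != FTP_PORT:
            continue                                   # only client -> server commands
        for line in payload.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                findings.append({"client_port": sport, "user": arg})
            elif cmd.upper() == "PASS":
                findings.append({"client_port": sport, "password": "<redacted>",
                                 "length": len(arg)})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_ftp_logins(build_sample_pcap()):
        print(finding)
```

Only the client-to-server direction (destination port 21) is inspected, so server banners and replies are ignored, and the parser handles both byte orders of the classic pcap magic; pcapng files are rejected rather than misread.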

Exploitation & Privilege Escalation

Now that I have nathan's FTP credentials, it is worth trying them elsewhere too, such as SSH. The same password works there, and that gets me the user :)

It looks like nathan doesn't have any sudo permissions, so I use linpeas to enumerate more information in order to escalate to root.

Scp: scp filename user@remotehost:location

Since I know the SSH credentials, I just use scp to transfer the file between my local machine and the remote one.

Linpeas:

Running linpeas.sh gives some useful output: it is obvious that this machine grants the cap_setuid capability to the Python binary, so anyone who can run python can switch to uid 0 and escalate to root with a one-line script.

Run python3 -c 'import os; os.setuid(0); os.system("/bin/bash -i")' and get root 🐱‍👤 quite easy, right?
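The underlying problem is a file capability that should never sit on an interpreter, and it is exactly the kind of thing linpeas lists. As an added example (my own audit script, not from the write-up or from linpeas), here is a check that parses getcap output in both the older "path = caps+eip" and the newer "path caps=eip" formats, flags capabilities that amount to root, and prints the remediation. The sample lines are constructed; /usr/bin/python3 stands in for whatever interpreter carries the capability on a real host.

```python
# Added example (not from the write-up or linpeas): an audit of file
# capabilities, the check that found cap_setuid on python here. It parses
# getcap output in both the older "path = caps+eip" and newer "path caps=eip"
# formats. The sample lines are constructed; /usr/bin/python3 stands in for
# whatever interpreter carries the capability on a real host.
import re
import shutil
import subprocess

# Capabilities that let a process change identity or bypass DAC; any of these
# on an interpreter or a shell is effectively root for whoever can run it.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace",
                  "cap_sys_module", "cap_chown", "cap_fowner"}
INTERPRETERS = re.compile(
    r"/(?:python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|node|php[0-9.]*|(?:ba|da|z|k)?sh)$")

SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3 = cap_setuid,cap_net_bind_service+eip
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
"""  # constructed sample, not real output from the box


def parse_getcap_line(line):
    """Return (path, set_of_caps) for one getcap line, or None if empty."""
    line = line.strip()
    if not line:
        return None
    path, _, rest = line.partition(" ")
    rest = rest.lstrip("= ").strip()               # drop the old-format " = "
    caps = re.split(r"[+=]", rest, maxsplit=1)[0]  # strip the +eip / =ep flags
    return path, {c.strip().lower() for c in caps.split(",") if c.strip()}


def audit_capabilities(getcap_output):
    """Flag dangerous caps; interpreters and shells get the highest severity."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        hits = sorted(caps & DANGEROUS_CAPS)
        if not hits:
            continue
        severity = "critical" if INTERPRETERS.search(path) else "high"
        findings.append({"path": path, "caps": hits, "severity": severity,
                         "fix": f"setcap -r {path}"})
    return findings


def audit_live_system():
    """Run getcap on the current host when it is installed (optional)."""
    if shutil.which("getcap") is None:
        return []
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    return audit_capabilities(out)


if __name__ == "__main__":
    for f in audit_capabilities(SAMPLE_GETCAP_OUTPUT):
        print(f"[{f['severity']}] {f['path']}: {','.join(f['caps'])}"
              f"  remediation: {f['fix']}")
```

On the sample, ping's cap_net_raw and the PTP helper's network caps are left alone, while python3 is reported as critical with `setcap -r` as the fix; on a real host, audit_live_system() runs the same check over the whole filesystem.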