Cap is an easy difficulty Linux machine running an HTTP server that performs administrative functions including performing network captures. Improper controls result in Insecure Direct Object Reference (IDOR) giving access to another user's capture. The capture contains plaintext credentials and can be used to gain foothold. A Linux capability is then leveraged to escalate to root.
Create a directory on the Desktop with the machine's name, and inside this directory, create another directory to store the materials and outputs needed to run the machine, including the scans made with nmap.
Task 1 - Reconnaissance
su
echo "10.10.10.245 cap.htb" >> /etc/hosts
mkdir -p htb/cap.htb
cd htb/cap.htb
mkdir {nmap,content,exploits,scripts}
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
ping -c 3 cap.htb
PING cap.htb (10.10.10.245) 56(84) bytes of data.
64 bytes from cap.htb (10.10.10.245): icmp_seq=6 ttl=63 time=77.8 ms
64 bytes from cap.htb (10.10.10.245): icmp_seq=9 ttl=63 time=80.1 ms
64 bytes from cap.htb (10.10.10.245): icmp_seq=11 ttl=63 time=51.5 ms
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target should be a *nix system, while Windows systems usually have a TTL of 128 secs.
1.1 - How many TCP ports are open?
Let's start right away with an active port scan with nmap
Then, to understand the target scope, we can start to checking web server via browser:
it is a dashboard view regarding security events, failed login attempts and more, going to 'Security Snapshot' we have a counter packet sniffer with the possiblity to download traffic captured.
while, selecting 'IP Config' we can see the network interface of attacker machine 10.10.10.245
than, clicking 'Network Status' there's all current connections:
finally, the 'user tab' on top-right is only a mockup without functionality, but we'll track this name: 'Nathan', it can be useful for SSH and FTP services.
Doing a directory enumeration with GoBuster tool and checking source page we don't discover others useful thing.
gobuster dir -u http://cap.htb -w /usr/share/wordlists/dirb/common.txt
1.2 - After running a "Security Snapshot", the browser is redirected to a path of the format /[something]/[id], where [id] represents the id number of the scan. What is the [something]?
This request is a good hint to understand which path to take, so let's try to generate some traffic with ICMP requests, and check if the traffic is captured.
Indeed it is, and we can answer the question by displaying the url path.
data
Task 2 - Exploitation & User Flag
2.1 - Are you able to get to other users' scans?
Trying to use the ffuf tool with a wordlist of the most frequent users, I did not get any results.
An interesting thing to note in the Security Snapshot is the URL scheme when creating a new capture, which is in the format /data/ . The id is incremented for each capture.
I tried to insert different parameters and I found the presence of the vulnerability Insecure Direct Object Reference (IDOR) is a vulnerability that arises when attackers can access or modify objects by manipulating identifiers used in a web page.
It means that server should stores latest scans and it has been packet captures from users before us. I remember that i started to see /data/1, than browsing to /data/0 does indeed reveal a packet capture with multiple packets.
Then, we can state the possibility to get scans of other users answering to the last question.
yes
2.2 - What is the ID of the PCAP file that contains sensative data?
Now, we can open pcap file (that has a reference with machine name) and analyze traffic using Wireshark, and searching ftp, http or others sensitive traffics in cleartext.
And here we immediately see a successful connection attempt on the FTP protocol of the previously mentioned user 'Nathan' with the relative password in cleartext.
0
2.3 - Which application layer protocol in the pcap file can the sensitive data be found in?
The sensitive data is present in FTP protocol, these below is the complete TCP Stream:
Great, now we know the password credentials for FTP service, we will also try it on SSH service.
ftp
2.4 - We've managed to collect nathan's FTP password. On what other service does this password work?
Also anticipated, we can test credentials for FTP and SSH services.
FTP/21
ftp nathan@cap.htb
SSH/22
Great, the credentials work on both services ;)
SSH
2.5 - Submit the flag located in the nathan user's home directory.
We had already seen interesting files in the previous task, let's proceed with viewing the user flag in Nathan's folder.
🚩 Flag 1 (user.txt)
f17ce10e2a6f6da2a5f4d76ebb61c401
Task 3 - Privilege Escalation & Root Flag
3.1 - What is the full path to the binary on this machine has special capabilities that can be abused to obtain root privileges?
Executing sudo -l command we can't see commands that user Nathan can execute with sudo privileges:
Then first to use automated tools like as Linpeas, and remembering the hint of the question, i want to try to execute some useful commands:
3.2 - Submit the flag located in root's home directory.
The goal is to set our setuid to 0 (root user), let's proceed.
We can change it directly on victim machine and executing OS commands via python3.8 interpreter: usr/bin/python3.8
import os
os.setuid(0)
os.system("/bin/bash")
and after setting uid to 0 we obtain root permission!
we complete by heading to the root folder to capture the root.txt flag: cat /root/root.txt
🚩 Flag 2 (root.txt)
751fab1137897a30e64a45e099f8f9b7
checking cronjobs, potential kernel version and , we got an interesting output from linux capabilities only, so let's go ahead with that!
Analyzing the first string of this output: /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip we observe the presence of '', therefore the capabily to elevate privileges to the python interpreter.
