Box: Cap by InfoSecJack

Cap HTB Info card
IP = 10.10.10.245
Difficulty: Easy
Machine OS: Linux
Learning Platform: hackthebox.eu
Finished on: Kali Linux VM

Reconnaissance

  • Added the IP to the file and also stored it as an environment variable.

Syntax: , then press i to enter insert mode, paste the machine IP and add a name for that host. (I named it )

Syntax:

Preliminary Enumeration via nmap

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack gunicorn

Machine OS: Ubuntu Focal Fossa, inferred from the OpenSSH version string.

Enumeration

  1. Web Enumeration
  • Looking at the web page, we have a security dashboard as seen below.
Webpage at port 80 (http)
  • There is an interesting tab named . Navigating to it, we can see that it captures network traffic and lets us download the capture.
Security Snapshot page w/ our generated traffic
  • Looking closely at the URL, we can see that captures are referenced by a page number. We can try changing that number in the URL and might find an interesting file.
Page number in URL
IDOR (Insecure Direct Object References) on the Security Snapshot page
  • Nice! We can see page zero of the security snapshot!
  • We can download the file and analyse it with Wireshark.
  • Open it in Wireshark.
  1. Syntax: , then select the tab and open the directory where the file resides.
0.pcap when opened with Wireshark
  • We can already see that there is traffic captured on the network.
  • authentication is not encrypted, so we can see what's happening in plaintext and hopefully find something interesting here.
  • Voila! We found plaintext credentials in the authentication traffic!
Captured FTP (File Transfer Protocol) traffic
  • We can see the plaintext password of the user! We can now try to log in to as that user.
  1. FTP Enumeration
  • Logging in to the server, we land in what appears to be the home directory of .

The files named exploit.c, exploit and linenum.sh were left behind by other users, because the box instance is shared.

Possible Exploits

  • Password reuse combined with unencrypted communications, leading to a password leak.
  • Insecure Direct Object References in the website, leading to a credential leak.

Exploitation

  • Using IDOR (Insecure Direct Object References), we found unencrypted data in the file.
  • We logged in via SSH using the credentials found in the FTP traffic.

Credentials Found via Wireshark

Privilege Escalation

Internal Enumeration

  • After logging in through SSH, we can see the home directory of , the same directory we saw earlier over FTP.
Logged in as nathan via SSH (Secure Shell)
  • The file is also here, so we can submit it now. :D
  • We start automated enumeration using LinPEAS.

Vertical Privilege Escalation

  • Using , we see an interesting privilege escalation vector: a Linux capability :D
python3.8 capability shown by LinPEAS
  • You can learn about Linux capabilities here.

P.S. I highly recommend the webpage linked above because of the knowledge you get there when it comes to penetration testing!

  • The capability allows a process to change its UID (user ID).
  • UID 0 is the hardcoded UID of the user on *nix systems. On some *nix systems there are two root users (refer to the discussion here).
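The file capability LinPEAS surfaced here is exactly what a defender should audit for. As an added example that is not part of the original writeup, the Python below decodes the raw security.capability extended attribute (the on-disk form behind getcap) and flags file capabilities that grant root-equivalent power; the list of "dangerous" capabilities and the sample bytes are my own construction.

```python
import os
import struct

# Kernel constants for the security.capability xattr (include/uapi/linux/capability.h).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_1, VFS_CAP_REVISION_2, VFS_CAP_REVISION_3 = 0x01000000, 0x02000000, 0x03000000

# Capability numbers that let a process become root outright; which ones to flag is this audit's choice.
CAP_DAC_OVERRIDE, CAP_SETGID, CAP_SETUID, CAP_SYS_ADMIN = 1, 6, 7, 21
DANGEROUS = {CAP_DAC_OVERRIDE: "cap_dac_override", CAP_SETGID: "cap_setgid",
             CAP_SETUID: "cap_setuid", CAP_SYS_ADMIN: "cap_sys_admin"}

def decode_file_caps(raw: bytes) -> dict:
    """Decode a raw security.capability value into permitted/inheritable bit sets plus the
    effective flag. Revision 1 carries one 32-bit word per set; revisions 2 and 3 carry
    two (revision 3 appends a root-id field, which this audit does not need)."""
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    rev = magic_etc & VFS_CAP_REVISION_MASK
    if rev not in (VFS_CAP_REVISION_1, VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError(f"unknown security.capability revision {rev:#x}")
    words = 1 if rev == VFS_CAP_REVISION_1 else 2
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"permitted": permitted, "inheritable": inheritable,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)}

def dangerous_caps(raw: bytes) -> list:
    """Names of DANGEROUS capabilities permitted on the file. A permitted bit is enough to
    flag: with the effective flag also set (getcap prints '+ep') the capability is live on
    exec, which is the python3.8 situation on this box."""
    permitted = decode_file_caps(raw)["permitted"]
    return [name for num, name in sorted(DANGEROUS.items()) if permitted & (1 << num)]

def audit_path(path: str) -> list:
    """Read the xattr of a real file (Linux only); empty list if the file carries no caps."""
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError:
        return []
    return dangerous_caps(raw)

# Constructed sample: revision 2, effective flag set, permitted = cap_setuid only,
# i.e. what getcap would print as "cap_setuid+ep".
SAMPLE_SETUID_EP = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                               1 << CAP_SETUID, 0, 0, 0)

if __name__ == "__main__":
    print(dangerous_caps(SAMPLE_SETUID_EP))  # ['cap_setuid']
```

Pointing audit_path at every binary found by a recursive walk gives the same coverage as getcap -r / without relying on its text output.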

To exploit the capability of a binary with (in this case ):

Syntax:

Explanation: this runs python3.8 with a one-line command that imports the library, sets the UID to 0 (root) and then executes as root.

Exploiting the cap_setuid capability of the python3.8 binary.
  • Navigate to the directory and get your flag!

Congratulations!

STATUS: ROOTED

The next two steps are not necessary to complete the machine, but they complete the 5 phases of penetration testing.

Post Exploitation / Maintaining Access

  • Copied the file that holds user identification and their passwords.
  • Added another root user as a backdoor.

Clearing Tracks

  • Removed all logs and footprints to prevent the breach from being exposed to the security administrator.

Status: Finished

Feel free to reach out if there is something wrong with the above post. Feedback is also appreciated :D



Self-taught cybersecurity learner :D