Cap is a fun box where we find a flask web app which lets us download network logs, in which we find SSH credentials for a user. The box has a python binary with the capability to set UIDs, which lets us get root's shell when the UID is set to 0.
Masscan found 3 open ports.

```sh
sudo masscan "10.10.10.245" -p1-65535,U:1-65535 --rate=500 -e tun0
```

```
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2021-06-19 14:47:10 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 21/tcp on 10.10.10.245
Discovered open port 80/tcp on 10.10.10.245
Discovered open port 22/tcp on 10.10.10.245
```
NMAP Scan results

We then feed the ports we got from masscan into nmap. These are port 22(ssh), 80 & 9090(http), 161(snmp).

```sh
sudo nmap -sC -sV -oN 10.10.10.245 10.10.10.245 -p 21,80,22
```

```
# Nmap 7.80 scan initiated Sat Jun 19 14:46:38 2021 as: nmap -sC -sV -oA nmap 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
<-- Removed few lines here, as those were of no use -->
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 19 14:49:15 2021 -- 1 IP address (1 host up) scanned in 156.80 seconds
```
So we have:

- FTP server running on port 21.
- SSH server running on port 22, on Ubuntu Linux.
- gunicorn web server running on port 80, which means we have a python application, possibly django (Hint: as mentioned in the tweet for CAP's launch).
As FTP is enabled, we try to login as 'Anonymous FTP' with credentials anonymous | password:

But that does not work.
Next, we head over to the web server running on port 80. Here we have a dashboard for user "Nathan", nothing functional though.

The dashboard has 3 urls:

- /a => gives an overview of 'Security Events', 'Failed Login Attempts' and 'Port Scans (Unique IPs)' in the last 24 hrs
- /capture => gives a XX.pcap file which contains packet capture data, might be `tcpdump`
- /data/XX (XX is 2 digit num)
- /ip => gives `ipconfig` output
- /netstat => gives `netstat` output
/capture redirects to /data/XX (XX is a 2 digit number), through which we can download a .pcap file. But here is a catch: we can visit any valid data path and download the corresponding .pcap file. IDOR here!

We visit http://cap.htb:80/data/0 and download the capture, then open it up with Wireshark.
We see here that an FTP login is successful with credentials:

✅ FTP user: nathan | pass:

We do get access to FTP and also get the
Another thing is, we can login to this box via SSH, as the same credentials (used for the FTP login) are valid!!

So we login via SSH for further enumeration. For getting root we run sudo -l, but we get absolutely nothing! We then put LinEnum.sh on the box and run it.

We get some interesting results. (Hint: Was also a sub-tweet on Cap's tweet)
- Specifically here,
- This allows arbitrary manipulation of process UIDs
- That is, cap_setuid allows changing of the UID (user ID)

We can now set the UID to 0. That means we can run our command as a superuser.
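As an added, defender-side example (not from the original writeup), the following Python audits `getcap -r` output for the same class of finding LinEnum raised here: an interpreter such as python carrying cap_setuid in its permitted or effective set, while ignoring inheritable-only grants. The sample output, the list of dangerous capabilities and the interpreter name pattern are my own assumptions, not data from the box.

```python
import os
import re

# Capabilities that, on a general-purpose interpreter, amount to a root shell
# (cap_setuid is the one Cap's python carried; the others are close cousins).
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace"}
INTERPRETER_RE = re.compile(r"^(python|perl|ruby|php|node|lua|bash|sh)[\d.]*$")
# One clause of cap_to_text(3) output: "<caps><op><flags>", e.g. "cap_setuid+eip".
CLAUSE_RE = re.compile(r"^(?P<caps>[a-z0-9_,]*)(?P<op>[=+-])(?P<flags>[eip]*)$")

def active_caps(spec):
    """Capabilities left permitted or effective after applying the clauses in order."""
    active = set()
    for m in filter(None, map(CLAUSE_RE.match, spec.split())):
        names = m.group("caps")
        caps = {"all"} if names in ("", "all") else set(names.split(","))
        if m.group("op") == "-":
            active -= caps
        elif set(m.group("flags")) & {"e", "p"}:  # inheritable-only grants are ignored
            active |= caps
    return active

def parse_getcap_line(line):
    """Parse one `getcap -r` line: libcap < 2.41 prints 'path = spec', newer prints 'path spec'."""
    line = line.strip()
    if not line:
        return None
    path, sep, spec = line.partition(" = ")
    if not sep:
        path, _, spec = line.partition(" ")
    return path, active_caps(spec)

def audit(lines):
    """(path, caps, is_interpreter) for every file whose permitted/effective set is dangerous."""
    findings = []
    for path, caps in filter(None, map(parse_getcap_line, lines)):
        if "all" in caps or caps & DANGEROUS_CAPS:
            is_interp = bool(INTERPRETER_RE.match(os.path.basename(path)))
            findings.append((path, frozenset(caps), is_interp))
    return findings

# Constructed sample in the shape of `getcap -r / 2>/dev/null`; not output from the box.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/mtr-packet cap_net_raw=ep
/opt/helper cap_setuid+i
"""
```

On a real host, feed `audit()` the lines of `getcap -r / 2>/dev/null`; anything reported with `is_interpreter` true is the finding this writeup turned into a root shell.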
We already know that this box has python installed, as there is a flask app running on port 80. Thus, we run the following commands to get a root session, and the

And we are