Hackthebox Cap writeup
Introduction@Cap:~$
| Column | Details |
|---|---|
| Name | Cap |
| IP | 10.10.10.245 |
| Points | 20 |
| OS | Linux |
| Difficulty | Easy |
| Creator | InfoSecJack |
| Out On | 05 Jun 2021 |
Recon
Nmap
There are three ports open: 21 (FTP), 22 (SSH) and 80 (HTTP). Let's start with FTP and check whether anonymous login is allowed.

Login failed! Now let's move on to port 80.
Port-80
It's a simple admin panel. After some manual enumeration I found nothing, so let's look for directories with the help of gobuster.

The /data directory looks interesting; let's go and check it. It says "not found", which means the directory exists but we still need to find a file inside it. Let's enumerate further inside the /data directory with wfuzz.
There are a lot of files inside the /data directory. After trying every file in the directory one by one, I found an interesting file called 00. So let's go to this URL -> 10.10.10.245/data/00. There we find a download button; let's download that file.

After downloading it we see that it's a .pcap file, so let's open it in Wireshark.
Inside Wireshark we see a good amount of FTP traffic. I applied a filter to show only the FTP requests and found a username and password being used to log in to FTP, and that login was successful. Let's follow the TCP stream for a clearer view.

Now let's try to log in to FTP with these creds.

We see that we can browse nathan's home directory, which means the same credentials should also let us log in over SSH. Let's try that.

And we got a login; let's grab the user.txt file.
Privilege escalation
```
nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
nathan@cap:~$
```
I found a capabilities entry for python3.8. Let's check that binary to see whether it is owned by root or not.
```
nathan@cap:~$ ls -la /usr/bin/python3.8
-rwxr-xr-x 1 root root 5486384 Jan 27 2021 /usr/bin/python3.8
nathan@cap:~$
```
The binary is owned by root. Let's run the python3 binary, which is a symlink to python3.8, and use it to set our user ID to 0, because UID 0 is always root.
Let's check first with the whoami command. We get the output root. Now, with root privileges, let's set the SUID bit on the /bin/bash binary so that any user can execute it and get root privileges.
And we pwned it!
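The getcap check above is the audit a defender should run on every host, since a root-equivalent capability on an interpreter is the whole privilege-escalation path on this box. Below is an added example (not part of the original writeup) that parses `getcap -r` output in both the older `path = caps+flags` format shown above and the newer libcap `path caps=flags` format, flags capabilities that are root-equivalent or granted to a general-purpose interpreter, and prints the `setcap -r` command that removes them; the sample listing is constructed from this box's output plus one extra perl line.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the getcap -r listing from this box, plus one line in the
# newer libcap output format ("path caps=flags") to show both are parsed.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/perl cap_setuid=ep
"""
# Capabilities that let a process become root or bypass file permissions.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module",
                  "cap_chown", "cap_fowner", "cap_setfcap"}
# A capability on an interpreter is usable by every script it runs, so it is a
# finding even when the capability itself is mild.
INTERPRETERS = ("python", "perl", "ruby", "php", "node", "lua")
_LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>[\w,]+)[+=](?P<flags>[eip]+)$")

class CapEntry(NamedTuple):
    path: str
    caps: frozenset
    flags: str  # e = effective, i = inheritable, p = permitted

def parse_getcap_line(line: str) -> Optional[CapEntry]:
    """Parse one getcap line in either output format; None if unparsable."""
    m = _LINE_RE.match(line.strip())
    return CapEntry(m["path"], frozenset(m["caps"].split(",")), m["flags"]) if m else None

def assess(entry: CapEntry) -> Optional[str]:
    """Return why an entry is risky, or None if it looks benign."""
    if "p" not in entry.flags:
        return None  # not in the permitted set: the process can never raise it
    bad = sorted(entry.caps & DANGEROUS_CAPS)
    if bad:
        return "root-equivalent capability " + ",".join(bad)
    if entry.path.rsplit("/", 1)[-1].startswith(INTERPRETERS):
        return "capability granted to an interpreter"
    return None

def find_risky(getcap_output: str) -> list:
    """Return (path, reason, remediation) for each risky line of getcap -r."""
    findings = []
    for line in getcap_output.splitlines():
        entry = parse_getcap_line(line)
        reason = assess(entry) if entry else None
        if reason:
            findings.append((entry.path, reason, f"setcap -r {entry.path}"))
    return findings
```

Run `find_risky(SAMPLE_GETCAP)` to see python3.8 and perl reported with `setcap -r` fixes while ping, traceroute and mtr-packet pass, since cap_net_raw on a fixed-purpose binary is the intended use of file capabilities.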
Resources
| Topic | Url |
|---|---|
| Server Side Template Injection Payloads | https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/… |
| XXE Cheatsheet | https://gracefulsecurity.com/xxe-cheatsheet-xml-external-entity-injection/ |