Hack The Box — Cap Machine Writeup

Shivam Rai
5 min read · Sep 6, 2021

This is my write-up for the ‘CAP’ box found on Hack The Box.

There is a hint in the name of the box. Let's start and solve this machine; it is a relatively easy one.

Let's first add the machine's IP to /etc/hosts so that the hostname resolves to it.

Now when you ping "cap.htb" it will be reachable, which means our machine is live and we are good to go!

Let's do an nmap scan on the target to see the open ports, the services running on them and their versions.

Command used: nmap -sC -sV -A -T4 <ip>

-sC means run the default scripts, -sV means detect service versions, -A means aggressive scanning, and -T4 makes the scan faster.

The result shows port 21 (FTP) and port 22 (SSH) open, and port 80 running Gunicorn, which is a Python WSGI (Web Server Gateway Interface) HTTP server.

Anonymous access is not allowed on port 21, so it is of no use for now.

SSH is open but we do not have credentials, so it is of no use for now either.

Let's do some recon to look for subdirectories that might hold an admin panel, a file upload, or sensitive secret files.

So let's run FFUF, a fast web fuzzer written in Go. We will use it for directory brute-forcing on our target.

Command used: ffuf -w /usr/share/wordlists/dirbuster/list — medium2.txt -u "http://cap.htb/FUZZ" -mc 200,302 -t 70

Here -w specifies the wordlist, -u the target URL, -mc the response status codes to match (200 and 302 here), and -t the number of threads.

From the result we got /data, /ip, /netstat and /capture.

We can run whatweb to learn a little about our target.

Okay, so let's visit the web server and explore it.

We have ifconfig, network status, and Security Snapshots tabs on the left side.

Before that, look at the source code: you may find a username or password that could be used for SSH. Check the JS files too, since hardcoded credentials are sometimes stored there; it is worth a try ;). This also gives you an idea of how the website works and what functionality it uses. Use Burp to see the requests it makes.

So let's visit the Security Snapshot tab, which looks interesting.

As we can see, a pcap file is stored. Packet Capture or PCAP (also known as libpcap) is an application programming interface (API) that captures live network packet data from the OSI model.

Can you relate the machine name CAP to PCAP? ;)

But from the image we can see that the content size of the capture is 0, which means nothing is stored in this pcap file.

Why not change cap.htb/data/1 to cap.htb/data/0?
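The reason this works is that the capture endpoint trusts the number in the URL and never checks who owns that capture. As an added example (not the box's own code), here is a minimal WSGI app of the kind Gunicorn serves with the ownership check that prevents it; the "app.user" environ key, the /data/<id> route and the capture records are assumptions made for this example.

```python
from wsgiref.util import setup_testing_defaults

# Constructed sample store: capture id -> (owner, pcap bytes). The box's real
# backing store is unknown; these records exist only for this example.
CAPTURES = {
    0: ("nathan", b"\xd4\xc3\xb2\xa1" + b"\x00" * 20),   # pcap magic + padding
    1: ("alice", b"\xd4\xc3\xb2\xa1" + b"\x00" * 20),
}

def lookup_capture(cap_id, user, enforce_owner=True):
    """Return the pcap bytes for cap_id, or None if it must not be served.
    enforce_owner=False reproduces the weak behaviour (the /data/1 -> /data/0 trick)."""
    rec = CAPTURES.get(cap_id)
    if rec is None:
        return None
    owner, data = rec
    if enforce_owner and owner != user:
        return None  # same answer as a missing id, so ids cannot be enumerated
    return data

def make_app(enforce_owner=True):
    """Minimal WSGI app (the kind Gunicorn serves) exposing /data/<id>."""
    def app(environ, start_response):
        user = environ.get("app.user")  # assumed to be set by auth middleware
        parts = environ.get("PATH_INFO", "").strip("/").split("/")
        if len(parts) != 2 or parts[0] != "data" or not parts[1].isdigit():
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        if user is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"login required"]
        data = lookup_capture(int(parts[1]), user, enforce_owner)
        if data is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        start_response("200 OK", [("Content-Type", "application/vnd.tcpdump.pcap")])
        return [data]
    return app

def request(app, path, user=None):
    """Drive the app with a constructed request; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if user:
        environ["app.user"] = user
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], body
```

With `enforce_owner=False` a user logged in as alice can fetch capture 0, which belongs to nathan; with the check on, the same request is answered exactly like a non-existent id.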

Cool! Now we can download this pcap file.

Then open it: go to the Downloads folder in a terminal and type wireshark <pcap_file>. It will display the contents of the packets on the screen.

After analysing the pcap file, look what I got: the user and password. Since not many packets were captured, we could analyse them quickly. But if 10000 packets had been captured, we could use filters to look for the interesting ones.

Now just select the packet whose request shows PASS, right-click on it and click "Follow TCP Stream".
This feature allows you to follow a particular TCP conversation between two or more hosts.

Look what we got: the user is nathan, and the password is Buck….

So we can use these credentials to log in and get access to the machine.

Let's do SSH. username=natha… and password=bucke….

Command: sudo ssh <username>@cap.htb

It will prompt for a password; enter the password.

So we got access to the machine!

Let's collect some information about the machine so we can understand its architecture, machine type and kernel version.

Okay, let's do the privilege escalation, since we are not root yet.

You can run Exploit Suggester or linpeas. After running that, I found that we can abuse Linux capabilities for privilege escalation.

We can say that capabilities are a little obscure but similar in principle to SUID: Linux's thread privilege checking is based on capabilities.

If you'd like to find out which capabilities are already set on your system, run the command:

getcap -r / 2>/dev/null

After running it, I found that the empty capability set (ep) over SUID is given to python3 for the user nathan. That means all privileges are assigned to the user for that program; therefore, taking advantage of this permission, he can escalate from a low-privilege shell to a high-privilege one.

If the binary has the Linux CAP_SETUID capability set, or it is executed by another binary with that capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.
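From the defender's side, the getcap command above is the audit: the finding on this box is an interpreter carrying cap_setuid, which is as good as a SUID root shell for anyone who can run it. The script below is an added example (not from the writeup) that parses getcap output and flags such binaries; the list of dangerous capabilities, the interpreter pattern and the sample output are assumptions constructed for the example.

```python
import re

# Capabilities that let a process change identity or bypass DAC checks; an
# interpreter carrying one of these is a root-equivalent foothold for any user
# allowed to run it, which is the situation found on this box.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
             "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module",
             "cap_chown", "cap_fowner"}
INTERPRETERS = re.compile(r"/(python[0-9.]*|perl|ruby|node|php|bash|sh)$")

# getcap prints "PATH = caps+flags" (older libcap) or "PATH caps=flags"
# (libcap 2.41 and later); both shapes are accepted.
_OLD = re.compile(r"^(?P<path>\S+)\s*=\s*(?P<caps>[^+]*)\+(?P<flags>[eip]+)$")
_NEW = re.compile(r"^(?P<path>\S+)\s+(?P<caps>\S*)=(?P<flags>[eip]+)$")

def parse_getcap_line(line):
    """Return (path, set_of_caps, flags), or None for an unparsable line."""
    m = _OLD.match(line.strip()) or _NEW.match(line.strip())
    if not m:
        return None
    caps = {c.strip() for c in m.group("caps").split(",") if c.strip()}
    return m.group("path"), caps, m.group("flags")

def audit(getcap_output):
    """Return (path, reason) for every binary whose file capabilities are
    dangerous, or whose set is empty (=ep), which means the full set."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps, flags = parsed
        if not caps:
            findings.append((path, "full capability set (=%s)" % flags))
            continue
        bad = sorted(caps & DANGEROUS)
        if bad:
            kind = "interpreter" if INTERPRETERS.search(path) else "binary"
            findings.append((path, "%s with %s (+%s)" % (kind, ",".join(bad), flags)))
    return findings

# Constructed sample in the shape of `getcap -r / 2>/dev/null` (not the box's
# real output; the python3 line mirrors what the writeup describes).
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3 = cap_setuid+ep
/usr/local/bin/backup cap_dac_read_search=ep
/usr/bin/mtr-packet cap_net_raw=ep
"""

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(path, "->", reason)
```

Running it against real output (`getcap -r / 2>/dev/null | python3 audit.py`, after swapping SAMPLE for stdin) turns the manual check into something a configuration scan can repeat; the fix for the finding is `setcap -r` on the interpreter and granting cap_net_bind_service or similar only to a dedicated, non-interpreter binary.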

Command to run to become root: python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

So we achieved root by "abusing the capabilities".

Resources you can use for learning:

Twitter : https://twitter.com/shivam24rai

LinkedIn : https://www.linkedin.com/in/shivam-rai-59611a157/

Keep learning and happy learning. Thank you for reading my writeup!

Shivam Rai

Ethical Hacker | WebAppSec | Google Code-in 2019 Runner Up | Bug bounty Hunter | SCNS(Security Certified Network Specialist) | 15 CVE + | HTB #720 Rank