Cap Walk-through: HackTheBox Machine Write-up
Cap is a very simple Linux machine designed for beginners. In this walk-through we go through how to gain user and then root access on the machine.
In the image above you can see that the IP address 10.10.10.245 is assigned; there is a chance you will get a different IP address.
Note: This walkthrough is written for a retired machine; to access and solve it you need VIP access on HacktheBox.
Reconnaissance
For the initial reconnaissance we started with a port scan of the machine. Here, I have used nmap for port scanning (the -oN output file name is a placeholder; pick your own):
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN <output-file> 10.10.10.245
Discovery and Scanning
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2
80/tcp open http syn-ack ttl 63 gunicorn
We start by enumerating port 80 and find a web application hosted there, with the user Nathan already logged in.
While browsing the application, we were able to see a few interesting pages.
Here we can see a download button, and from there we can download the file. It is a PCAP file named 1.pcap. The contents of this file can be viewed in Wireshark.
To see a TCP stream, right-click a captured packet and choose Follow > TCP Stream.
Unfortunately, I was not able to find any clue in this file.
Vulnerability Assessment
Tried tweaking the URL a little. The capture id is simply a number in the path, and the server never checks whether the logged-in user owns that capture, so decrementing the id returns somebody else's capture (an insecure direct object reference):
http://10.10.10.245/data/1 → http://10.10.10.245/data/0
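The security-relevant point above is an insecure direct object reference: the handler looks the capture up by id and never checks ownership. The following is an added example written for this walk-through, not the Cap application's own code; it puts the vulnerable lookup beside a hardened one over a constructed in-memory store (the users, ids and paths are assumptions):

```python
"""Direct object reference on a capture-download endpoint: the vulnerable
check beside a hardened one (added example, not the Cap application's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Capture:
    capture_id: int
    owner: str
    path: str


# Constructed sample store: one id per capture, each owned by one user.
# The ids are sequential, so anyone who sees /data/1 can guess /data/0.
CAPTURES = {
    0: Capture(0, "admin", "/captures/0.pcap"),
    1: Capture(1, "nathan", "/captures/1.pcap"),
}


class Forbidden(Exception):
    """Raised when the session user may not read the requested capture."""


def download_insecure(session_user: str, capture_id: int) -> Capture:
    """Vulnerable pattern: the handler only checks that the id exists.

    `session_user` is never consulted, so any logged-in user can fetch any
    capture just by editing the number in the URL (IDOR).
    """
    capture = CAPTURES.get(capture_id)
    if capture is None:
        raise KeyError(capture_id)
    return capture


def can_access(session_user: str, capture_id: int) -> bool:
    """Authorization decision: the capture must exist AND belong to the caller."""
    capture = CAPTURES.get(capture_id)
    return capture is not None and capture.owner == session_user


def download_secure(session_user: str, capture_id: int) -> Capture:
    """Hardened pattern: scope the lookup to the session user.

    A missing id and a foreign id produce the same error, so probing ids
    reveals nothing about which ones exist.
    """
    if not can_access(session_user, capture_id):
        raise Forbidden(f"capture {capture_id} is not available to {session_user}")
    return CAPTURES[capture_id]


if __name__ == "__main__":
    # nathan is logged in and asks for the admin's capture.
    print("insecure:", download_insecure("nathan", 0).path)   # leaks /captures/0.pcap
    try:
        download_secure("nathan", 0)
    except Forbidden as exc:
        print("secure:", exc)
```

The fix is the ownership check, not hiding the id: a web framework's route can keep `/data/<int:id>` as long as every lookup is scoped to the session user and a foreign id is indistinguishable from a missing one.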
We can open the downloaded PCAP file using Wireshark or tcpdump.
The capture contains a cleartext FTP login (the USER and PASS commands below); I tried the same credentials over SSH.
USER nathan
PASS Buck3tH4TF0RM3!
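What Wireshark's Follow TCP Stream shows here is a login sent unencrypted over FTP. As an added example (not part of the original write-up or the challenge's tooling), the following detector reads a classic pcap file, reassembles client-to-server traffic on port 21 and reports each USER/PASS pair, returning only the password's length rather than the password itself. The capture it runs on is constructed inline; the addresses, ports and password are made up:

```python
"""Flag cleartext FTP logins in a pcap (added example; a tiny Ethernet/IPv4/TCP
reader plus FTP control-channel parsing, not the Cap challenge's own tooling)."""
import socket
import struct

PCAP_GLOBAL = "<IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD = "IIII"       # ts_sec, ts_usec, incl_len, orig_len (endianness from magic)
LINKTYPE_ETHERNET = 1


def iter_tcp_payloads(pcap: bytes):
    """Yield (src, sport, dst, dport, payload) for every TCP segment carrying data."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "HHiIII", pcap, 4)[-1]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + PCAP_RECORD, pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != 6:                                    # TCP only
            continue
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        payload = tcp[data_off:]
        if payload:
            yield src, sport, dst, dport, payload


def find_cleartext_ftp_logins(pcap: bytes):
    """Reassemble client->server FTP control traffic and report USER/PASS pairs.

    The password itself is never returned, only its length: a detector needs
    to know that a credential crossed the wire unencrypted, not what it was.
    """
    streams = {}
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        if dport == 21:
            streams.setdefault((src, sport, dst), bytearray()).extend(payload)
    findings = []
    for (client, cport, server), data in streams.items():
        user = None
        for line in data.decode("ascii", "replace").split("\r\n"):
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                user = arg
            elif verb.upper() == "PASS" and user is not None:
                findings.append({"client": f"{client}:{cport}", "server": server,
                                 "user": user, "password_len": len(arg)})
                user = None
    return findings


# --- Constructed sample capture (addresses, ports and password are made up) ---
def _frame(src_ip, sport, dst_ip, dport, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames) -> bytes:
    out = [struct.pack(PCAP_GLOBAL, 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<" + PCAP_RECORD, 1600000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    _frame("192.168.196.1", 21, "192.168.196.16", 54411, b"220 (vsFTPd 3.0.3)\r\n"),
    _frame("192.168.196.16", 54411, "192.168.196.1", 21, b"USER nathan\r\n"),
    _frame("192.168.196.1", 21, "192.168.196.16", 54411, b"331 Please specify the password.\r\n"),
    _frame("192.168.196.16", 54411, "192.168.196.1", 21, b"PASS s3cret-example\r\n"),
    _frame("192.168.196.16", 54412, "192.168.196.1", 80, b"GET / HTTP/1.1\r\n\r\n"),  # not FTP, ignored
])

if __name__ == "__main__":
    for finding in find_cleartext_ftp_logins(SAMPLE_PCAP):
        print(finding)
```

Run it against a real capture by replacing `SAMPLE_PCAP` with the file's bytes. One finding here is already the lesson of this box: FTP sends the password in the clear, and the same password was reused for SSH, so anyone who can read the capture can log in.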
Exploitation
To log in over SSH we can use a very simple command and then enter the password:
ssh <username>@<ip-address>
We successfully logged in over SSH with the credentials we got from the PCAP file.
Great! We gained user-level access, and now it's time to escalate our privileges.
Privilege Escalation
For privilege escalation we can use the linpeas script. You can download the script from the link below.
To run the script on the remote machine we can transfer it by hosting it with a simple Python HTTP server on our machine and fetching it with wget or curl.
We can run the bash script directly with the command:
bash linpeas.sh
After running the script, a flaw was observed in the capabilities section: the Python 3.8 interpreter has the cap_setuid capability set, which lets any user who can run it change its UID.
Here we can use the GTFOBins GitHub repo to find a way to exploit this.
Searching GTFOBins for python under capabilities gives the exact command, which we can use directly:
python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
We were finally able to exploit the capabilities and escalate our privileges.
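The root cause of this escalation is a file capability, cap_setuid, granted to a general-purpose interpreter. From the defender's side the check is the same thing linpeas does in its capabilities section, made explicit. The following is an added example written for this walk-through (not linpeas or GTFOBins code): it decodes the security.capability extended attribute that setcap writes and flags root-equivalent capabilities, with an interpreter on the receiving end treated as the worst case. The two xattr blobs are constructed inline; the file paths are assumptions, and the filesystem walk needs Linux.

```python
"""Audit file capabilities (added example, not linpeas or GTFOBins code):
decode the security.capability xattr and flag capabilities that are
root-equivalent when granted to a general-purpose interpreter."""
import os
import struct

# Subset of Linux capability numbers (include/uapi/linux/capability.h).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap",
    10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw",
    16: "cap_sys_module", 17: "cap_sys_rawio", 19: "cap_sys_ptrace",
    21: "cap_sys_admin", 31: "cap_setfcap",
}
# Capabilities that let the holder become root or act as root on files.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_setpcap", "cap_sys_module",
    "cap_sys_rawio", "cap_sys_ptrace", "cap_sys_admin", "cap_setfcap",
}
INTERPRETERS = ("python", "perl", "ruby", "node", "php", "lua")
VFS_CAP_FLAGS_EFFECTIVE = 0x000001


def decode_cap_xattr(blob: bytes) -> dict:
    """Parse a vfs_cap_data blob (revision 1, 2 or 3) into bitmasks."""
    magic_etc, = struct.unpack_from("<I", blob, 0)
    revision = magic_etc >> 24
    pairs = {1: 1, 2: 2, 3: 2}.get(revision)   # 32-bit (permitted, inheritable) pairs
    if pairs is None:
        raise ValueError(f"unknown security.capability revision {revision:#x}")
    permitted = inheritable = 0
    for i in range(pairs):
        perm, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= perm << (32 * i)
        inheritable |= inh << (32 * i)
    return {
        "permitted": permitted,
        "inheritable": inheritable,
        # The effective flag activates the permitted set at exec time, so the
        # program needs no capset() call of its own to use it.
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
    }


def cap_names(mask: int) -> list:
    return sorted(CAP_NAMES.get(bit, f"cap_{bit}") for bit in range(64) if mask >> bit & 1)


def assess(path: str, blob: bytes) -> dict:
    """Turn one file's capability xattr into a finding a reviewer can act on."""
    caps = decode_cap_xattr(blob)
    names = cap_names(caps["permitted"])
    return {
        "path": path,
        "caps": names,
        "effective": caps["effective"],
        "root_equivalent": sorted(set(names) & ROOT_EQUIVALENT),
        "interpreter": os.path.basename(path).startswith(INTERPRETERS),
    }


def scan_tree(root: str = "/") -> list:
    """Walk a filesystem and assess every file carrying security.capability.

    Needs Linux (os.getxattr); the same ground `getcap -r` covers, plus triage.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:          # no xattr, permission denied, or file vanished
                continue
            findings.append(assess(path, blob))
    return findings


# Constructed xattr blobs, laid out as setcap writes them for cap_setuid+ep and
# cap_net_bind_service+ep: revision 2, effective flag set, one bit in permitted[0].
SAMPLE_PYTHON_XATTR = bytes.fromhex("01000002" "80000000" "00000000" "00000000" "00000000")
SAMPLE_WEBSERVER_XATTR = bytes.fromhex("01000002" "00040000" "00000000" "00000000" "00000000")

if __name__ == "__main__":
    for path, blob in (("/usr/bin/python3.8", SAMPLE_PYTHON_XATTR),
                       ("/usr/sbin/httpd", SAMPLE_WEBSERVER_XATTR)):
        finding = assess(path, blob)
        verdict = "FIX" if finding["root_equivalent"] and finding["interpreter"] else "ok"
        print(verdict, finding)
```

A web server holding cap_net_bind_service is a legitimate use of file capabilities; cap_setuid on an interpreter is not, because the interpreter will run whatever code its caller hands it. The remediation is to drop the capability (`setcap -r` on the binary) and give the privileged task its own minimal helper instead.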
We successfully pwned the machine.