Cap Walk-through: HackTheBox Machine Write-up

Saurabh Jain
4 min read · Oct 19, 2021

Cap is a very simple Linux machine designed for beginners. In this walk-through we will go through how to gain user and root access on the machine.

In the above image you can see that the IP 10.10.10.245 is assigned, but there is a chance that you will get a different IP address.

Note: The walkthrough is written for a retired machine and for accessing and solving this machine you need to have VIP access of HacktheBox.

Reconnaissance

In the initial reconnaissance, we start with a port scan of the machine. Here, I have used nmap for port scanning.

nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN <output-file> 10.10.10.245

The above exhibit shows the results for nmap scan.

Discovery and Scanning

21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3

22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2

80/tcp open http syn-ack ttl 63 gunicorn

Starting with enumeration of port 80, we see a web application hosted there with the user Nathan already logged in.

While traversing the application, we were able to see a few interesting pages.

http://10.10.10.245/ip

http://10.10.10.245/netstat

http://10.10.10.245/data/1

Here, we can see there is a download button, and from there we can download the file. It is a PCAP file named 1.pcap. The contents of this file can be viewed using Wireshark.

The above exhibit shows the contents of the file in Wireshark.

To see the TCP stream, we can right-click on a captured packet and click on Follow TCP Stream.

Unfortunately, I was not able to find any clue in this file.

Vulnerability Assessment

Tried tweaking the URL a little bit.

http://10.10.10.245/data/1 → http://10.10.10.245/data/0

The above exhibit shows the page where the download option is available for the 0.pcap file.
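The bug behind that URL tweak is an insecure direct object reference: the server checks that someone is logged in but never checks who owns the capture with the requested id. As an added example that is not the box's real application or code from this write-up, here is a minimal WSGI app (the kind gunicorn serves) with the /data/<id> route in its vulnerable form beside a hardened form that enforces ownership; the capture store, the owner names and the X-Demo-User session header are constructed for the demo.

```python
# Added example, not the Cap box's own app. A minimal WSGI application with a
# /data/<id> route, served the way gunicorn would serve it. check_owner=False
# reproduces the IDOR (any logged-in user can fetch /data/0); check_owner=True
# is the hardened version. Users, capture ids and the session header are constructed.
from wsgiref.util import setup_testing_defaults
import re

# Constructed capture store: id -> (owner, contents). On the box these are
# pcap files on disk; here they are in-memory bytes.
CAPTURES = {
    0: ("admin", b"<constructed: capture holding cleartext credentials>"),
    1: ("nathan", b"<constructed: capture with nothing sensitive>"),
}
DATA_ROUTE = re.compile(r"^/data/(\d+)$")

def current_user(environ):
    # Assumption: the session layer has already resolved the logged-in user
    # (Nathan is "already logged in" on the box); the demo passes it as a header.
    return environ.get("HTTP_X_DEMO_USER")

def handle_data(environ, check_owner):
    """Return (status, body) for a /data/<id> request."""
    m = DATA_ROUTE.match(environ.get("PATH_INFO", ""))
    if not m:
        return "404 Not Found", b""
    user = current_user(environ)
    if user is None:
        return "401 Unauthorized", b""
    cap = CAPTURES.get(int(m.group(1)))
    if cap is None:
        return "404 Not Found", b""
    owner, body = cap
    # The fix: being authenticated is not authorisation for this particular id.
    if check_owner and owner != user:
        return "403 Forbidden", b""
    return "200 OK", body

def make_app(check_owner):
    def app(environ, start_response):
        status, body = handle_data(environ, check_owner)
        start_response(status, [("Content-Type", "application/octet-stream")])
        return [body]
    return app

def request(app, path, user):
    """Drive the WSGI app without a server; returns (status, body)."""
    environ = {"PATH_INFO": path, "HTTP_X_DEMO_USER": user}
    setup_testing_defaults(environ)
    seen = {}
    body = b"".join(app(environ, lambda status, headers: seen.setdefault("status", status)))
    return seen["status"], body
```

Calling `request(make_app(False), "/data/0", "nathan")` returns 200 with another user's capture, while the same request against `make_app(True)` returns 403; the check belongs next to the lookup, not in the login flow.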

We can open the downloaded PCAP file using Wireshark or tcpdump.

The above exhibit shows the contents of the 0.pcap file leaking the SSH credentials.

I got the SSH credentials and tried logging in.

USER nathan

PASS Buck3tH4TF0RM3!

Exploitation

To log in over SSH, we can use a very simple command and then enter the password.

ssh <username>@<ip-address>

The above exhibit shows a successful login to the machine using the SSH credentials.

We successfully logged into SSH with the credentials we got from the PCAP file.

The above exhibit shows that the user flag is captured.

Great! We gained the user level and now it’s time to escalate our privileges.

Privilege Escalation

For privilege escalation we can use the linpeas script. You can download the script from the link below.

https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

The above exhibit shows the linpeas script downloaded and a Python HTTP server started.

To run the script on the remote machine, we can serve it from a Python HTTP server on our own machine and fetch it with wget or curl.

The above exhibit shows that the script has been downloaded into the tmp folder using the wget command.

We can run the bash script directly with the command

bash linpeas.sh

The above exhibit shows that the script has been executed.

After running the script, a notable flaw was observed in the capabilities section.

The above exhibit shows the capabilities section from the linpeas script output.

Here, we can use the GTFOBins GitHub repo to exploit this.

https://gtfobins.github.io/#

We can search for python and look at its Capabilities section, which shows how this flaw can be exploited.

The above exhibit shows the capabilities flaw in python.

We can use this and directly exploit it.

python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

The above exhibit shows that the privileges have been escalated.

We were finally able to exploit the capabilities and escalate our privileges.

The above exhibit shows that root flag has been captured.

We successfully pwned the machine.
