CAP is a Linux-based machine from HackTheBox that requires patience with web enumeration and SUID-style privilege escalation skills.
A statistics website that saved users' network access records was deployed. One of the records contained an FTP transaction history in which the login ID and password were stored in cleartext. These credentials could be used to access the target machine over SSH.
After gaining initial access, LinPEAS was used to search for possible privilege escalation loopholes. Finally, it was found that the "capabilities" set on the python binary were the jump hole to root access.
# Nmap 7.80 scan initiated Thu Sep 2 22:52:29 2021 as: nmap -p 21,22,80, -sC -sV -o nmap-result.txt 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.35s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Thu, 02 Sep 2021 14:58:29 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest:
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Thu, 02 Sep 2021 14:58:21 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Thu, 02 Sep 2021 14:58:22 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, GET, HEAD
|     Content-Length: 0
|   RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
|     </body>
|_    </html>
|_http-server-header: gunicorn
|_http-title: Security Dashboard
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.80%I=7%D=9/2%Time=6130E536%P=x86_64-pc-linux-gnu%r(GetRe
SF:quest,2FE5,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20T
SF:hu,\x2002\x20Sep\x202021\x2014:58:21\x20GMT\r\nConnection:\x20close\r\n
SF:Content-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x201938
SF:6\r\n\r\n<!DOCTYPE\x20html>\n<html\x20class=\"no-js\"\x20lang=\"en\">\n
SF:\n<head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20
SF:<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x20\x
SF:20\x20\x20<title>Security\x20Dashboard</title>\n\x20\x20\x20\x20<meta\x
SF:20name=\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1
SF:\">\n\x20\x20\x20\x20<link\x20rel=\"shortcut\x20icon\"\x20type=\"image/
SF:png\"\x20href=\"/static/images/icon/favicon\.ico\">\n\x20\x20\x20\x20<l
SF:ink\x20rel=\"stylesheet\"\x20href=\"/static/css/bootstrap\.min\.css\">\
SF:n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/css/font
SF:-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20h
SF:ref=\"/static/css/themify-icons\.css\">\n\x20\x20\x20\x20<link\x20rel=\
SF:"stylesheet\"\x20href=\"/static/css/metisMenu\.css\">\n\x20\x20\x20\x20
SF:<link\x20rel=\"stylesheet\"\x20href=\"/static/css/owl\.carousel\.min\.c
SF:ss\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/cs
SF:s/slicknav\.min\.css\">\n\x20\x20\x20\x20<!--\x20amchar")%r(HTTPOptions
SF:,B3,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20Thu,\x20
SF:02\x20Sep\x202021\x2014:58:22\x20GMT\r\nConnection:\x20close\r\nContent
SF:-Type:\x20text/html;\x20charset=utf-8\r\nAllow:\x20OPTIONS,\x20GET,\x20
SF:HEAD\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,121,"HTTP/1\.1\x20
SF:400\x20Bad\x20Request\r\nConnection:\x20close\r\nContent-Type:\x20text/
SF:html\r\nContent-Length:\x20196\r\n\r\n<html>\n\x20\x20<head>\n\x20\x20\
SF:x20\x20<title>Bad\x20Request</title>\n\x20\x20</head>\n\x20\x20<body>\n
SF:\x20\x20\x20\x20<h1><p>Bad\x20Request</p></h1>\n\x20\x20\x20\x20Invalid
SF:\x20HTTP\x20Version\x20'Invalid\x20HTTP\x20Version:\x20'RTSP/
SF:1\.0''\n\x20\x20</body>\n</html>\n")%r(FourOhFourRequest,189,
SF:"HTTP/1\.0\x20404\x20NOT\x20FOUND\r\nServer:\x20gunicorn\r\nDate:\x20Th
SF:u,\x2002\x20Sep\x202021\x2014:58:29\x20GMT\r\nConnection:\x20close\r\nC
SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20232\r
SF:\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\x20F
SF:inal//EN\">\n<title>404\x20Not\x20Found</title>\n<h1>Not\x20Found</h1>\
SF:n<p>The\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20serv
SF:er\.\x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x20che
SF:ck\x20your\x20spelling\x20and\x20try\x20again\.</p>\n");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 2 22:55:03 2021 -- 1 IP address (1 host up) scanned in 154.69 seconds
Enumeration strategies
No vulnerability was found in the HTTP server or the SSH/FTP services according to the Nmap result, so we can only focus on the following two enumeration approaches:
1) FTP/SSH
2) Web enumeration
Hacking Process Part 1 – Enumeration
FTP/SSH enumeration
Nothing can be done other than a brute-force attack on the FTP and SSH ports. However, the result was negative.
When visiting the website, a download link pointing to a pcap file was found. The first pcap file was downloaded from http://cap.htb/data/18. No useful information was found after reading this file. Based on the result of the folder enumeration above, an FTP login credential was found.
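The finding above is that an FTP session recorded in a pcap carries the USER and PASS commands in cleartext. As an added example (not the write-up author's code or any HackTheBox material), the script below reads a libpcap file without third-party libraries, walks the Ethernet/IPv4/TCP headers, and reports every login command sent to port 21. A defender can run it over captures from their own network to confirm whether credentials are crossing the wire unencrypted. The capture it parses is constructed inline, and the username and password in it are made-up sample values.

```python
"""Report cleartext FTP logins (USER/PASS to TCP port 21) found in a pcap.

Added example for this write-up, not the author's code. The pcap bytes are
constructed below so the script runs offline; the credentials are invented.
"""
import struct

# Dependency-free reader for the classic libpcap format only:
# little-endian magic 0xa1b2c3d4 and LINKTYPE_ETHERNET frames.
PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def _tcp_segments(pcap_bytes):
    """Yield (src_port, dst_port, payload) for every IPv4/TCP frame."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from(
        "<IHHiIII", pcap_bytes, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap files are handled")
    off = 24  # global header size
    while off + 16 <= len(pcap_bytes):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length
        if frame[23] != 6:                    # protocol field: 6 = TCP
            continue
        ip_total = struct.unpack_from("!H", frame, 16)[0]
        tcp = frame[14 + ihl: 14 + ip_total]  # trim Ethernet padding
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4             # TCP data offset
        yield sport, dport, tcp[doff:]


def find_ftp_logins(pcap_bytes):
    """Return [(command, argument), ...] for USER/PASS sent to port 21."""
    found = []
    for _sport, dport, payload in _tcp_segments(pcap_bytes):
        if dport != 21 or not payload:
            continue
        for line in payload.split(b"\r\n"):
            parts = line.split(b" ", 1)
            if len(parts) == 2 and parts[0] in (b"USER", b"PASS"):
                found.append((parts[0].decode(), parts[1].decode(errors="replace")))
    return found


# --- constructed sample capture (not from the box) ---------------------------
def _frame(sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame; checksums stay zero (the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 21])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed capture: a client logs in to FTP and the server answers 230."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [
        _frame(51234, 21, b"USER sampleuser\r\n"),
        _frame(21, 51234, b"331 Please specify the password.\r\n"),
        _frame(51234, 21, b"PASS sample-password-123\r\n"),
        _frame(21, 51234, b"230 Login successful.\r\n"),
    ]
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + body


if __name__ == "__main__":
    for cmd, arg in find_ftp_logins(build_sample_pcap()):
        print(f"cleartext FTP {cmd}: {arg}")
```

To run it against a real capture, replace `build_sample_pcap()` with `open("capture.pcap", "rb").read()`; the reader deliberately handles only the classic pcap format, so pcapng files need converting first. The same loop is a convenient place to hook an alert: any non-empty result means the FTP service should be replaced with SFTP or FTPS, which is the mitigation for the weakness this box turns on.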
Hacking Process Part 2 – Gaining Foothold
Using the credentials found in the pcap file, it was possible to SSH into the target machine and read the user.txt file.
After gaining initial access, the next step is to upload linpeas.sh and start the PE scan.
Hacking Process Part 3 – Privilege Escalation
Because of the project name "CAP", a finding related to capabilities was interesting to me. When a binary has the Linux CAP_SETUID capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.
After reading several articles, the paper written by Raj Chandel provided a detailed explanation of how this capability can be used for privilege escalation using the following command.
FTP is an insecure protocol that transfers data in plain text; this is the critical point that helped gain the foothold. In addition, the user nathan having the privilege to run the python3 program as root is another security loophole.
System administrators should be aware of security loopholes when enabling system services and assigning such capabilities, which can affect the integrity of the kernel and lead to privilege escalation.
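The loophole described in this write-up is a file capability (CAP_SETUID) attached to a general-purpose interpreter. As an added example (not the author's code), the script below does the audit an administrator would want: it decodes the `security.capability` extended attribute in the kernel's `vfs_cap_data` layout (revisions 1 to 3, following the uapi capability header) and flags any capability that is root-equivalent on an interpreter. `scan_tree()` walks a directory with `os.getxattr()` and only works on Linux; the two sample blobs are constructed so the decoder can be exercised without root, and the capability-name table is a subset of the full list.

```python
"""Decode security.capability xattrs and flag root-equivalent file capabilities.

Added example for this write-up, not the author's code. Layout follows the
kernel's vfs_cap_data (include/uapi/linux/capability.h); sample blobs are constructed.
"""
import os
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
REV_1, REV_2, REV_3 = 0x01000000, 0x02000000, 0x03000000

# Subset of capability numbers from the uapi header (not the full list).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap",
    10: "cap_net_bind_service", 16: "cap_sys_module", 19: "cap_sys_ptrace",
    21: "cap_sys_admin", 31: "cap_setfcap",
}
# Any of these on a general-purpose interpreter hands out root in practice.
ROOT_EQUIVALENT = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_setgid", "cap_setuid", "cap_setpcap", "cap_sys_module",
    "cap_sys_ptrace", "cap_sys_admin", "cap_setfcap",
}


def _names(bits):
    """Translate a 64-bit capability mask into a set of names."""
    return {CAP_NAMES.get(i, f"cap_{i}") for i in range(64) if bits >> i & 1}


def decode_vfs_cap(blob):
    """Parse a security.capability value into permitted/inheritable sets.

    Revision 1: magic, then one (permitted, inheritable) pair (32-bit masks).
    Revision 2: magic, then two pairs (low and high 32 bits of 64-bit masks).
    Revision 3: revision 2 layout followed by a rootid (user-namespace owner).
    """
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    effective = bool(magic & VFS_CAP_FLAGS_EFFECTIVE)  # the "+e" in getcap output
    rootid = 0
    if rev == REV_1:
        permitted, inheritable = struct.unpack_from("<II", blob, 4)
    elif rev in (REV_2, REV_3):
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
        permitted = p_lo | (p_hi << 32)
        inheritable = i_lo | (i_hi << 32)
        if rev == REV_3:
            rootid = struct.unpack_from("<I", blob, 20)[0]
    else:
        raise ValueError(f"unknown vfs_cap revision 0x{rev:08x}")
    return {"permitted": _names(permitted), "inheritable": _names(inheritable),
            "effective": effective, "rootid": rootid}


def risky_caps(blob):
    """Return the sorted root-equivalent capabilities carried by the blob."""
    return sorted(decode_vfs_cap(blob)["permitted"] & ROOT_EQUIVALENT)


def scan_tree(root="/usr/bin"):
    """Walk a directory (Linux only) and map path -> risky capabilities."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability")
            except OSError:  # no xattr, permission denied, or not Linux
                continue
            bad = risky_caps(blob)
            if bad:
                hits[path] = bad
    return hits


# Constructed sample: what getcap would print as "cap_setuid+ep" (revision 2).
SAMPLE_SETUID_EP = struct.pack("<IIIII", REV_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 7, 0, 0, 0)
# Constructed sample: the common harmless case, "cap_net_bind_service+ep".
SAMPLE_NET_BIND_EP = struct.pack("<IIIII", REV_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 10, 0, 0, 0)

if __name__ == "__main__":
    print("interpreter-style blob:", decode_vfs_cap(SAMPLE_SETUID_EP))
    print("risky:", risky_caps(SAMPLE_SETUID_EP), "| harmless:", risky_caps(SAMPLE_NET_BIND_EP))
    for path, bad in scan_tree().items():
        print(path, bad)
```

The check is the same one LinPEAS surfaces via `getcap`, but reading the xattr directly makes it easy to run as a scheduled integrity job: a non-empty `scan_tree()` result on an interpreter, shell or editor is worth an alert, and the fix is `setcap -r` on the binary and granting the needed privilege to a purpose-built helper instead.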