Hello everyone , I hope you are doing well , in this post I will be sharing my writeup for HTB Cap machine , which was an interesting easy linux box , as the name “cap” it was related to analyzing pcap files. There were three ports open on this box http,ssh and ftp, on the web server we saw that there’s a option “security snapshot”which would allow us to download a pacp file , but mostly the files we were getting had either no data or just data of our tcp handshake , so here it lies an IDOR as we could see the link /data/<number>/ so by changing the number we can get a different pcap file . In this way we got the correct file which had creds for nathan user and it allowed us to ssh into the machine. We then could just look at the source code for the web application or run linpeas to know that cap_setuid capability is set on python3 so we can spawn bash by setting uid to 0 which is of root user.
Rustscan
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Sat, 05 Jun 2021 19:06:17 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Sat, 05 Jun 2021 19:06:10 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Security Dashboard</title>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
| <link rel="stylesheet" href="/static/css/bootstrap.min.css">
| <link rel="stylesheet" href="/static/css/font-awesome.min.css">
| <link rel="stylesheet" href="/static/css/themify-icons.css">
| <link rel="stylesheet" href="/static/css/metisMenu.css">
| <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
| <link rel="stylesheet" href="/static/css/slicknav.min.css">
| <!-- amchar
| HTTPOptions:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Sat, 05 Jun 2021 19:06:11 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Allow: GET, OPTIONS, HEAD
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 196
| <html>
| <head>
| <title>Bad Request</title>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
| </body>
|_ </html>
| http-methods:
|_ Supported Methods: GET OPTIONS HEAD
|_http-server-header: gunicorn
|_http-title: Security Dashboard
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-binPORT 80 (HTTP)
We can enumerate what’s on the web page
Then I saw we can download pcap file
But that file was empty
I ran dirsearch to fuzz for files and directories
After running the dirsearch I saw that some packets were captured
I kept banging my head against the wall , I went to thier twitter to see the announcement of this box as that might give a hint
Here It refers to Flask and Cap which they are refering to pcap files , so here I though maybe there's SSTI involved in flask application so I started to try the payload like {{7*7}}
It didn’t work ,here I wasted majority of my time thinking it has something to do with flask SSTI exploit but I was going into a rabbit hole
Some time passed and I just started to switch between different numbers on Security Snapshots PCAP files, I tried looking at files /data/1,2,3,4,5,6,… but those pcap files were generated when I was making a request on the machine ,scanning the machine or doing fuzzing so this was a dead end until I send a request /data/0
On opening this file with wireshark
There are some things to note
First , we can see that there are local IP addresses which means this PCAP file is from the target machine,
Second , we can see port 21 which is the port number for FTP (File Transfer Protocol)
Third ,the user name nathan
Fourth,the password Buck3tH4TF0RM3!
And lastly the file being retrieved from FTP note.txt
So the creds we found are for FTP so let’s try those
PORT 21 (FTP)
And we got the user.txt , now let’s these same creds on SSH maybe we can login through this on the machine
PORT 22 (SSH)
And boom we are in the machine, now let’s check sudo -l
It seems we are not in sudoers group, so the next thing I wanted to check if web application was actually made on flask as SSTI didn’t work so I went to /var/www/html
And this indeed looks like a flask applicaiton ,so I decided to see the source code
Here we can see something interesting , python3 is being used and user id is being set to 0 which is of root user and then it's capturing packets with tcpdump so this made me think that by default we cannot do this with python3 so I tried to look for capabilities on the machine and what these are that ,capabilities are special attributes in the linux kernel that grant processes and binary executable specific privileges that are normally reserved for processes whose effective user ID is 0.
So let’s search for capabilities using this command
getcap -r / 2>/dev/nullWe can see here that python3 has cap_setuid which manipulates process ID
We could have found this capbility with linpeas as well
Since python3 has a capability we can easily get a shell from here by setting uid to 0 ( which is root user’s id) ,so let’s visit gtfobins
