Hack The Box: Cap


Enumeration


The nmap scan reveals only one port: Port 80 with an Apache web server.

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
| fingerprint-strings: 

The website shows a “security dashboard”.


After looking around a bit, I noticed that we can download PCAP data from /data/1, where the number increments with each request. With a bit of fuzzing, it turns out that there is also a /data/0, with records that were created by some other user. Let's download it and analyze it in Wireshark.


Initial Foothold

Inside the log data, we find an FTP login by the user “nathan” with the password “Buck3tH4TF0RM3!”. On the FTP server, we find the user flag. The password also works for the SSH login. Next, I ran linpeas, which flagged two CVEs.

โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฃ CVEs Check
Vulnerable to CVE-2021-4034
Vulnerable to CVE-2021-3560   

It also shows that the python3.8 binary has file capabilities set:

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

Since the box is called “cap”, this might be the intended attack vector. On GTFOBins, we find the following entry under Capabilities:

If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.

Next, we execute the command as specified and get a root shell.

$ ./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
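As an added defender-side check that is not part of the original write-up, the following Python script parses getcap output in the format linpeas showed above and flags file capabilities that amount to root, rating an effective cap_setuid on an interpreter such as python3.8 as critical. The sample lines are constructed, and the DANGEROUS_CAPS shortlist and INTERPRETERS tuple are my own editorial choices.

```python
"""Audit getcap output for file capabilities that amount to root."""
import os
import re

# Capabilities that let a process become or act as root (an editorial
# shortlist for this example, not an exhaustive list).
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                  "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module"}
INTERPRETERS = ("python", "perl", "ruby", "node", "php", "gdb")
CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)([+=-])([eip]*)$")

def parse_getcap_line(line: str) -> tuple[str, dict[str, str]]:
    """Parse one getcap line ('path = caps' or 'path caps') to (path, {cap: flags})."""
    path, _, rest = line.strip().partition(" ")
    caps: dict[str, str] = {}
    for clause in rest.lstrip("= ").split():
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unparseable clause {clause!r}")
        names, op, flags = m.groups()
        for name in names.split(","):
            have = set(caps.get(name, ""))
            if op == "=":      # replace the flag set
                caps[name] = flags
            elif op == "+":    # add flags to the set
                caps[name] = "".join(sorted(have | set(flags)))
            else:              # "-": drop flags from the set
                caps[name] = "".join(sorted(have - set(flags)))
    return path, caps

def audit(getcap_output: str) -> list[tuple[str, str, str]]:
    """Return (path, capability, severity) for each risky file capability."""
    findings = []
    for line in filter(str.strip, getcap_output.splitlines()):
        path, caps = parse_getcap_line(line)
        for cap, flags in caps.items():
            if cap not in DANGEROUS_CAPS or not ({"e", "p"} & set(flags)):
                continue
            interp = os.path.basename(path).startswith(INTERPRETERS)
            if "e" in flags:   # effective: on an interpreter this is a root shell
                sev = "critical" if interp else "high"
            else:              # permitted only: the binary must raise it itself
                sev = "medium"
            findings.append((path, cap, sev))
    return findings

# Constructed sample; the first line is the one linpeas reported on Cap.
SAMPLE_GETCAP = ("/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip\n"
                 "/usr/bin/ping = cap_net_raw+ep\n"
                 "/usr/sbin/some-daemon cap_sys_admin=p\n")
```

On a live host, feed audit() the output of `getcap -r / 2>/dev/null`; anything rated critical should have the capability removed (setcap -r) or be restricted to a dedicated service account.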