HackTheBox-Cap
Rustscan
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Sat, 05 Jun 2021 19:06:17 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Sat, 05 Jun 2021 19:06:10 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Security Dashboard</title>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
| <link rel="stylesheet" href="/static/css/bootstrap.min.css">
| <link rel="stylesheet" href="/static/css/font-awesome.min.css">
| <link rel="stylesheet" href="/static/css/themify-icons.css">
| <link rel="stylesheet" href="/static/css/metisMenu.css">
| <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
| <link rel="stylesheet" href="/static/css/slicknav.min.css">
| <!-- amchar
| HTTPOptions:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Sat, 05 Jun 2021 19:06:11 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Allow: GET, OPTIONS, HEAD
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 196
| <html>
| <head>
| <title>Bad Request</title>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
| </body>
|_ </html>
| http-methods:
|_ Supported Methods: GET OPTIONS HEAD
|_http-server-header: gunicorn
|_http-title: Security Dashboard
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin
PORT 80 (HTTP)
We can enumerate what's on the web page
Then I saw we can download a pcap file
But that file was empty
I ran dirsearch to fuzz for files and directories
After running dirsearch I saw that some packets were captured
I kept banging my head against the wall, so I went to their Twitter to see the announcement of this box, as that might give a hint
Here it refers to Flask and Cap, which is referring to pcap files, so I thought maybe there's SSTI involved in the Flask application and started trying payloads like {{7*7}}
It didn't work. Here I wasted the majority of my time thinking it had something to do with a Flask SSTI exploit, but I was going down a rabbit hole
Some time passed and I just started switching between different numbers in the Security Snapshots PCAP files. I tried looking at the files /data/1, 2, 3, 4, 5, 6, ... but those pcap files were generated while I was making requests to the machine, scanning it or fuzzing, so this was a dead end until I sent a request to /data/0
On opening this file with Wireshark
There are some things to note
First, we can see local IP addresses, which means this PCAP file is from the target machine
Second, we can see port 21, which is the port for FTP (File Transfer Protocol)
Third, the username nathan
Fourth, the password Buck3tH4TF0RM3!
And lastly, the file being retrieved over FTP, note.txt
So the creds we found are for FTP, so let's try those
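Wireshark shows these details by hand; as an added example that is not part of the original writeup, the following Python parses a libpcap file directly and pairs FTP USER/PASS commands per client connection, which is the check a defender would run over a capture to find logins sent in the clear. The sample capture, IP addresses and credentials are constructed here, not taken from the box.

```python
import struct
# Constructed libpcap file (magic 0xa1b2c3d4, version 2.4, link type 1 = Ethernet);
# this is sample data for the demo, not the capture downloaded from the box.
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def _tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying payload; checksums are left zero (not validated here)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)  # 20-byte header, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload

def _pcap(frames):  # per-record header: ts_sec, ts_usec, incl_len, orig_len (little-endian)
    recs = [struct.pack("<IIII", 1622919970 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return PCAP_GLOBAL_HDR + b"".join(recs)
# Constructed FTP login; username and password are placeholders, not the box's.
SAMPLE_PCAP = _pcap([
    _tcp_frame("192.168.196.1", "192.168.196.16", 54411, 21, b"USER alice\r\n"),
    _tcp_frame("192.168.196.16", "192.168.196.1", 21, 54411, b"331 Please specify the password.\r\n"),
    _tcp_frame("192.168.196.1", "192.168.196.16", 54411, 21, b"PASS hunter2\r\n"),
    _tcp_frame("192.168.196.1", "192.168.196.16", 54411, 21, b"RETR note.txt\r\n"),
])

def tcp_payloads(pcap_bytes):
    """Yield (src_ip, dst_ip, sport, dport, payload) for each TCP segment in a pcap."""
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack("<I", pcap_bytes[off + 8:off + 12])[0]
        frame, off = pcap_bytes[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 carrying TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
               sport, dport, tcp[(tcp[12] >> 4) * 4:])

def find_cleartext_ftp_logins(pcap_bytes):
    """Pair USER/PASS commands per client connection so exposed logins can be rotated."""
    pending, found = {}, []
    for src, dst, sport, dport, data in tcp_payloads(pcap_bytes):
        if dport != 21 or not data:
            continue
        cmd, _, arg = data.decode("ascii", "replace").strip().partition(" ")
        if cmd.upper() == "USER":
            pending[(src, sport)] = arg
        elif cmd.upper() == "PASS" and (src, sport) in pending:
            found.append({"client": src, "server": dst, "user": pending.pop((src, sport)), "password": arg})
    return found
```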
PORT 21 (FTP)
And we got user.txt. Now let's try these same creds on SSH; maybe we can log in to the machine with them
PORT 22 (SSH)
And boom, we are in the machine. Now let's check sudo -l
It seems we are not in the sudoers group, so the next thing I wanted to check was whether the web application was actually built on Flask, as SSTI didn't work, so I went to /var/www/html
And this indeed looks like a Flask application, so I decided to look at the source code
Here we can see something interesting: python3 is being used, and the user ID is being set to 0, which is the root user's, and then it captures packets with tcpdump. This made me think that by default we cannot do this with python3, so I tried to look for capabilities on the machine.
As for what these are: capabilities are special attributes in the Linux kernel that grant processes and binary executables specific privileges that are normally reserved for processes whose effective user ID is 0.
So let's search for capabilities using this command
getcap -r / 2>/dev/null
We can see here that python3 has cap_setuid, which allows arbitrary manipulation of process user IDs
We could have found this capability with linpeas as well
Since python3 has this capability, we can easily get a shell from here by setting the UID to 0 (which is the root user's ID), so let's visit GTFOBins
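As an added example that is not part of the original writeup, this Python decodes the security.capability xattr that getcap reads (struct vfs_cap_data) and flags files whose effective set holds a root-equivalent capability such as cap_setuid, which is the audit a defender would run to catch this misconfiguration. The sample xattr bytes and the /usr/bin/python3 path are constructed for the demo; audit_tree() is a live Linux-only walk equivalent to the getcap -r command above.

```python
import os
import struct
# Capability bit numbers from linux/capability.h (the subset this audit names).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search", 3: "cap_fowner",
             6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap", 10: "cap_net_bind_service",
             12: "cap_net_admin", 13: "cap_net_raw", 16: "cap_sys_module", 19: "cap_sys_ptrace",
             21: "cap_sys_admin", 31: "cap_setfcap"}
# Capabilities that, when effective on a binary any local user can run, are as good as root.
ROOT_EQUIVALENT = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
                   "cap_fowner", "cap_sys_admin", "cap_sys_module", "cap_sys_ptrace", "cap_setfcap"}
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # low bit of magic_etc: the "e" in getcap's "+eip"

def decode_vfs_caps(raw):
    """Decode a security.capability xattr (struct vfs_cap_data, little-endian) into name sets."""
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    pairs = 1 if magic_etc >> 24 == 1 else 2  # revision 1 has one u32 pair, revisions 2 and 3 have two
    permitted = inheritable = 0
    for i in range(pairs):  # data[i] holds capability bits 32*i .. 32*i+31
        p, h = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= h << (32 * i)
    names = lambda mask: {CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1}
    return {"permitted": names(permitted), "inheritable": names(inheritable),
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)}

def assess(path, caps):
    """Return a finding if the file's effective set holds a root-equivalent capability, else None."""
    risky = caps["permitted"] & ROOT_EQUIVALENT
    if caps["effective"] and risky:
        return f"{path}: effective {','.join(sorted(risky))} is root-equivalent; remove with setcap -r"
    return None

def audit_tree(root="/"):
    """Live check (Linux only): the same scan as getcap -r, reading the xattr directly."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability")
            except OSError:  # no capability xattr, permission denied, or file vanished
                continue
            finding = assess(path, decode_vfs_caps(raw))
            if finding:
                findings.append(finding)
    return findings
# Constructed xattr as the kernel stores cap_setuid,cap_net_bind_service+eip: revision 2,
# effective flag set, bits 7 and 10 in permitted and inheritable, high words empty.
SAMPLE_XATTR = struct.pack("<IIIII", 0x02000000 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 7 | 1 << 10, 1 << 7 | 1 << 10, 0, 0)
```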