Wednesday, August 4, 2021

Cap | Hack The Box (HTB) | CTF Walkthrough

Hi Guys!! In this blog we will cover the HTB CTF challenge machine named "Cap", which is rated as an easy machine. Capture the flag (CTF) challenges/games can help you understand many aspects of information security. CTF/HTB challenges are full of learning about new vulnerabilities, RCE, privilege escalation, etc.

Contents

1. Scanning
2. Enumeration
3. Exploiting
4. Privilege Escalation


1. Scanning
The first step is to scan the ports and services running on the target. One of the most popular port scanners is Nmap, which lets the tester discover all open ports and the services running on the target host. Exhibit 1 shows that ports 21, 22 and 80 are open.

nmap -sC -sV 10.10.10.245

Exhibit 1
2. Enumeration
Running the default scripts (-sC) in Nmap, or checking anonymous login manually, shows that we don't have anonymous FTP access.

Exhibit 2

Let's run Nikto and Dirb to see if we get any additional information.

Nikto is a command-line vulnerability scanner that scans web servers for dangerous files/CGIs, outdated server software and other problems.

nikto -h http://10.10.10.245/

Exhibit 3

Dirb/DirBuster are tools to brute force directory and file names based on wordlists.

dirb http://10.10.10.245

Exhibit 4

When browsing the website, it displays the results of network monitoring. In the left sidebar menu, we can see "5 Second PCAP (packet capture) Analysis". PCAP files contain the data/packets sent over a network.

Exhibit 5

We can also download these files and analyse them later.

Exhibit 6

When browsing http://10.10.10.245/data/4, the application didn't show any packets. So, I changed the path parameter from 4 to 0.

Exhibit 7

Fortunately, it worked. If it hadn't, we would have started fuzzing the parameter rather than testing values one by one. Let's download the pcap file and open it in Wireshark.

Exhibit 8

When analysing 0.pcap, we can see a username and password in the captured traffic.
3. Exploiting
Let's use the credentials we found to log in to FTP. The credentials work, and we can see the user.txt file as well.

Exhibit 9

Let's try to log in to SSH with the same credentials.

ssh nathan@10.10.10.245

Exhibit 10

Congrats, we got user access and the user's flag in the home directory.

cat user.txt
4. Privilege Escalation
Next, while enumerating ways to escalate privileges, I found a setuid capability that could escalate our privileges to a root shell. As shown in the Exhibit below, the python3.8 binary on the target has cap_setuid set.

getcap -r / 2>/dev/null

Exhibit 11

If a binary has the Linux CAP_SETUID capability set, or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.

A quick search on this capability led to the command to execute for a root shell.

# https://gtfobins.github.io/gtfobins/python/#capabilities
python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

BINGO!!! As shown in Exhibit 12, we executed the above command and got a root shell.
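As an added, defender-side example (not part of the original post), the script below parses `getcap -r /` output, in both the older "path = caps" and the newer "path caps" format, and flags binaries whose file capabilities include cap_setuid or other root-equivalent capabilities, the way the python3.8 finding above would be caught in an audit. The DANGEROUS_CAPS list and the sample getcap output are constructed assumptions.

```python
import re

# Capabilities that let a process become root or bypass access control.
# Assumption: a defender's starting list, not an exhaustive one.
DANGEROUS_CAPS = {
    "cap_setuid": "can change its UID to 0 (the path used on Cap)",
    "cap_setgid": "can change its GID and supplementary groups",
    "cap_sys_admin": "broad admin rights (mounts, namespaces, ...)",
    "cap_dac_override": "bypasses file permission checks",
}

# getcap prints "path = caps+flags" (older libcap) or "path caps+flags" (libcap >= 2.41).
_LINE_RE = re.compile(r"^(?P<path>\S+)\s*(?:=\s*)?(?P<caps>[a-z_,]+)(?P<flags>[+=-][a-zA-Z]*)?\s*$")


def parse_getcap_line(line):
    """Return {'path', 'caps', 'flags'} for one getcap line, or {} if it does not parse."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return {}
    return {"path": m.group("path"),
            "caps": [c for c in m.group("caps").split(",") if c],
            "flags": m.group("flags") or ""}


def audit_capabilities(getcap_output):
    """Return one finding per binary carrying at least one dangerous capability."""
    findings = []
    for line in getcap_output.splitlines():
        entry = parse_getcap_line(line)
        risky = [c for c in entry.get("caps", []) if c in DANGEROUS_CAPS]
        if risky:
            findings.append({
                "path": entry["path"],
                "risky": risky,
                "why": "; ".join(DANGEROUS_CAPS[c] for c in risky),
                # Remediation: strip the file capability, then re-grant only what the
                # program truly needs (e.g. cap_net_bind_service alone for low ports).
                "fix": f"setcap -r {entry['path']}",
            })
    return findings


# Constructed sample of `getcap -r / 2>/dev/null` output, modelled on the page's finding.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/sbin/mtr-packet cap_net_raw+ep
"""

if __name__ == "__main__":
    for f in audit_capabilities(SAMPLE_GETCAP):
        print(f"[!] {f['path']}: {','.join(f['risky'])} ({f['why']}) -> {f['fix']}")
```

Feed it the real output of `getcap -r / 2>/dev/null` from a host to get the same report for that machine.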

Exhibit 12


Hope you learned and enjoyed it!!
