Box 5: HTB - Cap

First time to hit the real machine in HTB. It seems to be easier than series of boxes in Starting Point.

Enumeration

As usual, I start scanning this box with Nmap:

sudo nmap -sV -n -vv -Pn -T4 -p- -A 10.10.10.245 --open

PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 gunicorn

What is gunicorn? A Web technology? I’ve not ever known it

nmap --script vuln -vv 10.10.10.245

I detect that this website may be vulnerable with CSRF attack. Cannot exploit this vulnerability. Then, let’s navigate the web site (port 80).

Dashboard doesn’t have special things. I’ve tried SQLi, checking cookie, viewing source code,… though not have fun. Maybe this is just a statistic page about network access and connections for this machine.

Homepage

The top left-hand corner will have a menu:

Menu

1. Dashboard: you are here!

3. IP Config: information about network adapters on this machine

4. Network Status: display the result from netstat command

You’ll be attracted with the 2nd option. This page allow us to download the traffic capture files. Currently, I am at index 7, so there is no packet to capture.

All of numbers are 0

If you tried modifying the index in range from 0-10, the miracle will happen.

Some difference occurred

Let’s open this .pcap file in Wireshark for analysis and follow TCP stream with FTP traffic (Port 21), you will find the username + password for FTP login:

Open traffic capture files with Wireshark

FTP traffic detection

USER anonymous
PASS IEUser@

Try using this to log in to FTP service on this machine. I hope it will be successful.

Oops, FTP login failed. Maybe this credential was input from other users.

I has found another directory: http://10.10.10.245/data/0. It always exists here and this is a key for us to discover.

http://10.10.10.245/data/0

Yep, the FTP credential is for nathan user, I guess this is things I need.

USER nathan
PASS Buck3tH4TF0RM3!

Try to log in to FTP service once again. Beautiful!

After that, dir command helped me to find user.txt flag. Then, I used get command to download this file and submit it to HTB immediately.

If you use ls -la to list all in this directory, you will find here is home directory. Hmm, I guessed it must be home directory of nathan user. So, I also try to connect SSH with the above credential.

Privilege Escalate

After successful SSH login, I searched for the sudo permissions, SUID binaries and capabilities that could escalate the privileges by giving us the root shell.

In Linux, files may be given specific capabilities. For example, if an executable needs to access (read) files that are only readable by root, it is possible to give that file this 'permission' without having it run with complete root privileges. This allows for a more secure system in general. For more info about this subject, click here: Man page capabilities

Command getcap is used to view capabilities and and setcap is used to set capabilities, respectively. They usually belong to the libcap2-bin package on Debian and Debian-based distributions.

getcap -r / 2>/dev/null

We would start by scanning the file system for files with capabilities using getcap -r / The -r flag tells getcap to search recursively, '/' to indicate that we want to search the whole system. '/' is the root directory, everything on your Linux system is located under the / directory.

Fortunately, we have cap_setuid available or the python3.8 binary on the target.

File capabilities in Linux

So, what’s the meaning of the strange +eip suffix? This requires a brief digression into the nature of capabilities. Each process has three sets of capabilities - inheritable, permitted and effective:

• Effective capabilities are those which define what a process can actually do. For example, it can’t deal with raw sockets unless CAP_NET_RAW is in the effective set.
• Permitted capabilities are those which a process is allowed to have should it ask for them with the appropriate call. These don’t allow a process to actually do anything unless it’s been specially written to ask for the capability specified. This allows processes to be written to add particularly sensitive capabilities to the effective set only for the duration when they’re actually required.
• Inheritable capabilities are those which can be inherited into the permitted set of a spawned child process. During a fork() or clone() operation the child process is always given a duplicate of the capabilities of the parent process, since at this point it’s still running the same executable. The inheritable set is used when an exec() (or similar) is called to replace the running executable with another. At this point the permitted set of the process is masked with the inheritable set to obtain the permitted set that will be used for the new process.

So, the setcap utility allows us to add capabilities to these three sets independently for a given executable. Note that the meaning of the groups is interpreted slightly different for file permissions, however:

• Permitted file capabilities are those which are always available to the executable, even if the parent process which invoked it did not have them. These used to be called “forced” capabilities.
• Inheritable file capabilities specifies an additional mask which can also be used to remove capabilities from the calling process’s set. It applies in addition to the calling process’s inheritable set, so a capability is only inherited if exists in both sets.
• Effective file capability is actually just a single bit rather than a set, and if set then it indicates that the entire permitted set is also copied to the effective set of the new process. This can be used to add capabilities to processes which weren’t specifically written to request them. Since it is a single bit, if you set it for any capability then it must be set for all capabilities. You can think of this as the “legacy” bit because it’s used to allow capabilities to be used for applications which don’t support them.

In summary, the permitted set contains all of the capabilities that a process is ultimately capable of realizing. The effective set is the capabilities a process has elected to utilize from its permitted set. It’s as if you had a huge arsenal of poetry (permitted set) but chose only to arm yourself with Allen Ginsberg for the task at hand (effective set). The inheritable set defines which capabilities may be passed on to any programs that replace the current process image via exec(2). Please note that fork(2) does nothing special with capabilities. The child simply receives an exact copy of all three capabilities sets.

Only capabilities in the permitted set can be added to the effective or inheritable set. Capabilities cannot be added to the permitted set of a process unless CAP_SETPCAP is set. Refer to Taking Advantage of Linux Capabilities.

So, the setcap utility allows us to add capabilities to these three sets independently for a given executable. Reference: http://www.andy-pearce.com/blog/posts/2013/Mar/file-capabilities-in-linux/

With the capability cap_setuid from /usr/bin/python3.8, we can easily escalate up to the root privilege with the command below:

python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Let me explain some things:

import os- The OS module in Python provides functions for interacting with the operating system. OS comes under Python’s standard utility modules. This module provides a portable way of using operating system-dependent functionality. The *os* and *os.path* modules include many functions to interact with the file system.

os.setuid(0)- os.setuid() method is used to set the current process’s real user id. Setuid is a Linux file permission setting that allows a user to execute that file or program with the permission of the owner of that file. This is primarily used to elevate the privileges of the current user.

User ID: In Unix-like operating systems, a user is identified by a unique value called user ID. User ID is used to determine which system resource a user is authorized to access. UID of root user is 0.

os.system("/bin/bash")- os.system() method execute the command (a string) in a subshell. Then, the whole command will help us spawn a tty bash shell with the privileges of UID 0 from Python interactive mode.

DONE! We have get the root’s shell successfully.

More about Privilege Escalation Gold Mine, refer to this: https://gtfobins.github.io/gtfobins/python/

This is the end for the 5th box on my journey to pursue OSCP certification. All feedback from you will help me complement the details much more when possible. It is a long road ahead 💪

THANKS FOR READING AND SUPPORTING!