Box 5: HTB - Cap
First time to hit the real machine in HTB. It seems to be easier than series of boxes in Starting Point.
As usual, I start scanning this box with Nmap:
sudo nmap -sV -n -vv -Pn -T4 -p- -A 10.10.10.245 --open
PORT STATE SERVICE REASON VERSION21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.322/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)80/tcp open http syn-ack ttl 63 gunicorn
What is gunicorn? A Web technology? I’ve not ever known it
nmap --script vuln -vv 10.10.10.245
I detect that this website may be vulnerable with CSRF attack. Cannot exploit this vulnerability. Then, let’s navigate the web site (port 80).
Dashboard doesn’t have special things. I’ve tried SQLi, checking cookie, viewing source code,… though not have fun. Maybe this is just a statistic page about network access and connections for this machine.
The top left-hand corner will have a menu:
1. Dashboard: you are here!
3. IP Config: information about network adapters on this machine
4. Network Status: display the result from
You’ll be attracted with the 2nd option. This page allow us to download the traffic capture files. Currently, I am at index 7, so there is no packet to capture.
If you tried modifying the index in range from 0-10, the miracle will happen.
Let’s open this .pcap file in Wireshark for analysis and follow TCP stream with FTP traffic (Port 21), you will find the username + password for FTP login:
Try using this to log in to FTP service on this machine. I hope it will be successful.
Oops, FTP login failed. Maybe this credential was input from other users.
I has found another directory:
http://10.10.10.245/data/0. It always exists here and this is a key for us to discover.
Yep, the FTP credential is for
nathan user, I guess this is things I need.
Try to log in to FTP service once again. Beautiful!
dir command helped me to find user.txt flag. Then, I used
get command to download this file and submit it to HTB immediately.
If you use
ls -la to list all in this directory, you will find here is home directory. Hmm, I guessed it must be home directory of
nathan user. So, I also try to connect SSH with the above credential.
After successful SSH login, I searched for the sudo permissions, SUID binaries and capabilities that could escalate the privileges by giving us the root shell.
In Linux, files may be given specific capabilities. For example, if an executable needs to access (read) files that are only readable by root, it is possible to give that file this 'permission' without having it run with complete root privileges. This allows for a more secure system in general. For more info about this subject, click here: Man page capabilities
getcap is used to view capabilities and and
setcap is used to set capabilities, respectively. They usually belong to the
libcap2-bin package on Debian and Debian-based distributions.
getcap -r / 2>/dev/null
We would start by scanning the file system for files with capabilities using
getcap -r / The -r flag tells getcap to search recursively, '/' to indicate that we want to search the whole system. '/' is the root directory, everything on your Linux system is located under the / directory.
Fortunately, we have
cap_setuid available or the
python3.8 binary on the target.
File capabilities in Linux
So, what’s the meaning of the strange
+eip suffix? This requires a brief digression into the nature of capabilities. Each process has three sets of capabilities - inheritable, permitted and effective:
- Effective capabilities are those which define what a process can actually do. For example, it can’t deal with raw sockets unless
CAP_NET_RAWis in the effective set.
- Permitted capabilities are those which a process is allowed to have should it ask for them with the appropriate call. These don’t allow a process to actually do anything unless it’s been specially written to ask for the capability specified. This allows processes to be written to add particularly sensitive capabilities to the effective set only for the duration when they’re actually required.
- Inheritable capabilities are those which can be inherited into the permitted set of a spawned child process. During a
clone()operation the child process is always given a duplicate of the capabilities of the parent process, since at this point it’s still running the same executable. The inheritable set is used when an
exec()(or similar) is called to replace the running executable with another. At this point the permitted set of the process is masked with the inheritable set to obtain the permitted set that will be used for the new process.
setcap utility allows us to add capabilities to these three sets independently for a given executable. Note that the meaning of the groups is interpreted slightly different for file permissions, however:
- Permitted file capabilities are those which are always available to the executable, even if the parent process which invoked it did not have them. These used to be called “forced” capabilities.
- Inheritable file capabilities specifies an additional mask which can also be used to remove capabilities from the calling process’s set. It applies in addition to the calling process’s inheritable set, so a capability is only inherited if exists in both sets.
- Effective file capability is actually just a single bit rather than a set, and if set then it indicates that the entire permitted set is also copied to the effective set of the new process. This can be used to add capabilities to processes which weren’t specifically written to request them. Since it is a single bit, if you set it for any capability then it must be set for all capabilities. You can think of this as the “legacy” bit because it’s used to allow capabilities to be used for applications which don’t support them.
In summary, the permitted set contains all of the capabilities that a process is ultimately capable of realizing. The effective set is the capabilities a process has elected to utilize from its permitted set. It’s as if you had a huge arsenal of poetry (permitted set) but chose only to arm yourself with Allen Ginsberg for the task at hand (effective set). The inheritable set defines which capabilities may be passed on to any programs that replace the current process image via
exec(2). Please note that
fork(2) does nothing special with capabilities. The child simply receives an exact copy of all three capabilities sets.
Only capabilities in the permitted set can be added to the effective or inheritable set. Capabilities cannot be added to the permitted set of a process unless
CAP_SETPCAP is set. Refer to Taking Advantage of Linux Capabilities.
setcap utility allows us to add capabilities to these three sets independently for a given executable. Reference: http://www.andy-pearce.com/blog/posts/2013/Mar/file-capabilities-in-linux/
With the capability
/usr/bin/python3.8, we can easily escalate up to the root privilege with the command below:
python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Let me explain some things:
import os- The OS module in Python provides functions for interacting with the operating system. OS comes under Python’s standard utility modules. This module provides a portable way of using operating system-dependent functionality. The *os* and *os.path* modules include many functions to interact with the file system.
os.setuid(0)- os.setuid() method is used to set the current process’s real user id. Setuid is a Linux file permission setting that allows a user to execute that file or program with the permission of the owner of that file. This is primarily used to elevate the privileges of the current user.
User ID: In Unix-like operating systems, a user is identified by a unique value called user ID. User ID is used to determine which system resource a user is authorized to access. UID of root user is 0.
os.system("/bin/bash")- os.system() method execute the command (a string) in a subshell. Then, the whole command will help us spawn a tty bash shell with the privileges of UID 0 from Python interactive mode.
DONE! We have get the root’s shell successfully.
More about Privilege Escalation Gold Mine, refer to this: https://gtfobins.github.io/gtfobins/python/
This is the end for the 5th box on my journey to pursue OSCP certification. All feedback from you will help me complement the details much more when possible. It is a long road ahead 💪
THANKS FOR READING AND SUPPORTING!