Writeup: HackTheBox Cap - Without Metasploit (OSCP Prep)

xyzchris0

Chris

Posted on October 5, 2021

Writeup: HackTheBox Cap - Without Metasploit (OSCP Prep)

Hello again! I decided to give Cap from Hackthebox a try and providing the below writeup on how to gain access to the box.

Let's go!

Command:

nmap -sC -sV -O -T4 -p- -oN nmap.txt 10.10.10.245

  1. -sV = Probe open ports to determine service/Versions info
  2. -T4 = Set timing for faster output (0-5)
  3. -oN = Output to save it to a file
  4. -p- = Scan all 65535 ports
  5. -O = Operating System Detection
  6. -sC = Default Scripts

Alt Text

Ports Open:

  1. 21 FTP vsftpd 3.0.3, vsftpd, is an FTP server for Unix-like systems, including Linux. It is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux distributions. It is licensed under the GNU General Public License. It supports IPv6, TLS and FTPS.
  2. 22 SSH OpenSSH 8.2p1, OpenSSH is a suite of secure networking utilities based on the Secure Shell protocol, which provides a secure channel over an unsecured network in a client–server architecture.
  3. 80 HTTP Gunicorn, The Gunicorn "Green Unicorn" is a Python Web Server Gateway Interface HTTP server. It is a pre-fork worker model, ported from Ruby's Unicorn project. The Gunicorn server is broadly compatible with a number of web frameworks, simply implemented, light on server resources and fairly fast

I am going to run the Nmap Vuln scan while I check out the website.

Alt Text

Now for the results:

Alt Text

There is a CSRF and a DoS vulnerability being shown from Nmap.

Re-checking out the site we notice a few things.

  1. We are logged in via a person named Nathan
  2. The Dashboard has a few different sections such as (PCAP, IP Config and Network Status)

I ran Dirb on the site but it didnt come up with anything interesting the first time around.

The PCAP option looks like a download, and when I select on the option again while scrolling through it changes the URL from 2 to 3.

There might be some other hidden Directories here, so lets try to give Dirb another chance to find something else.

Command:

dirb http://10.10.10.245/data/

Alt Text

Head over to each one of the Directories found and look at the different PCAP captures.

Now after doing this you should see a big difference between the different PCAPs.

If you haven't already, do the following to review them.

Command:

wireshark 0.pcap

Alt Text

Sort by FTP, then scroll down in the page and you should see a password Buck3tH4TF0RM3!

Alt Text

Now save the password to your local machine.

Command:

Cat > password.txt
Buck3tH4TF0RM3!

Now taking the information we found earlier about a user named nathan and combining it with the new password we found lets give it a go. I first tried the FTP but that failed.

I then turned to the SSH port.

Command:

ssh nathan@10.10.10.245

Insert the password from above

Alt Text

Command:

Sudo -l

We see that with our current permissions we are unable to run the Sudo command.

Alt Text

Let's see if we can snag a userflag while we are here.

Command:
**ls

cat user.txt

Well that was easier than I thought!

Alt Text

Following the link we are going to attempt a Priv Esc link.

Pulled text from the site:

"We would start by scanning the file system for files with capabilities using getcap -r / The -r flag tells getcap to search recursively, ‘/‘ to indicate that we want to search the whole system.

The output is usually filled with tens or hundreds of “Operation not supported” errors, making it hard to read. We can redirect errors to /dev/null to get a cleaner output."

This is checking for the sudo permissions and SUID binaries.

Looking over the *Gtfobins site I come across the following that should help out, for more details take a look at this link.

Alt Text

Command:

/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

whoami && id

Alt Text

Alt Text

Alt Text

💖 💪 🙅 🚩
xyzchris0
Chris

Posted on October 5, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related