012#:HTB - Cap
This room is Cap from Hack the Box. Just another one from the list of most system-owns to kick off my Friday morning.
Looks like we have FTP, SSH, and HTTP. I get a gobuster scan going and then start trying to get anonymous access over FTP.
That was a no-go on the anonymous FTP, but we did get some hits in Gobuster. Navigating to the target in our web browser, we are greeted with some sort of dashboard. Clicking around here I noticed a few things. It looks to be a security system dashboard and we have a user named Nathan. Exploring the menus, we find we can perform a packet capture, view network information, and view some IP config info. When I ran the packet capture it didn’t catch anything, but I noticed the URL path had a number in it.
I tried changing this number to 10, which just refreshed my current page, and when I set it to 2 I got booted back to the main page. When I changed it to 0, though, I could see a prior packet capture that actually has some data in it.
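The bug here is a missing authorization check: the capture ID in the URL is looked up without asking whether the logged-in user owns it. The following is an added example (not code from the post or from the box) showing the pattern in a framework-neutral handler, with the weak lookup next to the fixed one. The `Capture` records, the owner names and the `/captures/...` paths are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Capture:
    id: int
    owner: str
    path: str

# Constructed sample store: two captures belong to "nathan", one to "alice".
CAPTURES = {
    0: Capture(0, "nathan", "/captures/0.pcap"),
    1: Capture(1, "nathan", "/captures/1.pcap"),
    2: Capture(2, "alice", "/captures/2.pcap"),
}

class NotFound(Exception):
    """Raised when no capture matches (HTTP 404 in a real handler)."""

def get_capture_insecure(capture_id: int, current_user: str) -> Capture:
    # Weak version: only checks that the ID exists, so any authenticated
    # user can walk the ID space and read everyone else's captures.
    try:
        return CAPTURES[capture_id]
    except KeyError:
        raise NotFound(capture_id)

def get_capture_secure(capture_id: int, current_user: str) -> Capture:
    # Fixed version: the lookup is scoped to the caller. A capture that
    # exists but belongs to someone else is reported exactly like a missing
    # one, so the endpoint does not confirm which IDs are in use.
    cap = CAPTURES.get(capture_id)
    if cap is None or cap.owner != current_user:
        raise NotFound(capture_id)
    return cap

def can_read(capture_id: int, current_user: str, handler) -> bool:
    # Small helper used to compare the two handlers' behaviour.
    try:
        handler(capture_id, current_user)
        return True
    except NotFound:
        return False

if __name__ == "__main__":
    for cid in (0, 2, 10):
        print(cid, "insecure:", can_read(cid, "nathan", get_capture_insecure),
              "secure:", can_read(cid, "nathan", get_capture_secure))
```

The same scoping applies to the row-level check in whatever store sits behind the handler (for SQL, a `WHERE owner = ?` clause on the lookup), and it is worth a log line on the denied path, since a burst of sequential IDs from one session is exactly the enumeration seen in this writeup.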
Opening this pcap file in Wireshark, we can tell right away this is going to be helpful. Since neither FTP nor HTTP is encrypted, we are bound to find something useful here. Right away we stumble on our user Nathan authenticating over FTP, which gives us their password.
Even though we have some credentials now, I am going to finish skimming this pcap for anything useful. Nothing jumped out at me though, so I moved on to trying our new FTP password. I pulled what I could over to my machine and began inspecting.
The file user.txt that we get here actually contains the first flag. With that down, I went on to logging in over SSH as Nathan. This user doesn’t have any sudo rights or interesting group memberships. I spun up a web server and transferred linpeas.sh over to begin scanning the system.
I looked into the sudo version that was flagged but didn’t see anything promising enough to be worth trying. Linpeas flagged with high confidence that this box is vulnerable to CVE-2021-3560. I followed steps in this article but I couldn’t get it working. Checked the sshd_config file it flagged at /usr/share/openssh/ but there was nothing notable. Scrolling on, we come across another high confidence PE path.
With this info in mind I headed over to GTFOBins and looked at their documentation for python. Sure enough, this gets us root and our final flag.