Cap HackTheBox WalkThrough
This is the Cap HackTheBox machine walkthrough. In this writeup, I have demonstrated step by step how I rooted the Cap HackTheBox machine. Before starting, let us know something about this box. It is a Linux box with IP address 10.10.10.245 and difficulty level Easy, as assigned by its maker.
First of all, connect your PC to the HackTheBox VPN and confirm your connectivity to the Cap machine by pinging its IP 10.10.10.245. If all goes well, it is time to start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed: it helps with banner grabbing of the services running on the different ports and sometimes also helps with vulnerability assessment. I used nmap for this task and the result is given below:
$ sudo nmap -sV -sT -p- -oN full-port.nmap 10.10.10.245
Nmap found ports 21, 22 and 80 open: vsftpd 3.0.3 on port 21, OpenSSH 8.2p1 on port 22 and the gunicorn web server on port 80. Since an ftp server is running, I first checked whether anonymous login is allowed. It is not. Then I googled "vsftpd 3.0.3 exploit" for any exploit related to this version, but none was found.
After that I began to enumerate port 80. Since a web server is running there, a website must be reachable through the URL http://10.10.10.245/, so let us see what is present at this URL. The website at http://10.10.10.245 is a Security Dashboard that shows statistics of all the security events that occurred at IP 10.10.10.245. Nathan is a user already logged in to this website, so he can be our potential user once we are inside this machine. Since we have the username nathan, I started ftp login attempts with it and left them running in the background. Meanwhile I checked for a command injection vulnerability at the URLs http://10.10.10.245/netstat and http://10.10.10.245/ip, because the application executes OS commands there. No command injection vulnerability was found. After some further enumeration, when I still had nothing interesting, I tried directory bruteforcing as usual:
$ sudo dirsearch -u http://10.10.10.245/ -e all -t 100 -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt | tee dirsearch.out
$ sudo dirsearch -u http://10.10.10.245/data/ -e all -r 4 -t 100 -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt | tee dirsearch-data.out
Directory bruteforcing found a large number of files. Accessing each path gives a different captured traffic file. I downloaded the file from URL http://10.10.10.245/data/0 and opened it with wireshark (a network protocol analyzer) to analyze the traffic captured in it.
$ wireshark 0.pcap
This file contains the login credentials of nathan's ftp account. We can clearly see the login handshake because ftp transfers the credentials in cleartext. This is the reason ftp is now replaced with sftp (secure ftp), where login requests are encrypted and a user capturing the traffic won't be able to see the credentials in cleartext.
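As an added example (not part of this walkthrough and not one of the box's files), here is a small Python script that does from the defender's side what we just did in Wireshark: it walks the TCP segments of a pcap and alerts on any FTP USER/PASS pair sent in cleartext to port 21, reporting the username but never the password. The capture it parses is constructed inline (a real 0.pcap is not needed) and the password in it is a placeholder.

```python
# Added example, not from the walkthrough: alert on cleartext FTP logins in a pcap.
import struct

def build_pcap(payloads, dport=21):
    """Construct a minimal little-endian pcap (Ethernet/IPv4/TCP) for the demo."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for p in payloads:
        eth = b"\x00" * 12 + b"\x08\x00"                      # EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(p), 0, 0, 64, 6, 0,
                         bytes([10, 10, 14, 2]), bytes([10, 10, 10, 245]))
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
        frame = eth + ip + tcp + p
        out.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def tcp_payloads(pcap):
    """Yield (dst_port, payload) for every IPv4/TCP segment in a pcap file."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("only little-endian pcap is handled here")
    off = 24                                                 # skip global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:    # IPv4 and TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        dport = struct.unpack_from("!H", tcp, 2)[0]
        data_off = (tcp[12] >> 4) * 4
        yield dport, tcp[data_off:]

def find_cleartext_ftp_logins(pcap):
    """Return [(user, password_seen)] for USER/PASS pairs sent to port 21.
    The password itself is deliberately not returned, only that it was sent."""
    logins, user = [], None
    for dport, payload in tcp_payloads(pcap):
        if dport != 21:
            continue
        line = payload.decode("ascii", "replace").strip()
        if line.upper().startswith("USER "):
            user = line[5:].strip()
        elif line.upper().startswith("PASS ") and user:
            logins.append((user, True))
            user = None
    return logins

# Constructed capture; the password is a placeholder, not the real one.
SAMPLE_PCAP = build_pcap([b"USER nathan\r\n", b"PASS placeholder-not-real\r\n"])
HTTP_ONLY_PCAP = build_pcap([b"USER nathan\r\n"], dport=80)
```

Running find_cleartext_ftp_logins over a real capture gives the same signal an IDS rule for cleartext FTP authentication would: which accounts had their password exposed on the wire.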
From above the captured ftp credential is
When I used this credential to log in to nathan's ftp account I could log in, and I could also log in to the SSH account of user nathan. This is due to the reuse of the same credential for two different accounts. So let us SSH into nathan's account.
Getting User Shell
$ ssh nathan@10.10.10.245
$ whoami && id
We are successfully logged in to nathan's account. Let us capture the user flag.
Capture User Flag
$ cat user.txt
To escalate privileges to root we first have to find a privilege escalation vector. We can find a PrivEsc vector either manually or using post-exploitation enumeration scripts like linpeas.sh, LinEnum.sh and many more. I used linpeas.sh for this task.
Finding PrivEsc Vector
Linpeas found that the cap_setuid capability is set on the python3 binary. Capabilities are special rights given to a particular program or command. Here, the cap_setuid capability is assigned to python3, which means a python3 process can change its UID (User ID) to that of any user without being asked for root permission. So our potential privilege escalation vector is getting root by exploiting this capability, if we are able to change the UID to 0 (the UID of root).
When I tried to change the UID using python3, I could easily upgrade user nathan to root. So, indeed, our privilege escalation vector here is capability exploitation to get root. If you don't know anything about capabilities, then this article can be a boon for you.
To get root shell follow the given steps.
Getting Root Shell
$ /usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# whoami && id
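As an added example (not from the walkthrough, and not linpeas code), here is how a defender can audit a host for this exact vector in Python: decode the security.capability extended attribute that setcap writes, following the kernel's vfs_cap_data layout, and report every file whose permitted set contains CAP_SETUID. The sample blobs are constructed to match what setcap cap_setuid+ep and cap_net_raw+ep write; the filesystem walk assumes Linux, since it relies on os.getxattr.

```python
# Added example (not from the walkthrough): decode the security.capability
# xattr that setcap writes and walk a tree for binaries permitted CAP_SETUID,
# the misconfiguration linpeas reported here. Linux-only (os.getxattr).
import os
import struct

CAP_SETUID = 7                       # bit index from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # the "e" in +ep

def decode_vfs_caps(blob):
    """Parse a vfs_cap_data blob (rev 2 = 20 bytes, rev 3 = 24 bytes)."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    if rev not in (0x02000000, 0x03000000) or len(blob) < 20:
        raise ValueError("unsupported security.capability revision")
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
    return {
        "permitted": p_lo | (p_hi << 32),
        "inheritable": i_lo | (i_hi << 32),
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        # rev 3 carries the owning user-namespace root uid; 0 = host root
        "rootid": struct.unpack_from("<I", blob, 20)[0] if rev == 0x03000000 else 0,
    }

def has_cap(blob, cap):
    """True if `cap` is in the file's permitted set (granted on exec)."""
    return bool((decode_vfs_caps(blob)["permitted"] >> cap) & 1)

def find_setuid_capable(root="/"):
    """Like `getcap -r root`, but reports only files permitted CAP_SETUID."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
                if has_cap(blob, CAP_SETUID):
                    hits.append(path)
            except (OSError, ValueError):
                continue             # no xattr, no permission, or unknown format
    return hits

# Constructed blobs equal to what `setcap cap_setuid+ep` / `cap_net_raw+ep`
# write: rev 2 magic with the effective flag, one bit in the low permitted word.
SETCAP_SETUID_EP = struct.pack("<IIIII", 0x02000001, 1 << CAP_SETUID, 0, 0, 0)
SETCAP_NET_RAW_EP = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)
```

On a real host, call find_setuid_capable("/usr") (or another narrow root) rather than "/" to avoid walking /proc and /sys, and compare the hits with getcap -r / 2>/dev/null; any interpreter such as python3 in that list is the same finding linpeas raised on this box.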
We have successfully got root. Let us capture the root flag.
Capture Root Flag
$ cat /root/root.txt
This was how I rooted the Cap HackTheBox machine. I learnt a lot from this challenge and hope you have also learnt something new. Thanks for reading this walkthrough. For any query or suggestion about the walkthrough, feel free to write to us at [email protected].