Hack the Box - CAP
1. Recon
We start off by running rustscan to find any open ports on the box.
Afterwards we can start a gobuster scan to find any directories while we take a look at the site.
2.1 Website
The website appears to be a monitoring tool that already has a user logged in.
If we go to /data we can see that network packets are being captured, and we are able to download the PCAP file and view it in Wireshark.
Notice that the capture pages are numbered sequentially, so it makes sense to try lower numbers than the one we land on in the hope of finding older PCAP files. /0 is valid and lets us download a capture from when Nathan logged into the FTP server.
If we load that PCAP file into Wireshark we can see Nathan's username and password, since FTP sends them in cleartext.
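The download endpoint is vulnerable because its ids are guessable and it never checks who owns a capture. The model below is an added example, not code from this write-up or from the Cap application (which is not shown on the page): it puts the insecure pattern beside a hardened handler that uses unguessable ids and an ownership check. The store, user names and capture paths are constructed for illustration.

```python
"""Added example: sequential-id download handler vs. a hardened version.
Not the Cap application's code; all names and data are constructed."""
import secrets
from dataclasses import dataclass


@dataclass
class Capture:
    owner: str
    path: str


class SequentialCaptureStore:
    """Captures are numbered 0, 1, 2, ... so anyone who sees id 2 can
    guess that ids 0 and 1 exist (the weakness used in the write-up)."""

    def __init__(self):
        self.captures = {}
        self._next = 0

    def add(self, owner, path):
        cid = str(self._next)
        self._next += 1
        self.captures[cid] = Capture(owner, path)
        return cid


class RandomIdCaptureStore(SequentialCaptureStore):
    """Same store, but ids come from a CSPRNG and cannot be counted down."""

    def add(self, owner, path):
        cid = secrets.token_urlsafe(16)
        self.captures[cid] = Capture(owner, path)
        return cid


def insecure_download(store, capture_id):
    """Vulnerable handler: whoever supplies an id gets the file."""
    cap = store.captures.get(capture_id)
    return cap.path if cap else None


def secure_download(store, session_user, capture_id):
    """Hardened handler: the file is returned only to its owner.
    Missing and foreign captures give the same answer, so a caller
    cannot learn which ids exist by probing."""
    cap = store.captures.get(capture_id)
    if cap is None or cap.owner != session_user:
        return None
    return cap.path


def build_sample_store(store_cls):
    """Constructed sample: an older capture owned by nathan and a newer
    one owned by another user. Returns the store and ids in insertion order."""
    store = store_cls()
    ids = [
        store.add("nathan", "/captures/nathan-ftp-login.pcap"),
        store.add("alice", "/captures/alice-scan.pcap"),
    ]
    return store, ids


if __name__ == "__main__":
    store, ids = build_sample_store(SequentialCaptureStore)
    # A user who lands on the newest capture can walk down to id "0" ...
    print("insecure:", insecure_download(store, "0"))
    # ... but the hardened handler refuses a capture they do not own.
    print("secure:", secure_download(store, "alice", "0"))
```

Random ids alone are not a fix (an id can still leak through logs or referrers); the ownership check is what closes the hole, and the unguessable id just removes the cheap enumeration path.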
3. Foothold
Nathan's credentials work on the FTP server and also let us SSH into the box and grab the user flag.
4. Privilege Escalation
From there we can upload LinPEAS to the box by hosting a Python web server and using wget to fetch it from our attack box. Running linpeas.sh shows us that the python3 binary has the cap_setuid capability set.
Heading over to www.gtfobins.com, we see that we can get a root shell because this capability is enabled.
Using the GTFOBins command we're able to get a root shell and grab the root flag.
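The root cause here is a file capability that lets a general-purpose interpreter change its uid, which is equivalent to root for anyone who can run it. The audit below is an added example (not from this write-up or from LinPEAS): it parses `getcap -r /` output, flags identity-changing capabilities, and rates interpreters as critical. The sample lines are constructed, the interpreter list is an assumption about what counts as general-purpose, and both libcap output styles (`/path = cap_x+ep` and `/path cap_x=ep`) are handled. The remediation shown, `setcap -r`, is the standard way to strip capabilities from a file.

```python
"""Added example: audit getcap output for risky file capabilities.
Sample lines and paths below are constructed for illustration."""
import re

# Capabilities that effectively grant root when set on something a user
# can drive arbitrary code through.
IDENTITY_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_chown", "cap_fowner",
}

# Assumption: these basenames are general-purpose interpreters/editors.
INTERPRETER_RE = re.compile(
    r"/(python[\d.]*|perl[\d.]*|ruby[\d.]*|node|php[\d.]*|lua[\d.]*"
    r"|bash|sh|vim|nano|gdb)$"
)

# Constructed sample of `getcap -r / 2>/dev/null`, mixing both libcap styles.
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/local/bin/perl cap_setuid,cap_net_bind_service=ep
"""


def parse_getcap_line(line):
    """Return (path, set_of_caps, flags) or None for unparseable lines."""
    line = line.strip()
    if not line:
        return None
    path, _, rest = line.partition(" ")
    rest = rest.strip()
    if rest.startswith("="):          # older libcap: '/path = caps+flags'
        rest = rest[1:].strip()
    m = re.match(r"^([a-z0-9_,]+)[+=]([eip]+)$", rest)
    if not m:
        return None
    return path, set(m.group(1).split(",")), m.group(2)


def audit_capabilities(getcap_output):
    """Flag binaries carrying identity-changing capabilities."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps, flags = parsed
        risky = caps & IDENTITY_CAPS
        if not risky:
            continue
        effective = "e" in flags                  # active without prctl()
        interpreter = bool(INTERPRETER_RE.search(path))
        if interpreter and effective:
            severity = "critical"
        elif interpreter:
            severity = "high"
        else:
            severity = "review"
        findings.append({
            "path": path,
            "caps": sorted(risky),
            "flags": flags,
            "severity": severity,
            "fix": f"setcap -r {path}",   # remove the file capability
        })
    return findings


if __name__ == "__main__":
    for f in audit_capabilities(SAMPLE_GETCAP_OUTPUT):
        print(f"[{f['severity']}] {f['path']} {','.join(f['caps'])}"
              f"+{f['flags']}  ->  {f['fix']}")
```

Run it against real output with `getcap -r / 2>/dev/null | python3 audit.py` after swapping the sample for `sys.stdin.read()`; the fix for a finding like the python3 one is to drop the capability and, if the program really needed it, move that privilege into a dedicated, non-scriptable helper.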