Cap
Personal Rating: Easy
Enumeration
A first nmap scan:
sudo nmap -sV <IP>
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2
80/tcp open http gunicorn
gunicorn webserver, uses popper
http://10.10.10.245/ip shows ip info
http://10.10.10.245/netstat shows netstat output
An OS command injection was my first idea here.
IDOR Vulnerability
You can start a download at http://10.10.10.245/download/02. The files 2, 02, 002 etc. are the same. Fuzzing the number, you find a few more between 0 and 9 that have a non-trivial size, which indicates interesting contents.
I downloaded them with wget and will inspect them with Wireshark.
1: empty
6: empty
8: empty
0: “ftp login successful”, RETR notes.txt, got nathan:Buck3tH4TF0RM3!
8: not so interesting
7: looks like a brute force on php files, but not interesting
9: looks like a brute force, but also not interesting
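The interesting capture above is an FTP session whose USER/PASS commands travel in cleartext. The following script is an added example, not part of the original writeup: it parses a classic pcap file (Ethernet/IPv4/TCP, no pcapng) and reports every credential sent to the FTP control port, which is the check a defender would run over their own captures to find cleartext logins. The embedded capture is constructed inline so the script runs offline; the password in it is a placeholder, not the one from the box.

```python
import struct
from typing import Iterator, List, Tuple


# --- Constructed sample capture (built inline; not from the box) ---
def _pcap_record(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Wrap an application payload in TCP/IPv4/Ethernet plus a pcap record header."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    src, dst = (bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    if src_port == 21:  # server replies flow the other way
        src, dst = dst, src
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0, src, dst)
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


# magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

SAMPLE_PCAP = PCAP_GLOBAL_HEADER + b"".join([
    _pcap_record(b"220 (vsFTPd 3.0.3)\r\n", 21, 51000),
    _pcap_record(b"USER nathan\r\n", 51000, 21),
    _pcap_record(b"331 Please specify the password.\r\n", 21, 51000),
    _pcap_record(b"PASS s3cret-placeholder\r\n", 51000, 21),  # constructed placeholder
    _pcap_record(b"230 Login successful.\r\n", 21, 51000),
    _pcap_record(b"RETR notes.txt\r\n", 51000, 21),
])


def iter_tcp_payloads(pcap: bytes) -> Iterator[Tuple[str, str, int, int, bytes]]:
    """Yield (src_ip, dst_ip, src_port, dst_port, payload) for each TCP segment with data."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, offset)
        frame = pcap[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        ip_hdr = frame[14:14 + ihl]
        if ip_hdr[9] != 6:
            continue  # not TCP
        total_len = struct.unpack_from("!H", ip_hdr, 2)[0]
        src_ip = ".".join(map(str, ip_hdr[12:16]))
        dst_ip = ".".join(map(str, ip_hdr[16:20]))
        tcp = frame[14 + ihl: 14 + total_len]
        if len(tcp) < 20:
            continue
        src_port, dst_port = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        payload = tcp[data_off:]
        if payload:
            yield src_ip, dst_ip, src_port, dst_port, payload


FTP_CREDENTIAL_VERBS = (b"USER ", b"PASS ")


def find_cleartext_ftp_logins(pcap: bytes, ftp_port: int = 21) -> List[Tuple[str, str, str, str]]:
    """Return (client_ip, server_ip, verb, value) for every USER/PASS sent to the FTP control port."""
    findings = []
    for src_ip, dst_ip, _, dst_port, payload in iter_tcp_payloads(pcap):
        if dst_port != ftp_port:
            continue
        for line in payload.split(b"\r\n"):
            if line[:5] in FTP_CREDENTIAL_VERBS:
                verb = line[:4].decode()
                findings.append((src_ip, dst_ip, verb, line[5:].decode(errors="replace")))
    return findings


if __name__ == "__main__":
    for client, server, verb, value in find_cleartext_ftp_logins(SAMPLE_PCAP):
        print(f"{client} -> {server}: {verb} {value}")
```

To run it over a real capture, read the file into `bytes` and pass it to `find_cleartext_ftp_logins`; anything it reports is a login that an on-path observer could also read, which is the argument for moving such services to FTPS/SFTP.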
You could SSH onto the server with nathan's credentials.
Script w/ SetSUID Cap
In /var/www/html there was a file called app.py, owned by nathan. It contained os.setuid(0) among other things, which revealed that you could start a root shell. I did so in Python:
import os; os.setuid(0); os.system("/bin/bash");
The file /usr/bin/python3.8 is owned by root, but it is not an SUID binary. However, if you scan the machine with LinPEAS, you find that the cap_setuid capability is set on the Python binary.
This also explains the name of the box, “cap”: the privesc uses Linux capabilities, which split the privileges of root into individual units that can be granted to a binary without making it SUID. capsh is a utility related to them.
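File capabilities live in the security.capability extended attribute of the binary, which is what getcap and LinPEAS read. The script below is an added example, not code from the writeup or from LinPEAS: it decodes that xattr (struct vfs_cap_data, revisions 1 to 3) and walks a directory tree to flag files carrying a root-equivalent capability such as cap_setuid, which is the audit an administrator would run to catch an interpreter like python3.8 that should never have it. The two sample xattr values are constructed inline (what setcap would write for cap_setuid+ep and for cap_net_bind_service+ep); os.getxattr is Linux-only, so the tree walk simply returns nothing elsewhere.

```python
import os
import struct
from typing import Dict, List, Tuple

# Capability bit numbers from <linux/capability.h> (a subset is enough for the report).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search", 3: "cap_fowner",
    4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap",
    10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw",
    19: "cap_sys_ptrace", 21: "cap_sys_admin", 31: "cap_setfcap",
}
# Capabilities that let a process become root or read/write as root.
ROOT_EQUIVALENT_BITS = {1, 2, 6, 7, 8, 19, 21, 31}
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

# Constructed samples of the raw xattr, little-endian, revision 2 (magic 0x02000000 | flags).
SAMPLE_SETUID_XATTR = struct.pack("<IIIII", 0x02000001, 1 << 7, 0, 0, 0)   # cap_setuid+ep
SAMPLE_BIND_XATTR = struct.pack("<IIIII", 0x02000001, 1 << 10, 0, 0, 0)    # cap_net_bind_service+ep


def decode_security_capability(raw: bytes) -> Dict[str, int]:
    """Decode struct vfs_cap_data into 64-bit permitted/inheritable masks plus the effective flag."""
    magic_etc, = struct.unpack_from("<I", raw, 0)
    revision = magic_etc >> 24
    words = {1: 1, 2: 2, 3: 2}.get(revision)  # rev 1 has one 32-bit pair, rev 2/3 have two
    if words is None:
        raise ValueError(f"unknown vfs_cap_data revision {revision}")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * words)[0] if revision == 3 else 0
    return {
        "permitted": permitted,
        "inheritable": inheritable,
        "effective": int(bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)),
        "rootid": rootid,  # user namespace root for rev 3 namespaced caps
    }


def cap_names(mask: int) -> List[str]:
    return [CAP_NAMES.get(bit, f"cap_{bit}") for bit in range(64) if (mask >> bit) & 1]


def format_caps(raw: bytes) -> str:
    """Render the xattr in the getcap style, e.g. 'cap_setuid=ep'."""
    caps = decode_security_capability(raw)
    names = cap_names(caps["permitted"] | caps["inheritable"])
    flags = ("e" if caps["effective"] else "") + ("i" if caps["inheritable"] else "") + ("p" if caps["permitted"] else "")
    return ",".join(names) + "=" + flags


def is_root_equivalent(raw: bytes) -> bool:
    caps = decode_security_capability(raw)
    return any((caps["permitted"] >> bit) & 1 for bit in ROOT_EQUIVALENT_BITS)


def audit_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, caps) for files whose permitted set holds a root-equivalent cap."""
    getxattr = getattr(os, "getxattr", None)  # Linux only
    findings: List[Tuple[str, str]] = []
    if getxattr is None:
        return findings
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                raw = getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:
                continue  # no capability xattr, or not readable
            if is_root_equivalent(raw):
                findings.append((path, format_caps(raw)))
    return findings


if __name__ == "__main__":
    for path, caps in audit_tree("/usr"):
        print(f"{path} {caps}")
```

Anything it reports on a general-purpose interpreter or shell is a finding; the fix is `setcap -r <file>` (or rebuilding the package) and, if a service genuinely needs the privilege, granting only the narrow capability it uses, as cap_net_bind_service for a web server, rather than cap_setuid.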