Cap

Personal Rating: Easy

Enumeration

A first nmap scan:

sudo nmap -sV <IP>

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2
80/tcp open  http    gunicorn

• gunicorn webserver, uses popper

• http://10.10.10.245/ip shows ip info

• http://10.10.10.245/netstat shows netstat output

An os command injection was my first idea here.

IDOR Vulnerability

You can start a download here at http://10.10.10.245/download/02. The files 2, 02, 002 etc are the same. Fuzzing for the number, you find some more between 0 and 9 that have a certain size, indicating interesting contents.

I downloaded them with wget and will inspect them with wireshark.

• 1: empty

• 6: empty

• 8: empty

• 0: “ftp login successful”, RETR notes.txt, got nathan:Buck3tH4TF0RM3!

• 8: not so interesting

• 7: looks like a bruteforce on php files, but not interesting

• 9: looks like a bruteforce, but also not interesting

You could ssh onto the server with nathans credentials

Script w/ SetSUID Cap

In /var/www/html there was a file called app.py, which was owned by nathan. It contained os.setuid(0) among some other stuff, which revealed, that you could start a root shell. I did so in Python:

import os; os.setuid(0); os.system("/bin/bash");

The file /usr/bin/python3.8 is owned by root, but it is not an SUID binary. However, if you scan the device with LinPEASS, you find out, that the cap_setuid option is enabled in the Python config.

This also explains the name of the box “cap”, as the privesc uses Linux capabilities, which is a way to allow certain caps as root. capsh is a ultitity related to it.