Hack The Box - CAP

Hello All,

Let’s scan the open ports available on the machine by executing the following Nmap command:

nmap -A -p- -sV 10.10.10.245

It gave me an interesting list of open ports.

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Tue, 15 Jun 2021 08:25:26 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386

As you can see, we have the FTP, SSH and HTTP ports open. To start with, we don’t have credentials for FTP or SSH, and anonymous login is not allowed.

So I started with the HTTP port and got the dashboard below, which shows network stats and security snapshots.

While exploring all the tabs listed on the left, one URL captured my attention: http://10.10.10.245/data/6

So I tried changing the number and observed that changing the number after data changes the count of packets. Then I tried various numbers and downloaded the pcap file, but no luck. Then “0” gave me a large number of packets.

After downloading the pcap file I opened it in Wireshark, which gave me the packet details.

In it I found a user name and password which are used to authenticate to port 21.
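The /data/<number> behaviour described above leaves a recognisable trail in the web server's access log: one client walking through several capture ids in a short time. The following is an added example, not part of the original write-up, that flags that pattern; it assumes gunicorn's default (Common Log Format) access log, and the threshold, the window and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches GET requests for /data/<id> in a Common Log Format line.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /data/(?P<id>\d+) HTTP/[\d.]+" '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jun/2021:08:30:01 +0000] "GET /data/6 HTTP/1.1" 200 17147 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Jun/2021:08:30:09 +0000] "GET /data/5 HTTP/1.1" 200 17147 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Jun/2021:08:30:15 +0000] "GET /data/1 HTTP/1.1" 200 17144 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Jun/2021:08:30:22 +0000] "GET /data/0 HTTP/1.1" 200 17147 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jun/2021:08:31:00 +0000] "GET /data/7 HTTP/1.1" 200 17147 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jun/2021:08:45:00 +0000] "GET /data/7 HTTP/1.1" 200 17147 "-" "Mozilla/5.0"
""".splitlines()


def find_id_enumeration(lines, max_ids=3, window=timedelta(minutes=5)):
    """Return {client_ip: sorted ids} for clients that requested more than
    max_ids distinct /data/<id> objects inside one sliding time window."""
    hits = defaultdict(list)  # ip -> [(timestamp, id), ...]
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append((ts, int(m["id"])))

    flagged = defaultdict(set)
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Shrink the window from the left until it spans <= `window`.
            while ts - events[start][0] > window:
                start += 1
            ids = {i for _, i in events[start:end + 1]}
            if len(ids) > max_ids:
                flagged[ip] |= ids
    return {ip: sorted(ids) for ip, ids in flagged.items()}


if __name__ == "__main__":
    for ip, ids in find_id_enumeration(SAMPLE_LOG).items():
        print(f"{ip} requested capture ids {ids} within the window")
```

An alert like this only shows that the ids were walked; the underlying fix is a server-side check that the requested capture belongs to the logged-in user.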

Then I authenticated to FTP using the credentials I found. After listing the directories/files on the FTP server, I found user.txt containing the user flag. 😻 😆

Now, the next task is to get the root flag. To get into the machine we can use the SSH service with the same credentials we got previously.

After doing ls in the current directory, I didn’t find anything interesting. Let’s go to “/” and see which directories are accessible and give us a hint.

So I tried changing directory to root but got permission denied. It might have something interesting, so I tried changing the permissions of the root directory but got an operation permitted error. No luck; we can’t even list the directories inside the root folder.

Hmmm. Now we need to escalate our privileges, as we are a normal user. We can escalate privileges using the /bin/bash -p command. To do this, I checked whether we could execute some code through which we can do it.

Using the above code we have created the “setGID” bit, which gives execute permission to the /bin/bash shell.

Now we can see the contents of root folder.

After doing “ls” I got the root flag in the root folder. Yaaaayyyyyy!!!!! ☺️ ☺️ 🎉

Thanks.
