Hack The Box -CAP

Hello All,

Let’s scan the open ports available on machine by executing following NMAP command. nmap -A -p- -sV 10.10.10.245

And it gave me the interesting open port list.

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Tue, 15 Jun 2021 08:25:26 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386

As you can see we have FTP, SSH and HTTP port open. To start with FTP and SSH we don’t have credentials also anonymous login is not allowed.

So i started with HTTP port and got below dashboard which shows network stats and security snapshots.

While exploring all the tabs listed in left, one URL captured my attention which is http://10.10.10.245/data/6

So i tried changing number and observed that by change number after data changes the count of number of packets. Then i tried various numbers and downloaded the pcap file. But no luck. Then “0” gave me large number of packets.

After downloading the pcap file I opened it in wireshark which gave me the packet details.

In which i have found user name and password which are used to authenticate to port 21

Then authenticated to ftp using found credentials. After listing the directories/files in ftp server I found user.txt containing user flag. 😻 😆

Now, Next task is to get root flag. To get in machine we can use SSH service with the same credentials which we got previously.

After doing ls in current directory, didn’t find anything interesting. Lets got to “/” and see which directories are accessible and gives us hint.

So i tried changing directory to root but it got permission denied.It might have something interesting then i tried changing the permissions of root directory but got operation permitted error. but no luck. even we can’t list the directories inside root folder.

Hmmm. Now we need to escalate our privileges as we are normal user. We can escalate privileges using /bin/bash -p command. For doing this i checked if we can execute some code through which we can do it.

Using above code we have created the “setGID” bit which gives execute permission to /bin/bash/ shell.

Now we can see the contents of root folder.

After doing “ls” got the root flag in root folder. Yaaaayyyyyy!!!!! ☺️ ☺️ 🎉

Thanks.