📦 HTB - Cap

Simple, easy box, perfect to warm up before the FIC 2021 and gain some confidence in 1337 h4ck1n9.
TL;DR
Find PCAP file on server, get SSH credentials, execute code as root with Python.
Footholds
I did not even use nmap here, as we had a web server serving on port tcp:80. This website looked like this:
It seems to be a security dashboard for a server; we don’t have any more info about it. The server exposes several endpoints:
- /capture: runs a capture, then redirects to /data/{id} once it has finished loading
- /data/{id}: lets us download {id}.pcap by clicking a button
- /ip: shows a netstat output
What can we do with that?
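The /data/{id} endpoint above is the classic shape of an insecure direct object reference: a sequential id in the URL and nothing tying the capture to the user who started it. The following is an added example, not code from the original write-up or from the box's app.py: the vulnerable lookup next to a hardened one that uses an opaque random id and checks ownership server-side. The in-memory store, the session dict and the user names are constructed for the example.

```python
"""Added example: the /data/{id} lookup in a vulnerable and a hardened form.

Assumptions (not from the write-up): captures live in an in-memory dict, and the
caller's identity comes from a session dict such as {"user": "alice"}.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Capture:
    owner: str   # username that started this capture
    data: bytes  # raw pcap bytes


@dataclass
class CaptureStore:
    captures: Dict[str, Capture] = field(default_factory=dict)
    next_seq: int = 0

    # --- Vulnerable shape: sequential ids, no ownership check ---------------
    def start_capture_vulnerable(self, user: str, data: bytes) -> str:
        cid = str(self.next_seq)          # 0, 1, 2 ... trivially enumerable
        self.next_seq += 1
        self.captures[cid] = Capture(owner=user, data=data)
        return cid

    def get_capture_vulnerable(self, session: dict, cid: str) -> Tuple[int, bytes]:
        # Whoever asks for an id gets it: the session is never consulted.
        cap = self.captures.get(cid)
        if cap is None:
            return 404, b""
        return 200, cap.data

    # --- Hardened shape: opaque ids, owner check on every read ---------------
    def start_capture(self, user: str, data: bytes) -> str:
        cid = secrets.token_urlsafe(16)   # 128 random bits; cannot be guessed or counted up
        self.captures[cid] = Capture(owner=user, data=data)
        return cid

    def get_capture(self, session: dict, cid: str) -> Tuple[int, bytes]:
        user = session.get("user")
        if not user:
            return 401, b""
        cap = self.captures.get(cid)
        # Same answer for "missing" and "not yours", so the id space leaks nothing.
        if cap is None or cap.owner != user:
            return 404, b""
        return 200, cap.data


if __name__ == "__main__":
    store = CaptureStore()
    weak = store.start_capture_vulnerable("alice", b"alice-pcap")
    strong = store.start_capture("alice", b"alice-pcap")
    print("vulnerable, as bob:", store.get_capture_vulnerable({"user": "bob"}, weak))
    print("hardened, as bob:  ", store.get_capture({"user": "bob"}, strong))
    print("hardened, as alice:", store.get_capture({"user": "alice"}, strong))
```

The random id alone is not the fix; the ownership check is. Opaque ids only stop the enumeration that turns one leaked capture into all of them.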
User
I got to download the file 11.pcap, and got nothing in it. I recognized that all my interactions with the server were logged in this PCAP, which is odd; I thought the server was serving a particular PCAP.
After playing again with the /capture endpoint, I figured out that the /data/{id} corresponds to a specific user or IP. So I checked /data/0 and got the following data:
And guess what? Yes, we can see credentials in cleartext here:
So we can SSH to the machine with those.
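Cleartext credentials sitting in a stored capture are exactly what a capture audit should catch before a pcap is ever served from a web endpoint. The following is an added example, not code from the write-up or the box: a stdlib-only parser for the classic libpcap format (global header, per-record header, then Ethernet/IPv4/TCP) that reports which packets carry cleartext authentication without echoing the secret itself. The sample capture is constructed inline with FTP USER/PASS and a plain HTTP request; the page does not say which protocol leaked the box's credentials, so that choice is an assumption.

```python
"""Added example: flag cleartext authentication inside a classic pcap file."""
import re
import struct
from typing import Dict, Iterator, List, Optional, Tuple

# Only the pattern name and the flow are reported, never the matched value, so the
# audit log does not become a second copy of the secret.
CLEARTEXT_PATTERNS = [
    ("ftp-user", re.compile(rb"^USER \S+", re.M)),
    ("ftp-pass", re.compile(rb"^PASS \S+", re.M)),
    ("http-basic-auth", re.compile(rb"^Authorization: Basic \S+", re.M | re.I)),
    ("form-password", re.compile(rb"(?:^|&)(?:pass|password|passwd)=[^&\s]+", re.M | re.I)),
]

# pcap magic numbers -> struct byte order (microsecond and nanosecond variants)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}


def iter_records(pcap: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (link_type, packet_bytes) for every record of a classic pcap file."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    endian = MAGICS.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (unknown magic)")
    link_type = struct.unpack(endian + "I", pcap[20:24])[0]
    off = 24
    while off + 16 <= len(pcap):
        _sec, _frac, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        if off + incl_len > len(pcap):
            break  # truncated last record: stop rather than mis-parse it
        yield link_type, pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(link_type: int, pkt: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src, dst, sport, dport, payload) for Ethernet/IPv4/TCP, else None."""
    if link_type != 1 or len(pkt) < 14 or pkt[12:14] != b"\x08\x00":
        return None  # link type 1 = Ethernet, ethertype 0x0800 = IPv4
    ip = pkt[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
        return None  # not IPv4, or not TCP (protocol 6)
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def scan_pcap(pcap: bytes) -> List[Dict[str, object]]:
    """List every packet whose TCP payload matches a cleartext-credential pattern."""
    findings = []
    for idx, (link_type, pkt) in enumerate(iter_records(pcap)):
        parsed = tcp_payload(link_type, pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        for name, pattern in CLEARTEXT_PATTERNS:
            if pattern.search(payload):
                findings.append({"packet": idx, "finding": name,
                                 "flow": f"{src}:{sport} -> {dst}:{dport}"})
    return findings


# ---- constructed sample capture (not a real HTB artifact) ----------------------
def _packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_sample_pcap() -> bytes:
    pkts = [
        _packet("192.0.2.10", "192.0.2.1", 40000, 21, b"USER example\r\n"),
        _packet("192.0.2.10", "192.0.2.1", 40000, 21, b"PASS not-a-real-secret\r\n"),
        _packet("192.0.2.10", "192.0.2.1", 40001, 80, b"GET / HTTP/1.1\r\nHost: cap.htb\r\n\r\n"),
    ]
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    for p in pkts:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out


if __name__ == "__main__":
    for f in scan_pcap(build_sample_pcap()):
        print(f)
```

Run against a real file with `scan_pcap(open("0.pcap", "rb").read())`; pcapng files use a different container and are rejected by the magic check rather than silently misread.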
Root
Source code
The server was running from /var/www/html/app.py, which is a Flask server. The user nathan has rw rights on it, so I checked the source code:
I removed some code for readability but you get the idea. The important stuff is the os.setuid(0) part. If you want the complete code, check it here.
Exploit
As you can expect, here we can execute code as root thanks to the os.setuid(0) line. So I just edited this app.py file and added one route:
Then I started the server in the SSH session (nathan@cap: python3 app.py) and connected to it from my local machine with firefox http://cap.htb:65000/test.
And voilà.