# Cap

![](/files/H3VCuehbNIrqAV0D4irB)

## Reconnaissance <a href="#id-491d" id="id-491d"></a>

First we run an initial nmap scan to see which ports are open and what services are listening on them.

```bash
nmap -sC -sV -oA nmap/init 10.129.141.123
```

* **-sC**: run the default nmap scripts
* **-sV**: detect service versions
* **-oA**: write output in all formats to *nmap/init*

We get back the following information:

* **Port 21:** running vsftpd version 3.0.3
* **Port 22:** running OpenSSH version 8.2p1 Ubuntu 4ubuntu0.2
* **Port 80:** running gunicorn web server

{% code title="init.nmap" %}

```text
# Nmap 7.92 scan initiated Tue Mar 22 18:25:26 2022 as: nmap -sC -sV -oA nmap/init 10.129.141.123
Nmap scan report for 10.129.141.123
Host is up (0.039s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Tue, 22 Mar 2022 22:25:38 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Tue, 22 Mar 2022 22:25:33 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Tue, 22 Mar 2022 22:25:33 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, OPTIONS, HEAD
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
|     </body>
|_    </html>
|_http-title: Security Dashboard
|_http-server-header: gunicorn
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.92%I=7%D=3/22%Time=623A4CDD%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,1480,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20
SF:Tue,\x2022\x20Mar\x202022\x2022:25:33\x20GMT\r\nConnection:\x20close\r\
SF:nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20193
SF:86\r\n\r\n<!DOCTYPE\x20html>\n<html\x20class=\"no-js\"\x20lang=\"en\">\
SF:n\n<head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x2
SF:0<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x20\
SF:x20\x20\x20<title>Security\x20Dashboard</title>\n\x20\x20\x20\x20<meta\
SF:x20name=\"viewport\"\x20content=\"width=device-width,\x20initial-scale=
SF:1\">\n\x20\x20\x20\x20<link\x20rel=\"shortcut\x20icon\"\x20type=\"image
SF:/png\"\x20href=\"/static/images/icon/favicon\.ico\">\n\x20\x20\x20\x20<
SF:link\x20rel=\"stylesheet\"\x20href=\"/static/css/bootstrap\.min\.css\">
SF:\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/css/fon
SF:t-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20
SF:href=\"/static/css/themify-icons\.css\">\n\x20\x20\x20\x20<link\x20rel=
SF:\"stylesheet\"\x20href=\"/static/css/metisMenu\.css\">\n\x20\x20\x20\x2
SF:0<link\x20rel=\"stylesheet\"\x20href=\"/static/css/owl\.carousel\.min\.
SF:css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/c
SF:ss/slicknav\.min\.css\">\n\x20\x20\x20\x20<!--\x20amchar")%r(HTTPOption
SF:s,B3,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20Tue,\x2
SF:022\x20Mar\x202022\x2022:25:33\x20GMT\r\nConnection:\x20close\r\nConten
SF:t-Type:\x20text/html;\x20charset=utf-8\r\nAllow:\x20GET,\x20OPTIONS,\x2
SF:0HEAD\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,121,"HTTP/1\.1\x2
SF:0400\x20Bad\x20Request\r\nConnection:\x20close\r\nContent-Type:\x20text
SF:/html\r\nContent-Length:\x20196\r\n\r\n<html>\n\x20\x20<head>\n\x20\x20
SF:\x20\x20<title>Bad\x20Request</title>\n\x20\x20</head>\n\x20\x20<body>\
SF:n\x20\x20\x20\x20<h1><p>Bad\x20Request</p></h1>\n\x20\x20\x20\x20Invali
SF:d\x20HTTP\x20Version\x20&#x27;Invalid\x20HTTP\x20Version:\x20&#x27;RTSP
SF:/1\.0&#x27;&#x27;\n\x20\x20</body>\n</html>\n")%r(FourOhFourRequest,189
SF:,"HTTP/1\.0\x20404\x20NOT\x20FOUND\r\nServer:\x20gunicorn\r\nDate:\x20T
SF:ue,\x2022\x20Mar\x202022\x2022:25:38\x20GMT\r\nConnection:\x20close\r\n
SF:Content-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20232\
SF:r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\x20
SF:Final//EN\">\n<title>404\x20Not\x20Found</title>\n<h1>Not\x20Found</h1>
SF:\n<p>The\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20ser
SF:ver\.\x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x20ch
SF:eck\x20your\x20spelling\x20and\x20try\x20again\.</p>\n");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 22 18:27:36 2022 -- 1 IP address (1 host up) scanned in 130.52 seconds
```

{% endcode %}

## Enumeration <a href="#id-000d" id="id-000d"></a>

Checking out the web server, I see that I am logged in as the user Nathan.

![Initial view of webpage](/files/B4jdEOoBFsuyx8qLvJ2f)

It also appears that I can see netstat information from the server this is running on.

![Netstat page](/files/z73FAtJ4v1aeHf5GOljH)

The IP Config page shows that I am in fact looking at the box I just enumerated, and that this is not output from another server.

![Interface information](/files/Z163NoNmBmRTYhlCU12a)

Looking at the security snapshots page, I notice something interesting in the address bar.

![Security Snapshots](/files/uX3VyaCnCkzORJsDjviS)

Changing the data value in the address bar from 1 to 0, I get non-zero values for the number of packets.

![](/files/r9YMd0lo6uYfFgtUZAP8)
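The flaw behind that address-bar trick is a missing object-level authorization check: the capture id in the URL is trusted on its own. Below is an added example, not the Cap application's code, of how a gunicorn-hosted WSGI handler should bind each capture to its owner; the `/data/<id>` route, the `app.session_user` environ key and the in-memory `CAPTURES` store are assumptions constructed for the example.

```python
import re
from http import HTTPStatus

# Constructed store standing in for the capture database: id -> owner and packet
# count.  In the writeup, changing the id in the address bar was enough to fetch
# a capture that did not belong to the logged-in user.
CAPTURES = {
    0: {"owner": "admin", "packets": 72},
    1: {"owner": "nathan", "packets": 0},
}

def current_user(environ):
    """Identity comes from the verified session (here a constructed environ key),
    never from the URL, a query parameter or a client-supplied header."""
    return environ.get("app.session_user")

def lookup_capture(user, capture_id):
    """Return the capture only if it exists AND belongs to `user`.
    A missing capture and someone else's capture both return None, so the
    caller answers 404 for both and ids cannot be enumerated via 403-vs-404."""
    record = CAPTURES.get(capture_id)
    if record is None or record["owner"] != user:
        return None
    return record

def app(environ, start_response):
    """WSGI handler for /data/<id>; deployable under gunicorn like the original."""
    user = current_user(environ)
    match = re.fullmatch(r"/data/(\d+)", environ.get("PATH_INFO", ""))
    if user is None:
        status, body = HTTPStatus.UNAUTHORIZED, b"login required"
    elif match is None:
        status, body = HTTPStatus.NOT_FOUND, b"not found"
    else:
        record = lookup_capture(user, int(match.group(1)))
        if record is None:
            status, body = HTTPStatus.NOT_FOUND, b"not found"
        else:
            status, body = HTTPStatus.OK, f"packets={record['packets']}".encode()
    start_response(f"{status.value} {status.phrase}", [("Content-Type", "text/plain")])
    return [body]

def request(path, user=None):
    """Call the WSGI app directly, no server needed; returns (status line, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b"".join(app({"PATH_INFO": path, "app.session_user": user}, start_response))
    return seen["status"], body
```

With this check in place, nathan requesting `/data/0` gets the same 404 as for an id that does not exist, while his own `/data/1` still works.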

Opening the downloaded pcap in Wireshark, I almost immediately spot a username and password.

![Username and Password in plaintext](/files/eoYw5YIe7rFk8FbCrPut)

<details>

<summary>Credentials</summary>

Username: nathan\
Password: Buck3tH4TF0RM3!

</details>

## Initial Access

These credentials worked for SSH.

![SSH Session](/files/VN05wbKTygGu1oiuGh8J)

I am unable to run sudo as the user nathan on the box, so I transfer over [linpeas](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) using [updog](https://github.com/sc0tfree/updog).

![](/files/PmlzH3PQdzUOKPhHaooR)

![](/files/xJbRwXp67H0LjvcwyuDx)

Running linpeas.sh, I notice that python3.8 has the setuid capability set.

![cap\_setuid](/files/ZE9Hhc1Lc6Mzs3STCR8A)

## Exploitation <a href="#id-714d" id="id-714d"></a>

Going to [GTFOBins](https://gtfobins.github.io/gtfobins/python/#capabilities), I can see there is an easy way to root with Python.

![](/files/u1muVaCnBuIDz3S6FNwC)

Using this command, I was able to get root.

![](/files/0IEnPxiZ1FDHpQJ5JJ49)

## Lessons Learned <a href="#id-31ac" id="id-31ac"></a>

1. Never allow a binary that can run other binaries to have the Linux CAP\_SETUID capability set, as it can be used to escalate privileges and maintain persistence.
2. SSH should require more than just a password for login.
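The capability finding above and lesson 1 as a check a defender can run on their own hosts: this is an added example, not part of the original writeup or of linpeas. It parses the output of `getcap -r / 2>/dev/null` (both the older `path = cap+ep` and the newer `path cap=ep` libcap formats) and flags identity-changing capabilities that are permitted or effective, rating them critical when the file is an interpreter or shell. The sample output is constructed, modelled on the page's python3.8 finding; the `custom_agent` line is made up.

```python
import re

# File capabilities that let a process change identity or bypass access checks;
# on a binary that runs arbitrary code they amount to a root setuid bit.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module"}

# Interpreters and shells execute whatever the caller asks, so a dangerous cap
# on one of these is critical rather than merely worth review.
INTERPRETER_RE = re.compile(r"/(python[\d.]*|perl[\d.]*|ruby[\d.]*|node|php[\d.]*|(?:ba|da|z)?sh)$")

# Constructed sample of `getcap -r / 2>/dev/null` output, modelled on the
# writeup's python3.8 finding; the last line uses the older libcap format.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 cap_setuid=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/custom_agent = cap_setuid,cap_net_bind_service+eip
"""

def parse_getcap_line(line):
    """Return (path, {capability: flag letters}) for one getcap line, or None."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:                      # old libcap: "/path = cap_x+ep"
        path, rest = line.split(" = ", 1)
    else:                                  # new libcap: "/path cap_x=ep"
        path, _, rest = line.partition(" ")
    caps = {}
    for clause in rest.split():            # each clause: "cap_a,cap_b=eip"
        m = re.fullmatch(r"([a-z0-9_,]+)[=+]([eip]*)", clause)
        if m:
            for cap in m.group(1).split(","):
                caps[cap] = m.group(2)
    return path, caps

def audit(lines):
    """Return (path, capability, severity) for dangerous caps that are permitted
    or effective; inheritable-only ('i') grants nothing by itself and is skipped."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed:
            path, caps = parsed
            for cap, flags in caps.items():
                if cap in DANGEROUS_CAPS and set(flags) & {"e", "p"}:
                    severity = "critical" if INTERPRETER_RE.search(path) else "review"
                    findings.append((path, cap, severity))
    return findings
```

On the sample, `audit` reports python3.8 as critical and the made-up agent for review while leaving ping alone; the fix for a critical hit is `setcap -r PATH`, granting a scoped capability only to the specific service that needs it.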
