HTB-Cap

Amec0e
4 min read · Aug 16, 2021

Hi everyone, so I wanted to try something different and try some HackTheBox machines, and while I still have a strong love for TryHackMe I figured I'd try something new.

I hope you all enjoy reading this as much as I enjoyed writing this.

So first let's start with an nmap scan.

Nmap

Okay so we have FTP (21), SSH (22) and a web server (80). Since there's a web server I immediately want to run gobuster or dirsearch against it. I usually use dirsearch but I'm using gobuster here to try it a little more.

Gobuster

While this was running I tried to log in to FTP with anonymous:anonymous, with no luck, so now I want to check out the website itself.

Security Dashboard

Okay so this looks like some security dashboard. Now, from our gobuster output we noticed a directory that had some additional data in it, so let's take a look.

Pcap Download

Right, so this allows us to view pcap data from a security dashboard which we are already logged into. Now I noticed that in the URL we have a number:

data/9

So let's try changing this and see if we can view other data.

Initial Pcap

And we can! So let's download this file and open it with Wireshark.

Wireshark

Okay so where do we begin? Well, if you remember from our port scan we had SSH, FTP and HTTP, so let's look at all FTP packets (if there are any). To do this simply type ftp into the display filter bar.

Wireshark FTP

The best way to view this is by selecting an FTP packet and choosing Right-Click > Follow > TCP Stream.

Follow TCP Stream

Now that we have the FTP creds we can log in and take a look.

FTP Login

And we have user.txt.

User.txt

So now let's try these credentials against SSH too!

SSH

And we are logged in via SSH. Now for the privesc part: I checked a few of my regular things, such as SUID binaries, crontab and sudo -l, and found nothing of interest, so I like to check for file capabilities as these can be overlooked.

We can check for them using this privesc trick I learned from TheCyberMentor's Linux Privilege Escalation course.

getcap -r / 2>/dev/null

We are looking for any files with cap_setuid+ep.
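Reading raw getcap output across a whole filesystem gets tedious, so here is a small audit helper I've added for this write-up (it is not from the original post or the box). It parses getcap -r output in both the older "path = caps+flags" and newer "path caps=flags" layouts and flags binaries carrying capabilities that amount to root; the DANGEROUS_CAPS set and the sample output are my own assumptions, with the python3.8 line mirroring what was found on this box.

```python
import re

# Capabilities that effectively grant root when set on an interpreter or other
# general-purpose binary (cap_setuid is the one on this box). This list is an
# assumption for the audit, not an exhaustive catalogue.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap",
}

# Constructed sample of `getcap -r / 2>/dev/null` output (mixed libcap formats).
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/opt/tool/helper cap_dac_override=ep
/opt/tool/legacy = cap_setuid+i
"""

_SPEC = re.compile(r"^([^+=]*)[+=]([a-z]*)$")   # "cap_a,cap_b+ep" or "=ep"

def parse_getcap(output):
    """Parse getcap -r output into {path: (set of cap names, flag letters)}.

    Handles "path = cap_a+ep" (libcap < 2.41) and "path cap_a=ep" (newer
    libcap). A bare "=ep" means every capability; it is recorded as {"ALL"}.
    Paths containing whitespace are not supported by this simple splitter.
    """
    entries = {}
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        m = _SPEC.match(tokens[-1])
        if not m:
            continue
        names, flags = m.group(1), m.group(2)
        caps = {"ALL"} if names == "" else set(names.split(","))
        entries[tokens[0]] = (caps, flags)
    return entries

def dangerous_binaries(entries):
    """Return {path: sorted dangerous caps} for files a defender should review."""
    hits = {}
    for path, (caps, flags) in entries.items():
        if "e" not in flags and "p" not in flags:
            continue  # inheritable-only file caps are not usable on their own
        bad = {"ALL"} if "ALL" in caps else caps & DANGEROUS_CAPS
        if bad:
            hits[path] = sorted(bad)
    return hits

if __name__ == "__main__":
    for path, caps in dangerous_binaries(parse_getcap(SAMPLE_GETCAP)).items():
        print(f"REVIEW: {path} -> {', '.join(caps)}")
```

Run it against real output with `getcap -r / 2>/dev/null | python3 audit.py` after swapping SAMPLE_GETCAP for sys.stdin.read(); anything it prints is a host-hardening finding to remove or justify.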

Getcap

And we can clearly see python3.8 has this exact capability set. Now we can exploit this easily with:

/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
exploit

And as you can see we are now root and can get the root flag.

root.txt
