Hack the Box Writeup for Cap machine

Written by Nicholas Howland on 11/16/2024
Hack the Box is a learning platform for penetration testing. It provides labs, guided lessons, and a community to learn from. This is a mock penetration test performed against a virtual machine / server designed to test knowledge gained from the introduction course. The following was completed in a little under two hours and includes the tooling used.
If you are interested in learning more or signing up for an account please use the following referral link https://referral.hackthebox.com/mzA6eHG
Disclaimer: Information contained in this blog does not condone criminal activity; it is meant to be an example of what a completed penetration test would look like as well as to provide a walkthrough for lost souls.
Hack the Box writeup for the retired machine "Cap". I went ahead and redacted the flags and some of the commands I used.
Scope
Target IP: <target-ip>
Attacker IP: <attacking-ip>
This is a credentialed test and a single user account's credentials are provided for testing purposes.
Start Time: Approximately 11/15/2024 1:00 PM GMT-7
End Time: Approximately 11/15/2024 3:30 PM GMT-7
Executive Summary
The endpoint used to store and serve packet captures from the network is vulnerable to Insecure Direct Object References that allow users to download the packet captures of other users. The saved packet captures contain sensitive information, including usernames and passwords of active system accounts, which may be used to gain access to the server. There are also vulnerabilities present that allow regular users to execute custom scripts as the root user, which if exploited can be used to gain administrative access to the server. If an attacker were to obtain valid credentials for a user account used to view SIEM logs and download packet captures, they could view all packet captures present on the server, which can lead to sensitive information exposure.
Objective
Gain an interactive shell by exploiting weaknesses in the web application, and escalate privileges if possible.
Steps to Compromise
- Ran an nmap scan against <target-ip>; the following was returned:
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn
|_http-server-header: gunicorn
- Upon visiting the webpage I ran a packet capture with the capture function of the API through the API endpoint:
<target-ip>/capture
which returned <target-ip>/capture/<ID>
where the ID was a numeric value.
- Next I downloaded the packet capture; the download link was the API endpoint
http://<target-ip>/download/<ID>
where <ID> was the numeric id returned by the /capture API endpoint in the last step.
- To test whether files from previous captures were available, I tried both navigating to other capture pages and downloading the captures directly.
- The captures could be downloaded directly, but the capture pages could not be viewed.
- I downloaded all available packet captures and began analyzing them for sensitive information in order to determine impact.
- At first I did this manually in Wireshark, but it became time intensive. The following filters were useful for filtering out the dirbuster traffic and the HTTP 404 pages it returned:
http.response.code != 404
http.user_agent != "gobuster/3.6"
- I used a passive packet capture scanning tool to perform automated scans on the captures and quickly identify alerts/anomalies in them.
- The packet capture with ID 0, which I initially overlooked, contained an FTP username and password:
<username>:<password>
- Using the credentials against nathan's SSH login proved successful, and the flag in the user.txt file was as follows:
_____________________2cbb35
- Next, privilege escalation was needed. I did not find any files in the user's directory that could be exploited for privilege escalation, so Linux privilege escalation enumeration scripts were run against the machine, which reported two potential avenues of exploitation:
-- Vulnerable to CVE-2021-3560
-- /usr/bin/python3.8 can set its UID (change the user that the program is running as without sudo):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
- First I tried the hardest option, exploitation of the PolKit CVE, which uses the dbus and polkit services to escalate privileges. The service was marked as vulnerable by the Linux enumeration script. The exploit works by using polkit, a front end graphical user interface used to change settings and create users, to create an administrative user while bypassing the administrative password prompt. The exploit I found and ran from ExploitDB was not successful even after tweaking the execution timing, possibly because it was being run on a server and therefore no front end GUI was available.
- The next avenue to explore was the promising context change of a program run with python3.8, which was discovered through a Linux enumeration script but can also be discovered by running the following command:
<reconnosance command redacted>
- getcap lists the capabilities of executable files; all errors are redirected to the null device instead of standard output.
- This means that the Python interpreter is able to change its UID, i.e. the user context in which the application is run. The following command was run to get an interactive shell:
<payload command redacted>
- A shell was presented running as the root user. The flag contained in the root.txt file was:
_____________________6844e1
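The /download/<ID> IDOR described in the steps above, rebuilt as an added example that is not the Cap application's code: a minimal WSGI handler that hands out any capture by id, beside a fixed version that enforces ownership. The capture store, user names and the REMOTE_USER auth convention are constructed assumptions for the demo (the real app runs under gunicorn; its framework is not shown on the page).

```python
"""Added example: IDOR on /download/<id> and its fix, as plain WSGI handlers."""
import re

# Constructed store: capture id -> (owner, pcap bytes). Id 0 stands in for the
# capture that leaked FTP credentials in the writeup.
CAPTURES = {
    0: ("nathan", b"ftp USER nathan PASS <redacted>"),
    1: ("alice", b"alice traffic"),
    2: ("bob", b"bob traffic"),
}
DOWNLOAD_RE = re.compile(r"^/download/(\d+)$")
PCAP = [("Content-Type", "application/vnd.tcpdump.pcap")]
TEXT = [("Content-Type", "text/plain")]


def download_vulnerable(environ, start_response):
    """IDOR: any authenticated user may fetch any capture id that exists."""
    m = DOWNLOAD_RE.match(environ.get("PATH_INFO", ""))
    if not m or int(m.group(1)) not in CAPTURES:
        start_response("404 Not Found", TEXT)
        return [b"not found"]
    _owner, data = CAPTURES[int(m.group(1))]
    start_response("200 OK", PCAP)
    return [data]


def download_fixed(environ, start_response):
    """Fixed: the capture must belong to the session user. Unknown and foreign
    ids both return 404 so the endpoint cannot be used to enumerate ids."""
    user = environ.get("REMOTE_USER")  # assumption: set by the auth layer
    m = DOWNLOAD_RE.match(environ.get("PATH_INFO", ""))
    entry = CAPTURES.get(int(m.group(1))) if m else None
    if user is None or entry is None or entry[0] != user:
        start_response("404 Not Found", TEXT)
        return [b"not found"]
    start_response("200 OK", PCAP)
    return [entry[1]]


def call(app, path, user):
    """Drive a WSGI app directly without a server; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path, "REMOTE_USER": user}, start_response))
    return captured["status"], body
```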
Lessons Learned
- Privesc is hard, but pay attention to all avenues, not only the CVEs
- Exploit code can be finicky; explore binaries that can be utilized, i.e. take the path of least resistance
- IDORs can lead to credential leaks; use the credentials found to test against services running on the endpoint
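An added defensive companion to the getcap finding in the steps above and the lesson to check binaries, not part of the writeup's tooling: a small audit script that parses getcap output lines in the format quoted on the page (and the newer "path cap=flags" libcap format) and flags binaries whose effective capability set would let a non-root user change UID. The sample output, the interpreter list and the severity labels are constructed assumptions.

```python
"""Added example: audit getcap output for capabilities that enable privesc."""
import re
from dataclasses import dataclass

# Interpreters and shells: if one of these holds cap_setuid, any user who can
# run it can become root. Assumed list, not derived from getcap itself.
INTERPRETERS = {"python", "perl", "ruby", "node", "php", "bash", "sh"}
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override"}

# Matches both "/path = cap_a,cap_b+eip" (as on Cap) and "/path cap_a=ep" (newer libcap).
LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>[a-z_,]+)[+=](?P<flags>[eip]+)$")


@dataclass
class CapEntry:
    path: str
    caps: set   # capability names
    flags: set  # subset of {"e", "i", "p"}: effective, inheritable, permitted


def parse_getcap(output: str):
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(CapEntry(m["path"], set(m["caps"].split(",")), set(m["flags"])))
    return entries


def is_interpreter(path: str) -> bool:
    name = path.rsplit("/", 1)[-1]
    return any(name.startswith(i) for i in INTERPRETERS)


def find_risky(entries):
    """Return (path, risky caps, severity) for binaries that can actually use a
    risky capability (permitted and effective). An interpreter is rated high
    because it lets the user run arbitrary code with that capability."""
    findings = []
    for e in entries:
        hits = e.caps & RISKY_CAPS
        if hits and {"e", "p"} <= e.flags:
            findings.append((e.path, sorted(hits), "high" if is_interpreter(e.path) else "review"))
    return findings


# Constructed sample; the first line is the one reported on the Cap machine.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/node cap_setuid=ep
/usr/bin/backup cap_dac_override=ep
"""
```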
Resources
CVE Details
Exploit code for CVE-2021-3560: https://www.exploit-db.com/exploits/50011
Additional exploit code for CVE-2021-3560: https://github.blog/security/vulnerability-research/privilege-escalation-polkit-root-on-linux-with-bug/
Additional Information
Explanation of IDOR (Insecure Direct Object References): https://portswigger.net/web-security/access-control/idor