mmckinnon/chirpy-starter
1
0
Fork 0
mirror of https://github.com/cotes2020/chirpy-starter.git synced 2025-04-21 11:53:27 +10:00
Code Issues Actions Packages Projects Releases Wiki Activity
chirpy-starter/_posts/2021-05-06-cap.md
racc0x 6278b1b310 update-2025
2025-02-03 22:22:27 -06:00

135 lines
4.0 KiB
Markdown
Raw Blame History

---
title: HTB - Cap
date: 2021-05-06 00:00:00 +8000
categories: [hackthebox ]
tags: [HackTheBox, Information Disclosure, CVE-2021-4034, tcpdump]
image:
path: /assets/img/post/cap/Cap.png
lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
alt: Hack the Box - Cap.
---
## Box Info
| Name | Cap |
| :-------------------- | ---------------: |
| Release Date | 5 Jun, 2024 |
| OS | Linux |
| Rated Difficulty | Easy |
## Ping
```bash
ping -c 3 10.10.10.245
PING 10.10.10.245 (10.10.10.245) 56(84) bytes of data.
64 bytes from 10.10.10.245: icmp_seq=1 ttl=63 time=55.6 ms
64 bytes from 10.10.10.245: icmp_seq=2 ttl=63 time=55.9 ms
64 bytes from 10.10.10.245: icmp_seq=3 ttl=63 time=54.8 ms
```
`ttl=63 -> Linux System`
## Nmap
```bash
nmap -p- --open --min-rate 5000 -n -sS -vvv -Pn 10.10.10.245
```
```bash
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Sat, 22 May 2021 10:51:48 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Sat, 22 May 2021 10:51:42 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
...[snip]...
SF:eck\x20your\x20spelling\x20and\x20try\x20again\.</p>\n");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```
![Image](../assets/img/post/cap/image.png)
data/1
![Image](../assets/img/post/cap/image-1.png)
I starter with a scan directoriy but dont foudn anything interesting
![Image](../assets/img/post/cap/image-2.png)
## Information Disclosure
```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u 'http://10.10.10.245/data/FUZZ' -fs 208
```
![Image](../assets/img/post/cap/image-3.png)
I download those and i test one by one to found sensitive data
![Image](../assets/img/post/cap/image-4.png)
```bash
tcpdump -qns 0 -X -r 0.pcap
```
**User:**
![Image](../assets/img/post/cap/image-5.png)
**Password:**
![Image](../assets/img/post/cap/image-6.png)
`nathan`
`Buck3tH4TF0RM3!`
**Login with ssh**
![Image](../assets/img/post/cap/image-7.png)
## Escalation Privilege | CVE-2021-4034
```BASH
find / -perm -4000 2>/dev/null
```
![Image](../assets/img/post/cap/image-8.png)
We found a bin interesting called pkexec. Looking if the pkexec has a vulnerability, i find a CVE-2021-4034
https://github.com/ly4k/PwnKit
We upload the file PwnKit and exploit as nathan and BOOM!
![Image](../assets/img/post/cap/image-9.png)
Pwned!!
Reference in New Issue View Git Blame Copy Permalink