Hello there, fellow Secjuice readers! Welcome to my technical write-up for the Cap challenge over at HackTheBox!
If you would like to do the Cap challenge yourself, you can find it at https://app.hackthebox.eu/machines/Cap. This machine is pretty straightforward; all you need to do is think smart like Sherlock Holmes!
The first phase of any engagement is enumeration: look for open ports and the services running on them.
nmap -A -T5 10.10.10.245
The web service presents a system admin panel, and it also exposes some PCAP-related functionality.
What I found is that you can download PCAPs from the website. Since the directory brute-force didn't give me anything to follow, I decided to grab the packet captures and dig through them for more information.
Luckily, I found what I needed in the 0.pcap file.
Use the login credentials recovered during the enumeration phase to gain a foothold.
User is finally owned.
For privilege escalation, I tried the following first and none of them worked:
- SUID binaries (find / -perm -4000 2> /dev/null)
- cron jobs
- vulnerable applications/processes
- shared library injection (depends on sudo permissions)
- kernel exploits
Now go back and look at the name of the machine again (cap) and use the 'apropos' command at your disposal. apropos is a Linux command that searches the man page descriptions for a keyword, so you can find out what the term refers to and which tools relate to it.
Yes, we now see it has Linux capabilities.
As I dug deeper, I found a binary that has cap_setuid set, so calling setuid(0) from it will work and elevate me to root. Using getcap I can find out whether any suspicious binary has this capability or not.
The binary in question turned out to be python, and with cap_setuid on an interpreter, elevating to root is a piece of cake.
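From the defender's side, the same getcap enumeration doubles as a hardening check: the audit below (an added example, not part of the original write-up) parses `getcap -r /` output, flags capabilities that let a binary regain root, and gives highest priority to scripting interpreters like the python binary on this box. The sample output is constructed; the capability list and interpreter names are my own choices, and a real fix is `setcap -r <path>` on anything flagged.

```python
import re

# Capabilities that on their own let a process regain root or bypass
# permission checks (cap_setuid is the one that mattered on Cap). Chosen
# by me for this example; extend to taste.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace", "cap_chown"}
# A dangerous capability on a scripting interpreter hands a root shell to
# anyone allowed to run it, so those findings get the highest priority.
INTERPRETERS = ("python", "perl", "ruby", "php", "node", "lua")
# getcap output differs by libcap version:
#   old:  /usr/bin/python3.8 = cap_setuid+ep
#   new:  /usr/bin/python3.8 cap_setuid=ep
OLD_FMT = re.compile(r"^(?P<path>\S+) = (?P<caps>.+)$")
NEW_FMT = re.compile(r"^(?P<path>\S+) (?P<caps>\S+=\S+)$")


def parse_getcap_line(line):
    """Return (path, set of capability names) for one getcap line, else None."""
    m = OLD_FMT.match(line.strip()) or NEW_FMT.match(line.strip())
    if not m:
        return None
    caps = set()
    for group in m.group("caps").split():
        # "cap_a,cap_b+ep" (old) or "cap_a,cap_b=ep" (new): drop the flag suffix
        names = re.split(r"[+=]", group, maxsplit=1)[0]
        caps.update(n for n in names.split(",") if n.startswith("cap_"))
    return m.group("path"), caps


def audit(getcap_output):
    """Map each binary carrying a dangerous capability to what was found."""
    findings = {}
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        bad = sorted(caps & DANGEROUS_CAPS)
        if bad:
            base = path.rsplit("/", 1)[-1]
            findings[path] = {"caps": bad, "interpreter": any(i in base for i in INTERPRETERS)}
    return findings


# Constructed sample of `getcap -r / 2>/dev/null` output mixing both formats.
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/backup cap_chown,cap_dac_read_search=ep
"""
```

Run `audit(open("getcap.txt").read())` on a saved scan to get the same dict for a real host; ping and mtr-packet are ignored because cap_net_raw is a normal, scoped grant.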
Now that I've given you a walkthrough of Cap, you are free to go get your flag and own this system yourself (if you still have access to it, of course)!
If you are here and want to connect with me, you can reach me via the following sources: