HackTheBox — Machine Cap Writeup
This is my first machine and system own in HackTheBox. I was more into the challenges but not machines. A fairly easy machine (the privilege escalation part kinda troubled me). So I thought it would be really nice to share my approach to pwning the machine.
ENUMERATION
First, I ran the Nmap scan on the given IP to see what services are up. I used an aggressive scan here, but a normal scan would do. -T4 is just for a faster scan.
nmap -A *IP_ADDRESS* -T4
We can see 3 services running. So I quickly went to http://*IP_ADDRESS*/ for any hints. The side menu has something interesting: it has a "PCAP + Analysis" entry in it.
But there were 0 packets captured the first time, so there should be some way to trigger this. This part took me some time to understand. When I refreshed the page, I saw the number in the URL change from "/data/6" to "/data/2". So it has something to do with that. Every time I refresh the page, I find the numbers change.
So I started with "/data/0" and, to my surprise, I could see some packets captured here. So I downloaded the PCAP file to analyze it further. I used Wireshark to see the content of the captured packets. I found the username and password. This should be the username and password for FTP or SSH.
Then I logged into FTP and it worked! I used the get command to download the user.txt file. That is our first flag and hash for machine owning.
PRIVILEGE ESCALATION
Next, I SSH into the machine with the same username and password. But unfortunately "the user" is not a root user. So now… it's time for some privilege escalation!
This is where things get tricky. I thought I could use linpeas.sh here, but there was no use as permission was getting denied. Then, after a while, I found something called Linux capabilities. For those who are lazy, let me paste the definition below:
Linux capabilities are special attributes in the Linux kernel that grant processes and binary executables specific privileges that are normally reserved for processes whose effective user ID is 0 (the root user, and only the root user, has UID 0).
Made any sense? Let me explain in layman's terms. These are nothing but applications or binaries which can help us get root access. How? These binaries have been granted special privileges, so they can do things which normally only root can do!
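Before moving on, here is the defender-side view of exactly this class of issue: an added Python audit (not code from the write-up) that parses `getcap -r` output and flags binaries carrying root-equivalent file capabilities, with an interpreter like python3.8 holding cap_setuid being the textbook case. The sample getcap lines are constructed and are not taken from the box.

```python
# Defender-side audit of file capabilities: parse `getcap -r` output (old
# "path = caps" and new "path caps" formats) and flag root-equivalent ones.
import re
import subprocess
from typing import Dict, List, Tuple

# Capabilities that equal root when an unprivileged user can run the binary.
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
             "cap_fowner", "cap_setfcap", "all"}
# Interpreters run arbitrary code, so the capability goes to whoever can invoke them.
INTERPRETER = re.compile(r"^(python|perl|ruby|node|php|lua|bash|sh|dash|zsh)\d*(\.\d+)?$")

# Constructed sample in both formats getcap emits (not taken from the box).
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/backup/tar cap_dac_read_search=ep
"""

def parse_getcap(output: str) -> Dict[str, List[str]]:
    """Map each path to the capability names it carries."""
    result: Dict[str, List[str]] = {}
    for line in output.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("/"):
            continue                                 # blank lines, error text
        path, clauses = tokens[0], [t for t in tokens[1:] if t != "="]
        caps: List[str] = []
        for clause in clauses:                       # cap_a,cap_b+ep or cap_a=p
            names = re.split(r"[+=-]", clause, maxsplit=1)[0]
            caps.extend(n for n in names.split(",") if n)
        result[path] = caps
    return result

def risky_binaries(caps_by_path: Dict[str, List[str]]) -> List[Tuple[str, List[str], str]]:
    """Return (path, risky capabilities, reason) for every suspect binary."""
    findings = []
    for path, caps in caps_by_path.items():
        risky = sorted(c for c in caps if c in HIGH_RISK)
        if risky:
            kind = "interpreter" if INTERPRETER.match(path.rsplit("/", 1)[-1]) else "binary"
            findings.append((path, risky, f"{kind} with root-equivalent capability"))
    return findings

def audit_host(start: str = "/") -> List[Tuple[str, List[str], str]]:
    """Run the audit on a live host (needs libcap's getcap on PATH)."""
    proc = subprocess.run(["getcap", "-r", start], capture_output=True, text=True)
    return risky_binaries(parse_getcap(proc.stdout))
```

Running `risky_binaries(parse_getcap(SAMPLE_GETCAP))` flags python3.8 and the tar copy but not ping or mtr-packet, since cap_net_raw alone does not confer root; on a real host, `audit_host()` is a cheap check to add to a hardening baseline.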
So while surfing the net I got this detail, which helps us find the binary that can give us root access.
I used the last one and we do get a few results. As soon as I saw python3.8 I was happy, because it was easy to setuid and get a shell via Python. Below is the command
And now we are ROOT!
But we have one more thing left: system pwn (or own). We change the directory to the root directory and find our next hash!
I know this was simple, but understanding Linux capabilities did take some time for me. I hope I made it clear. If you have doubts, feel free to comment below, and do give some claps for my write-up ;)
For more write-ups, do check out my Medium page.
Until then GOODBYE!!