HackTheBox Cap Writeup
Enjoy reading my HTB Cap writeup
Information Gathering & Gaining Access
Open ports:
- 21: vftpd 3.0.3
- 22: OpenSSH 8.2p1 Ubuntu 4ubuntu0.2
- 80: gunicorn
The website contains a dashboard with three functionalities. You can obtain the network status, the IP config and a 5 second PCAP + Analysis.
Browsing the Security Snapshat (5 second PCAP) site redirects to /data/1. Changing /data/1 to /data/0 brings you to a different analysis that can be downloaded.
The pcap for /data/0 (0.pcap) contained a TCP Stream for the FTP protocol. Following that stream in Wireshark revealed an username and a password: nathan:Buck3tH4TF0RM3!
Using these credentials it is possible to log in via FTP and SSH and obtain the user flag.
Privilege escalation
The file /var/www/html/app.py
runs as root and the current user is able to modify the code.
The code was changed like the following:
0if __name__ == "__main__":
1 command = f"""python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'"""
2 os.system(command)
3 #app.run("0.0.0.0", 80, debug=True)
Afterwards the script simply got executed what lead to a root shell (no sudo necessary).