HTB: Cap Walkthrough


Writeup — Cap By Araiz Naqvi

Overview

- Difficulty: Easy
- Operating System: Linux
- Objective: Capture User and Root flag.
- Tools Used: nmap, ftp, sshclient, whatweb, gunicorn, wireshark, openvpn, python3

If you’re unable to view it fully due to Medium Subscriptions, you can view it at 


Nmap Scanning

As is usually the case, the first step is to scan the target IP for open ports and the services and service versions running on them:

Nmap Scan

As can be seen, the services running are FTP, SSH and HTTP.
The target also appears to be running Linux.


Trying to Log in to FTP and SSH

Let’s try to use anonymous login for FTP:

FTP Login Attempt

Anonymous login is not allowed.
Similarly, SSH did not accept common usernames and passwords.

Clearly, I'll have to find credentials somewhere else.

This is really valuable information, but let's still gather information on other aspects of the target. Let's continue with web fingerprinting.



Enumerating the Web Fingerprint

Let's start with good old whatweb:

Enumerating Web Technologies in use.

Immediately, it's evident that something called gunicorn is in use. It looks like a CMS at first, but it's actually a Python HTTP server, much like Apache but serving Python applications.

From here I went searching to see if there were exploits available for `gunicorn`:

Gunicorn CVE

But looking at this, I wanted to take a look at what the webpage itself might look like, and oh boy! Here is where it gets interesting.


Browsing 10.10.10.245

When I browsed, here’s what I first saw:

Nothing too interesting at first.
Let’s go to the Security Snapshot page:

So, I downloaded the .pcap. At the time I did it, it was called 5.pcap, but as I'm writing this walkthrough it's called 6.pcap.
Now, open 6.pcap:

I even tried following the TCP stream (right-click > Follow > TCP Stream), but it showed nothing very special:

Usually, with URLs like these there's an IDOR vulnerability, so I next tried changing the number and, damn, I was able to get pcaps possibly created by someone else.
I went back to the first pcap (I mean 0), since obviously there are no negative numbers.
If these pcaps are being created in order, the very first one, i.e. 0.pcap, should contain something special!
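The download route behaves this way because the capture is looked up by the number in the URL alone, with no check that it belongs to the requesting user. The following is an added example, not the Cap box's own application: a minimal WSGI app of the kind gunicorn serves, with the vulnerable lookup beside a hardened one. The `/data/<id>` route, the `REMOTE_USER` header set by an upstream login layer, and the capture store are all hypothetical.

```python
"""Added example (hypothetical app, not Cap's code): a per-user capture download
route in an IDOR-prone form and a hardened form, as a plain WSGI callable."""
import re

# Constructed sample store: capture id -> (owner, capture bytes)
CAPTURES = {
    0: ("nathan", b"pcap-bytes-0"),
    5: ("alice", b"pcap-bytes-5"),
    6: ("alice", b"pcap-bytes-6"),
}
ROUTE = re.compile(r"^/data/(\d+)$")
PCAP_HEADERS = [("Content-Type", "application/vnd.tcpdump.pcap")]
TEXT_HEADERS = [("Content-Type", "text/plain")]


def _not_found(start_response):
    start_response("404 Not Found", TEXT_HEADERS)
    return [b"not found"]


def vulnerable_app(environ, start_response):
    """Looks the capture up by the id in the URL alone. Any authenticated user can
    count through /data/0, /data/1, ... and fetch every other user's capture,
    which is the IDOR the writeup describes."""
    user = environ.get("REMOTE_USER")  # assumption: set by an auth layer upstream
    match = ROUTE.match(environ.get("PATH_INFO", ""))
    if user is None or match is None:
        return _not_found(start_response)
    record = CAPTURES.get(int(match.group(1)))
    if record is None:
        return _not_found(start_response)
    start_response("200 OK", PCAP_HEADERS)
    return [record[1]]


def hardened_app(environ, start_response):
    """Same route, but ownership is part of the lookup: a capture owned by someone
    else is answered exactly like a missing one, so an enumerating client learns
    nothing from the response (no 403 that confirms the id exists)."""
    user = environ.get("REMOTE_USER")
    match = ROUTE.match(environ.get("PATH_INFO", ""))
    if user is None or match is None:
        return _not_found(start_response)
    record = CAPTURES.get(int(match.group(1)))
    if record is None or record[0] != user:
        return _not_found(start_response)
    start_response("200 OK", PCAP_HEADERS)
    return [record[1]]


def request(app, path, user=None):
    """Drive a WSGI app directly (no server needed); returns (status, body)."""
    environ = {"PATH_INFO": path}
    if user is not None:
        environ["REMOTE_USER"] = user
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # nathan asking for alice's capture: the vulnerable app hands it over,
    # the hardened app answers as if it did not exist.
    print(request(vulnerable_app, "/data/5", user="nathan"))
    print(request(hardened_app, "/data/5", user="nathan"))
    print(request(hardened_app, "/data/5", user="alice"))
```

Either callable can be served with gunicorn in the usual `gunicorn module:callable` form; the ownership check is the whole difference between the two. Treating "not yours" and "does not exist" identically is deliberate, since a distinct 403 would still let a client map which ids are in use.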


Working on 0.pcap

Upon opening 0.pcap:

With a packet capture, I would usually first filter for HTTP:

I'll save you the time: I followed the TCP stream for each and there was nothing special, just a bunch of HTML and CSS.
So, I decided to scroll through the packets with no filters, and here's where the gold was found (although a little bs I did but… deal with it :_ ))


Let’s follow the TCP stream:

Voila! We've found the username and password.
(It was only a minute later that I realised I had already read the password in the packet itself…)
Let's use this information to log in to FTP and SSH.
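FTP sends the USER and PASS commands in cleartext, which is why the credentials are readable straight off the packet. As an added example, not part of the original writeup, here is the check a defender would run over a capture before storing or sharing it: a small pure-standard-library pcap walker that reports FTP logins seen on port 21 and masks the password in its report. The capture it scans is constructed inline (addresses, ports and the credential pair are made up).

```python
"""Added example (not from the writeup): flag cleartext FTP credentials in a
classic little-endian Ethernet pcap, using only the standard library."""
import struct
from dataclasses import dataclass

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
FTP_PORT = 21


@dataclass
class Finding:
    packet: int     # 1-based record index within the capture
    src: str        # client ip:port
    dst: str        # server ip:port
    command: str    # "USER" or "PASS"
    argument: str   # username as seen; passwords are masked to their length


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def scan_pcap_for_ftp_credentials(data: bytes) -> list:
    """Walk each record, decode Ethernet/IPv4/TCP by hand, and report FTP
    USER/PASS commands addressed to port 21."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")

    findings, offset, index = [], 24, 0
    while offset + 16 <= len(data):
        index += 1
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        pkt = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len

        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                     # not TCP
            continue
        tcp = ip[ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]                 # honour TCP options
        if dport != FTP_PORT or not payload:
            continue

        # FTP control commands are one CRLF-terminated line each.
        for line in payload.split(b"\r\n"):
            parts = line.split(b" ", 1)
            cmd = parts[0].upper()
            if cmd not in (b"USER", b"PASS") or len(parts) < 2:
                continue
            arg = parts[1].decode("utf-8", "replace")
            if cmd == b"PASS":
                arg = "*" * len(arg)   # report exposure, not the secret itself
            findings.append(Finding(index, f"{_ip(ip[12:16])}:{sport}",
                                    f"{_ip(ip[16:20])}:{dport}", cmd.decode(), arg))
    return findings


def _record(src_ip, sport, dst_ip, dport, payload: bytes) -> bytes:
    """One pcap record: Ethernet + IPv4 + TCP + payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


def build_sample_pcap() -> bytes:
    """Constructed capture: an HTTP request (ignored), then an FTP login."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + (
        _record("192.0.2.10", 54000, "192.0.2.1", 80, b"GET / HTTP/1.1\r\n\r\n")
        + _record("192.0.2.10", 54001, "192.0.2.1", 21, b"USER nathan\r\n")
        + _record("192.0.2.1", 21, "192.0.2.10", 54001, b"331 Please specify the password.\r\n")
        + _record("192.0.2.10", 54001, "192.0.2.1", 21, b"PASS example-pass\r\n")
    )


if __name__ == "__main__":
    for f in scan_pcap_for_ftp_credentials(build_sample_pcap()):
        print(f"packet {f.packet}: {f.command} {f.argument} ({f.src} -> {f.dst})")
```

Run against a real file by passing `open("0.pcap", "rb").read()` to `scan_pcap_for_ftp_credentials`. The scanner only understands the classic little-endian pcap format with Ethernet framing, which is what tcpdump and Wireshark write by default; pcapng or other link types raise rather than silently returning nothing.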


Logging into FTP and SSH

Let's use the username nathan and password Buck3tH4TF0RM3! as follows:

Connecting FTP with creds found

And, we’re in!
Let’s go looking for our flags next.

There’s our user flag!

There it is, user.txt. Let’s get it using the get command:

Let's also log in to SSH to see if the creds work:

SSH successful login!

And, I'm in!
I'm going to work towards getting the root flag next.
I then ran linpeas.sh, which was already on the box, as if the target wants us to hack it. Nevertheless, quite frankly, this is where I realised my knowledge of LinPEAS is quite poor.

I saw a file called exploit.py.
I first cat it to see what's inside:

Exploiting Root Priv File

Damn it! The file literally reads /root/root.txt line by line, which is exactly what we're looking for. So, let's just run it:

Root Flag

We now have both flags.


Flag

The user.txt flag is 91b95f2f01723cee1a5ea4fe0f336a40.
The root.txt flag is 394670b7448360ea0e8c9ba29dab8da2.


Prepared by Araiz Naqvi
