A web app with an IDOR vulnerability leaks FTP credentials via a PCAP download, leading to a shell as Nathan and a quick Linux capability exploit to root.
OK, let's take a look through the website that has been spun up.
So, it's some sort of security dashboard. Let's look at network status on the left to see if it gives us any clues.
10.10.14.14 is our IP address; ports 36710 and 51702 seem interesting. Let's see what that is.
I get bored with Minecraft after about 30 minutes (sorry if that offends you). Nothing here really gives us any hint... but let's keep this top of mind. There's DNS (port 53) pointed at itself, established to 127.0.0.53; perhaps this is a DNS server?
I clicked "Nathan" in the top right. Hey Nathan, you should log out. Please practice better OPSEC.
None of these menus do anything...
Let's check the menus on the left as well just to cover bases.
"Security Snapshot..." takes us to a place where we can download PCAP analysis. IP config: let's screenshot this in case we need it later.
Let's see if there is anything obvious by looking at the page source.
Don't see anything really offhand here. But sir, please get back to Ratul; he's probably still eagerly waiting.
Next step: enumerate ports with Nmap.
Hmm, we've got FTP and SSH ports open!
Can I FTP anonymously into this?
Nope. Hm. Let's take another look at that SSH port.
It would appear that we need a key before we can SSH into this.
Let's try brute-forcing directories: run gobuster and see whether it turns up anything interesting.
/capture redirects to /data/7, meaning the PCAP download IDs are sequential integers. Classic IDOR setup.
Woah! /capture redirects to /data/7!
Let's try some other ones and see what we see. Here's 1:
There are packets here! Let's download the .pcap and analyze it in Wireshark.
Nothing really worth noticing; they're just our own HTTP traffic. Nothing exposed related to FTP.
Recall my VPN is 10.10.14.14.
Hm... 1, 2, 3, 4, 5, 6, and 7 all contain my probing packets (web). No screenshots, but just take my word for it.
8 redirects me back to the dashboard.
How about 10.129.67.231/data/0?
Hmm... let's download this one and look at it in Wireshark...
Oh, Nathan. You made an uh oh.
The /data/0 endpoint, accessible without authentication, contains a PCAP of a previous FTP session. FTP sends credentials in plaintext. GG Nathan.
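The pattern behind the /data/<id> leak, as an added example that is not the box's code: a download handler with the IDOR beside a hardened version, plus a self-test that walks the sequential id space the way the enumeration above did and reports which ids hand data to a caller who does not own it. The store contents, user names and function names are constructed for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

class Forbidden(Exception):
    pass

class NotFound(Exception):
    pass

# Constructed sample store (hypothetical): id -> (owner, pcap bytes).
# Capture 0 stands in for the old FTP session; 1 and 2 are the current
# user's own probing traffic.
STORE: Dict[int, Tuple[str, bytes]] = {
    0: ("nathan", b"constructed-pcap-0"),
    1: ("guest", b"constructed-pcap-1"),
    2: ("guest", b"constructed-pcap-2"),
}

def download_vulnerable(capture_id: int, user: Optional[str]) -> bytes:
    """The IDOR: the id from the URL is the only thing consulted."""
    if capture_id not in STORE:
        raise NotFound(capture_id)
    return STORE[capture_id][1]

def download_fixed(capture_id: int, user: Optional[str]) -> bytes:
    """Hardened: require a session, then enforce ownership server-side."""
    if user is None:
        raise Forbidden("login required")
    entry = STORE.get(capture_id)
    # Same 404 for missing and foreign ids, so valid ids cannot be confirmed
    if entry is None or entry[0] != user:
        raise NotFound(capture_id)
    return entry[1]

Handler = Callable[[int, Optional[str]], bytes]

def leaked_ids(handler: Handler, user: Optional[str], max_id: int = 10) -> List[int]:
    """Endpoint self-test: walk the sequential id space as a given caller and
    return every id that came back with data the caller does not own."""
    leaked = []
    for cid in range(max_id):
        try:
            handler(cid, user)
        except (Forbidden, NotFound):
            continue
        if user is None or STORE[cid][0] != user:
            leaked.append(cid)
    return leaked
```

Run `leaked_ids` against both handlers with `user=None` and with a logged-in user: the vulnerable handler leaks capture 0 to everyone, the fixed one leaks nothing.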
Well, now that we have this, let's go ahead and FTP in and see what Nathan sees. Please call us Nathan from now on.
Now let's pwn root. Let's poke around as Nathan.
Nothing really interesting here.
cap_setuid on the Python binary means we can call os.setuid(0) to become root: no sudo, no SUID bit required.
cap_setuid tells us we should be able to set our ID to 0 (root). Can we do that?
Sigh. That was a little too easy.
So "Cap", the name, is for packet capture, which is exactly how we ended up pwning this box.
The IDOR on /data/0 exposed a PCAP containing Nathan's FTP credentials in plaintext.
FTP is unencrypted, so once that traffic is captured, it's game over.
From there, a misconfigured Linux capability (cap_setuid on Python) handed us root in one line.
Clean box. Great fundamentals lesson. Woo hoo!