Working with Linux Capabilities | Cap HackTheBox

Linux capabilities allow for a nuanced approach to the security architecture, breaking down the absolute root privilege into specific individual permissions. This division provides a detailed control mechanism as opposed to the generic superuser model.

“Cap” is a HackTheBox machine designed to test one’s grasp of pcap files and SSH, but also emphasizes the importance of understanding Linux capabilities. Dive into the Cap CTF walkthrough to enhance your understanding of these capabilities.

 

Insights

  • Linux capabilities allow detailed security controls by breaking down root privileges.
  • Packet capture (PCAP) files can reveal plain-text data, highlighting encryption’s importance.
  • Understanding Linux capabilities can reveal privilege escalation opportunities in cybersecurity assessments.

User Flag

Scanning

Initiating the box, I began with a straightforward Nmap scan.

nmap -sC -F 10.129.205.117 -oN init-scan
Nmap scan report for 10.129.205.117
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn

Observing the results, an HTTP service is active. I proceeded to run gobuster for directory enumeration, aiming to identify potential entry points.

└─$ gobuster dir --url http://10.129.205.117 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Navigating to the /capture directory, there’s a specific endpoint labeled /1. On downloading and inspecting this file using Wireshark, it’s evident that the traffic captured is from our gobuster directory search. Given the “Dashboard” indication, it seems these files represent network traffic snapshots. Naturally, I turned my attention to the earliest generated file.

PCAP Files

The 0.pcap file, when analyzed, reveals an FTP request. One of the notable features of PCAP files is that they can sometimes contain cleartext data, particularly if the protocols captured don’t use encryption. In this case, the FTP request clearly displays both the username and password, offering us potential credentials to utilize elsewhere.

36  4.126500  192.168.196.1  192.168.196.16  FTP  69  Request: USER ****an
40  5.424998  192.168.196.1  192.168.196.16  FTP  78  Request: PASS *********RM3!

With the credentials in hand from the 0.pcap file, I proceeded to access the FTP server. Logging in was straightforward, and soon after, I was able to locate and retrieve the user flag.

Root Flag

With the same credentials as the FTP server, we can log into the SSH service and start to privesc. Initially, I tried to use sudo -l to see if there were any programs we could run as root, but we don’t have sudo permissions. So, after trying a few other techniques, such as inspecting the crontab and searching for SUID bits, I launched linpeas. Unfortunately, I didn’t see anything that stood out, so I searched for further manual privesc techniques.

Linux Capabilities and Getcap

Having been introduced to getcap, it’s crucial to delve deeper into the realm of Linux capabilities to fully appreciate its potential for privilege escalation.

In Linux, capabilities offer a refined way to dictate what privileges a root process or thread holds. Rather than giving omnipotent power to a root process, capabilities dissect this authority into smaller permissions. This approach not only enhances security but also limits the damage a compromised root process can inflict. Each capability serves as a permit, signaling the process or thread about its rights. An instance is the CAP_KILL capability, which, when assigned, enables a process to forcefully terminate other processes.

If you wish to get a comprehensive grasp of all Linux capabilities, the man capabilities command proves handy. Among the myriad of capabilities, some noteworthy ones include:

  • CAP_KILL: Allows a process to send termination signals without permissions.
  • CAP_DAC_OVERRIDE: Bypasses file read, write, and execute permission checks.
  • CAP_CHOWN: Empowers a process to alter the user ID and group ID of files.
  • CAP_SETUID: Grants a process the rights to change user IDs as it pleases.

The getcap utility, a part of this capabilities ecosystem, showcases the capabilities associated with specified files. It’s a potent tool to identify binaries adorned with peculiar capabilities, like blanket read or write permissions.

user@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

I discovered that Python3.8 had the cap_setuid capability. This meant Python3.8 could change its User ID (UID). Essentially, it could allow me to switch to another user, including root, without needing a password.

Given this capability, I realized I could use Python3.8 to initiate a new shell with root privileges. I crafted a specific inline Python command, leveraging this capability to elevate my privileges and successfully gained root access. This find highlighted the importance of understanding and keeping an eye on Linux capabilities.

/usr/bin/python3 -c 'import os;os.setuid(0); os.system("/bin/bash")'

After gaining root access, I simply used the cat command on the root.txt file to retrieve its contents.

Conclusion & Summary

It seemed the name of the box was quite a revealing hint! That concluded my exploration of this box. Kudos to HTB for providing another engaging VM.

Linux capabilities present a segmented approach to security permissions, fragmenting the overarching root privilege into detailed permissions for finer control. “Cap,” a HackTheBox challenge, is an avenue to explore these capabilities while also honing skills with pcap files and SSH.

User Flag Process:

  • An initial Nmap scan revealed FTP, SSH, and HTTP services.
  • Directory enumeration with gobuster unveiled a /capture directory.
  • PCAP files in the directory, when dissected with Wireshark, exposed an FTP request containing plain-text credentials.
  • These credentials granted FTP access, leading to the acquisition of the user flag.

Root Flag Journey:

  • Using the previously discovered credentials, SSH access was achieved.
  • With initial attempts at privilege escalation proving fruitless, attention was turned to understanding Linux capabilities.
  • The getcap utility showcased Python3.8 having the cap_setuid capability, allowing for a User ID change.
  • Leveraging Python3.8’s capability, a new shell was invoked with root privileges, culminating in the retrieval of the root flag.

Key Takeaway: Linux’s nuanced capabilities mechanism underlines the significance of understanding the security permissions at a granular level. This exploration underscores the essence of observing Linux capabilities for potential privilege escalation paths. Kudos to HackTheBox for another immersive experience.

Back To Top