
HTB——Cap


0x01 Information Gathering


 _____                             ___  _             
/__   \ ___   ___   __ _  _ __    / _ \| | _   _  ___ 
  / /\// __| / __| / _' || '_ \  / /_)/| || | | |/ __|
 / /   \__ \| (__ | (_| || | | |/ ___/ | || |_| |\__ \
 \/    |___/ \___| \__,_||_| |_|\/     |_| \__,_||___/

https://github.com/TideSec/TscanPlus
TscanClient Version: 2.7.4  NewVersion: 2.7.5  Expired: 2026.01.01
[03:23:58] [INFO] Start IpScan:10.129.130.78
[03:23:58] [INFO] 开始扫描 1 个主机的 65535 个端口,共 65535 个任务

端口扫描   0% [░░░░░░░░░░░░░░░░░░░░] (55/65535) [1s:20m7s]
[03:23:59] [+] 10.129.130.78:21 open
[03:23:59] [+] 10.129.130.78:22 open
[03:23:59] [+] 10.129.130.78:80 open
[03:24:01] [+] [TCP/FTP]  [Vsftpd 3.0.3] 10.129.130.78:21 [220 (vsFTPd 3.0.3)]
[03:24:01] [INFO] start FTP check 10.129.130.78:21
[03:24:01] [+] 开始 FtpScan 任务: FTP://10.129.130.78:21
[03:24:01] [+] [TCP/SSH]  [OpenSSH 8.2p1 Ubuntu 4ubuntu0.2] 10.129.130.78:22 [SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2]
[03:24:01] [INFO] start SSH check 10.129.130.78:22
[03:24:01] [+] 开始 SshScan 任务: SSH://10.129.130.78:22
[03:24:02] [+] [TCP/HTTP] [200] [gunicorn][jQuery] http://10.129.130.78:80 [Security Dashboard]
[03:24:33] [+] alive ports is: 3
[03:24:33] [+] Ip扫描结束:10.129.130.78
[03:24:33] [INFO] Start UrlScan:http://10.129.130.78:80
[03:24:34] [+] [TCP/HTTP] [200] [gunicorn][jQuery] http://10.129.130.78:80 [Security Dashboard]
[03:24:34] [+] Url扫描结束:http://10.129.130.78:80
[03:24:34] [+] 项目任务完成:Default, Timeuse:35.836201202
[03:24:34] [+] 扫描结束,耗时: 36.508640825s

Visiting the Security Dashboard service on port 80 and creating a security snapshot, we observe that the resulting URL is data plus a number. No authorization check is performed here, so by changing the number we can view other users' snapshots. Through the /data/0 route we can download the sensitive capture file 0.pcap.
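The flaw described above is an insecure direct object reference: the route trusts the numeric id in the URL and never checks who owns the snapshot. The following added example (not the Cap application's own source; the store, the `NotFound` exception and the paths are constructed for illustration) models the snapshot download handler twice, once as the box behaves and once with an ownership check. It also shows why random ids alone are not the fix: the hardened handler rejects another user's snapshot regardless of how guessable the id is, and reports it exactly like a missing one so status codes do not reveal which ids exist.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Snapshot:
    owner: str       # username that created the capture
    pcap_path: str   # where the capture file lives on disk (constructed path)


class SnapshotStore:
    """In-memory stand-in for the dashboard's snapshot table (constructed for this example)."""

    def __init__(self):
        self._snapshots = {}
        self._next_seq = 0

    def create_sequential(self, owner, pcap_path):
        # Sequential ids, like /data/0, /data/1 on the box: trivially guessable.
        snap_id = str(self._next_seq)
        self._next_seq += 1
        self._snapshots[snap_id] = Snapshot(owner, pcap_path)
        return snap_id

    def create_random(self, owner, pcap_path):
        # Unguessable ids raise the cost of enumeration but never replace the owner check.
        snap_id = secrets.token_urlsafe(16)
        self._snapshots[snap_id] = Snapshot(owner, pcap_path)
        return snap_id

    def lookup(self, snap_id):
        return self._snapshots.get(snap_id)


class NotFound(Exception):
    """The web layer would map this to HTTP 404."""


def download_vulnerable(store, current_user, snap_id):
    """Mirrors the /data/<id> behaviour: any logged-in user gets any snapshot."""
    snap = store.lookup(snap_id)
    if snap is None:
        raise NotFound(snap_id)
    return snap.pcap_path


def download_hardened(store, current_user, snap_id):
    """Authorize on the object, not just the session.

    A snapshot owned by someone else is reported exactly like a missing one,
    so the id space cannot be probed through differing status codes.
    """
    snap = store.lookup(snap_id)
    if snap is None or snap.owner != current_user:
        raise NotFound(snap_id)
    return snap.pcap_path


def demo():
    """Return (what the vulnerable handler leaks, what the hardened one serves, whether it blocked)."""
    store = SnapshotStore()
    admin_snap = store.create_sequential("admin", "/var/captures/0.pcap")
    nathan_snap = store.create_sequential("nathan", "/var/captures/1.pcap")
    leaked = download_vulnerable(store, "nathan", admin_snap)   # another user's file
    own = download_hardened(store, "nathan", nathan_snap)        # own file, allowed
    try:
        download_hardened(store, "nathan", admin_snap)
        blocked = False
    except NotFound:
        blocked = True
    return leaked, own, blocked


if __name__ == "__main__":
    print(demo())
```

The check belongs in the handler (or a shared authorization helper it calls), not in the template or the client: the dashboard already knew the session user, it simply never compared it with the snapshot's owner.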


0x02 Traffic Analysis


Analyzing the traffic, we can capture the plaintext credentials nathan:Buck3tH4TF0RM3!. Logging in with these credentials is enough to obtain user.txt.

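Pulling a cleartext login out of a capture is the same work a defender does when checking whether credentials are crossing the wire unencrypted. The added example below is not from the writeup: it is a minimal classic-pcap reader (Ethernet/IPv4/TCP only, no scapy dependency) that reports every FTP USER/PASS pair sent to port 21. The capture is constructed inline with the assumption, suggested by the open port 21 in the scan, that the leaked credentials travelled in an FTP login; the IP addresses and timestamps are made up and the recovered password is the one the post reports.

```python
import re
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
FTP_CMD = re.compile(rb"^(USER|PASS) (.*)\r\n", re.M)


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame with zeroed checksums (enough for offline parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture: a client (192.0.2.16) logging in to an FTP server (192.0.2.1)."""
    client, server = "192.0.2.16", "192.0.2.1"
    frames = [
        build_tcp_frame(server, client, 21, 54321, b"220 (vsFTPd 3.0.3)\r\n"),
        build_tcp_frame(client, server, 54321, 21, b"USER nathan\r\n"),
        build_tcp_frame(server, client, 21, 54321, b"331 Please specify the password.\r\n"),
        build_tcp_frame(client, server, 54321, 21, b"PASS Buck3tH4TF0RM3!\r\n"),
        build_tcp_frame(server, client, 21, 54321, b"230 Login successful.\r\n"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1622000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_frames(data):
    """Yield (ts_sec, frame_bytes) from a classic pcap; honours either byte order."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("this example only parses Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src, sport, dst, dport, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                      # IP protocol field: 6 = TCP
        return None
    (total_len,) = struct.unpack_from("!H", frame, 16)
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, sport, dst, dport, frame[tcp_off + data_off:14 + total_len]


def find_ftp_credentials(pcap_bytes, ftp_port=21):
    """Pair each PASS with the preceding USER on the same client->server flow."""
    pending_user, findings = {}, []
    for ts, frame in iter_pcap_frames(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is None or parsed[3] != ftp_port:
            continue
        src, sport, dst, dport, payload = parsed
        flow = (src, sport, dst, dport)
        for m in FTP_CMD.finditer(payload):
            arg = m.group(2).decode("ascii", "replace")
            if m.group(1) == b"USER":
                pending_user[flow] = arg
            else:
                findings.append({"ts": ts, "client": src, "server": dst,
                                 "user": pending_user.get(flow), "password": arg})
    return findings


if __name__ == "__main__":
    for f in find_ftp_credentials(build_sample_pcap()):
        print(f"{f['client']} -> {f['server']}: {f['user']} / {f['password']}")
```

Run it against a real file with `find_ftp_credentials(open("0.pcap", "rb").read())`. A hit in production traffic is a finding in itself: the fix is to retire FTP for SFTP or FTPS, and to treat the recovered password as compromised, especially where, as on this box, it is reused for SSH.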


0x03 python setuid Privilege Escalation


We upload linpeas and run it; it flags python3.8 for capability abuse, so we try to escalate privileges through python3.

Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

For the specifics, see the details of python setuid privilege escalation; please look them up online yourself.
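From the defender's side, the interesting question is how this misconfiguration gets caught before linpeas does. The added example below is not part of the writeup: it parses `getcap -r /` output (both the older `path = caps+flags` form shown above and the newer `path caps=flags` form), flags file capabilities that amount to an identity change or a DAC bypass, and treats an interpreter carrying any such capability as high severity. The sample input is the five lines reported on this box; the severity sets and the `run_getcap` wrapper are this example's own choices.

```python
import os
import re
import subprocess

# Capabilities that let a process change identity or bypass file permission checks.
IDENTITY_OR_DAC_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
}
# General-purpose interpreters: any elevated capability on these is a root shell waiting to happen.
INTERPRETER_RE = re.compile(r"^(python\d*(\.\d+)?|perl\d*|ruby\d*|node|php\d*|lua\d*)$")

# Handles "path = a,b+eip" (libcap 2.x, as linpeas printed it here) and "path a,b=eip" (newer getcap).
GETCAP_LINE = re.compile(r"^(\S+)\s*=?\s*(.+?)[+=]([eip]+)$")

# Sample input: the capability listing reported on the box (from the writeup above).
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""


def parse_getcap_output(text):
    """Return a list of (path, set_of_caps, flags) tuples, skipping lines that do not parse."""
    entries = []
    for line in text.splitlines():
        m = GETCAP_LINE.match(line.strip())
        if not m:
            continue
        path, caps, flags = m.group(1), m.group(2), m.group(3)
        entries.append((path, {c.strip().lower() for c in caps.split(",")}, flags))
    return entries


def classify(path, caps):
    """high: identity/DAC capability, or any capability on an interpreter; info otherwise."""
    dangerous = caps & IDENTITY_OR_DAC_CAPS
    if dangerous or INTERPRETER_RE.match(os.path.basename(path)):
        return "high"
    return "info"


def audit_getcap_output(text):
    """Produce findings in input order, each with a concrete remediation command."""
    findings = []
    for path, caps, flags in parse_getcap_output(text):
        severity = classify(path, caps)
        findings.append({
            "path": path,
            "caps": sorted(caps),
            "flags": flags,
            "severity": severity,
            # setcap -r strips the file's capability set entirely; re-add only what a
            # dedicated, non-interpreter binary genuinely needs.
            "remediation": f"setcap -r {path}" if severity == "high" else None,
        })
    return findings


def run_getcap(root="/"):
    """Live audit on a Linux host (requires the getcap binary); not used by the offline demo."""
    out = subprocess.run(["getcap", "-r", root], capture_output=True, text=True)
    return audit_getcap_output(out.stdout)


if __name__ == "__main__":
    for f in audit_getcap_output(SAMPLE_GETCAP):
        print(f"[{f['severity']}] {f['path']} {','.join(f['caps'])}+{f['flags']}"
              + (f"  ->  {f['remediation']}" if f["remediation"] else ""))
```

The `ping`/`traceroute6`/`mtr-packet` lines with `cap_net_raw` are the normal Ubuntu baseline and come out as `info`; only `/usr/bin/python3.8` is reported as `high`, because a `cap_setuid` grant on an interpreter is equivalent to a root setuid binary that runs arbitrary code. Scheduling this audit (or an equivalent `getcap -r /` diff) alongside the usual SUID sweep catches the misconfiguration at deploy time.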
