Cap –

Initial foothold / user

Default scan reveals 3 open ports

Going to the website shows an already logged in gunicorn website.

Browsing it, I found interesting looking links

But messing around with that led me nowhere.
The PCAP analysis page though was interesting.

Going to /data/0, downloading it and opening it in Wireshark, credentials are found.

Apparently it should work for FTP. nathan:Buck3tH4TF0RM3! and it works.

And in that directory we get user.txt.
After trying to push files into various directories without any success, it finally hit me… Why not try SSH?
Of course that worked.

Privilege escalation / root

Browsing around, and of course checking the standard sudo -l, got me nowhere. But one file was interesting, /var/www/html/, since it is writeable by nathan. But after a few attempts I decided to let it go and go back to basic enumeration. I uploaded the suid3num script; it found nothing out of the ordinary. Then I pushed linpeas onto the box and found something quite exciting, especially with the box name in mind.

Python has a fun little capability enabled. Exploiting that we get root.
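The finding above is a Linux file capability set on an interpreter. The same check can be run as a routine audit on your own hosts. The following is an added example, not part of the original post: it parses `getcap -r /` output in both the older and newer libcap formats and flags high-risk capabilities, and the `HIGH_RISK` list, interpreter pattern and sample lines are assumptions chosen for illustration.

```python
import os
import re
import sys

# Capabilities that allow changing identity or bypassing permission checks.
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_setfcap", "cap_chown", "cap_fowner",
             "cap_dac_override", "cap_dac_read_search", "cap_sys_admin",
             "cap_sys_ptrace", "cap_sys_module"}
# Interpreters execute arbitrary code, so a high-risk capability on one is critical.
INTERPRETER = re.compile(r"^(python|perl|ruby|php|node|lua|bash|dash|sh)[\d.]*$")
# getcap prints "/path = caps+eip" (older libcap) or "/path caps=eip" (newer libcap).
LINE = re.compile(r"^(?P<path>/\S+)\s+(?:=\s+)?(?P<clauses>\S.*)$")
CLAUSE = re.compile(r"^(?P<names>[a-z0-9_,]*)(?P<ops>(?:[=+-][eip]*)+)$")

def audit(getcap_output):
    """Return [(path, risky_caps, severity)] for files granting high-risk capabilities."""
    findings = []
    for raw in getcap_output.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        risky = set()
        for clause in line["clauses"].split():
            m = CLAUSE.match(clause)
            if not m:
                continue
            # Only clauses that raise the effective or permitted set matter.
            raised = any(op in "+=" and set(flags) & {"e", "p"}
                         for op, flags in re.findall(r"([=+-])([eip]*)", m["ops"]))
            if not raised:
                continue
            # An empty name list (e.g. "=ep") means every capability.
            names = set(m["names"].split(",")) - {""} or {"all"}
            risky |= {n for n in names if n in HIGH_RISK or n == "all"}
        if risky:
            is_interp = INTERPRETER.match(os.path.basename(line["path"]))
            findings.append((line["path"], sorted(risky), "critical" if is_interp else "high"))
    return findings

# Constructed sample covering both getcap output formats (not taken from the box).
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3 = cap_setuid,cap_net_bind_service+eip
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tools/backup cap_dac_read_search=ep
"""

if __name__ == "__main__":
    # Pipe in `getcap -r / 2>/dev/null`, or run with no input to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for path, caps, severity in audit(text):
        print(f"[{severity}] {path}: {','.join(caps)}")
```

Any flagged capability that is not needed can be cleared with `setcap -r <path>`.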

This box was a milestone for me. It’s the first box that takes me less than an hour to complete.