Let’s discuss Caption. Please do not share any flags or writeups.
A hard Linux machine. We’ll beat it!
The creator of the machine is MrR3boot.
He has created more than 7 hardware challenges and 19 pentesting machines. This machine will be his 20th. His machines have an average rating of 4.2/5.
Initial Access
- Navigate to the Web Interface: go to http://capstone.htb:8080 to access the Git web application.
- Log In with Default Credentials: use username root and guess the password.
Command Injection
- Execute Command via SQL Injection: check this resource to learn how to create an alias for command execution:
- Extract SSH Private Key: use the command injection to read the SSH key:
CALL EXECVE('cat /home/user/.ssh/id_rsa');
- SSH into the Machine: log in using the SSH key:
ssh -i id_rsa user@capstone.htb
Privilege Escalation
- Inspect server.go: review the server.go file to find the Thrift service running as root, which is also vulnerable to command injection. Its source code is available at http://caption.htb:8080/root/Logservice/blob/main/server.go.
- Create a Malicious Log File: create a log file that will trigger the command injection:
127.0.0.1 "user-agent":"'; /bin/bash /tmp/payload.sh #"
- Exploit the Vulnerability: interact with port 9090 (server.go) to exploit the vulnerability. I am not including the code for the Thrift client here to avoid spoilers. You can write a Python script to trigger the command injection and exploit the vulnerability. Alternatively, you can use ChatGPT to generate the code for you. Send server.go to ChatGPT and ask how to interact with the server.go file.
These are general hints if you are stuck at any point and want to move forward. If you need more specific help, feel free to ask!
Exclusive content is now available for Caption.
What is Exclusive Content? It includes detailed hints and tips to guide you toward a 100% solution for the CTF challenge.
Only donors have access to this exclusive content. If you’d like to donate and gain access, feel free to reach out to me. We accept all cryptocurrencies.
You can still ask for help and specific hints in this thread.
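A defender-side check for the log pattern described in the hints above, added here as an example (it is not server.go and not code from anyone in this thread): it parses lines of an assumed <ip> "user-agent":"<value>" layout, flags values that could escape a quoted shell argument, and runs over two constructed sample lines.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// Constructed sample lines; the second is the injection pattern quoted above.
var sampleLines = []string{
	`10.0.0.5 "user-agent":"Mozilla/5.0 (X11; Linux x86_64)"`,
	`127.0.0.1 "user-agent":"'; /bin/bash /tmp/payload.sh #"`,
}
// Assumed layout <ip> "user-agent":"<value>"; the real server.go may differ.
var uaPattern = regexp.MustCompile(`^(\S+) "user-agent":"(.*)"$`)

// Characters that end or escape a quoted shell argument. ';' and parentheses
// are left out: common in benign user agents and harmless inside the quotes.
const escapeChars = "'\"`$\\\n"

// ParseUserAgent returns the user-agent field; ok is false on a layout mismatch.
func ParseUserAgent(line string) (ua string, ok bool) {
	m := uaPattern.FindStringSubmatch(line)
	if m == nil {
		return "", false
	}
	return m[2], true
}

// SuspiciousUserAgent: could the value break out of a quoted shell argument?
func SuspiciousUserAgent(ua string) bool {
	return strings.ContainsAny(ua, escapeChars)
}

// FlagInjectedLines returns lines worth alerting on. Unparseable lines are
// flagged too; the durable fix is exec.Command with discrete arguments.
func FlagInjectedLines(lines []string) []string {
	var flagged []string
	for _, l := range lines {
		if ua, ok := ParseUserAgent(l); !ok || SuspiciousUserAgent(ua) {
			flagged = append(flagged, l)
		}
	}
	return flagged
}

func main() {
	for _, l := range FlagInjectedLines(sampleLines) {
		fmt.Println("flagged:", l)
	}
}
```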
pretty easy one, definitely not hard machine
Please, any hint for the initial foothold? The exploits don’t seem to work.
Find the SQL terminal and execute any command; you’ll see an error. Follow the error and get command injection.
I enumerated everything. Just a little hint please: is the SQL terminal on port 80 or 8080?
It’s on 8080, try again.
Yeah got it! thanks mate
Did you execute the Python file to interact with the server from your attacking machine or from the user session on caption.htb?
I have installed the pip requirements offline on caption.htb but have trouble with gen_py.log_service import LogService.
you are executing from the wrong directory.
├── LogService-remote
├── __init__.py
└── log_service
├── LogService.py
├── __init__.py
├── __pycache__
│ ├── LogService.cpython-310.pyc
│ ├── __init__.cpython-310.pyc
│ └── ttypes.cpython-310.pyc
├── constants.py
└── ttypes.py
this should be the directory structure.
I assume you’re running it from your local machine and tunnelling port 9090?
Yes, that’s right. It’s on my local machine.
So you’ve built the Thrift LogService on your machine with Go to have this directory structure, or am I misunderstanding something?
Yes, something like that. I used the thrift compiler from apt and generated the necessary files with thrift --gen.
I’ve done the same but my directory looks different. I’ve created this file called log_service.thrift:
namespace py log_service
service LogService {
    string ReadLogFile(1: string filePath)
}
and then:
thrift --gen py log_service.thrift
Yes, by default the LogService-remote will be in log_service. You need to copy that to gen-py.
Ah, now I see, my import is the problem: either I change the folder structure or the code.
Yeah, your LogService-remote is in your log_service folder, and the script tries to import log_service and can’t access it as you are already inside of it.