Caption Discussion [HINTS] [HTB]

Let’s discuss Caption. Please do not share any flags or writeups.

A hard Linux machine. We’ll beat it!

The creator of the machine is MrR3boot.

He has created more than 7 hardware challenges and 19 pentesting machines. This machine will be his 20th. His machines have an average rating of 4.2/5.

Initial Access

  1. Navigate to the Web Interface

    Go to http://capstone.htb:8080 to access the Git web application.

  2. Log In with Default Credentials

    Use username: root and guess the password :slight_smile:

Command Injection

  1. Execute Command via SQL Injection

    Check this resource to learn how to create an alias for command execution:

    Gambler - Hacking and other stuffs

  2. Extract SSH Private Key

    Use the command injection to read the SSH key:

    CALL EXECVE('cat /home/user/.ssh/id_rsa');
    
  3. SSH into the Machine

    Log in using the SSH key:

    ssh -i id_rsa user@capstone.htb
    

Privilege Escalation

  1. Inspect server.go

    Review the server.go file to find the Thrift service running as root, which is also vulnerable to command injection. Its source code is available at http://caption.htb:8080/root/Logservice/blob/main/server.go.

  2. Create a Malicious Log File

    Create a log file that will trigger the command injection:

    127.0.0.1 "user-agent":"'; /bin/bash /tmp/payload.sh #"
    
  3. Exploit the Vulnerability

    Interact with port 9090 (server.go) to exploit the vulnerability. I am not including the code for the Thrift client here to avoid spoilers. You can write a Python script to trigger the command injection and exploit the vulnerability. Alternatively, you can use ChatGPT to generate the code for you. Send server.go to ChatGPT and ask how to interact with the server.go file.


These are general hints if you are stuck at any point and want to move forward. If you need more specific help, feel free to ask!

4 Likes
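Added example, not part of this thread and not the machine's own server.go: the log-file step above works because a field from the log (the user-agent) ends up inside a shell command, so a quote and a separator in that field become code. The defender's fix for that class of bug is to parse the line in-process and never hand a field to a shell, and to flag lines that carry the injection shape. The log lines below are constructed in the format the hint shows; the exact parsing server.go does is an assumption, and the aggregation it performs is just one plausible thing such a service might do.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample log (not taken from the machine) in the shape the hint
// describes: a client IP followed by a quoted "user-agent" field. The second
// line has the quote-break-and-separator shape of the payload in the hint.
const sampleLog = `127.0.0.1 "user-agent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
127.0.0.1 "user-agent":"'; /bin/bash /tmp/payload.sh #"
10.0.0.5 "user-agent":"curl/8.4.0"
10.0.0.5 "user-agent":"curl/8.4.0"
this line is not a log line at all
`

// Entry is one parsed log line.
type Entry struct {
	IP        string
	UserAgent string
}

// lineRe pins the grammar: dotted-quad IP, one space, the quoted user-agent field.
var lineRe = regexp.MustCompile(`^(\d{1,3}(?:\.\d{1,3}){3}) "user-agent":"(.*)"$`)

// injectRe flags the injection shape rather than every metacharacter: a quote
// followed by a command separator, or command substitution. Plain semicolons
// are common in benign user agents and are deliberately not flagged.
var injectRe = regexp.MustCompile("['\"]\\s*[;|&]|\\$\\(|`")

// ParseLine parses one line without handing any field to a shell. A line that
// does not match the grammar is rejected instead of being passed on.
func ParseLine(line string) (Entry, error) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return Entry{}, fmt.Errorf("malformed log line: %q", line)
	}
	return Entry{IP: m[1], UserAgent: m[2]}, nil
}

// LooksInjected reports whether a user-agent carries a shell-injection shape.
func LooksInjected(ua string) bool {
	return injectRe.MatchString(ua)
}

// Summary is the result of processing a log entirely in-process.
type Summary struct {
	CountByAgent map[string]int
	Flagged      []string // user-agents that look like injection attempts
	Malformed    int
}

// Summarize does the kind of aggregation a log service might otherwise shell
// out for (cut | sort | uniq -c), in Go, so a crafted field can only be data.
func Summarize(log string) Summary {
	s := Summary{CountByAgent: map[string]int{}}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue
		}
		e, err := ParseLine(line)
		if err != nil {
			s.Malformed++
			continue
		}
		s.CountByAgent[e.UserAgent]++
		if LooksInjected(e.UserAgent) {
			s.Flagged = append(s.Flagged, e.UserAgent)
		}
	}
	return s
}

func main() {
	s := Summarize(sampleLog)
	for ua, n := range s.CountByAgent {
		fmt.Printf("%4d %s\n", n, ua)
	}
	for _, ua := range s.Flagged {
		fmt.Printf("ALERT: injection-shaped user-agent: %q\n", ua)
	}
	fmt.Printf("malformed lines skipped: %d\n", s.Malformed)
}
```

The point is the control flow: the user-agent string is only ever compared, counted and printed; no code path builds a command string from it, so the payload line is just a value that also trips the detector. If a service genuinely must run an external tool, pass fields as separate exec arguments rather than through sh -c.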

Exclusive content is now available for Caption.

What is Exclusive Content? It includes detailed hints and tips to guide you toward a 100% solution for the CTF challenge.

Only donors have access to this exclusive content. If you’d like to donate and gain access, feel free to reach out to me. We accept all cryptocurrencies.


You can still ask for help and specific hints in this thread.

pretty easy one, definitely not hard machine

Please, any hint for the initial foothold? The exploits don't seem to work.

Find the SQL terminal, execute any command and you'll see an error. Follow the error and get command injection.

I enumerated everything; just a little hint please: is the SQL terminal on port 80 or 8080?

It's on 8080, try again.

Yeah got it! thanks mate

Did you execute the Python file to interact with the server from your attacking machine or from the user session on caption.htb?

I have installed the pip requirements offline on caption.htb but have trouble with gen_py.log_service import LogService.

You are executing from the wrong directory.

├── LogService-remote
├── __init__.py
└── log_service
    ├── LogService.py
    ├── __init__.py
    ├── __pycache__
    │   ├── LogService.cpython-310.pyc
    │   ├── __init__.cpython-310.pyc
    │   └── ttypes.cpython-310.pyc
    ├── constants.py
    └── ttypes.py

this should be the directory structure.

1 Like

I assume you're running it from your local machine and tunnelling port 9090?

Yes, that's right. It's on my local machine.

1 Like

So you've built the Thrift LogService on your machine with Go to get this directory structure, or am I misunderstanding something?

Yes, something like that. I used the thrift compiler from apt and generated the necessary files with thrift --gen.

1 Like

I've done the same but my directory looks different. I've created this file called log_service.thrift:

namespace py log_service

service LogService {
    string ReadLogFile(1: string filePath)
}

and then:
thrift --gen py log_service.thrift

Yes, by default the LogService-remote will be in log_service. You need to copy that to gen-py.

1 Like

Ah, now I see, my import-from line is the problem - either I change the folder structure or the code.

Yeah, your LogService-remote is in your log_service folder, and the script tries to import log_service but can't access it as you are already inside of it.

2 Likes