Cap Walkthrough – Hackthebox – Writeup

hackthebox walkthrough cap writeup

Cap is an active machine during the time of writing this post. So, unless you are about to die, I suggest not to proceed. The machine is fairly simple with very few steps to get root access. “Cap Walkthrough – Hackthebox – Writeup”

Note: To write public writeups for active machines is against the rules of HTB. Otherwise, I could protect this blog post using the root flag. Also, I couldn’t find a good content locker that allows custom message for WordPress. So, I couldn’t password protect this blog post using other methods like root hash, root-only readable file contents, etc.

Walkthrough of Prime 2021

As usual, the exploit began with the scan of open ports on the target. This is the first and the most important step while enumerating a machine.

nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log 10.10.10.245 -Pn

Nmap script scan shows we don’t have access to anonymous ftp. So, I opened the web server.

It is a nice dashboard that displays the result of monitoring of the network. On the left sidebar menu, we can see PCAP analysis. PCAP means “packet capture”. This means it contains the data of packets that are sent over network. Furthermore, we can store these files and analysis them later using tools like wireshark. Thus, I clicked the second options.

However, the application didn’t show any packets. So, I changed the path parameter from 28 to 0.

Fortunately, it worked. If it hadn’t worked, I would have started doing fuzzing rather than testing one by one. Next, I downloaded the pcap file and opened in wireshark.

wireshark 0.pcap

I got the credentials for the FTP server.

ftp 10.10.10.245

It looked like, the FTP server serves the home directory of the user. So, I tried to log in to SSH with the same credentials.

ssh nathan@10.10.10.245

Luckily, I got the access and the user’s flag in the home directory.

cat user.txt

Next, I searched for the sudo permissions, SUID binaries and capabilities that could escalate the privileges by giving us the root shell. Fortunately, I have cap_setuid available or the python3.8 binary on the target.

getcap -r / 2>/dev/null

Then, a quick search on gtfobins led me to the root shell.

https://gtfobins.github.io/gtfobins/python/#capabilities

python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Conclusion

I really liked this machine. Although the foothold was easy, the part to get to the root was a bit unheard of. Furthermore, in most of the machines, we get to see sudo abusing or SUID binaries. However, I really liked the idea of exploiting via capabilities of this machine.

Cap Walkthrough – Hackthebox – Writeup
5 2 votes
Article Rating
Subscribe
Notify of
guest
17 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Scroll to top

AdBlock Detected


I am sorry for the popup but it costs me money and time to write these posts.
Please disable the adblocker to proceed.
If you are a regular visitor, you can buymeacoffee too. 😉