Difficulty: Easy

Operating System: Linux

Recon and Enumeration

We will start this machine with a quick nmap scan; this gives an idea of what is running so that I can begin to tackle it.

nmap cap.htb

PORT  STATE SERVICE 
21/tcp open  ftp 
22/tcp open  ssh 
80/tcp open  http

After this, we can see 3 ports open:

  • An FTP server running on port 21.
  • An SSH server running on port 22.
  • A web server running on port 80.

Let’s start by checking out the web server. Upon doing so, we can see the following page.

The Security Snapshot page looks interesting; after running for a few seconds, it gives the following:

Interestingly, inspecting the URL shows /data/1. This suggests that other packet captures are stored under the same path, so I change the 1 to a 0 to see what we get.

After changing it to 0, we can see a different pcap with a lot more traffic, so I download it to inspect in Wireshark.

In the capture, knowing which ports are running, I decided to apply an FTP filter and see if anything shows up.

Not only is there a lot of FTP traffic, the capture shows the login with the user nathan and the password in plaintext: Buck3tH4TF0RM3!.

Now, there was an SSH server running on port 22, so I am going to try those credentials against it and see if I can get access as the nathan user.

And as predicted, we now have a foothold on the system.

User Own

Now that we are on the system, let’s look around for the user flag, which can be found with a simple ls:

nathan@cap:~$ ls
user.txt
nathan@cap:~$ cat user.txt
53b7aa6e6fb4a4f7355806f9dab7003f

Root Own

After trying a few other tricks, I try getcap, a Linux command that displays file capabilities, listing the specific privileges assigned to executables. The command used is getcap -r / 2>/dev/null. To break it down:

  • -r - recursive.
  • / - start from the root directory.
  • 2>/dev/null - redirects file descriptor 2 (stderr) to /dev/null, discarding the permission errors for paths we cannot read, so that only the files that actually have capabilities set remain in the output.

Looking at the output, the one that stands out is /usr/bin/python3.8, which has cap_setuid set, meaning it can change its user ID to root. I then call the python3.8 binary with a simple Python payload:

/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Breaking down this command:

  • /usr/bin/python3.8 - the binary carrying cap_setuid, which lets us set our uid.
  • -c - command; runs the given Python code directly, as opposed to saving it in a file and running that.
  • import os - import the os module in Python.
  • os.setuid(0) - set our uid to 0, the uid of the root user.
  • os.system("/bin/bash") - this will execute a bash shell for us.
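
The same getcap output can be audited from the defender's side. The following is an added example, not code from the original writeup: it parses getcap output (both the older "path = cap+ep" form and the newer "path cap=ep" form printed by libcap 2.41 and later) over a constructed sample resembling this box, and flags binaries whose Effective capabilities are enough to become root, such as the cap_setuid on python3.8 here. The DANGEROUS shortlist is my own selection for the example, not a complete list.

```python
import re

# Capabilities that, when Effective on a binary any user can run, give root or bypass file perms.
DANGEROUS = {
    "cap_setuid": "can switch to uid 0, e.g. os.setuid(0)",
    "cap_setgid": "can switch to gid 0",
    "cap_dac_override": "bypasses file permission checks",
    "cap_sys_admin": "broad administrative capability",
}

# libcap < 2.41 prints:  /usr/bin/python3.8 = cap_setuid+ep
# libcap >= 2.41 prints: /usr/bin/python3.8 cap_setuid=ep
_OLD = re.compile(r"^(?P<path>\S+) = (?P<caps>.+)$")
_NEW = re.compile(r"^(?P<path>\S+) (?P<caps>\S+=.+)$")

def parse_getcap_line(line: str) -> tuple[str, dict[str, str]]:
    """Return (path, {capability: flag letters}) for one getcap line."""
    line = line.strip()
    m = _OLD.match(line) or _NEW.match(line)
    if not m:
        raise ValueError(f"unrecognised getcap line: {line!r}")
    caps: dict[str, str] = {}
    for group in m.group("caps").split():
        # Each group is "cap_a,cap_b+ep" (old) or "cap_a,cap_b=ep" (new).
        names, flags = re.split(r"[+=]", group, maxsplit=1)
        for name in names.split(","):
            caps[name] = flags
    return m.group("path"), caps

def dangerous_files(getcap_output: str) -> list[tuple[str, str, str]]:
    # Only capabilities in the Effective set ("e") are usable without further work.
    findings = []
    for line in getcap_output.splitlines():
        if line.strip():
            path, caps = parse_getcap_line(line)
            for name, flags in caps.items():
                if name in DANGEROUS and "e" in flags:
                    findings.append((path, name, DANGEROUS[name]))
    return findings

# Constructed sample in the shape of `getcap -r / 2>/dev/null` on this box.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
"""

if __name__ == "__main__":
    for path, cap, reason in dangerous_files(SAMPLE):
        print(f"{path}: {cap} ({reason})")
```

On the sample, only python3.8 is reported; ping and traceroute keep cap_net_raw, which is expected and not flagged.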

If I now run whoami, I can see the command worked as expected and gave us access to the root user.

Now that we are the root user, we can grab the root flag, and this box is complete.

root@cap:~$ ls /root/root.txt
root.txt
root@cap:~$ cat /root/root.txt
1973e3470a98a52f8d52de5c878cee1f