Welcome! In this article, we will try to solve the Cap Machine from HackTheBox and provide as many details as we can so it can be a reference for anyone who wants to recall any part of it.

Here are some details about the machine itself from the official website:
Level: Easy
OS: Linux
Machine URL: Hack The Box: Cap Machine
About: Cap is an easy difficulty Linux machine running an HTTP server that performs administrative functions including performing network captures. Improper controls result in Insecure Direct Object Reference (IDOR) giving access to another user’s capture. The capture contains plaintext credentials and can be used to gain foothold. A Linux capability is then leveraged to escalate to root.

Let’s get started:

Task 1: How many TCP ports are open?

-Pn: if the machine is refusing the ping requests, port scan only.
-p-: if for scanning all ports.
-sC: Scan with default NSE scripts.
-sV: attempts to find the version of the service.
— min-rate 10000: Send packets no slower than 10000 per second.

So, as we can see, it’s 3 ports open: 21 (FTP), 22 (SSH), 80 (HTTP).

Answer: 3

Task 2: After running a “Security Snapshot”, the browser is redirected to a path of the format /[something]/[id], where [id] represents the id number of the scan. What is the [something]?

It’s a web enumeration task, let’s try the http port, so we write this domain in our website: http://10.129.5.192 (knowing that this ip is the target ip), and we get this page:

• with this side menu:

• So we chose the third option as mentioned in the instructions of the task, and we got this page with this URL.

• As we can see, the [something] part is data.

Answer: data.

Task 3: Are you able to get to other users’ scans?

We tried some ids from 0 to 10 on the URL instead of 1, and we found that ID 0 gives some packets in a .pcap file:

• So, we downloaded the file, analysed it and found that it has network logs about the user and password of the account:

Username: nathan
Password: Buc**************
Answer: yes

Task 4: What is the ID of the PCAP file that contains sensitive data?

Answer: 0

Task 5: Which application layer protocol in the pcap file can the sensitive data be found in?

As we can see from the screenshot above from the wireshark analysis, it’s communicating via ftp.

Answer: ftp

Task 6: We’ve managed to collect Nathan’s FTP password. On what other service does this password work?

We’ll try getting access using ssh, by writing this command:

ssh nathan@10.129.5.192

And we got it:

• When writing ls we found a file called user.txt, so we opened it using cat user.txt, and we found the user flag:

Answer: ssh

Task 7: Submit the flag located in the nathan user’s home directory.

Answer: d78******************************ba2

Task 8: What is the full path to the binary on this machine has special capabilities that can be abused to obtain root privileges?

To get the flag from the root’s home directory, we should do privilege escalation.

• Assuming that the machine runs python as a root, we tried to run python commands so we run python3, then importing the os library to use it, choosing the user id 0 by writing this os.setuid(0), checking our privileges with os.system(‘whoami’), then we run the shell using os.system(‘sh’), then we accessed the root privileges so we open the file cat /root/root.txt, and we got the root flag.

Answer: /usr/bin/python3.8

Conclusion

This machine was a great exercise in enumeration and privilege escalation. It reinforced the importance of carefully analysing exposed services and reviewing file permissions for potential escalation vectors.

Thank you for reading this walkthrough. Any feedback or suggestions for improvement are always appreciated.