Cracking the HTB Cap Box: A Step-by-Step Walkthrough

1 month ago 14
BOOK THIS SPACE FOR AD
ARTICLE AD

Vignesh P

In this write-up, I’ll take you through the process of solving the Hack The Box (HTB) Cap machine(Retired). This guide is aimed at beginner to intermediate hackers, so I’ll explain each step carefully while focusing on the technical details required to complete the box.

HTB’s Cap machine challenges hackers to combine enumeration skills and basic privilege escalation techniques to capture both the user and root flags. This guide will walk you through each phase of the process, from network scanning to analyzing PCAP files, and finally, exploiting file capabilities to get root access.

CAP

Let’s dive into the technical steps needed to own this box.

We start by running an initial Nmap scan on the target machine to identify open ports:

nmap -T5 -Pn -sV -sC -A -p- <ip>

Note: -p- is used to scan all the ports we can customize it by -p 1–1000 which will scan upto 1000 ports

nmap-results

Scan Results:

Port 22: SSHPort 21: FTPPort 80: HTTP

Since port 80 is open and hosts a web service, this will be our initial attack surface. Since the website is accessible over HTTP, we proceed by binding the target IP to our host file for easy access.

sudo nano /etc/hosts<target-ip> cap.htb

This makes the website available via the domain cap.htb.

Exploring the Website

Next, visit http://cap.htb in your browser. On the homepage, you’ll see a Security Snapshot feature. Selecting this option reveals an interesting part of the URL:

security snapshot

By manually altering the URL to/data/0, we can access a downloadable PCAP file, which is essential for further investigation. so it was Vulnerable to IDOR(Insecure Direct Object Reference)

Download the PCAP file and open it in Wireshark for deeper analysis.

As you sift through the packets, focus on the last few sections(Since I filtered the protocols the FTP came at top). After careful inspection, you’ll discover login credentials in clear text.

This provides us with the username and password to gain access.

tips: if you find any credentials Spam it everywhere

With the credentials from the PCAP file, it’s time to access the machine via SSH:

ssh <username>@<target-ip>
ssh nathan@10.10.10.245

Enter the password from the PCAP file, and you’re in! Alternatively, FTP access is also possible.

via ftp

Once logged in, the user flag can be retrieved.

user flag

Now that we have initial user access, the next step is escalating privileges to root. First, let’s enumerate the system using Linpeas, a powerful enumeration script:

The Linpeas results reveal key findings:

The system is vulnerable to a known CVE-2021–3560.
Vulnerable CVE
File capabilities

We will leverage Linux File capabilities for privilege escalation.

Linux File capabilities enable privilege escalation By leveraging setuid permissions, we can escalate our privileges. Here’s how we exploit this to gain root access:

Start an interactive Python shell:

import os
import pty
os.setuid(0)
pty.spawn("bash")

This spawns a root shell, giving us full root privileges on the machine. Once we have root access, navigate to the root directory and retrieve the root flag.

root flag

By following these steps, you’ll successfully own the Cap machine on HTB. This challenge was a great exercise in enumeration, network analysis, and privilege escalation using Linux file capabilities. It’s a fantastic learning experience for anyone looking to sharpen their skills in penetration testing.

If you’re new to Hack The Box or penetration testing, this box offers a great combination of basic enumeration techniques and intermediate exploitation tactics.

I am actively seeking full-time or internship opportunities in security engineering. Please feel free to reach out if you have any available positions

Reach-out/Connect with me:
Linkedin

Happy hacking!

Read Entire Article