Link: https://app.hackthebox.eu/machines/Cap
Enumeration

Our port scan reveals a vsftpd 3.0.3 server on port 21, SSH on port 22 and a web server on port 80.
NOTE: There is a DoS exploit for this version of vsftpd: https://www.exploit-db.com/exploits/49719
Web Server
We have a dashboard with a few tabs. The first tab, /netstat, shows the output of the netstat command. The /ip tab shows the output of the ifconfig command. Finally, /capture gives us a 5 second pcap that we can download. A gobuster scan only returns the four endpoints we have already discovered (/data is where the output of the pcap is stored).
When we run the pcap, the first one we get is /data/1. Trying to access /data/2 redirects back to the main page. However, there is a file at /data/0.
When we inspect this file, we see that nathan logged into the FTP server during the pcap test, and the credentials are passed in plaintext in the pcap log:

Connecting to the FTP server using those credentials, I ran get user.txt /home/kali/user.txt to grab and read the first flag.
Privilege Escalation
It turns out nathan also uses these same credentials for his ssh login, so now we have access to the machine.
I started with my first test of sudo -l, but unfortunately we do not have any sudo permissions.
Using the one-liner from this page, we can see if any binaries have the SUID bit set, but nothing of interest turns up.
I started a web server and put LinEnum.sh on the machine but I didn’t see anything interesting in there.
I kept searching online and found this article. It mentions using getcap as a privilege escalation vector. One of the results returned is /usr/bin/python3.8 with the cap_setuid capability. This means we can set our UID to 0 (root) and gain a shell from the Python command line:
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'
Now grab the root flag!
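The same getcap finding, turned into a check an administrator can run over a host: this is an added example, not part of the original write-up. The RISKY list, the function names and the sample lines are assumptions made for illustration, and the list is not exhaustive.

```shell
#!/bin/sh
# Capabilities treated here as root-equivalent when granted to a file
# (assumed list for this example).
RISKY='cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_ptrace cap_sys_module'

# Reads `getcap -r` output on stdin and prints "path<TAB>risky,caps".
# Handles both output styles:
#   older libcap:  /path = cap_a,cap_b+eip
#   newer libcap:  /path cap_a,cap_b=eip
audit_caps() (
  while IFS= read -r line; do
    case $line in
      *" = "*)   path=${line%% = *};   caps=${line#* = } ;;
      *" cap_"*) path=${line%% cap_*}; caps=cap_${line#* cap_} ;;
      *) continue ;;
    esac
    hits=
    for clause in $caps; do
      names=${clause%%[+=]*}   # comma-separated capability names
      flags=${clause#*[+=]}    # e, i, p flag letters
      # Only a permitted (p) capability is granted to the process on exec.
      case $flags in *p*) ;; *) continue ;; esac
      for cap in $(printf '%s' "$names" | tr ',' ' '); do
        case " $RISKY " in
          *" $cap "*) hits="${hits:+$hits,}$cap" ;;
        esac
      done
    done
    if [ -n "$hits" ]; then printf '%s\t%s\n' "$path" "$hits"; fi
  done
)

# Constructed sample input, not captured from the target machine.
sample_getcap_output() {
  cat <<'EOF'
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl cap_setuid=ep
/opt/tool cap_setuid=i
EOF
}

# On a real host: getcap -r / 2>/dev/null | audit_caps
sample_getcap_output | audit_caps
```

Any interpreter that shows up in the output should have the capability removed with setcap -r <path>, since a general-purpose interpreter can call setuid(0) on behalf of whoever runs it.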