First things first, the most important part (or, at least, in my perspective) of any hack: the recon. Let's start with an Nmap scan.
From this, we can see that we have 3 important ports open, namely FTP (port 21), SSH (port 22) and HTTP (port 80). Let’s check out the website on port 80.
TIP: head over to your /etc/hosts file and add the CAP machine's IP address along with the hostname you want your browser to resolve to it, e.g.:
You can now go to http://cap.htb/ to access the website. Moving on…
This looks like it's not meant for the public to see. And definitely not meant for a hacker to see. Let's head over to http://cap.htb/capture, where we can download .pcap files. These files can be opened and read with Wireshark.
NOTE: Make sure to download the .pcap file from this link:
After clicking the download button, a 0.pcap file should start downloading. Once that finishes, head over to your terminal and open the file with Wireshark, like so:
Wireshark should open up, and this should be the first thing you see:
Let's search for "ftp" with Ctrl-F to see if there are any credentials.
After hitting that Find button a few times, we should come across a username:
Press it a few more times, then we find a password:
So we have a possible username and password. Let’s try logging in using FTP.
And we are in. Let’s use ls to view the files in the FTP server.
That user.txt file looks interesting :-). Let’s download it.
Exit the FTP server, and the user.txt file should be in your current directory.
Now, let’s try getting the root.txt file.
Let’s try logging in with SSH using the same credentials we have.
And we’re in. Again. Let’s see what files we have in this user’s home directory:
Nothing we care about. Let's move on. Now, for PrivEsc, I tried running sudo -l, but that didn't work, so I had to sit back and think for a moment. After a while (24 minutes to be exact), I decided to use getcap to examine file capabilities:
As we can see, python3.8 carries a file capability we can use for privilege escalation. Head over to GTFOBins and search for python. Here, we see how to manipulate python's process UID:
And we are root. Let’s head over to root’s home directory.
And just like that, we’ve hacked the box. :-).
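The root step above hinged on one misconfiguration: an interpreter carrying a file capability that is effectively setuid root. As an added defensive example (not part of the original walkthrough), here is a small audit script that parses getcap -r style output and flags interpreter binaries whose effective set includes identity-changing capabilities. The getcap output below is constructed for the example; the python3.8 line mirrors the finding on this box, the others are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: three lines in the older libcap "path = caps+flags"
# format and one in the newer "path caps=flags" format, so both are parsed.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl cap_setuid=ep
"""

# Capabilities that let a process change identity or bypass DAC; on an
# interpreter or shell they are equivalent to a setuid-root binary.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_sys_admin"}
# Basenames of programs that run arbitrary code for whoever invokes them.
INTERPRETERS = re.compile(r"(python|perl|ruby|php|node|bash|sh|dash|gdb|vim)[\d.]*")


@dataclass
class CapEntry:
    path: str
    caps: set
    flags: str


def parse_getcap_line(line):
    """Parse one getcap line in either 'path = caps+flags' (libcap < 2.41)
    or 'path caps=flags' (libcap >= 2.41) form; returns None for junk."""
    line = line.strip()
    m = (re.match(r"^(\S+) = (\S+)\+([pie]+)$", line)
         or re.match(r"^(\S+) (\S+)=([pie]+)$", line))
    if not m:
        return None
    path, caps, flags = m.groups()
    return CapEntry(path, set(caps.split(",")), flags)


def find_risky_caps(output):
    """Return (path, offending caps) for every interpreter-like binary whose
    effective capability set contains a dangerous capability."""
    findings = []
    for line in output.splitlines():
        entry = parse_getcap_line(line)
        if entry is None or "e" not in entry.flags:
            continue
        bad = entry.caps & DANGEROUS_CAPS
        if bad and INTERPRETERS.fullmatch(entry.path.rsplit("/", 1)[-1]):
            findings.append((entry.path, sorted(bad)))
    return findings


if __name__ == "__main__":
    for path, caps in find_risky_caps(SAMPLE_GETCAP):
        print(f"{path}: {','.join(caps)} -> fix with: setcap -r {path}")
```

On a live system, feed it the output of `getcap -r / 2>/dev/null`; anything it flags should be stripped with setcap -r unless there is a documented reason for the capability.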
Hope you enjoyed this walk-through!!! And remember: