Cap HacktheBox Walkthrough
The nmap scan shows the open ports: basic FTP, SSH and HTTP.
Upon accessing port 80 we get a network administrator dashboard:
From there, on further browsing, we can see some captured network packet files, but there was nothing useful here. Look at the URL, though: it's something like /data/1, so maybe try /data/0. The capture ID sits directly in the URL, which is the classic setup for an insecure direct object reference.
There was some data at /data/0, so let's download the pcap and analyze it in Wireshark.
The username and password were clearly visible there. Maybe we can use them for FTP, or better, SSH lol, that would be pretty easy.
Anyway, FTP worked. Let's see whether we can also SSH; otherwise we will need FTP as the initial foothold to get the low-level user.
Well, bingo: using the same credentials from the pcap file we could SSH in as well.
Now we own the low-level user nathan; browsing through /home/nathan you will get the user.txt flag.
Now we can use this user (nathan) to perform privilege escalation.
Here we come across a kind of privilege escalation known as privilege escalation using capabilities.
For a better understanding, please refer to the link below:
Linux Privilege Escalation using Capabilities
Using the getcap command we can see python3.8 listed with a capability that can be used for privilege escalation.
Search GTFOBins for Python capabilities and you will come across the GitHub link below:
python | GTFOBins
From there we can easily get a root shell using the given command:
A small modification to the command might be required depending on the Python version. Also, in the GTFOBins link they invoke Python using ./python, but here you can directly use python3.8 as below:
Browse to the /root directory and capture the root flag as well.
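
The getcap finding in the privilege escalation step is also something to audit for on your own hosts. The following is an added example, not part of the original walkthrough: it parses getcap -r output in both the older and newer libcap formats and flags interpreters that hold identity-changing capabilities. The sample output, the risky-capability list and the severity labels are assumptions constructed for illustration.

```python
import re

# Assumed audit policy for this example: capabilities that allow changing
# identity or bypassing file permission checks.
RISKY = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
         "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module"}
# Binaries that run caller-supplied code hand their capabilities to any user.
INTERPRETER = re.compile(r"^(python|perl|ruby|node|php|lua|gdb|vim)[\d.]*$")
CLAUSE = re.compile(r"^([a-z0-9_,]*)[=+]([eip]*)$")

# Constructed sample of `getcap -r /` output (not taken from the walkthrough).
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl cap_setuid=ep
/opt/backup/agent cap_dac_read_search=ep
/usr/bin/example-helper cap_setgid=i
"""

def parse_getcap(text):
    """Return [(path, cap_names, flags)] for single-clause getcap lines."""
    rows = []
    for line in filter(None, map(str.strip, text.splitlines())):
        # Older libcap prints "path = caps+ep"; newer releases print "path caps=ep".
        parts = line.split(" = ", 1) if " = " in line else line.rsplit(None, 1)
        m = CLAUSE.match(parts[1]) if len(parts) == 2 else None
        if m:
            names = set(m.group(1).split(",")) if m.group(1) else {"all"}
            rows.append((parts[0], names, m.group(2)))
    return rows

def audit(text):
    """Return sorted (severity, path, risky_caps) for files that need review."""
    findings = []
    for path, names, flags in parse_getcap(text):
        # An inheritable-only entry grants nothing by itself, so skip it.
        if not set(flags) & {"e", "p"}:
            continue
        risky = sorted(names & (RISKY | {"all"}))
        if risky:
            base = path.rsplit("/", 1)[-1]
            sev = "critical" if INTERPRETER.match(base) else "review"
            findings.append((sev, path, risky))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

On a real host, feed it the output of getcap -r / 2>/dev/null; a capability set that is not needed can be removed with setcap -r followed by the file path.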