
This is my first writeup of a HackTheBox machine called Cap. It is an Easy Linux machine, and gaining initial foothold is easy, whereas the priv esc part is interesting.

We use Dirsearch to find hidden directories.

An interesting one is /data. We can brute-force this directory further to find more files, and we find one such interesting file, 0 … We download it and see that it's a pcap file.

Open the file using Wireshark and we can see all the packets. Apply the filter FTP to find only FTP traffic.

ftp filter

We find a packet containing the FTP username:password. Right-click on it and click Follow TCP Stream to see all the data.

We found the FTP username and password

Log in to FTP using the credentials and grab the user flag.

Use the same credentials to log in to SSH.

We are in. First we try running sudo -l to find any SUID binaries, but it asks for a password.

Let's run LinPEAS to find possible privilege escalation vectors. Set up a Python HTTP server on your Kali machine and transfer it to the target. Here are some interesting finds:

The binary python3.8 has a capability set. Another hint is the name of this HackTheBox machine: CAP.

Sudo version 1.8.31 is vulnerable, and we can find a CVE using Google.

Let's go with the capabilities option. On GTFOBins we can search for capabilities, and we find something.

Let's run the command using our Python version, which is 3.8 … and we are ROOT!!!

root flag

[+] Extra Notes: You can run the command getcap -r / 2>/dev/null on the target system to check whether any binary has a capability set (cap_setuid), and we indeed find /usr/bin/python3.8 having it.
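A defender's version of the same check, as an added example that is not part of the original writeup: the script parses getcap -r / output and reports files whose permitted set holds a root-equivalent capability such as cap_setuid. The RISKY_CAPS list, the function names and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit `getcap -r /` output for root-equivalent file capabilities.
# RISKY_CAPS is this example's own choice of names, not a list from the writeup.
RISKY_CAPS="cap_setuid cap_setgid cap_sys_admin cap_sys_module cap_sys_ptrace cap_dac_override cap_dac_read_search"

# Reads getcap lines on stdin; prints "<path><TAB><capability>" for each risky
# capability in a file's permitted set. Accepts both libcap output styles:
#   older:  /path = cap_a,cap_b+eip
#   newer:  /path cap_a,cap_b=eip
# Assumes one capability clause per line, the usual getcap output.
flag_risky_caps() {
    awk -v risky="$RISKY_CAPS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    NF >= 2 {
        spec = $NF                              # last field is the clause
        path = $0
        sub(/ +(= +)?[^ ]+$/, "", path)         # drop " = spec" or " spec"
        if (!match(spec, /[+=][eip]+$/)) next   # no flag suffix: not a clause
        flags = substr(spec, RSTART + 1)
        caps  = substr(spec, 1, RSTART - 1)
        if (index(flags, "p") == 0) next        # inheritable-only grant: skip
        # An empty or "all" list grants every capability (cap_from_text(3)).
        if (caps == "" || caps == "all") { print path "\t" "all"; next }
        m = split(caps, c, ",")
        for (j = 1; j <= m; j++) if (c[j] in bad) print path "\t" c[j]
    }'
}

# Constructed sample input (not captured from the target), mixing both styles.
sample_getcap() {
    cat <<'EOF'
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping cap_net_raw=ep
/opt/my tools/helper cap_dac_override=ep
/usr/bin/example cap_sys_admin+i
EOF
}

# On a live host: getcap -r / 2>/dev/null | flag_risky_caps
sample_getcap | flag_risky_caps
```

Any interpreter that shows up in the output should have the capability removed with setcap -r unless there is a documented reason for it.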

I hope you learned something from this writeup. The privilege escalation part was new and interesting. Make sure to follow me on Medium, as I share many writeups of OSCP-type machines from TryHackMe and HTB. -ZEUS
