An interesting one is /data we can bruteforce this directory further, to find more files and we find one such interesting file 0 ….We download it and see that it’s a pcap file.
Open the file using wireshark and we can see all the packets.Apply the filter FTP to find only FTP traffic
We find a packet containing FTP username:password.Right click on it and Click on Follow TCP stream to see all the data.
Log in to ftp using the credentials and grab the user flag
Use the same credentials to log in to SSH
We are in, firstly we try running sudo -l to find any SUID binaries but it asks for password.
Lets run Linpeas to find possible privilege escalation vectors.Set up a python http server in your kali machine and transfer Linpeas.sh to the target. Here are some interesting finds:
The binary python3.8 has capability set.Another hint is the name of this HackTheBox machine- CAP
Sudo version 1.8.31 is vulnerable and we can find a CVE using google-https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit
Lets go with the capabilities option.On GTFO bins we can search for capabilities and we find something.
Lets run the command using our python version which is 3.8….and we are ROOT!!!
[+]Extra Notes: You can run the command getcap -r / 2>/dev/null in the target system to check if any binary has capability set(cap_setuid) and we indeed find /use/bin/python3.8 having it.
I hope you learned something from this writeup.The privilege escalation part was new and interesting.Make sure to follow me on medium as i share many writeups of OSCP type machines of TryHackMe and HTB. -ZEUS