HTB — CAP Walkthrough

Step 1 — Port Scanning / Reconnaissance

First step, port scanning. I used NMAP and found that ports 21 (FTP), 22 (SSH) and 80 (HTTP) were open. Let’s visit the website.

Step 2— Website Exploitation

Going through the website I noticed that there was a 1 after data in the address bar. Downloading these initial packets yielded no results in Wireshark. So what if we started changing that number?

Changing the number in the address bar changed how many packets were available to download! Let’s download the pcap file and anylze them in Wireshark.

The username and password were stored in plaintext. Let’s try to login as Nathan.

Step 3— Intrusion

I logged in to the webserver via SSH.

We now have a user shell.

Step 4— User Flag + Privilege escalation

As you can see, the user flag was directly inside the directory. Now we need to find the system flag.

First thing I did, which is not in this screen was search for sudo permissions of Nathan with sudo -l, which did not work. I then stumbled across this blogpost. which gave me the “getcap -r / 2>/dev/null” command.

I saw that this had an SUID so we could use the simple ./python3 command.

We then get a root shell and the flag was in the same directory.

Thanks for reading!