| Machine Name | Difficulty | Date Started | Date Completed |
|---|---|---|---|
| Cap | Easy | 04/07/2025 | 04/07/2025 |
Attack Path :
- Exploit a simple IDOR by modifying a URL parameter and identify a downloadable
.pcapfile - Analyze the
.pcapand extract credentials used for FTP authentication - Use the credentials to SSH into the target machine and obtain the user flag
- Run LinPEAS and discover that
python3has Linux capabilities assigned - Exploit the capabilities using GTFOBins’ python technique to gain root access and capture the root flag.
We visited port 80 and found a web page that allowed us to download .pcap files.
We set the data parameter to 0 in the URL (a simple IDOR vulnerability) and were able to access a .pcap file containing data, which we then downloaded to our Kali machine.
Analyzing the downloaded .pcap file, we found credentials that were used to log in to the FTP service.
We used those credentials to SSH into the target machine and successfully retrieved the user flag.
Privilege Escalation
We ran LinPEAS and observed that python3 had Linux capabilities assigned to it.
We followed the guidance from GTFOBins - Python Capabilities and used a simple python3 command to escalate privileges, gaining root access and retrieving the root flag.
nathan@cap:~$ python3
Python 3.8.5 (default, Jan 27 2021, 15:41:15)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.setuid(0)
>>> os.system("/bin/bash")
root@cap:~# pwd
/home/nathan
root@cap:~# cd /root
root@cap:/root# cat root.txt
4b47f03c312e7f60627d7d963b477393