Cap

Cap is an easy difficulty Linux machine running an HTTP server that performs administrative functions including performing network captures. Improper controls result in Insecure Direct Object Reference (IDOR) giving access to another user’s capture. The capture contains plaintext credentials and can be used to gain foothold. A Linux capability is then leveraged to escalate to root.

Our Nmap scan results

80 is open so lets navigate to the webpage

The security snapshots page gives us an interesting URL

This appears to be an IDOR vulnerability

Switch to user 0, we can download the PCAP and analyze the results.

Following the TCP stream, we can see some credentials.

username: nathan
password: Buck3tH4TF0RM3!

Testing those credentials against SSH, we are able to access

Here was can see the first flag

From here we’re going to try and escalate. Going to start with running linpeas.sh

We found an interesting file.

Using GTFO bins, we can abuse python by using the following command

python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

punching this in gives us root access!