Machine IP = 10.10.10.245
OS = Linux
Level = EASY
Points = 20
Write the IP of the machine to your /etc/hosts file
1 echo "10.10.10.245 cap.htb" >> /etc/hosts
1 nmap -sC -sV 10.10.10.245
1 2 3 4 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http gunicorn
FTP anonymous login not available
I found for each time on reload or click on tab
Security Snapshot (5 Second PCAP + Analysis)
the variable ID changed and with each time the
PCAP file changed no one of them usefull so let’s try with the value
Then I downloaded 0.PCAP file and opened it with wireshark here we can found FTP credentials as below:
USER : nathan
PASSSWORD : Buck3tH4TF0RM3!
With these credentials we going to login to the FTP
we got first flag
Let’s use same credentials for
1 ssh [email protected] -> with password: Buck3tH4TF0RM3!
Here we going to clone this script linpeas.sh
Then we found
Files with capabilities (limited to 50):
1 /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
This means that it’s possible to set the effective user id of the created process
Time to privilege escalation
Hi there 👋 Support me!
Life is an echo—what you send out comes back.