Cap writeup

Breaking into my first hackthebox machine


Below are some notes from when I was breaking into my first HackTheBox machine, “Cap”. Don’t expect much commentary on this post as it’s mostly showing the steps I went through to break into this box/machine 😊

Basic scan

Starting off, a basic scan with nmap reveals the following:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-22 23:52 BST
Nmap scan report for
Host is up (0.028s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.77 seconds

This shows an FTP server (vsftpd) and an OpenSSH server. Neither is much of a target beyond DoS attacks, which isn’t the purpose of this, so FTP looks like the interesting one: apart from going after gunicorn or the Flask/Django app behind it, there isn’t much else here.


Whilst digging around on the dashboard I found these .pcap files at https:// where x is the id, and used Wireshark to view them; see the sections below:

File 0

  • pcap from “00:50:56:c0:00:08” (VMware, Linux) on data/0
  • ftp user: nathan
  • ftp password: Buck3tH4TF0RM3!
  • PORT command for 192,168,196,1,212,140 on ftp
  • Server replied “Consider using PASV”
  • notes.txt failed to open over ftp
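The capture above is readable because FTP sends USER, PASS and PORT in the clear. The following is an added example, not code from the original post, of the check a monitoring pipeline would run over such traffic: it walks an FTP control-channel transcript, records every cleartext credential (fingerprinted rather than stored) and decodes active-mode PORT arguments into the host and port the client asked the server to connect back to. The transcript is constructed, not the Cap capture, and the “C: ”/“S: ” prefixes are an assumed export format.

```python
"""Audit a captured FTP control channel for cleartext credential exposure.

Added example for this write-up, not code from the original post. The
transcript below is constructed (it is not the Cap capture); the script
assumes the capture was exported as text with client lines prefixed "C: "
and server lines prefixed "S: ".
"""
import hashlib
import re
from typing import Dict, List, Optional

# Constructed transcript modelled on what the pcap showed: USER/PASS in the
# clear, an active-mode PORT command, and a file that failed to open.
SAMPLE_SESSION = """\
S: 220 (vsFTPd 3.0.3)
C: USER alice
S: 331 Please specify the password.
C: PASS hunter2
S: 230 Login successful.
C: PORT 192,168,196,1,212,140
S: 200 PORT command successful. Consider using PASV.
C: RETR notes.txt
S: 550 Failed to open file.
"""

# PORT h1,h2,h3,h4,p1,p2 -> data connection to h1.h2.h3.h4 on p1*256+p2 (RFC 959)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def decode_port(command: str) -> Optional[Dict[str, object]]:
    """Decode an FTP PORT command into the callback host and port, or None if malformed."""
    m = PORT_RE.match(command.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None  # each field is a single byte; anything larger is malformed
    h1, h2, h3, h4, p1, p2 = fields
    return {"host": f"{h1}.{h2}.{h3}.{h4}", "port": p1 * 256 + p2}


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix so findings can be correlated without logging the password."""
    return hashlib.sha256(secret.encode()).hexdigest()[:8]


def audit_ftp_session(transcript: str) -> List[Dict[str, object]]:
    """Walk client commands and record credential exposure and active-mode callbacks."""
    findings: List[Dict[str, object]] = []
    current_user: Optional[str] = None
    for lineno, raw in enumerate(transcript.splitlines(), start=1):
        if not raw.startswith("C: "):
            continue  # only client commands carry credentials
        command = raw[3:].strip()
        verb, _, arg = command.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            current_user = arg
        elif verb == "PASS":
            findings.append({
                "line": lineno,
                "type": "cleartext_credential",
                "user": current_user,
                "password_len": len(arg),
                "password_sha256_8": fingerprint(arg),
            })
        elif verb == "PORT":
            decoded = decode_port(command)
            if decoded is not None:
                findings.append({"line": lineno, "type": "active_mode_port", **decoded})
    return findings


if __name__ == "__main__":
    for finding in audit_ftp_session(SAMPLE_SESSION):
        print(finding)
```

Run on the constructed transcript it reports one cleartext login (user alice, 7-character password) and one PORT callback to 192.168.196.1:54412, which is exactly the kind of exposure that makes plain FTP a finding on its own, before anything else on the box is looked at.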

File 1

  • Mostly encrypted requests
  • Response found, enclosed:
                                      <div class="s-swtich">
                                          <input type="checkbox" id="switch5" />
                                          <label for="switch5">Toggle</label>
                                  <p>Use checkboxes when looking for yes or no answers.</p>
          <!-- offset area end -->
          <!-- jquery latest version -->
          <script src="/static/js/vendor/jquery-2.2.4.min.js"></script>
          <!-- bootstrap 4 js -->
          <script src="/static/js/popper.min.js"></script>
          <script src="/static/js/bootstrap.min.js"></script>
          <script src="/static/js/owl.carousel.min.js"></script>
          <script src="/static/js/metisMenu.min.js"></script>
          <script src="/static/js/jquery.slimscroll.min.js"></script>
          <script src="/static/js/jquery.slicknav.min.js"></script>
          <!-- start chart js -->
          <script src="https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.7.2/Chart.min.js"></script>
          <!-- start highcharts js -->
          <script src="https://code.highcharts.com/highcharts.js"></script>
          <!-- start zingchart js -->
          <script src="https://cdn.zingchart.com/zingchart.min.js"></script>
          zingchart.MODULESDIR = "https://cdn.zingchart.com/modules/";
          ZC.LICENSE = ["569d52cefae586f634c54f86dc99e6a9", "ee6b7db5b51705a13dc2339db3edaf6d"];
          <!-- all line chart activation -->
          <script src="/static/js/line-chart.js"></script>
          <!-- all pie chart -->
          <script src="/static/js/pie-chart.js"></script>
          <!-- others plugins -->
          <script src="/static/js/plugins.js"></script>
          <script src="/static/js/scripts.js"></script>
  • Just looks like the creator playing around with some data; from here onwards it is irrelevant

Entering FTP

Time to look into the FTP files seen previously in wireshark:

  • Entering FTP with username and password found
  • Login successful, see file list:
      ➜  ~ ftp 
      Connected to
      220 (vsFTPd 3.0.3)
      Name ( nathan
      331 Please specify the password.
      230 Login successful.
      Remote system type is UNIX.
      Using binary mode to transfer files.
      ftp> ls
      200 PORT command successful. Consider using PASV.
      150 Here comes the directory listing.
      -rwxrwxr-x    1 1001     1001       462475 Jun 24 14:50 lin
      -rw-rw-r--    1 1001     1001       117748 Jun 24 15:52 linenum.txt
      -rwxrwxrwx    1 0        1001            1 Jun 24 15:29 script.sh
      drwxr-xr-x    3 1001     1001         4096 Jun 24 14:51 snap
      -rw-rw-r--    1 0        1001            1 Jun 24 15:18 test.sh
      -rw-rw-r--    1 0        1001            0 Jun 24 15:22 test1.sh
      -r--------    1 1001     1001           33 Jun 24 14:04 user.txt
      226 Directory send OK.
  • Seems that lin is a large file
  • The snap directory holds just one program, not important by the looks of it currently
  • linenum.txt is a large file from a privilege-escalation scan; below are some interesting excerpts:
    • /snap/snapd/8542/usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304), a vulnerability in snapd that is exploitable locally, as mentioned before
    • A local IP is listening on TCP; first guess is the gunicorn/Flask setup
    • An unmounted filesystem /dev/disk/by-uuid/d3d1cf9e-20c6-450f-b152-9854f6a804ad /boot ext4 was found
    • Sudo version 1.8.31 found, which has a known vulnerability [1]
  • Going through the other files, user.txt contains the following:

    This looks like a hex-encoded UUID, perhaps belonging to the unmounted disk?


Wow... it seems that user.txt is actually the flag; guess I’ve just got user access to my first HackTheBox machine!

  1. https://www.logpoint.com/en/blog/sudo-privilege-escalation-vulnerability/