CAP
IDOR vulnerability in network monitoring dashboard to access PCAP files containing plaintext credentials. FTP/SSH credential reuse, then Linux capabilities abuse for privilege escalation to root.
Port Scanning and Reconnaissance
First step: port scanning. I used Nmap and found that ports 21 (FTP), 22 (SSH) and 80 (HTTP) were open. Let's visit the website.

Website Exploitation
Going through the website I noticed a Security Dashboard — a network monitoring tool logged in as Nathan. The URL path had a number after /data/ in the address bar. Downloading these initial packets at /data/1 yielded limited results in Wireshark.

So what if we started changing that number? This is an IDOR (Insecure Direct Object Reference) vulnerability — by modifying the ID in the URL, we can access other users' packet captures. Changing it to /data/0 revealed a capture with 72 packets — significantly more interesting.
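The root cause of that IDOR is a download handler that trusts the client-supplied id and never asks who owns the object. The block below is an added example, not the dashboard's own code: it puts the vulnerable lookup beside a hardened one that checks ownership against the server-side session identity, and adds a small detector that scans web-server access logs for one user stepping through consecutive /data/ ids, which is the footprint this kind of probing leaves. The ownership table and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed ownership table for the example: capture id -> owning user.
# (Assumption: the real dashboard keeps this in its database.)
CAPTURE_OWNERS = {0: "admin", 1: "nathan", 2: "nathan", 3: "alice"}


class NotFound(Exception):
    """Raised for ids that do not exist or that the caller may not see."""


def fetch_capture_vulnerable(session_user, capture_id):
    """Vulnerable pattern: the client-supplied id is the only thing consulted,
    so any logged-in user can walk /data/0, /data/1, ... and read every capture."""
    if capture_id not in CAPTURE_OWNERS:
        raise NotFound(capture_id)
    return f"pcap-{capture_id}"


def fetch_capture_hardened(session_user, capture_id):
    """Hardened pattern: validate the id, then check ownership against the
    server-side session identity before returning anything. A foreign id and a
    missing id get the same NotFound so the endpoint does not reveal which ids exist."""
    try:
        cid = int(capture_id)
    except (TypeError, ValueError):
        raise NotFound(capture_id) from None
    if session_user is None or CAPTURE_OWNERS.get(cid) != session_user:
        raise NotFound(cid)
    return f"pcap-{cid}"


def is_denied(session_user, capture_id):
    """True when the hardened endpoint refuses the request."""
    try:
        fetch_capture_hardened(session_user, capture_id)
    except NotFound:
        return True
    return False


# Constructed access log (combined log format) showing one account fetching
# consecutive capture ids, including ids it does not own.
ACCESS_LOG = """\
10.10.14.5 - nathan [11/Jun/2021:10:01:02 +0000] "GET /data/1 HTTP/1.1" 200 1460
10.10.14.5 - nathan [11/Jun/2021:10:01:09 +0000] "GET /data/0 HTTP/1.1" 200 9120
10.10.14.5 - nathan [11/Jun/2021:10:01:15 +0000] "GET /data/2 HTTP/1.1" 200 1480
10.10.14.5 - nathan [11/Jun/2021:10:01:21 +0000] "GET /data/3 HTTP/1.1" 200 1300
10.10.14.9 - alice [11/Jun/2021:10:05:00 +0000] "GET /data/3 HTTP/1.1" 200 1300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[[^\]]+\] "GET /data/(?P<id>\d+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_enumeration(log_text, threshold=3):
    """Return {user: sorted distinct ids} for users who requested at least
    `threshold` distinct capture ids. One account touching many ids is the
    signal to alert on; with the hardened handler most of those requests
    would also be 404s, which is worth counting on its own."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["user"]].add(int(m["id"]))
    return {u: sorted(ids) for u, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(find_enumeration(ACCESS_LOG))  # {'nathan': [0, 1, 2, 3]}
```

The hardened lookup deliberately returns the same error for "not yours" and "does not exist"; a distinct 403 would let a caller map which ids are live. Scoping the query by owner in the first place (select captures where owner = session user) is the same check pushed into the data layer and is the pattern to prefer in a real application.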

I downloaded the PCAP file and analyzed it in Wireshark. Filtering for FTP traffic revealed the jackpot — Nathan's username and password sent in plaintext. FTP authenticates in the clear, so the USER and PASS commands are clearly visible in the packet capture.

Intrusion
I used the credentials found in the PCAP to log in to the server via SSH as Nathan.

User Flag and Privilege Escalation
The user flag was directly inside Nathan's home directory.
For privilege escalation, I first tried sudo -l to check Nathan's sudo permissions — no luck. I then used the getcap command to search for binaries with Linux capabilities set:
getcap -r / 2>/dev/null
This revealed that /usr/bin/python3.8 had the cap_setuid and cap_net_bind_service capabilities. cap_setuid is the interesting one: it lets the process change its own UID, so Python can simply set its UID to 0 (root) and spawn a shell:
python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Root shell acquired. The root flag was in /root. Box pwned.
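The fix on the defending side is to not leave cap_setuid on an interpreter in the first place, and to catch it when it happens. The block below is an added example, not part of the original writeup: it parses getcap -r output (both the older "path = caps+flags" form and the newer "path caps=flags" form), flags binaries carrying capabilities that escape the UID or file-permission boundary, rates an interpreter carrying one as high severity, and emits the setcap -r removal command for each finding. The getcap output is constructed; the python3.8 line mirrors the finding above, the other lines are illustrative.

```python
import os
import re

# Capabilities that let a process escape its UID, file permissions or the
# kernel boundary; any of these on an arbitrary binary deserves a ticket.
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
}
# An interpreter turns any file capability into "run arbitrary code with it".
INTERPRETER_RE = re.compile(r"^(python|perl|ruby|node|php|lua)[\d.]*$")

# Constructed `getcap -r / 2>/dev/null` output. ping and traceroute6 with
# cap_net_raw are a normal baseline; the vim.basic line is invented to show a
# medium finding and the newer output format.
GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/vim.basic cap_dac_override=ep
"""

LINE_RE = re.compile(
    r"^(?P<path>\S+)(?: = |\s+)(?P<caps>[a-z0-9_,]+)(?P<flags>[=+][eip]+)$"
)


def parse_getcap(text):
    """Turn getcap output into (path, {caps}, flags) tuples, skipping lines
    that match neither output format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["path"], set(m["caps"].split(",")), m["flags"].lstrip("=+")))
    return entries


def audit(entries):
    """Rank entries carrying a dangerous capability: 'high' for an interpreter
    (exactly the python3.8 case above), 'medium' for anything else. Each
    finding carries the command that strips the capability."""
    findings = []
    for path, caps, flags in entries:
        bad = sorted(caps & DANGEROUS)
        if not bad:
            continue
        is_interp = bool(INTERPRETER_RE.match(os.path.basename(path)))
        findings.append({
            "path": path,
            "caps": bad,
            "flags": flags,
            "severity": "high" if is_interp else "medium",
            "fix": f"setcap -r {path}",
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["path"]))
    return findings


if __name__ == "__main__":
    for f in audit(parse_getcap(GETCAP_OUTPUT)):
        print(f"[{f['severity']}] {f['path']}: {','.join(f['caps'])} ({f['flags']}) -> {f['fix']}")
```

Run this from a cron job or configuration-management check and diff the findings against the previous run; a capability appearing on an interpreter between two runs is the event to page on. cap_net_bind_service on its own is not in the dangerous set because binding a low port is a legitimate reason to grant a capability, which is presumably how the python3.8 entry got there in the first place.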
