Write-Up: CAP Machine Walkthrough Practice OSP/CEH

Introduction

The CAP machine is an easy Linux-based challenge focused on web enumeration, packet analysis, and exploiting Insecure Direct Object Reference (IDOR) vulnerabilities. This walkthrough demonstrates how improper controls can expose sensitive data and explores how Linux capabilities can be exploited for privilege escalation.

Skills Required

  • Web enumeration
  • Packet capture analysis

Skills Learned

  • Understanding and exploiting IDOR
  • Leveraging Linux capabilities for privilege escalation

Step 1: Enumeration with Nmap

We begin by scanning all TCP ports on the target machine (10.10.10.245) to identify open services. Here’s the command used:

ports=$(nmap -p- --min-rate=1000 -Pn -T4 10.10.10.245 | grep '^[0-9]' | cut -d'/' -f1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -Pn -sC -sV 10.10.10.245

Result: Three open ports

  • 21: FTP
  • 22: SSH
  • 80: HTTP

Step 2: FTP Enumeration

We tested FTP for anonymous access, but it was disabled. So, we moved on to exploring the HTTP service.

Step 3: HTTP Service Exploration

Port 80 is running Gunicorn, a Python-based HTTP server. The website displayed a dashboard with system and network information, hinting at system commands being executed in the backend.

  • IP Config page: Displays ifconfig output.
  • Network Status page: Displays netstat output.

Clicking on the Security Snapshot menu item pauses the page for a few seconds and returns a downloadable packet capture file.

Step 4: Exploiting IDOR

While browsing, we noticed the application generating packet captures at /data/<id> with incremental IDs. By manually navigating to /data/0, we accessed a previous user’s capture file.

This vulnerability is known as Insecure Direct Object Reference (IDOR): the application looks up the capture by the ID supplied in the URL without checking that the requesting user owns it, so anyone who can guess an ID (trivial when IDs are sequential) can read other users’ data.
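As an added illustration (not code from the write-up or from the machine itself), the following pure-Python model of the /data/<id> handler shows the IDOR beside an ownership-checked fix; the names CaptureStore, fetch_capture_vulnerable, fetch_capture_fixed and the sample capture bytes are constructed for this example.

```python
# Added example, not from the write-up: a minimal model of the /data/<id>
# handler showing the IDOR and an ownership-checked fix.  All names and the
# sample capture bytes are constructed for illustration.
import secrets
from dataclasses import dataclass, field

@dataclass
class Capture:
    owner: str   # user who requested the Security Snapshot
    data: bytes  # pcap contents (placeholder bytes here)

@dataclass
class CaptureStore:
    by_id: dict = field(default_factory=dict)
    next_id: int = 0

    def save_sequential(self, owner: str, data: bytes) -> int:
        """Vulnerable pattern: predictable, incrementing IDs."""
        cid, self.next_id = self.next_id, self.next_id + 1
        self.by_id[cid] = Capture(owner, data)
        return cid

    def save_random(self, owner: str, data: bytes) -> str:
        """Unguessable handle: defence in depth, not a substitute for authz."""
        cid = secrets.token_urlsafe(16)
        self.by_id[cid] = Capture(owner, data)
        return cid

def fetch_capture_vulnerable(store, _session_user, capture_id):
    """IDOR: any authenticated user can read any capture by ID."""
    cap = store.by_id.get(capture_id)
    return None if cap is None else cap.data

def fetch_capture_fixed(store, session_user, capture_id):
    """Ownership check. Missing and not-owned both return None, so a
    caller cannot tell whether someone else's ID exists."""
    cap = store.by_id.get(capture_id)
    if cap is None or cap.owner != session_user:
        return None
    return cap.data

def demo():
    """Constructed scenario: nathan's capture is ID 0; a later user
    requests it directly.  Returns (vulnerable_result, fixed_result)."""
    store = CaptureStore()
    nathan_id = store.save_sequential("nathan", b"pcap-with-ftp-creds")
    store.save_sequential("guest", b"guest-own-capture")
    return (fetch_capture_vulnerable(store, "guest", nathan_id),
            fetch_capture_fixed(store, "guest", nathan_id))
```

The ownership check is the actual fix; random handles only make enumeration harder and should be layered on top of it.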

Step 5: Foothold

Downloading and analyzing the packet capture with Wireshark revealed FTP credentials transmitted in plaintext:

Username: nathan
Password: Buck3tH4TF0RM3!

These credentials worked for both FTP and SSH. We used SSH to gain access.

python -m http.server

Step 6: Privilege Escalation

Using the linPEAS script, we identified an unusual Linux capability set on /usr/bin/python3.8:

CAP_SETUID: Allows switching to UID 0 (root).

Python was likely granted this capability for non-root users to capture traffic. Using the following script, we escalated privileges to root:

import os

# With CAP_SETUID on the interpreter, an unprivileged user may change the process UID
os.setuid(0)
# Spawn a shell that inherits the new (root) UID
os.system("/bin/bash")

The os.setuid(0) call sets the process user identifier (UID) to 0. Normally the kernel refuses this for an unprivileged caller, but because the interpreter carries CAP_SETUID the change is permitted, and the shell spawned afterwards runs as root.

Conclusion

This machine reinforced the importance of proper access controls (to prevent IDOR) and secure Linux capability settings. The challenge highlights common oversights in web application and system configurations.

Key Takeaways:

  • Test all potential vulnerabilities during web enumeration.
  • Be vigilant about sensitive data exposed in network traffic.
  • Monitor and restrict Linux capabilities effectively.

This post is licensed under CC BY 4.0 by the author.