How I Solved HTB: Cap Machine

Disclaimer
This walkthrough is for educational purposes only. All activities were performed on legally authorised Hack The Box systems.
Initial Reconnaissance
I started with a basic Nmap scan to identify open ports and services:
nmap -sC -p- 10.129.3.175
While the scan was running, I checked if there was a website. Yes—there was a security dashboard running. I explored the site, read source code from different pages, tried logging out, but found nothing useful.
The most interesting page let users download a .pcap capture file.
.pcap Download Page → IDOR Vulnerability
I downloaded the file and checked for something valuable, but found nothing. Then I noticed the URL and experimented with it:
- Changing the value to
10→ nothing changed - Changing it to
0→ access to another user’s capture data
This is a classic IDOR (Insecure Direct Object Reference) vulnerability.
I downloaded the other user’s .pcap file and analysed it in Wireshark. After scrolling through the traffic, I found the username and password transmitted in plaintext.
Credentials Extracted from PCAP
The protocol used was FTP. I checked my Nmap results (better image attached since I lost the original screenshot):
Open Ports: (FTP was one of them)
I logged in using the FTP credentials from Wireshark, and YEAH I WAS IN. I checked the user file and found the flag.
Privilege Escalation
Now I needed the root flag. I used Linpeas, a privilege escalation script:
- GitHub: PEASS-ng/linPEAS
- Official Website: linpeas.org — tons of free resources
I tried uploading it via FTP, but it failed due to a permission error.
Instead, I transferred the script over SSH and ran it from there. LinPEAS ran successfully and returned its findings.
LinPEAS Output → CVE-2021–3156
LinPEAS flagged CVE-2021–3156. I started reading about it and was confident it would work (I was so wrong).
What is CVE-2021–3156?
Also known as Baron Samedit, it’s a heap-based buffer overflow in sudo:
- Privilege-escalation bug in sudo
- Once you have local access, you can compromise the entire system
- Particularly serious since it’s in sudo
How it works:
- When you run
sudoin shell mode, it allocates memory to process your command - You give input ending with a single backslash (
\) sudoreads the backslash and skips to the next character, jumping over the “null terminator” (stop sign for text end)- Missing the stop sign,
sudoblindly copies data past its boundaries into neighbouring memory blocks - This overwrites sudo’s internal settings, tricking the system into running malicious code with root privileges
I found an exploit online offering C and Python versions (in case C fails):
GitHub: worawit/CVE-2021-3156
I ran the C version first since the system met the requirements:
File successfully compiled. Let’s go. Now let’s run it.
It failed. Why? This exploit needs to write to /etc/passwd in a tiny window (milliseconds). The default timing (4000ms) wasn’t right. I tried:
2000(faster) → failed5000(slower) → failed
All timings failed.
I switched to the Python version & Here’s what happened
The exploit says the vulnerability is patched. Now I had a choice: Either I debug further why the exploits aren’t working, or I look for another vulnerability because
- C exploit (race condition) — compiled fine, but race timing failed
- Python exploit (heap manipulation) — says target is patched
I decided not to waste time going deeper into the rabbit hole and started looking for another vulnerability.
The Real Vulnerability: Python cap_setuid Misconfiguration
Five minutes of re-reading the LinPEAS output, I spotted what I missed the first time
Python had the cap_setuid capability set.
This is a Linux capability to change your User ID to 0 (System ID / Root).
The Exploit Code
import os
os.setuid(0)
os.system('/bin/bash')
Running this gave me a root shell, and I found the root flag.
Key Takeaways
| Takeaway | Explanation |
|---|---|
| IDOR via URL manipulation | Always test numeric parameters at boundaries (0, -1, sequential IDs) |
| Know when to move on | Spending too long on a failed CVE exploit is a common time sink. If it’s patched, it’s patched |
| Linux capabilities = dangerous as SUID | cap_setuid on Python = instant root shell. Read your LinPEAS output carefully |
Thanks for reading. Happy hacking.