Hack The Box Cap machine dashboard

Disclaimer

This walkthrough is for educational purposes only. All activities were performed on legally authorised Hack The Box systems.

Initial Reconnaissance

I started with a basic Nmap scan to identify open ports and services:

nmap -sC -p- 10.129.3.175

While the scan was running, I checked if there was a website. Yes—there was a security dashboard running. I explored the site, read source code from different pages, tried logging out, but found nothing useful.

The most interesting page let users download a .pcap capture file.

Screenshot_20260614_094248

.pcap Download Page → IDOR Vulnerability

I downloaded the file and checked for something valuable, but found nothing. Then I noticed the URL and experimented with it:

  • Changing the value to 10 → nothing changed
  • Changing it to 0access to another user’s capture data

This is a classic IDOR (Insecure Direct Object Reference) vulnerability.

I downloaded the other user’s .pcap file and analysed it in Wireshark. After scrolling through the traffic, I found the username and password transmitted in plaintext.

image

Credentials Extracted from PCAP

The protocol used was FTP. I checked my Nmap results (better image attached since I lost the original screenshot):

Screenshot_20260614_124343

Open Ports: (FTP was one of them)

I logged in using the FTP credentials from Wireshark, and YEAH I WAS IN. I checked the user file and found the flag.

image

Privilege Escalation

Now I needed the root flag. I used Linpeas, a privilege escalation script:

I tried uploading it via FTP, but it failed due to a permission error.

Screenshot_20260614_095146

Instead, I transferred the script over SSH and ran it from there. LinPEAS ran successfully and returned its findings.

Screenshot_20260614_105002

LinPEAS Output → CVE-2021–3156

LinPEAS flagged CVE-2021–3156. I started reading about it and was confident it would work (I was so wrong).

What is CVE-2021–3156?

Also known as Baron Samedit, it’s a heap-based buffer overflow in sudo:

  • Privilege-escalation bug in sudo
  • Once you have local access, you can compromise the entire system
  • Particularly serious since it’s in sudo

How it works:

  1. When you run sudo in shell mode, it allocates memory to process your command
  2. You give input ending with a single backslash (\)
  3. sudo reads the backslash and skips to the next character, jumping over the “null terminator” (stop sign for text end)
  4. Missing the stop sign, sudo blindly copies data past its boundaries into neighbouring memory blocks
  5. This overwrites sudo’s internal settings, tricking the system into running malicious code with root privileges

I found an exploit online offering C and Python versions (in case C fails):

GitHub: worawit/CVE-2021-3156

I ran the C version first since the system met the requirements:

image

File successfully compiled. Let’s go. Now let’s run it.

Screenshot_20260614_111129

It failed. Why? This exploit needs to write to /etc/passwd in a tiny window (milliseconds). The default timing (4000ms) wasn’t right. I tried:

  • 2000 (faster) → failed
  • 5000 (slower) → failed

All timings failed.

1_jHysF6j-md4JYGYeKOwAUQ

I switched to the Python version & Here’s what happened

image

The exploit says the vulnerability is patched. Now I had a choice: Either I debug further why the exploits aren’t working, or I look for another vulnerability because

  • C exploit (race condition) — compiled fine, but race timing failed
  • Python exploit (heap manipulation) — says target is patched

I decided not to waste time going deeper into the rabbit hole and started looking for another vulnerability.

The Real Vulnerability: Python cap_setuid Misconfiguration

Five minutes of re-reading the LinPEAS output, I spotted what I missed the first time Python had the cap_setuid capability set. This is a Linux capability to change your User ID to 0 (System ID / Root).

The Exploit Code

import os
os.setuid(0)
os.system('/bin/bash')

Running this gave me a root shell, and I found the root flag.

image

Key Takeaways

Takeaway Explanation
IDOR via URL manipulation Always test numeric parameters at boundaries (0, -1, sequential IDs)
Know when to move on Spending too long on a failed CVE exploit is a common time sink. If it’s patched, it’s patched
Linux capabilities = dangerous as SUID cap_setuid on Python = instant root shell. Read your LinPEAS output carefully

Thanks for reading. Happy hacking.