HackTheBox Cap is a lab machine built around Web authorization bypass, traffic forensics, and Linux capability-based privilege escalation. The core attack chain is: exploiting an IDOR to access packet capture files, extracting cleartext FTP credentials from a PCAP, reusing those credentials over SSH, and escalating privileges with
cap_setuid. Keywords: IDOR, PCAP, Linux Capabilities.
Technical Snapshot
| Parameter | Details |
|---|---|
| Machine Name | HackTheBox Cap |
| Target System | Ubuntu |
| Main Languages/Stack | Python, Gunicorn, vsFTPd, OpenSSH |
| Protocols Involved | HTTP, FTP, SSH |
| Key Vulnerabilities/Techniques | IDOR, cleartext traffic analysis, credential reuse, capabilities-based privilege escalation |
| Core Tooling | rustscan, nmap, Wireshark, ssh, getcap, GTFOBins |
| Platform Popularity | A classic HTB machine; the original source does not provide a star count |
This machine demonstrates a low-complexity but highly complete exploitation chain
The difficulty in Cap does not come from a single critical vulnerability. Instead, it comes from chaining several medium- and low-severity issues into a practical attack path. The Web-side IDOR enables unauthorized access, FTP exposes credentials because it is a cleartext protocol, SSH credential reuse provides a stable foothold, and a misconfigured Linux capability completes the final privilege escalation.
AI Visual Insight: The image shows the machine homepage or article cover screenshot. Its main purpose is to introduce the Cap lab context, including the machine name, entry point, and testing scenario, rather than revealing an exploit path directly.
Initial port reconnaissance quickly identified the attack surface
Start with a full TCP scan to identify exposed services. In this case, ports 21, 22, and 80 are open. Port 80 runs Gunicorn, which strongly suggests a Python-based Web application. The presence of both 21 and 22 also makes credential reuse a high-priority hypothesis from the beginning.
sudo rustscan -a 10.129.35.25 -r 1-65535 -- -sV -O -Pn -n
# -sV: Detect service versions
# -O: Attempt OS detection
# -Pn: Skip host discovery to avoid ICMP filtering issuesThis command quickly identifies open ports, service versions, and the operating system, which helps prioritize the next steps in the attack path.
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu
80/tcp open http GunicornThe UDP scan confirmed that the practical entry point was still on the TCP side
After running a supplemental top-20 UDP scan, no high-value responses appeared that were directly exploitable. That means the investigation should stay focused on Web, FTP, and SSH. The key lesson here is not to scan everything forever, but to stop low-yield exploration early.
AI Visual Insight: The image corresponds to the machine information page, which typically includes the machine name, difficulty, tags, or lab hints. For an attacker, this kind of metadata can help determine whether to prioritize Web vulnerabilities, traffic analysis, or privilege escalation techniques.
Failed anonymous FTP login meant the focus had to shift to the Web entry point
Anonymous login is a standard validation step against vsFTPd, but it is explicitly denied on this target. While this did not immediately produce access, it ruled out the cheap path of default FTP misconfiguration and made port 80 the primary focus.
ftp [email protected]
# Use anonymous as the username
# Leave the password blank or try an email-style stringThis test checks whether FTP allows anonymous access. Since it fails, valid credentials must be obtained from another service.
The Security Snapshot feature was the most valuable part of the Web dashboard
Browsing port 80 reveals a monitoring dashboard with a sidebar. Front-end elements such as the search box and user controls do not trigger meaningful requests and have no real security value. The features worth analyzing are Security Snapshot, IP Config, and Network Status, because they are more likely to map to backend commands or generated files.
AI Visual Insight: The image shows the Web dashboard homepage, including a navigation bar, status panels, and a side menu. From a technical perspective, this suggests an operations-oriented application that may expose system command output, packet captures, or diagnostic data through the front end.
AI Visual Insight: The image suggests that the search or interaction component has no real backend integration, which marks it as visual noise. During a penetration test, you should prioritize features that trigger requests, downloads, parameter changes, or file generation.
AI Visual Insight: The image further confirms that some front-end buttons trigger no network activity. This helps eliminate false entry points and prevents wasted effort on static UI components.
The URL design exposed an IDOR attack surface
On the capture page, the download link takes the form /data/2. Routes that reference resources directly by integer ID are often vulnerable to IDOR if the backend does not enforce authorization checks. Further enumeration shows that /data/0 returns a more valuable packet capture, which indicates that different numeric IDs map to data generated by different users or tasks.
curl -I http://10.129.35.25/data/0
# Test whether the direct object reference is accessible
# If the resource exists, download it and inspect the contentsThis verification confirms whether object identifiers can be enumerated without authorization, which is a standard way to identify IDOR.
AI Visual Insight: The image shows expanded sidebar menu items, indicating that the application consolidates system information, network status, and packet-capture analysis in a single console. This kind of design often comes with backend command wrappers or file-indexing logic.
AI Visual Insight: The image presents the IP Config or a similar diagnostic page, suggesting that the backend may run fixed system commands and render the results. This means the application interacts directly with the host system, although no command injection point is visible at this stage.
AI Visual Insight: The image corresponds to the Network Status or packet-analysis page, where the relationship between the URL and the feature name is relatively clear. Technically, this suggests simple route binding, which often leads developers to miss authorization checks on resource IDs.
The PCAP file directly exposed cleartext FTP authentication data
After downloading the packet capture returned by /data/0, you can open it in Wireshark and quickly spot the FTP login sequence. Because FTP does not encrypt authentication traffic, both the username and password appear in cleartext in the protocol stream. This is the most important data exposure point in the machine.
AI Visual Insight: The image shows packet capture data opened in Wireshark, with packet lists, protocol columns, and session details visible. The key technical goal is to identify the authentication protocol quickly and determine whether cleartext credentials can be extracted directly.
AI Visual Insight: The image shows differences in the results returned by various `/data/
` pages, confirming that object IDs map directly to specific packet-capture content. This is important supporting evidence that the IDOR is real.  **AI Visual Insight:** The image shows that the traffic file downloaded from `/data/0` contains valid communication records rather than an empty capture. In the attack chain, this is the step that converts unauthorized access into actual sensitive data exposure. “`text USER nathan PASS Buck3tH4TF0RM3! # FTP transmits credentials in cleartext, so they can be recovered directly “` This protocol excerpt shows that the packet capture contains usable account credentials. The next step should prioritize SSH instead of FTP. ## Credential reuse made SSH the best foothold Although logging in through FTP is theoretically possible, an SSH shell is far more valuable. In real environments, when both FTP and SSH are exposed on the same host, you should first test whether a recovered credential pair is reused on SSH, because success often gives you direct interactive system access.  **AI Visual Insight:** The image shows authentication details in Wireshark, especially visible FTP `USER` and `PASS` fields. It clearly demonstrates how unencrypted protocols expose credentials when captured. “`bash ssh [email protected] # Log in with the password extracted from the PCAP # If successful, this provides a stable shell “` This command tests whether the recovered password is reused on SSH. It is the key step that turns exposed data into host access.  **AI Visual Insight:** The image shows a successful SSH login terminal session, confirming that credential reuse is valid. At this point, the attack has moved from Web exploitation to post-exploitation on the host.  **AI Visual Insight:** The image shows the user directory and successful reading of `user.txt`, proving that standard user access has been obtained and the first-stage objective is complete. ## The final privilege escalation depended on Python being misconfigured with cap_setuid Once inside the system, the machine name, `Cap`, already hints that Linux Capabilities matter. Running `getcap -r /` reveals that `/usr/bin/python3.8` has the `cap_setuid` capability. That means a Python process can deliberately switch its own UID to 0 and spawn a root shell directly. “`bash getcap -r / 2>/dev/null # Recursively enumerate files with configured capabilities # Pay close attention to high-risk binaries such as interpreters, shells, and networking tools “` This command is a fast and effective way to detect capability misconfigurations during Linux privilege escalation.  **AI Visual Insight:** The image shows the GTFOBins entry for exploiting Python capabilities, indicating that this privilege-escalation method is publicly documented. The issue is not a zero-day vulnerability, but incorrect system configuration. “`python import os os.setuid(0) # Switch the current process UID to root os.system(“/bin/bash”) # Spawn a root shell “` This Python code uses the `cap_setuid` capability to elevate a normal user process to root and start an interactive shell.  **AI Visual Insight:** The image shows the root terminal after escalation. You would typically see `UID=0`, a root shell prompt, or successful access to `root.txt`, confirming that the capability-based privilege escalation chain is complete. ### The defensive lessons from this attack chain are straightforward First, every object access must be enforced with server-side authorization checks rather than relying on numeric IDs alone. Second, cleartext protocols such as FTP should not be exposed in production environments. Third, SSH must not share passwords with other services. Fourth, you should regularly audit `setcap` assignments, especially on interpreters such as Python, Perl, and Ruby that can execute arbitrary system calls. ## FAQ ### Q1: Why is `/data/0` a classic IDOR case? Because the resource is referenced directly through a predictable numeric identifier, and the server does not verify whether the current user is authorized to access that object. An attacker only needs to modify the ID in the URL to download another user’s packet capture. ### Q2: Why try SSH first after recovering FTP credentials? Because successful SSH access immediately provides an interactive shell, which is far more valuable than FTP file access. In real environments, password reuse across services is common, so you should test the higher-value, higher-control entry point first. ### Q3: Why is `cap_setuid` alone enough to escalate privileges? `cap_setuid` allows a process to change its own UID. If the Python interpreter has that capability, an attacker can call `os.setuid(0)` from Python to switch to root and then launch a shell, achieving privilege escalation without a kernel exploit. > [AI Readability Summary] > > This walkthrough reconstructs the full HackTheBox Cap attack chain: port reconnaissance identifies Gunicorn, FTP, and SSH; an IDOR allows unauthorized PCAP download; packet analysis reveals cleartext FTP credentials; credential reuse grants SSH access; and Python 3.8 with `cap_setuid` enables the final privilege escalation to root.