Welcome to another Hack the Box challenge. Today, we are going to try and pwn the Cap machine on Hack The Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs. You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel (https://www.youtube.com/@BoltechTechnologies1) and follow me on LinkedIn (https://www.linkedin.com/in/isiaq-ibrahim-468588156/) for more updates.
About the Machine
The HTB machine "Cap" is an easy-level Linux machine with an HTTP server that allows users to capture non-encrypted traffic. It provides opportunities to exploit vulnerabilities, including an insecure direct object reference (IDOR) on its website. The capture contains plaintext credentials and can be used to gain foothold. A Linux capability is then leveraged to escalate to root.
About the Vulnerability
Cap HTB machine has two security flaws. One, is a website with an insecure direct object reference (IDOR) vulnerability, that stores a Wireshark packet file and also allow you to view and download other users Wireshark packet file by editing the URL header. This vulnerability allow users of the website access FTP credentials of other users, thereby allowing SSH access as that user.
How to Pwn the machine
Like every other machine, the first step is downloading the lab access file on Hack the Box and connecting Kali Linux terminal to Hack the Box server by running the following command in Kali Linux terminal:
0 Comments