
RED-CAP MACHINE PENTESTING

REPORT

AUTHOR: SEETHALAM SURYA PRAKASH


REGISTRATION ID: 22B91A04K4
MACHINE AUTHOR: INFOSECJACK
DATE: 23/01/2025

RED-CAP MACHINE:
Cap is an easy difficulty Linux machine running an HTTP server that performs administrative
functions including performing network captures. Improper controls result in Insecure Direct
Object Reference (IDOR) giving access to another user's capture. The capture contains plaintext
credentials and can be used to gain foothold. A Linux capability is then leveraged to escalate to
root.

CONFIDENTIALITY NOTICE

THIS REPORT IS FOR EDUCATIONAL PURPOSES ONLY AND IS
INTENDED FOR AUTHORIZED READERS.

TABLE OF CONTENTS:

CONFIDENTIALITY (page 3)

INTRODUCTION (page 3)
- PURPOSE OF THE REPORT
- SCOPE OF THE ENGAGEMENT
- ACKNOWLEDGMENT

SUMMARY (pages 3-4)
- PROCESS
- SCOPE
- FINDINGS

RED-CAP PENETRATION TESTING (pages 4-8)
- RECONNAISSANCE
- ENUMERATION
- PRIVILEGE ESCALATION

CONCLUSION (page 9)
CONFIDENTIALITY:
- This report has been prepared as part of the practical exercise and learning
activities associated with solving the Hack The Box "RED-CAP" machine. The
content within this document, including methodologies, findings, and analysis, is
intended solely for educational purposes and is the intellectual property of the
student who authored this report.
- Any information disclosed within this report must be handled with strict
confidentiality. Unauthorized sharing, reproduction, or distribution of the content
herein is prohibited unless prior consent has been obtained from the author.
- This document may contain simulated vulnerabilities, attack vectors, or sensitive
technical details related to ethical hacking techniques. All such information is
intended for lawful use in controlled environments and should not be employed
for any malicious or unethical activities.
- By reviewing this document, the recipient agrees to uphold its confidentiality and
to use the information responsibly in adherence to ethical guidelines and
applicable laws.
INTRODUCTION:
- Purpose of the report: The purpose of this report is to document the practical
penetration-testing exercise conducted on the "Red-Cap" machine provided by
Hack The Box. This activity was undertaken as part of an educational initiative
to enhance the understanding of ethical hacking techniques, methodologies,
and tools used in real-world scenarios.
- Scope of engagement: The scope of this engagement is limited to the
penetration testing of the "Red-Cap" machine available on the Hack The Box
platform. This activity was conducted within a controlled environment
specifically designed for ethical hacking practice.
- Acknowledgment: I acknowledge the importance of adhering to Hack The Box's
terms of service and ethical guidelines throughout this exercise. This report is
the result of responsible and compliant use of the platform, ensuring that all
activities were conducted within the boundaries of the "Red-Cap" machine and
the principles of ethical hacking.

SUMMARY:
- This report provides a detailed account of the penetration testing exercise
conducted on the "Red-Cap" machine, a challenge hosted on the Hack The Box
platform. The exercise was performed as part of an educational initiative to
develop and enhance practical skills in ethical hacking and cybersecurity.
- The engagement focused on identifying vulnerabilities within the "Red-Cap"
machine, exploiting them to gain unauthorized access, and analyzing the
security posture of the system. The approach included the standard penetration
testing phases: reconnaissance, enumeration, exploitation, and post-exploitation.
Each phase was meticulously documented to ensure transparency and adherence
to ethical hacking guidelines.
- Key findings from the exercise revealed common misconfigurations and
vulnerabilities often encountered in real-world systems. These findings provided
valuable insights into practical exploitation techniques and emphasized the
importance of robust security measures.

PROCESS:
1) Reconnaissance 2) Enumeration 3) Exploitation

SCOPE:
If we were to map this engagement conceptually to a domain type, it would fall under:

- Web Application Security: Focusing on analyzing and exploiting web application
vulnerabilities.
- Network Analysis: Involving PCAP (Packet Capture) file analysis to extract sensitive
information like credentials or session tokens.

Host IP address: 10.10.16.9 (the attacking host, connected over HTB OpenVPN to reach the
Red-Cap machine).

FINDINGS:

The findings from the "Red-Cap" machine on Hack The Box can be categorized based
on their impact and exploitability. Below is a breakdown of the severity levels:
- Misconfigured Web Application – Medium
- Network Packet Analysis – High
- Weak Credentials – High
- Web Vulnerabilities – Medium
- Privilege Escalation – Critical

Red-Cap Penetration Testing Walkthrough:

Reconnaissance:
VICTIM'S IP ADDRESS: 10.10.10.254 (Red-Cap machine IP address).
i. Techniques used to gather information about the "Cap" machine.
ii. Conducted an initial scan using tools like Nmap to identify open ports, running
services, and the operating system.
iii. Gathered information about the web server and its functionality by browsing the
interface and analyzing HTTP responses.

- Results obtained after Nmap scanning were: 1) FTP 2) SSH 3) HTTP (80).
HTTP: According to Nmap, port 80 is running Gunicorn, which is a Python-based
HTTP server. Browsing to the page reveals a dashboard.

Enumeration:
Explored the web application thoroughly by analyzing the different options it provides,
and identified that 10.10.10.245/data/<id> (id 9, 5, 2 and so on) returns other users'
captures because the id is taken directly from the URL with no ownership check (IDOR).
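To make the IDOR concrete from the defender's side, the following is an added example (not the Red-Cap machine's code and not from this report). It mirrors the /data/<id> pattern above in plain Python: a download function keyed on a guessable integer with no ownership check, next to a hardened version that hands out non-guessable references and enforces ownership on the server. The users, capture ids and capture contents are constructed.

```python
"""Object-level authorization for a capture-download endpoint (added example).

Not the machine's own code. Mirrors the /data/<id> lookup from the walkthrough
with a vulnerable variant beside a hardened one. All data below is constructed.
"""
import secrets
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised both for missing captures and for captures the caller may not see."""


@dataclass
class Capture:
    owner: str
    pcap: bytes
    # Indirect reference exposed in URLs instead of the sequential row number.
    ref: str = field(default_factory=lambda: secrets.token_urlsafe(16))


# Constructed store; on the real machine the captures lived behind /data/<id>.
CAPTURES = {
    0: Capture(owner="nathan", pcap=b"<constructed pcap: nathan's traffic>"),
    1: Capture(owner="alice", pcap=b"<constructed pcap: alice's traffic>"),
    2: Capture(owner="bob", pcap=b"<constructed pcap: bob's traffic>"),
}
REF_INDEX = {c.ref: cid for cid, c in CAPTURES.items()}


def download_vulnerable(requester: str, capture_id: int) -> bytes:
    """The IDOR: any authenticated user can fetch any id, e.g. /data/0."""
    if capture_id not in CAPTURES:
        raise NotFound
    return CAPTURES[capture_id].pcap  # requester is never consulted


def download_hardened(requester: str, capture_ref: str) -> bytes:
    """Resolve the indirect reference, then enforce ownership before returning data."""
    capture_id = REF_INDEX.get(capture_ref)
    if capture_id is None or CAPTURES[capture_id].owner != requester:
        # One answer for "does not exist" and "not yours": a distinct 403
        # would still confirm to the caller which references are valid.
        raise NotFound
    return CAPTURES[capture_id].pcap


def list_my_captures(requester: str) -> list:
    """Users only ever learn references to their own objects."""
    return [c.ref for c in CAPTURES.values() if c.owner == requester]


def is_denied(requester: str, capture_ref: str) -> bool:
    """True when the hardened endpoint refuses the request."""
    try:
        download_hardened(requester, capture_ref)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    ref = list_my_captures("nathan")[0]
    print("vulnerable, alice fetches id 0:", download_vulnerable("alice", 0))
    print("hardened, nathan fetches own ref:", download_hardened("nathan", ref))
    print("hardened, alice fetches nathan's ref denied:", is_denied("alice", ref))
```

The ownership check is the actual fix; the random reference only makes enumeration harder and must never be the sole control. Logging every denied lookup gives a cheap detection for the sequential-id probing described in the enumeration step.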

Analyzed network capture files using tools like Wireshark to extract useful credentials
or tokens.

At the URL 10.10.10.245/data/0 we obtained user Nathan's credentials, which exposed
login details through the web application.

Wireshark packet analysis:

Clicking on Download gives us a packet capture file, which can be examined using
Wireshark.
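As an added example of what the capture analysis above is really checking for, the script below (not from this report, and not a replacement for Wireshark) parses a pcap file offline with nothing but the standard library and flags cleartext authentication. It covers the FTP USER/PASS case from this machine and, going a step beyond the report, HTTP Basic headers; it records that a password was sent and which username was used, but deliberately never copies the secret out. The capture it reads is constructed in memory, so it runs without a real .pcap; the placeholder password and host names are not real values.

```python
"""Offline audit of a pcap for cleartext authentication (added example).

Handles little-endian pcap with Ethernet/IPv4/TCP frames. The sample capture
below is constructed in memory; nothing here comes from the real machine.
"""
import base64
import struct

ETH_IPV4 = 0x0800
IP_PROTO_TCP = 6


def _tcp_frame(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame around payload (constructed data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IP_PROTO_TCP, 0,
                     bytes([192, 168, 196, 1]), bytes([192, 168, 196, 16])) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_IPV4) + ip


def _pcap(frames) -> bytes:
    """Wrap frames in a pcap container: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def iter_tcp_payloads(pcap_bytes: bytes):
    """Yield (src_port, dst_port, payload) for every TCP segment carrying data."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4       # IPv4 header length in bytes
        if frame[23] != IP_PROTO_TCP:      # protocol field of the IPv4 header
            continue
        tcp = 14 + ihl
        if len(frame) < tcp + 20:
            continue
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data_off = (frame[tcp + 12] >> 4) * 4
        payload = frame[tcp + data_off:]
        if payload:
            yield sport, dport, payload


def find_cleartext_auth(pcap_bytes: bytes) -> list:
    """Return findings for cleartext credentials; secrets are never copied out."""
    findings = []
    for _sport, dport, payload in iter_tcp_payloads(pcap_bytes):
        for line in payload.split(b"\r\n"):
            up = line.upper()
            if dport == 21 and up.startswith(b"USER "):
                findings.append({"protocol": "ftp", "dst_port": dport,
                                 "username": line[5:].decode(errors="replace"),
                                 "issue": "username sent in cleartext"})
            elif dport == 21 and up.startswith(b"PASS "):
                findings.append({"protocol": "ftp", "dst_port": dport, "username": None,
                                 "issue": "password sent in cleartext"})
            elif up.startswith(b"AUTHORIZATION: BASIC "):
                try:
                    user = base64.b64decode(line[21:]).split(b":", 1)[0]
                except ValueError:
                    user = b"?"
                findings.append({"protocol": "http-basic", "dst_port": dport,
                                 "username": user.decode(errors="replace"),
                                 "issue": "credentials base64-encoded, not encrypted"})
    return findings


# Constructed capture: an FTP login (placeholder password) and an HTTP Basic request.
SAMPLE_PCAP = _pcap([
    _tcp_frame(54321, 21, b"USER nathan\r\n"),
    _tcp_frame(54321, 21, b"PASS example-password\r\n"),
    _tcp_frame(54322, 80, b"GET /data/0 HTTP/1.1\r\nHost: example.test\r\n"
                          b"Authorization: Basic " + base64.b64encode(b"admin:example")
                          + b"\r\n\r\n"),
])

if __name__ == "__main__":
    for finding in find_cleartext_auth(SAMPLE_PCAP):
        print(finding)
```

Run against a real capture with `find_cleartext_auth(open("capture.pcap", "rb").read())`. The point for the defender is the same one the report makes implicitly: a capture of FTP on port 21 is only a credential leak because the protocol itself is cleartext, so the durable fix is retiring FTP/HTTP Basic in favour of SFTP or TLS, not just guarding the capture files.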

Checked for potential vulnerabilities or misconfigurations in the exposed services, such
as ftp (vsftpd 3.0.3) and ssh (OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol
2.0)).

Exploitation:

- Used insights from the enumeration phase to exploit vulnerabilities.
- The credentials found in the captured file were used to authenticate and then to
escalate privileges.

FTP SERVER EXPLOITATION

user Nathan --- pass Buck3Th4TF0RM3!

Secure Shell Protocol (SSH):

- During the enumeration and analysis of the provided PCAP file, sensitive information
such as usernames and passwords was extracted.
- These credentials were identified as valid for accessing the system via SSH.
- With SSH access, the system's file structure, processes, and configurations were
explored to find a path to privilege escalation.
- SSH access provides direct entry into the system, allowing an attacker to navigate files,
execute commands, and potentially escalate privileges if further misconfigurations or
vulnerabilities could lead to root or administrative control.
- As the Nathan user we found the user.txt file, which holds one flag for the Red-Cap
machine, as well as a snap directory.
user.txt flag: 2c6e99b3745363843b445513321bc53e

PRIVILEGE ESCALATION:
- Now using Python for privilege escalation: privilege escalation using Python
typically involves leveraging misconfigurations, weak permissions, or
intentionally vulnerable setups where Python is improperly secured.

Linux capabilities are a subset of root privileges that can be applied to executables,
allowing them to perform specific privileged actions without granting full root access.

-bash-5.0$ python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

From this root shell we gain access to all files and directories of the Linux system.
From root access we obtained the root.txt file in the root directory, which holds the flag:
root.txt FLAG: 526ba14fb538a0e45a3d1082faab1207.
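The escalation above works only because the Python binary carries a file capability that an unprivileged user can exercise (os.setuid(0) needs cap_setuid). The following is an added example, not part of this report: an audit script that parses the output of `getcap -r /` and rates root-equivalent grants, treating a capability on an interpreter such as python3.8 as critical because any user who can run the interpreter inherits it. It accepts both getcap output styles (older "path = caps+flags" and newer "path caps=flags"). The sample output it is run on is constructed, modelled on what such a host prints; the paths other than python3.8 are made up.

```python
"""Audit file capabilities for root-equivalent grants (added example).

Not from the report. Parses `getcap -r /` text and flags capabilities that let a
program become root; interpreters get the highest severity. The sample output
below is constructed.
"""
import re
import subprocess

# Capabilities that amount to root or bypass the file permission model.
ROOT_EQUIVALENT = {
    "cap_setuid": "can call setuid(0) and spawn a root shell",
    "cap_setgid": "can switch group ids, often paired with cap_setuid",
    "cap_dac_override": "bypasses file read/write/execute permission checks",
    "cap_dac_read_search": "reads any file, e.g. /etc/shadow",
    "cap_sys_admin": "broad administrative control (mounts, namespaces)",
    "cap_sys_ptrace": "can attach to and control processes running as root",
    "cap_sys_module": "can load kernel modules",
    "cap_chown": "can take ownership of any file",
    "cap_fowner": "bypasses ownership checks on file operations",
}
# Scripting runtimes: a capability on these is usable by anyone who can run them.
INTERPRETERS = re.compile(r"/(python[\d.]*|perl[\d.]*|ruby[\d.]*|php[\d.]*|node)$")
GETCAP_LINE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>cap_.*)$")


def parse_getcap(text: str) -> dict:
    """Map path -> {capability: set(flags)} from getcap output (both formats)."""
    result = {}
    for raw in text.splitlines():
        m = GETCAP_LINE.match(raw.strip())
        if not m:
            continue
        caps = result.setdefault(m.group("path"), {})
        for clause in m.group("caps").split():
            # "cap_a,cap_b+eip" or "cap_a,cap_b=eip": names before the operator,
            # effective/inheritable/permitted letters after it.
            op = re.search(r"[+=]([eip]*)$", clause)
            flags = set(op.group(1)) if op else set()
            for name in re.findall(r"cap_[a-z_]+", clause):
                caps[name] = flags
    return result


def audit(text: str) -> list:
    """Return (path, capability, severity, reason) for risky, effective capabilities."""
    findings = []
    for path, caps in parse_getcap(text).items():
        for name, flags in caps.items():
            # Permitted-only grants require the program to raise them itself; an
            # interpreter or ordinary tool will not, so only effective ones count.
            if name not in ROOT_EQUIVALENT or "e" not in flags:
                continue
            severity = "critical" if INTERPRETERS.search(path) else "high"
            findings.append((path, name, severity, ROOT_EQUIVALENT[name]))
    return findings


def audit_host() -> list:
    """Run getcap on the local Linux host (needs the libcap tools installed)."""
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    return audit(out)


# Constructed sample; the python3.8 line reproduces the kind of grant this report used.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/backup/agent cap_dac_read_search=ep
/opt/legacy/daemon cap_setuid=p
"""

if __name__ == "__main__":
    for path, cap, severity, reason in audit(SAMPLE_GETCAP):
        print(f"{severity:8} {path}: {cap} ({reason})")
```

On a live host, `audit_host()` does the same over the real filesystem. The remediation for the finding this report exploited is to remove the capability from the interpreter (`setcap -r /usr/bin/python3.8`) and grant it instead to the one dedicated, non-writable binary that actually needs it; scheduling the audit periodically catches the grant if it is reintroduced by a later package or deployment change.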

Conclusion:
The findings and observations reveal critical areas that require immediate attention to
ensure the CAP machine's optimal performance, security, and reliability. By
implementing the recommended actions, the organization can achieve:
- Enhanced operational efficiency and reduced downtime.
- Improved system security and resilience against potential threats.
- Streamlined workflows that align with organizational goals.
- Prolonged machine lifespan through proactive maintenance strategies.
A commitment to continuous monitoring and improvement will ensure that the CAP
machine remains a valuable asset, contributing to the organization's overall.

Thank you …