Well - I suck at CTFs. Maybe I just don’t have the CTF mindset, but here’s to trying to do a challenge a day until I start to like it or can them without a walkthrough =p

tl;dr

dcode.fr
- CTF-ism tool when dealing with cipher stuff. You can use the site to identify the type of cipher being used and crack it
- Real world application: Can use it to crack ciphers but there’s a privacy issue, how do I know it’s not saved or something?
enum4linux $IP
- Useful if nmap identifies smb or samba ports open
getcap $BINARY
- Built-in command to identify the capabilities that a binary has.
- Interesting ones are:
  - cap_dac_read_search
    - Read any file, bypassing file permissions
  - cap_net_raw
    - Send raw packetsping (usually harmless)
  - cap_setuid
    - Set UID to 0 (root)
  - cap_sys_admin
    - Do almost anything (like root) Dangerous if found
find $DIR -name “.*” 2>/dev/null
- looks in $DIR for interesting files
- most useful in specific directories vs the entire filesystem
./tar -cf - $FILE | tar -xf -
- in this box the local tar binary had different getcap than the systemwide tar
- created the tarball (tar file) as root and then extracted it without permissions so regular users can read it
MITRE ATT&CK Technique IDs:
- T1595.002 – Active Scanning: Network Scanning
- T1597.001 – Search Open Websites/Domains: Code Repositories
- T1552.001 – Unsecured Credentials: Credentials in Files
- T1110.002 – Brute Force: Password Cracking
- T1087.001 – Account Discovery: Local Account
- T1083 – File and Directory Discovery
- T1548.001 – Abuse Elevation Control Mechanism: Setuid and Setgid
- T1552.001 – Unsecured Credentials: Credentials in Files

Start off with the typical NMAP scan
Received 80, 139, 445, 10000, and 20000
10000 and 20000 not shown
T1595.002 – Active Scanning: Network Scanning

Go to the browser and head to *IP:80*
Hitting the web page with the Source Code and scrolling down we see this
T1597.001 – Search Open Websites/Domains: Code Repositories
T1552.001 – Unsecured Credentials: Credentials in Files

Head to *dcode.fr*
You can use the **CIPHERTEXT TO RECOGNIZE** function
This shows a high confidence of the **Brainfuck** cipher
That gives us a password to use
T1110.002 – Brute Force: Password Cracking (this is the most fitting for decrypting of captured cipher texts)

We don’t have a username, remembering that we saw 139 and 445
Use **enum4linux** to enumerate samba for a username
We find the **cyber** user
So now we have a username and a password
T1087.001 – Account Discovery: Local Account

Hit the *IP:10000* in the web browser
Username and password doesn’t work there
Head to *IP:20000*
Username and password works there!
Going through the menu we see **Command Shell** and we can cat the user.txt
T1083 – File and Directory Discovery

Searching **msfconsole** we find a lot of different exploits with **webmin**
Tried all of them and even with a username and password the exploits weren’t successful (I think?)

Back to the VM, using the **Command Shell** we find the **tar** binary
Using **getcap** we can find what capabilities the binary has
T1548.001 – Abuse Elevation Control Mechanism: Setuid and Setgid

getcap is a Linux command used to check which capabilities are assigned to binaries. Capabilities allow a binary to perform specific privileged actions without needing full root privileges (unlike SUID).

🧭 Summary:

Command: getcap -r / 2>/dev/null
Purpose: Find binaries that may be used for privilege escalation without SUID

🔥 Interesting Capabilities for Privesc:

cap_dac_read_search
- Read any file, bypassing file permissions
cap_net_raw
- Send raw packetsping (usually harmless)
cap_setuid
- Set UID to 0 (root)
cap_sys_admin
- Do almost anything (like root) Dangerous if found

I Suck At CTFs: Breakout - Empire

🧭 Summary:

🔥 Interesting Capabilities for Privesc:

I Suck at CTFs: Breakout - Lupin One

Report Template