Surprise, I don't know everything


Captain Machine: Or How I Learned to Stop Worrying and Love Grep

Machine: Cap (Linux)
Difficulty: Easy
Link: https://app.hackthebox.com/machines/Cap

The Setup

It's 9 PM. I've got a Linux box in front of me and way too much confidence. The Captain machine on HTB looked straightforward enough: scan it, enumerate it, and own it. Classic pentesting.

Spoiler: It was not straightforward. I actually had to learn stuff I had never used before.

Reconnaissance: The Boring But Necessary Part

First things first: nmap scan. You can't hack what you can't see, and nmap is basically echolocation for networks. Found the usual suspects: a web server running, some interesting ports open. Also, nmap is what I always know to do; it's almost a ritual now. Without it, I feel lost, and yes, I had to check all 65,535 ports. I used -T5 to speed things up, but apparently that was too fast, so I slowed it down, and in the end there were the same three ports I had gotten initially, so wtf, bro.

Navigated to the website. Poked around. Started manipulating URLs because that's what you do when you're not sure what else to do. And my experience as a web developer means I know not everything is protected; sometimes we just trust that you won't do such things.

The Pcap Problem

The URL manipulation let me download pcap files. Not a pcap file. Files. Plural. Like, 4 of them.

For the uninitiated: pcap (packet capture) files contain network traffic data. They're basically recordings of everything happening on a network at a given moment. They're also massive, binary, and absolutely miserable to sort through manually.

I could've opened each one in Wireshark and scrolled until my eyes bled. But I remembered something important: grep exists. Or, let me be honest, Gemini reminded me about this. So Linux is really fun.

Grep: The Unsung Hero

Grep is one of those Linux utilities that's so fundamental you forget it's magic. It searches through files for patterns. The problem? Pcap files are binary, and by default grep stops at the first match in a binary file and just prints "Binary file ... matches" instead of the matching text.

Enter the flags that changed my night:

grep -a -l -iE "password|pass|flag|secret|admin|login" *.pcap

Let's break this down:

-a treats binary files like text (it is the same as --binary-files=text). Crucial when you're grep-ing through packet captures that are definitely not text files; a match inside a TCP payload shows up as a normal line of output instead of the "Binary file matches" notice.

-l only prints the filename, not every matching line. When you've got 100+ files, you don't want grep vomiting thousands of lines at you. You just want to know which file has what you're looking for.

-i makes the search case-insensitive. Finds "Password," "password," "PASSWORD," and "PaSsWoRd" (because someone always does that).

-E enables extended regex, letting you search for multiple keywords at once with the pipe | operator.

Result? One filename: 0.pcap

The Zero Index Prophecy

Here's the funny part: I'd already guessed it would be file 0.

Why? Because computers count from zero, and I figured whoever built this machine was making that exact joke. Sometimes, overthinking can accidentally make you look smart.

FTP: Security Theatre's Worst Nightmare

Found credentials in the pcap file. Tried them on the FTP service because FTP is ancient and terrible and sends everything (usernames, passwords, your hopes and dreams) in plaintext over the network. The USER and PASS commands sit right there in the TCP payload, which is exactly why the keyword grep found them.

Got into Nathan's account. No encryption, no security, just raw data floating through the ether like it's 1995.

This is why we don't use FTP anymore, kids.
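The grep search above and the FTP login that it turned up can both be reproduced without a target: the block below is an added example (my code, not the author's and not anything from HTB) that builds a small pcap in memory containing a plaintext FTP login, then recovers the credentials two ways. First a raw byte scan over whole files, which is what grep -a -l -iE does, and then a minimal pcap/Ethernet/IPv4/TCP parser that reassembles the client's command stream and reads out USER and PASS properly. The addresses, banner text and password are constructed for the example; only the user name "nathan" comes from the write-up.

```python
"""Added example, not code from the original post: recover plaintext FTP
credentials from a pcap, first by a grep -a style byte scan, then by
actually parsing the capture. All traffic below is constructed."""
import re
import struct

CLIENT, SERVER = "10.10.14.5", "10.10.10.245"   # constructed addresses
KEYWORDS = re.compile(rb"password|pass|flag|secret|admin|login", re.IGNORECASE)


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP (PSH/ACK) frame around `payload`. Checksums are
    left zero: nothing here validates them, and neither does grep."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip(src), _ip(dst)) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip


def pcap_file(frames: list) -> bytes:
    """Classic (not pcapng) little-endian pcap: 24-byte global header,
    16-byte record header per frame, link type 1 = Ethernet."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_frames(pcap: bytes):
    """Yield each captured frame; handles both byte orders of the magic."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_segment(frame: bytes):
    """Return (src_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                       # IP protocol 6 = TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return ".".join(map(str, ip[12:16])), sport, dport, tcp[data_off:]


def grep_a_l(files: dict) -> list:
    """What `grep -a -l -iE "password|pass|..." *.pcap` does: treat each file
    as raw bytes and report only the names of files with at least one hit."""
    return sorted(name for name, data in files.items() if KEYWORDS.search(data))


def extract_ftp_logins(pcap: bytes, ftp_port: int = 21) -> list:
    """Concatenate client->server payload per connection in capture order
    (no seq-number reordering, which is fine for one clean session; tshark
    reassembles properly), then read the USER and PASS command lines."""
    streams = {}
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg is None or seg[2] != ftp_port:
            continue                     # keep only commands sent to the server
        streams.setdefault((seg[0], seg[1]), bytearray()).extend(seg[3])
    logins = []
    for (client, _), data in streams.items():
        user = password = None
        for line in data.split(b"\r\n"):
            verb, _, arg = line.partition(b" ")
            if verb.upper() == b"USER":
                user = arg.decode("ascii", "replace")
            elif verb.upper() == b"PASS":
                password = arg.decode("ascii", "replace")
        if user and password:
            logins.append((client, user, password))
    return logins


def build_sample_files() -> dict:
    """Constructed captures: 0.pcap holds the FTP login, 1.pcap holds an
    HTTP request containing none of the keywords."""
    ftp = [tcp_frame(SERVER, CLIENT, 21, 40000, b"220 FTP service ready\r\n"),
           tcp_frame(CLIENT, SERVER, 40000, 21, b"USER nathan\r\n"),
           tcp_frame(SERVER, CLIENT, 21, 40000, b"331 Please specify the password.\r\n"),
           tcp_frame(CLIENT, SERVER, 40000, 21, b"PASS not-the-real-one!\r\n"),
           tcp_frame(SERVER, CLIENT, 21, 40000, b"230 Login successful.\r\n")]
    http = [tcp_frame(CLIENT, SERVER, 40001, 80,
                      b"GET /data/1 HTTP/1.1\r\nHost: target.example\r\n\r\n")]
    return {"0.pcap": pcap_file(ftp), "1.pcap": pcap_file(http)}


if __name__ == "__main__":
    files = build_sample_files()
    print("files with keyword hits:", grep_a_l(files))
    for client, user, password in extract_ftp_logins(files["0.pcap"]):
        print(f"{client} logged in as {user!r} with password {password!r}")
```

The byte scan is enough to tell you which file to open, which is all the write-up needed; the parser is what you want once you care about which host sent the password and in which connection. On a real capture the same question is one tshark filter away (tshark -r 0.pcap -Y 'ftp.request.command == "USER" || ftp.request.command == "PASS"'), and tshark also handles pcapng and out-of-order segments, which this minimal parser deliberately does not.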

Lateral Movement: Or, Looking Around Like You Own the Place

Now I'm in Nathan's account. Time for basic Linux enumeration:

  • ls to see what's here
  • cd to move around
  • sudo -l to check what Nathan can run with elevated privileges

Found some processes running as sudo that probably shouldn't be. This is where things get interesting.

Privilege Escalation: The Fun Part

Privilege escalation is the art of convincing a system you're more important than you actually are. In this case, certain binaries were running with root permissions and could be manipulated.

Exploited the misconfiguration. Tricked the system into thinking I was root. Navigated to /root, grabbed the flag.

If you're wondering exactly how I did the privilege escalation, that's your homework. The machine is still active on HTB, and figuring it out yourself is how you actually learn this stuff.

What I Actually Learned

First time using FTP properly: Understood why it's fundamentally broken (plaintext transmission) and why SSH exists.

First time chaining the full kill chain: Reconnaissance → Initial Access → Lateral Movement → Privilege Escalation. It's one thing to know the theory; it's another to actually execute it.

Grep is absurdly powerful: Seriously, I need to stop sleeping on basic Linux utilities. They're basic for a reason—they work.

This machine forced me to think instead of just following a walkthrough. That's when learning actually happens.

I'm basically a hacker now.
