Canape


Comments

  • I have RCE via os.system(); I tested it on sample commands (cat, find, etc.) and it works! However, when I try to make a backconnect via nc, /dev/tcp or a Python script, nothing happens. There is no connection. (( What am I doing wrong?

  • I have a shell and am now targeting user.txt. Can anyone PM me please, as I have a question regarding that? Thx!

  • edited April 2018

    Beating my head on this... Love it

    OSCE | OSCP | WCNA | CCNP | CCDP | ECSAv9 | CEHv8 | CISSP | Sec+

  • Got a low-priv shell, any hints about user.txt?

  • The machine has no internet connection. ( Any idea how to load scripts? I tried via nc -l -p 1234 -q 1 > something.zip < /dev/null, but I can't connect to the machine.

  • Any tips on getting started with this one? Did the normal stuff, saw one port and a repo. Per an earlier comment I translated and looked into that, but I'm stuck.

    darkoria

  • @darkoria research what you found. @SpicyCrack3r put the files in your web directory and do a wget to your IP/file and download that way. The initial foothold was something new and kind of cool but frustrating; user access was easy once you thought about how to do it; and now root... well, for root I've been enumerating for a few hours, think I know what I need but am still trying to figure out how to get it.

  • edited April 2018
    Trying to get root. Am I in a rabbit hole playing with p**? NVM, got it. This box is interesting.

    kluo

  • Anyone want to discuss something about the reverse shell?

    Hack The Box

  • Could use some help... found the vector, stuck at creating the payload... How to run multiple commands on the same line for Python? The plan is to make the initial string a comment, then the payload.

  • @genxweb said:
    @SpicyCrack3r put the files in your web directory and do a wget to your ip/file and download that way.

    Thx, the easy way was gone from my eyes.

  • Advice for the initial foothold:
    Try working on it locally first and get something basic working.

  • Agreed. Guys, this box is somehow refreshing .... :) Great time.

    Sociaslkas

  • I have the app running locally but I still can't get RCE. When I generate the payload for RCE and the app creates the .p file locally, I try to run it in my own python interpreter with the "vulnerable" library and method I get the following error:

    ImportError: No module named os

    Running dos2unix on the .p file containing the exploit fixes the issue. I still can't get RCE b/c I think my exploit is being generated incorrectly (I'm doing it in Kali so I have no idea why dos2unix has an effect) and this in turn isn't working in the app. If I generate the payload and then execute it in the same script (i.e. non-interactively and bypassing the app altogether) it works fine. This is very frustrating and any help would be appreciated.

  • edited May 2018

    @mikekhusid said:
    I have the app running locally but I still can't get RCE. When I generate the payload for RCE and the app creates the .p file locally, I try to run it in my own python interpreter with the "vulnerable" library and method I get the following error:

    ImportError: No module named os

    Running dos2unix on the .p file containing the exploit fixes the issue. I still can't get RCE b/c I think my exploit is being generated incorrectly (I'm doing it in Kali so I have no idea why dos2unix has an effect) and this in turn isn't working in the app. If I generate the payload and then execute it in the same script (i.e. non-interactively and bypassing the app altogether) it works fine. This is very frustrating and any help would be appreciated.

    At this very moment I am at exactly the same spot (not with the chars, no need for dos2unix); also, with some modifications I get BadPickleGet: 111. The reason you may have to pass it through dos2unix is that you need to understand what format the data is saved to the file in... check cPickle online...

    ReK2

  • This machine is awesome. I haven't made a shell via RCE yet, but I love the way to hack it.

  • I've had a shell since yesterday, quite easy in the end. Now I'm on my way to impersonating another user to get user.txt... so far, I'm having lots of fun with this one!

    Sociaslkas

  • Well, after a short break, I got back to @canape. P0wned. For those who are struggling with it, here's a tip: it's easy. Once you've got a shell, the rest is like a walk in the park. As someone has already said, the first foothold was fun. Then, pretty boring.

    Sociaslkas

  • Any ideas about root? PM please

  • Stuck on Canape for a few days. Getting a 500 Internal Server Error. Anyone able to give me a nudge?

    darkoria

  • My earlier issue had to do with encoding.

  • @mikekhusid said:
    I have the app running locally but I still can't get RCE. When I generate the payload for RCE and the app creates the .p file locally, I try to run it in my own python interpreter with the "vulnerable" library and method I get the following error:

    ImportError: No module named os

    Running dos2unix on the .p file containing the exploit fixes the issue. I still can't get RCE b/c I think my exploit is being generated incorrectly (I'm doing it in Kali so I have no idea why dos2unix has an effect) and this in turn isn't working in the app. If I generate the payload and then execute it in the same script (i.e. non-interactively and bypassing the app altogether) it works fine. This is very frustrating and any help would be appreciated.

    This incredibly helpful message is usually caused by having the wrong line endings. Submitting multiline text in your browser that has Unix line endings (\n) usually ends up with the browser encoding it and changing the line endings into \r\n. If you look at the web request it probably has %0D%0A in it; if that's the case, just remove the %0Ds, since you only want Unix-style line endings, and that should fix the problem. Alternatively, you can URL-encode your text first. (Sorry for the non-specific answer, but I'm trying not to give anything away.)

    Feel free to follow me on Twitter @BenGrewell for tutorials, videos and other infosec related posts.
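The line-ending effect described in the post above, shown as an added example that is not part of this thread and not the Canape application's own code. It assumes Python 3's pickle module (the thread's cPickle is Python 2, but the protocol-0 text opcodes are the same) and a constructed protocol-0 stream that resolves and calls the harmless os.getcwd; the function names here are the example's own. It shows why a '\n' that a browser turns into '\r\n' makes the GLOBAL opcode look up a module named "os\r", why stripping the '\r' (what dos2unix does) repairs the stream, and what the value looks like when URL-encoded so the '\n' travels as %0A.

```python
import os
import pickle
import pickletools
import urllib.parse

# Constructed sample (not from the thread): a protocol-0 pickle that resolves
# the global os.getcwd and calls it with no arguments.  Opcodes:
#   c  GLOBAL   reads "module\n" then "name\n"
#   (  MARK
#   t  TUPLE    collects everything since the MARK into a tuple (here: empty)
#   R  REDUCE   calls the global with that tuple as its arguments
#   .  STOP
# Every text opcode argument is terminated by a bare '\n'.
PAYLOAD_LF = b"cos\ngetcwd\n(tR."


def to_crlf(data: bytes) -> bytes:
    """What a browser form does to a multi-line field value: '\\n' becomes '\\r\\n'."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def to_lf(data: bytes) -> bytes:
    """dos2unix equivalent: drop the '\\r' so each opcode argument ends in '\\n' only."""
    return data.replace(b"\r\n", b"\n")


def opcode_args(data: bytes) -> list:
    """Disassemble the stream; a stray '\\r' shows up inside the GLOBAL argument."""
    return [(op.name, arg) for op, arg, _pos in pickletools.genops(data)]


def load_result(data: bytes) -> tuple:
    """Unpickle, returning ('ok', value) or ('error', exception_instance)."""
    try:
        return ("ok", pickle.loads(data))
    except Exception as exc:  # broad on purpose: we want to see what the loader raised
        return ("error", exc)


def lf_payload_calls_getcwd() -> bool:
    """The clean stream resolves os.getcwd and REDUCE calls it."""
    status, value = load_result(PAYLOAD_LF)
    return status == "ok" and value == os.getcwd()


def crlf_payload_fails_import() -> bool:
    """The CRLF stream fails with an ImportError: the module name became 'os\\r'."""
    status, exc = load_result(to_crlf(PAYLOAD_LF))
    return status == "error" and isinstance(exc, ImportError)


def url_encode_payload(data: bytes) -> str:
    """Percent-encode the raw bytes so each '\\n' travels as %0A and is not rewritten."""
    return urllib.parse.quote(data, safe="")


def url_decode_payload(text: str) -> bytes:
    """What the server side sees after decoding the form value."""
    return urllib.parse.unquote_to_bytes(text)


if __name__ == "__main__":
    print("LF opcodes:  ", opcode_args(PAYLOAD_LF))
    print("CRLF opcodes:", opcode_args(to_crlf(PAYLOAD_LF)))
    print("LF loads:    ", load_result(PAYLOAD_LF))
    print("CRLF loads:  ", load_result(to_crlf(PAYLOAD_LF)))
    print("fixed loads: ", load_result(to_lf(to_crlf(PAYLOAD_LF))))
    print("form value:  ", url_encode_payload(PAYLOAD_LF))
```

Running it prints the GLOBAL argument as "os getcwd" for the clean stream and "os\r getcwd\r" for the CRLF one, which is the whole story behind the misleading "No module named os" message: the module name printed in the error carries an invisible carriage return.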

  • Can anyone help me out with the initial first step on this box? I have exhausted everything with no luck for hours.

  • Stuck at priv to user on the local machine. I found an interesting file but cannot crack the hash in it. Any hints?

  • Cannot make RCE work :( I used a payload generator from GitHub. Boring is safe :(

  • Feeling good, got root. Hint for this box: do not assume anything and read more. Try Harder!!!

  • @dmknght said:
    Cannot make RCE work :( I used a payload generator from GitHub. Boring is safe :(

    Not sure if you are talking about the initial foothold or a point further along; in the first case, check how you are encoding whatever you have. If possible, test it locally using whatever you have found and you will be able to see more info on why it is failing. I can't really post more details here, but feel free to message me with any questions about this box and I'll give whatever hints I can (without spoiling anything, of course).

    Feel free to follow me on Twitter @BenGrewell for tutorials, videos and other infosec related posts.

  • @Ic3M4n said:

    @dmknght said:
    Cannot make RCE work :( I used a payload generator from GitHub. Boring is safe :(

    Not sure if you are talking about the initial foothold or a point further along; in the first case, check how you are encoding whatever you have. If possible, test it locally using whatever you have found and you will be able to see more info on why it is failing. I can't really post more details here, but feel free to message me with any questions about this box and I'll give whatever hints I can (without spoiling anything, of course).

    I think I did not use the right encoder. I also did not enumerate the machine and the information for the exploit enough. I am doing other boxes and I will come back to this box when I feel ready. Thanks for your help :D

  • DM me if you are stuck at priv esc. I want to discuss it.

  • Is anyone online for a quick private message? I am lost in getting the initial foothold. Greatly appreciated if someone can point me in the right direction.
