Canape

1356711

Comments

  • edited May 2018

    Damn it. The comments here only made me more frustrated. It feels like my payload should be working.... It is working locally :cry:

  • The best value you get if you make a python script (POC) that does the whole process. Especially if you are not familiar with python. It's easy. You can easily google all you need.

  • @fingeron said:
    Damn it. The comments here only made me more frustrated. It feels like my payload should be working.... It is working locally :cry:

    I am stuck where you are. It has something to do with encoding. If I can be more specific when I figure it out without giving it away, I will. The advice I was given was to setup the whole thing locally so that I could test...

  • Any hint on user.txt? I've been trying to make authenticated queries to couchdb.

  • @MartyV said:
    Any hint on user.txt? I've been trying to make authenticated queries to couchdb.

    hint: What will you do next when you controlled the server and couchdb ?

  • Any hints on doing RCE? I've been hitting 500s because of this "char + quote". Any hints on this? Please PM

    anikka

  • @anikka said:
    Any hints on doing RCE? I've been hitting 500s because of this "char + quote". Any hints on this? Please PM

    same probleme but withoiut char its works

    Javox

  • Same, stuck in char + quote. Escaping \n does not work though. Any hints PM please?
  • Wow! That was fun. I'm not very experienced with databases, so I learned a LOT! Great box!

  • @anikka @markopasa @Javox Try different combinations how you can bypass the check.

  • edited May 2018

    Can't root the box. Any nudges on how to use *** or is that a rabbit hole? Please PM

    anikka

  • Rooted! Learned so much about this box. :)

    anikka

  • I would appreciate a PM with any good read related to this exploit if possible.

  • i am stuck at the begining for 2 days now, i have found 2 ports the http and the ssh, brute-forcing dirs is useless. i can't find any hint about where the vuln app is, can anyone pm me please

  • @3ll137hy said:
    i am stuck at the begining for 2 days now, i have found 2 ports the http and the ssh, brute-forcing dirs is useless. i can't find any hint about where the vuln app is, can anyone pm me please

    I found nmap operating system scan useful.

  • a hint on how to escalate to user would be much appreciated.
    I have been stuck there for a while, I found a hash and tried to crack but no luck.
    I have the repo and been through it all the way but can't figure it out

  • NVM got user,
    Now to root

  • Got root and a big lesson learned.

  • Trying to get root.txt for a couple of days, but can't make any progress. Could anyone help with nudge please (DM) ?

  • Rooted.
    @aanndd if you want, you can PM me.

  • tsuller, rooted it today (with a nudge from markopasa). thanks!

  • edited May 2018

    @aanndd said:
    tsuller, rooted it today (with a nudge from markopasa). thanks!

    Awesome! If anybody wants some tip without spoilers, feel free to pm me.

  • i need a hint to get user shell after getting into the system . i tried many things but with no luck . is it a credentials i need to find or an exploit as i feel i lost my way .

    Hack The Box

  • Enumerate system, look what is running and if you cant use something.

  • i got admin account on the service , but i can't execute commands using the exploit . thats why am lost :/

    Hack The Box

  • never mind i was so stupid XD
    for all other people don't fall to the rabbit hole, there is no rce exploit to get user access .

    Hack The Box

  • I came to say that this is an awesome box. On every spot epic! Thanks alot

  • edited May 2018

    got shell and trying to escalate.. any1 wanna discuss/help PM me.

  • This is the most fun box ever :) Got stable RCE, can run shit as www user, no user access yet... but this is so fun it doesn't matter much :)

    osku
    OSCP

  • anyone want to give a nudge? My RCE is fine, I can see the machine has something locally that smells of help with privesc to user, but I don't have the creds really to access it...

    osku
    OSCP

Sign In to comment.