Canape


Comments

  • @seniuus said:
    Hi guys, I managed to get a low-privilege shell, now I'm trying to get user... I got the db admin account but can't manage to make RCE work with the well-known CVE HomardBoy mentioned. I'm a bit lost because I don't see any other interesting process or things to do with the db...
    Can I get a hint ?

    I just found out that "once again" you should not ignore the obvious that might look too easy. I had been stuck on RCE for many hours as well until I used base data ;)

  • This is so weird ... 3 weeks for the foothold, 3 hours for escalation to user and 30 minutes to root :)

    Thanks a bunch, entertaining and educating!

  • @2ol4this said:
    3 weeks for the foothold

    that's dedication right there :smiley:

  • Hello!
    I'm a bit stuck at trying to get an initial shell on this box. Would someone mind sending me some helpful reading material to move forward with, or messaging me about what I have currently and what I'm missing? Thanks!

    Arrexel

  • You need to enumerate more, once you know what you're looking for, you'll find plenty of information on google. :)

  • I think I found the sequence necessary for RCE, but I was not able to find anywhere online the sample code that everyone is talking about to run the app locally. What tips or tricks do you suggest using when googling for the local version of something we find on HTB? More specifically, what kind of things should I google for to get the local version of this app? Is it the /submit endpoint? The /ch*** one? ...

  • > @MartyV said:
    > The best value you get if you make a python script (POC) that does the whole process. Especially if you are not familiar with python. It's easy. You can easily google all you need.

    I have the same idea and wrote one like this. If anyone needs a copy, just PM me.

  • Nice machine, I got root :)
    Thanks, educating!

  • Hi, total beginner, so I thought I’d have a stab at the box. My thinking, and please delete this if it spoils anything, is that I should probably be utilising the submit quote functionality somehow (possibly grab a session) or the comment /check.

    Directory scanning is getting me nowhere but I have the second port. A little hint would be awesome.

    Cheers

  • Got root, learned a lot from this box :)

    I don't have Signature...

  • One of the strangest yet best boxes that I've done.

    The initial foothold on this box has probably taken me longer than any of the others I've completed, whereas priv esc to root was really straightforward.

    What I will say is that asking the right questions to the right people definitely helps, watch the videos by ippsec on YouTube, and don't concentrate on what others post on the thread as it can confuse (except this of course!)

  • Can I PM someone about privesc to root? I can't seem to put 2+2 together, or I'm chasing a rabbit hole.

    Looking for past Hack the Box write-ups or other security stuff? Feel free to visit: https://dastinia.io <3

  • Nvm, I got it. Wasn't reading properly, rooted it. Very nice box, learned a good dev lesson too. :)

    Looking for past Hack the Box write-ups or other security stuff? Feel free to visit: https://dastinia.io <3

  • Root! Very good box))) pm for those who need a hint))

    n01n02h

  • Just got user on this box, that was pretty interesting! Now on my way to root, let's see how it goes.

    melka

  • edited July 2018

    Well, root was easy :)
    As usual, feel free to PM me if you need a nudge

    melka

  • Got root, I love this box <3

  • Great box! Finally got root. Now it's time to curl up on the couch and get some rest.

  • Finally rooted. After a lot of effort and frustration, in the end I got my reward and, most importantly, was armed with new knowledge. As of yet I believe this box is by far the best on HTB.
  • So I am thinking this should be a canape RCE. I am stuck on 'is the db somehow exposed via a specific path on the web site?' or 'would a nicely crafted input in one of the submit fields get me a shell?'. Or another option?

  • If it IS a 'canape' RCE, I know of the exploits but those will only work when a direct access to the 'canape' server exists. That's why my questions above...

  • > @XCheck said:
    > If it IS a 'canape' RCE, I know of the exploits but those will only work when a direct access to the 'canape' server exists. That's why my questions above...

    I found nmap useful at the beginning; do your scan with OS detection. There is a single action that needs to be done; don't ignore the results from nmap ;)

  • Great box - no 'obvious guesses' involved, you can build up the 'exploit' step by step.

    Seems I was lucky with the reverse shell - it worked right away and was very stable, so I did not try to work around the 'remaining expected error'. My advice is to 1) build up a non-malicious p****e gradually, so that you can be sure that the server unp****s it nicely. 2) Then add a payload and keep it as simple as possible.

    As others have said, create your own scripts to replicate what the server does. If you review the code see how you can 'activate' / 'deactivate' a payload so that you might tell issues with encoding etc. from issues with the actual payload.

    For escalating to user: Don't be too aggressive with published exploits, just look around :-) Escalation to root - no surprises: Follow the standard procedure, google a bit.

  • @kekra said:
    Great box - no 'obvious guesses' involved, you can build up the 'exploit' step by step.

    Seems I was lucky with the reverse shell - it worked right away and was very stable, so I did not try to work around the 'remaining expected error'. My advice is to 1) build up a non-malicious p****e gradually, so that you can be sure that the server unp****s it nicely. 2) Then add a payload and keep it as simple as possible.

    As others have said, create your own scripts to replicate what the server does. If you review the code see how you can 'activate' / 'deactivate' a payload so that you might tell issues with encoding etc. from issues with the actual payload.

    For escalating to user: Don't be too aggressive with published exploits, just look around :-) Escalation to root - no surprises: Follow the standard procedure, google a bit.

    My payload works fine: the server gives me the quote response.

    My malicious code works fine: I tested it with the function (the same function as in the source code).
    My payload with the malicious code gives me a 500 error.
    I saw the response result and I think I saw the problem, but I don't know what to do next. Thanks for a hint!

  • Nice weekend at the beach, some head-clearing was necessary. Just wondering if I should 'check' the 'id' to get at something...

  • Got root without any exploits. :+1:

  • I have only found 2 services so far. Tried dirbust, no result. Do I have to enumerate more with nmap? Seems like there's another service that I am missing.

    Hack The Box

  • Anybody here to help with the payload?

  • Is the submit form vulnerable or not? The 1st parameter checks for a regex name match and the 2nd parameter... tried many injection techniques... can't verify whether it's vulnerable or not... any hints pls...))

  • @batman786 said:
    Is the submit form vulnerable or not? The 1st parameter checks for a regex name match and the 2nd parameter... tried many injection techniques... can't verify whether it's vulnerable or not... any hints pls...))

    Enumerate more and then revisit the form. You'll see the light and understand how to check it
