Canape


Comments

  • @TheSecEng said:

    @batman786 said:
    Is the submit form vulnerable or not?? The 1st parameter checks for a regex name match and the 2nd parameter... tried many injection techniques... can't verify whether it's vulnerable or not... any hints please...))

    Enumerate more and then revisit the form. You'll see the light and understand how to check it.

    It's CouchDB, right... It's kinda hard to exploit....))

  • @batman786 said:

    @TheSecEng said:

    @batman786 said:
    Is the submit form vulnerable or not?? The 1st parameter checks for a regex name match and the 2nd parameter... tried many injection techniques... can't verify whether it's vulnerable or not... any hints please...))

    Enumerate more and then revisit the form. You'll see the light and understand how to check it.

    It's CouchDB, right... It's kinda hard to exploit....))

    Use a very popular tool to enumerate the server again... more thoroughly.

    drtychai

  • edited July 2018

    @TheSecEng and @dirtychai, thanks for the help... found what you were talking about... should have focused more on VulnHub challenges....))

  • Ah root. Awesome box by @overcast! If you need hints, pm me.

    Hack The Box

  • I can't believe it took me so long to get user.txt after initial foothold. I had access to the right place, but overlooked a crucial and glaring repository of information that was staring me in the face! Don't overlook things just because you're looking for an RCE exploit! You might miss something important. Finally got user!

    Back at this after a week of taking a break. I could recreate the page locally, I can see the history and what seems to be a vulnerable URL. I can get it to do the 'correct' thing, but I am stuck on that.

    Rooted at last :))
    Anyone who needs a hint can PM me at every stage.

    I'm sure I enumerated everything I can find, still stuck on foothold... :/ Any hint, or anyone I can DM to show what I found?

  • ARGH! :-)

    Can anyone give me a nudge?

    I have a working payload... but the pesky character prefix is giving me a pickling headache!

    da1y

    OSWE | OSCP | eCPPTv2

    I rarely check private messages; if you do ask for help, show your workings. I don't reply to wall posts.

  • @Bear said:
    ARGH! :-)

    Can anyone give me a nudge?

    I have a working payload... but the pesky character prefix is giving me a pickling headache!

    Nevermind... worked it out... xD

    da1y

    Anyone PM me for the initial foothold :)

    Arrexel
    OSCP | I'm not a rapper

  • Eeek... running the flask.. I see the problem with the reverse shell and the normal methods! Back at it tomorrow!

    da1y

    Out of ideas how to gain a foothold/get a shell - any hints on PM would be appreciated, don't spoon feed me if you do, just a nudge. Google thinks I'm an automated bot for the amount of searches I've done today...

    Can't really understand how I'm supposed to get something to run when it can't find imports, can't import by filename and it can't find things to do eval as it can't find that either... hopefully that's not a spoiler for someone, it could just be that I'm doing it wrong.

    Eyes are burning from the fail.

    da1y

  • Finally.. rooted

  • edited July 2018

    Hint to anyone lurking here who is getting odd results when trying to do the business on the requests... read the comments around dos2unix and the python library for sending requests etc... d'oh!

    da1y

  • Hi there, enumerated this machine and found the 2 services. Also tried to find a vuln in the webapp while going for the s****t form. No success trying to attach the C*****B. Could someone please give me a hint via pm?

  • Hi! I have some problems using Python requests to exploit the initial RCE:
    the same exploit works locally, but when sending the payload to the server I get error 500.
    I've also added the header application/x-www-form-urlencoded to the POST.

    Do I need to add something as a header?

    dodo

  • @dodo said:
    Hi! I have some problems using Python requests to exploit the initial RCE:
    the same exploit works locally, but when sending the payload to the server I get error 500.
    I've also added the header application/x-www-form-urlencoded to the POST.

    Do I need to add something as a header?

    In exactly the same spot. Would love a nudge on the payload for RCE. Can post and check the result based on the hash. If the *1 string is not found I get a good 200 back with the string; if it is found it's 500 each time, but it works locally.

  • @Snoe said:

    @dodo said:
    Hi! I have some problems using Python requests to exploit the initial RCE:
    the same exploit works locally, but when sending the payload to the server I get error 500.
    I've also added the header application/x-www-form-urlencoded to the POST.

    Do I need to add something as a header?

    In exactly the same spot. Would love a nudge on the payload for RCE. Can post and check the result based on the hash. If the *1 string is not found I get a good 200 back with the string; if it is found it's 500 each time, but it works locally.

    No need to add headers... just make a script to automate all the required jobs.

  • @batman786 said:

    @Snoe said:

    @dodo said:
    Hi! I have some problems using Python requests to exploit the initial RCE:
    the same exploit works locally, but when sending the payload to the server I get error 500.
    I've also added the header application/x-www-form-urlencoded to the POST.

    Do I need to add something as a header?

    In exactly the same spot. Would love a nudge on the payload for RCE. Can post and check the result based on the hash. If the *1 string is not found I get a good 200 back with the string; if it is found it's 500 each time, but it works locally.

    No need to add headers... just make a script to automate all the required jobs.

    I should have mentioned this is all being done in the same Python script, leaving me to think it's something to do with the payload encoding in the POST request.

  • edited July 2018

    Wowsers that took a while to do, great lab...

    If it's encoding, read back through these posts and the mention of dos2unix, would it work with that done? Maybe read it in from a file?

    I can't give too much away... but I spent a lot of time struggling at the same point.

    da1y

  • @Snoe said:

    @batman786 said:

    @Snoe said:

    @dodo said:
    Hi! I have some problems using Python requests to exploit the initial RCE:
    the same exploit works locally, but when sending the payload to the server I get error 500.
    I've also added the header application/x-www-form-urlencoded to the POST.

    Do I need to add something as a header?

    In exactly the same spot. Would love a nudge on the payload for RCE. Can post and check the result based on the hash. If the *1 string is not found I get a good 200 back with the string; if it is found it's 500 each time, but it works locally.

    No need to add headers... just make a script to automate all the required jobs.

    I should have mentioned this is all being done in the same Python script, leaving me to think it's something to do with the payload encoding in the POST request.

    If it works locally... then it will work remotely, but make sure to try all payloads and automate those tasks which are working behind the scenes according to that file (you know which one I'm talking about...)

  • Rooted, I didn't submit the root or user flag because I feel like I cheated lol

    Arrexel

  • edited July 2018

    Just got shell - any point messing with this dot file? john says no thanks, rockyou. Any hints will save many CPU cycles/kittens.

    NVM TOO LATE ALL KITTEH DED NAO

    izzie

  • Relax. Take a rest, have a lay down on a type of sofa/chair and see what's running on the box.

    da1y

  • @Bear said:
    Relax. Take a rest, have a lay down on a type of sofa/chair and see what's running on the box.

    Joking no kitteh ded - got flags already. Loved this box - maybe too easy but 11/10 would pwn again...

    izzie

  • edited July 2018

    Complex.
    Very complex box.
    I would wait for this box to retire and see how to solve it. This one is tougher than other boxes (along with Silo).

    pzylence
    OSCP

  • I have a love / hate relationship with this box. I love the things I've had to learn to get onto the box (albeit in a rubbish shell with no privs). I hate the constant failure at getting creds out of the DB.

    Still, when I eventually get user or root, it will cheer me up...

    :smile:

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

    So I cracked and came back to this tonight - a bit of time with the DB manpages and I've got usernames and passwords out of the DB. Tomorrow I get the "fun" task of working out where to use them...

    TazWake

  • Can anybody give me a clue about the RCE? I could not get it to work. I am getting a bad char error. I think the source of the error is a char, but I could not find a way to bypass it.
