Canape

Can someone pm me, i have a doubt about the pickle but I dont want to give any spoiler here

I’m struggling with the initial foothold… I found the DB and “hidden link” but cannot seem to get anywhere from there. I have a sense that I am missing something from enumeration. What else am I missing here?

im getting this error
ValueError: insecure string pickle
any help?

just finished canape
pure love for this box, feel free to pm for a nudge

Can anyone give me a hint on how to get user ?
I have a shell on www-data, found a hash and got admin access to the couchdb but stuck at how to priv esc to the user.

@xtech

Start from basic like make it to show sys version and build your command from there. Research the module more, you have that error cos the string does not end with new line.

owned, thanks to @R4yquazID for the help, i’m now also avalaible for any hints :wink:

I am logged in as user any hints on a stable shell?

@it4chi said:
I am logged in as user any hints on a stable shell?

python -c ‘import pty;pty.spawn(“/bin/bash”)’

That is not what I meant, idk how to explain it here without spoiling it.
Nvm got it, should have scanned all the ports in the beginning.

YESS YESS YESS i can feel the pain of everyone here. finally rooted!!

Kudos to @overcast to such a delightful machine. Rooted and learned a lot of stuff.

I got the initial foothold as www-data… found an interesting file with what seems to be username and hash but I do not know what to do with it now… I ahve run it thru hashcat and no joy. Some one please help me!!

@H4ck3d5p4c3 said:
I got the initial foothold as www-data… found an interesting file with what seems to be username and hash but I do not know what to do with it now… I ahve run it thru hashcat and no joy. Some one please help me!!

Also stuck in the hash, looks like a rabbit hole

Any hint to escalate from www to user ?

i’ve done the reverse using nc ipaddr port but the connection die istantly. Any other type of reverse doesn’t work.
Any hint?

I had fun on this one! Was so happy when I saw what I was given for root esc. Unpriv to user took a bit, but once I became familiar with the tech and stopped overthinking, it was easy.

@seiyathesinx said:

@H4ck3d5p4c3 said:
I got the initial foothold as www-data… found an interesting file with what seems to be username and hash but I do not know what to do with it now… I ahve run it thru hashcat and no joy. Some one please help me!!

Also stuck in the hash, looks like a rabbit hole

Any hint to escalate from www to user ?

As said before, look at what is going on and what you now have access to.

priv esc to root is ■■■■ bugged, I get it with a very dirty try ;D

Well, i’ve got my low priv shell and the DB admin account, but i can’t manage to escalate to the user … I’ve try RCE on the DB with a well known CVE, but it look like a rabbit hole … Can i get a hint where to look now, i’m a little bit lost !
Edit: i got it :wink:

Got root. Very very interesting machine and very interesting technologies involved. PM if you need help.

hi guys, I managed to get low privelege shell, now i’m trying to get user… I got the db admin account but can’t manage to make RCE work with the well known CVE HomardBoy mentionned. I’m a bit lost because I don’t see any other interesting process or things to do with the db…
Can I get a hint ?