Canape

YESS YESS YESS i can feel the pain of everyone here. finally rooted!!

Kudos to @overcast to such a delightful machine. Rooted and learned a lot of stuff.

I got the initial foothold as www-data… found an interesting file with what seems to be username and hash but I do not know what to do with it now… I ahve run it thru hashcat and no joy. Some one please help me!!

@H4ck3d5p4c3 said:
I got the initial foothold as www-data… found an interesting file with what seems to be username and hash but I do not know what to do with it now… I ahve run it thru hashcat and no joy. Some one please help me!!

Also stuck in the hash, looks like a rabbit hole

Any hint to escalate from www to user ?

i’ve done the reverse using nc ipaddr port but the connection die istantly. Any other type of reverse doesn’t work.
Any hint?

I had fun on this one! Was so happy when I saw what I was given for root esc. Unpriv to user took a bit, but once I became familiar with the tech and stopped overthinking, it was easy.

@seiyathesinx said:

@H4ck3d5p4c3 said:
I got the initial foothold as www-data… found an interesting file with what seems to be username and hash but I do not know what to do with it now… I ahve run it thru hashcat and no joy. Some one please help me!!

Also stuck in the hash, looks like a rabbit hole

Any hint to escalate from www to user ?

As said before, look at what is going on and what you now have access to.

priv esc to root is ■■■■ bugged, I get it with a very dirty try ;D

Well, i’ve got my low priv shell and the DB admin account, but i can’t manage to escalate to the user … I’ve try RCE on the DB with a well known CVE, but it look like a rabbit hole … Can i get a hint where to look now, i’m a little bit lost !
Edit: i got it :wink:

Got root. Very very interesting machine and very interesting technologies involved. PM if you need help.

hi guys, I managed to get low privelege shell, now i’m trying to get user… I got the db admin account but can’t manage to make RCE work with the well known CVE HomardBoy mentionned. I’m a bit lost because I don’t see any other interesting process or things to do with the db…
Can I get a hint ?

@seniuus said:
hi guys, I managed to get low privelege shell, now i’m trying to get user… I got the db admin account but can’t manage to make RCE work with the well known CVE HomardBoy mentionned. I’m a bit lost because I don’t see any other interesting process or things to do with the db…
Can I get a hint ?

I just found out that “once again” you should not ignore the obvious that might look too easy. Have been stuck on RCE for many hours as well until I used base data :wink:

This is so weird … 3 weeks for the foothold, 3 hours for escalation to user and 30 minutes to root :slight_smile:

Thanks a bunch, entertaining and educating!

@2ol4this said:
3 weeks for the foothold

that’s dedication right there :smiley:

Hello!
I’m a bit stuck at trying to get a initial shell on this box. Would someone mind sending me some helpful reading material to move forward with, or message me about what I have currently and what I’m missing? Thanks!

You need to enumerate more, once you know what you’re looking for, you’ll find plenty of information on google. :slight_smile:

I think I found the sequence necessary for RCE, but I was not able to find anywhere online the sample code that everyone is talking about to run the app locally. What tips or tricks do you suggest using when googling for the local version of something we find on the htb? more specifically what kind of things should I google for to get the local version of this app? is it the /submit endpoint? the /ch*** one? …

@MartyV said:
The best value you get if you make a python script (POC) that does the whole process. Especially if you are not familiar with python. It’s easy. You can easily google all you need.

I have the same idea and wrote one like this. If anyone need a copy, just pm me.

Nice machine, I got root:)
Thanks educating!

Hi, total beginner so thought I’d have a stab at the box. My thinking and please delete this if it spoils anything is that I should probably be utilising the submit quote functionality somehow (possibly grab a session) or the the comment /check

Directory scanning is getting me nowhere but I have the second port. A little hint would be awesome.

Cheers

Got root, learn a lot for this box :slight_smile: