Canape

@2ol4this said:
3 weeks for the foothold

that’s dedication right there :smiley:

Hello!
I’m a bit stuck at trying to get a initial shell on this box. Would someone mind sending me some helpful reading material to move forward with, or message me about what I have currently and what I’m missing? Thanks!

You need to enumerate more, once you know what you’re looking for, you’ll find plenty of information on google. :slight_smile:

I think I found the sequence necessary for RCE, but I was not able to find anywhere online the sample code that everyone is talking about to run the app locally. What tips or tricks do you suggest using when googling for the local version of something we find on the htb? more specifically what kind of things should I google for to get the local version of this app? is it the /submit endpoint? the /ch*** one? …

@MartyV said:
The best value you get if you make a python script (POC) that does the whole process. Especially if you are not familiar with python. It’s easy. You can easily google all you need.

I have the same idea and wrote one like this. If anyone need a copy, just pm me.

Nice machine, I got root:)
Thanks educating!

Hi, total beginner so thought I’d have a stab at the box. My thinking and please delete this if it spoils anything is that I should probably be utilising the submit quote functionality somehow (possibly grab a session) or the the comment /check

Directory scanning is getting me nowhere but I have the second port. A little hint would be awesome.

Cheers

Got root, learn a lot for this box :slight_smile:

One of the strangest yet best boxes that I’ve done.

The initial foothold on this box has probably taken me longer than any of the others I’ve completed, where as priv esc to root was really straight forward.

What I will say is that asking the right questions to the right people definitely helps, watch the videos by ippsec on YouTube, and don’t concentrate on what others post on the thread as it can confuse (except this of course!)

can I pm someone about privesc to root? can’t seem to put 2+2 together or im chasing a rabbit home

nvm I got it. Wasn’t reading properly, rooted it. Very nice box, Learned a good dev lesson too. :slight_smile:

Root! Very good box))) pm for those who need a hint))

Just got user on this box, that was pretty interesting ! Now on my way to root, let’s see how it goes

Well, root was easy :slight_smile:
As usual, feel free to PM me if you need a nudge

goot root , i love this box <3

Great box! Finally got root. Now it’s time to curl up on the couch and get some rest.

Finally rooted, after a lot of effort and frustration in the end i got my reward and most important armed with new knowledge, as of yet i believe this box is by far the best on HTB

So I am thinking this should be a canape RCE. I am stuck on ‘is the db somehow exposed via a specific path on the web site?’ or ‘would a nicely crafted input in one of the submit fields get me a shell?’. Or another option?

If it IS a ‘canape’ RCE, I know of the exploits but those will only work when a direct access to the ‘canape’ server exists. That’s why my questions above…

@XCheck said:
If it IS a ‘canape’ RCE, I know of the exploits but those will only work when a direct access to the ‘canape’ server exists. That’s why my questions above…

i found nmap useful at the beggining , do your scan with OS detection, there is a single action that needs to be done, dont ignore the results from nmap :wink: