Canape

I think I found the sequence necessary for RCE, but I was not able to find anywhere online the sample code that everyone is talking about to run the app locally. What tips or tricks do you suggest using when googling for the local version of something we find on the htb? more specifically what kind of things should I google for to get the local version of this app? is it the /submit endpoint? the /ch*** one? …

@MartyV said:
The best value you get if you make a python script (POC) that does the whole process. Especially if you are not familiar with python. It’s easy. You can easily google all you need.

I have the same idea and wrote one like this. If anyone need a copy, just pm me.

Nice machine, I got root:)
Thanks educating!

Hi, total beginner so thought I’d have a stab at the box. My thinking and please delete this if it spoils anything is that I should probably be utilising the submit quote functionality somehow (possibly grab a session) or the the comment /check

Directory scanning is getting me nowhere but I have the second port. A little hint would be awesome.

Cheers

Got root, learn a lot for this box :slight_smile:

One of the strangest yet best boxes that I’ve done.

The initial foothold on this box has probably taken me longer than any of the others I’ve completed, where as priv esc to root was really straight forward.

What I will say is that asking the right questions to the right people definitely helps, watch the videos by ippsec on YouTube, and don’t concentrate on what others post on the thread as it can confuse (except this of course!)

can I pm someone about privesc to root? can’t seem to put 2+2 together or im chasing a rabbit home

nvm I got it. Wasn’t reading properly, rooted it. Very nice box, Learned a good dev lesson too. :slight_smile:

Root! Very good box))) pm for those who need a hint))

Just got user on this box, that was pretty interesting ! Now on my way to root, let’s see how it goes

Well, root was easy :slight_smile:
As usual, feel free to PM me if you need a nudge

goot root , i love this box <3

Great box! Finally got root. Now it’s time to curl up on the couch and get some rest.

Finally rooted, after a lot of effort and frustration in the end i got my reward and most important armed with new knowledge, as of yet i believe this box is by far the best on HTB

So I am thinking this should be a canape RCE. I am stuck on ‘is the db somehow exposed via a specific path on the web site?’ or ‘would a nicely crafted input in one of the submit fields get me a shell?’. Or another option?

If it IS a ‘canape’ RCE, I know of the exploits but those will only work when a direct access to the ‘canape’ server exists. That’s why my questions above…

@XCheck said:
If it IS a ‘canape’ RCE, I know of the exploits but those will only work when a direct access to the ‘canape’ server exists. That’s why my questions above…

i found nmap useful at the beggining , do your scan with OS detection, there is a single action that needs to be done, dont ignore the results from nmap :wink:

Great box - no ‘obvious guesses’ involved, you can build up the ‘exploit’ step by step.

Seems I was lucky with the reverse shell - it worked right away and as very stable, so I did not try to work around the ‘remaining expected error’. My advice is to 1) build up a non-malicious pe gradually, so that you can be sure that the server unps it nicely. 2) Then add a payload and keep it as simple as possible.

As others have said, create your own scripts to replicate what the server does. If you review the code see how you can ‘activate’ / ‘deactivate’ a payload so that you might tell issues with encoding etc. from issues with the actual payload.

For escalating to user: Don’t be too aggressive with published exploits, just look around :slight_smile: Escalation to root - no surprises: Follow the standard procedure, google a bit.

@kekra said:
Great box - no ‘obvious guesses’ involved, you can build up the ‘exploit’ step by step.

Seems I was lucky with the reverse shell - it worked right away and as very stable, so I did not try to work around the ‘remaining expected error’. My advice is to 1) build up a non-malicious pe gradually, so that you can be sure that the server unps it nicely. 2) Then add a payload and keep it as simple as possible.

As others have said, create your own scripts to replicate what the server does. If you review the code see how you can ‘activate’ / ‘deactivate’ a payload so that you might tell issues with encoding etc. from issues with the actual payload.

For escalating to user: Don’t be too aggressive with published exploits, just look around :slight_smile: Escalation to root - no surprises: Follow the standard procedure, google a bit.
My payload works fine: Server gives me quote response
My malicious code works file: I tested with function (the same function in source code)
My payload with malicious code give me 500 error
I saw response result and i think i saw the problem but i don’t know what to do next. Thanks for hint!

Nice weekend at the beach, some head-clearing was necessary. Just wondering if I should ‘check’ the ‘id’ to get at something…