Canape

nvm I got it. Wasn’t reading properly, rooted it. Very nice box, Learned a good dev lesson too. :slight_smile:

Root! Very good box))) pm for those who need a hint))

Just got user on this box, that was pretty interesting ! Now on my way to root, let’s see how it goes

Well, root was easy :slight_smile:
As usual, feel free to PM me if you need a nudge

goot root , i love this box <3

Great box! Finally got root. Now it’s time to curl up on the couch and get some rest.

Finally rooted, after a lot of effort and frustration in the end i got my reward and most important armed with new knowledge, as of yet i believe this box is by far the best on HTB

So I am thinking this should be a canape RCE. I am stuck on ‘is the db somehow exposed via a specific path on the web site?’ or ‘would a nicely crafted input in one of the submit fields get me a shell?’. Or another option?

If it IS a ‘canape’ RCE, I know of the exploits but those will only work when a direct access to the ‘canape’ server exists. That’s why my questions above…

@XCheck said:
If it IS a ‘canape’ RCE, I know of the exploits but those will only work when a direct access to the ‘canape’ server exists. That’s why my questions above…

i found nmap useful at the beggining , do your scan with OS detection, there is a single action that needs to be done, dont ignore the results from nmap :wink:

Great box - no ‘obvious guesses’ involved, you can build up the ‘exploit’ step by step.

Seems I was lucky with the reverse shell - it worked right away and as very stable, so I did not try to work around the ‘remaining expected error’. My advice is to 1) build up a non-malicious pe gradually, so that you can be sure that the server unps it nicely. 2) Then add a payload and keep it as simple as possible.

As others have said, create your own scripts to replicate what the server does. If you review the code see how you can ‘activate’ / ‘deactivate’ a payload so that you might tell issues with encoding etc. from issues with the actual payload.

For escalating to user: Don’t be too aggressive with published exploits, just look around :slight_smile: Escalation to root - no surprises: Follow the standard procedure, google a bit.

@kekra said:
Great box - no ‘obvious guesses’ involved, you can build up the ‘exploit’ step by step.

Seems I was lucky with the reverse shell - it worked right away and as very stable, so I did not try to work around the ‘remaining expected error’. My advice is to 1) build up a non-malicious pe gradually, so that you can be sure that the server unps it nicely. 2) Then add a payload and keep it as simple as possible.

As others have said, create your own scripts to replicate what the server does. If you review the code see how you can ‘activate’ / ‘deactivate’ a payload so that you might tell issues with encoding etc. from issues with the actual payload.

For escalating to user: Don’t be too aggressive with published exploits, just look around :slight_smile: Escalation to root - no surprises: Follow the standard procedure, google a bit.
My payload works fine: Server gives me quote response
My malicious code works file: I tested with function (the same function in source code)
My payload with malicious code give me 500 error
I saw response result and i think i saw the problem but i don’t know what to do next. Thanks for hint!

Nice weekend at the beach, some head-clearing was necessary. Just wondering if I should ‘check’ the ‘id’ to get at something…

Got root without any exploits. :+1:

I have only found 2 service so far. Tried DIRbust , no result. Do i have to enumerate more on nmap? Seems like theres another service that i am missing out.

Anybody here to help with the payload…??

is the submit form vulnerable or not ?? 1st parameter checks for a regex name matching and the 2nd parameter …tried many injection techniques …can’t verify its vulnerable or not…any hints pls…))

@batman786 said:
is the submit form vulnerable or not ?? 1st parameter checks for a regex name matching and the 2nd parameter …tried many injection techniques …can’t verify its vulnerable or not…any hints pls…))

Enumerate more and then revisit the form. You’ll see the light and understand how to check it

@TheSecEng said:

@batman786 said:
is the submit form vulnerable or not ?? 1st parameter checks for a regex name matching and the 2nd parameter …tried many injection techniques …can’t verify its vulnerable or not…any hints pls…))

Enumerate more and then revisit the form. You’ll see the light and understand how to check it

Its couchdb right… Its kinda hard to exploit…))

@batman786 said:

@TheSecEng said:

@batman786 said:
is the submit form vulnerable or not ?? 1st parameter checks for a regex name matching and the 2nd parameter …tried many injection techniques …can’t verify its vulnerable or not…any hints pls…))

Enumerate more and then revisit the form. You’ll see the light and understand how to check it

Its couchdb right… Its kinda hard to exploit…))

Use a very popular tool to enumerate the server again…more thoroughly