Canape

Ah root. Awesome box by @overcast! If you need hints, pm me.

I can’t believe it took me so long to get user.txt after initial foothold. I had access to the right place, but overlooked a crucial and glaring repository of information that was staring me in the face! Don’t overlook things just because you’re looking for an RCE exploit! You might miss something important. Finally got user!

Back at this after a week of taking a break. I could recreate the page locally, I can see the history and what seems to be a vulnerable URL. I can get it to do the ‘correct’ thing but I am stuck on that.

Rooted at last :))
Anyone who needs a hint can PM me on every stage

I’m sure I enumerated everything I can find, still stuck on foothold… :confused: Any hint, or anyone I can DM to show what I found?

ARGH! :slight_smile:

Can anyone give me a nudge?

I have a working payload… but the pesky character prefix is giving me a pickling headache!

@Bear said:
ARGH! :slight_smile:

Can anyone give me a nudge?

I have a working payload… but the pesky character prefix is giving me a pickling headache!

Never mind… worked it out… xD

Anyone PM me for the initial foothold :slight_smile:

Eeek… running the flask… I see the problem with the reverse shell and the normal methods! Back at it tomorrow!

Out of ideas how to gain a foothold/get a shell - any hints on PM would be appreciated, don’t spoon feed me if you do, just a nudge. Google thinks I’m an automated bot for the amount of searches I’ve done today…

Can’t really understand how I’m supposed to get something to run when it can’t find imports, can’t import by filename and it can’t find things to do eval as it can’t find that either… hopefully that’s not a spoiler for someone, it could just be that I’m doing it wrong.

Eyes are burning from the fail.

Finally… rooted

Hint to anyone lurking here who is getting odd results when trying to do the business on the requests… read the comments around dos2unix and the python library for sending requests etc… d’oh!

Hi there, enumerated this machine and found the 2 services. Also tried to find a vuln in the webapp while going for the s****t form. No success trying to attach the C*****B. Could someone please give me a hint via pm?

Hi! I’ve some problems using Python requests to exploit the initial RCE:
using the same exploit works locally, but when sending the payload to the server I get error 500.
I’ve also added the header application/x-www-form-urlencoded to the POST.

Do I need to add something as a header?

@dodo said:
Hi! I’ve some problems using Python requests to exploit the initial RCE:
using the same exploit works locally, but when sending the payload to the server I get error 500.
I’ve also added the header application/x-www-form-urlencoded to the POST.

Do I need to add something as a header?

In exactly the same spot. Would love a nudge on the payload for RCE. Can post and check the result based on the hash. If the *1 string is not found I get a good 200 back with the string; if it is found it’s 500 each time, but works locally.

@Snoe said:

@dodo said:
Hi! I’ve some problems using Python requests to exploit the initial RCE:
using the same exploit works locally, but when sending the payload to the server I get error 500.
I’ve also added the header application/x-www-form-urlencoded to the POST.

Do I need to add something as a header?

In exactly the same spot. Would love a nudge on the payload for RCE. Can post and check the result based on the hash. If the *1 string is not found I get a good 200 back with the string; if it is found it’s 500 each time, but works locally.

No need to add headers… just make a script to automate all the required jobs…

@batman786 said:

@Snoe said:

@dodo said:
Hi! I’ve some problems using Python requests to exploit the initial RCE:
using the same exploit works locally, but when sending the payload to the server I get error 500.
I’ve also added the header application/x-www-form-urlencoded to the POST.

Do I need to add something as a header?

In exactly the same spot. Would love a nudge on the payload for RCE. Can post and check the result based on the hash. If the *1 string is not found I get a good 200 back with the string; if it is found it’s 500 each time, but works locally.

No need to add headers… just make a script to automate all the required jobs…

I should have mentioned this is all being done in the same Python script, leaving me to think it’s something to do with the payload encoding in the POST request.

Wowsers that took a while to do, great lab…

If it’s encoding, read back through these posts and the mention of dos2unix, would it work with that done? Maybe read it in from a file?

I can’t give too much away… but I spent a lot of time struggling at the same point.

@Snoe said:

@batman786 said:

@Snoe said:

@dodo said:
Hi! I’ve some problems using Python requests to exploit the initial RCE:
using the same exploit works locally, but when sending the payload to the server I get error 500.
I’ve also added the header application/x-www-form-urlencoded to the POST.

Do I need to add something as a header?

In exactly the same spot. Would love a nudge on the payload for RCE. Can post and check the result based on the hash. If the *1 string is not found I get a good 200 back with the string; if it is found it’s 500 each time, but works locally.

No need to add headers… just make a script to automate all the required jobs…

I should have mentioned this is all being done in the same Python script, leaving me to think it’s something to do with the payload encoding in the POST request.

If it works locally… then it will work remotely, but make sure to try all payloads and automate those tasks which are working behind the scenes according to that file (you know which one I’m talking about…)

Rooted, I didn’t submit the root or user flag because I feel like I cheated lol