Canape

Rooted after more than 2 weeks. Very defiant, complex but also educational machine that requires mandatory basic knowledge of Python… For the initial foothold, the output of the nmap scan is pretty useful, and then you’ll have a long way to go (for me 2 weeks)… Then user and root were not that hard… PM if you need help.

Making some progress here, but slowly. Pretty interesting so far!

Nice box.

Spent the most time on “the” 500 error, until I found out the RCE was working despite it :slight_smile:

I can only find service 80 and a reference to a db I can’t find a connection for… What am I missing? Any help would be appreciated! :slight_smile:

Please someone DM the hint of running the thing on my machine

Spoiler Removed - Arrexel

Can someone help me or give me a hint for initial step of the box? I have done some enumeration and dir busting to no avail. Any help or a link that refers to vulnerability is much appreciated. Please pm me.

@rocux said:
Can someone help me or give me a hint for initial step of the box? I have done some enumeration and dir busting to no avail. Any help or a link that refers to vulnerability is much appreciated. Please pm me.

Have a look at the source code of the web page

I think I am beginning to see the light

Hi all, I’ve been on this box for a few days now, and nothing I try works… I found some holes but I don’t know how to begin… Any help is much appreciated. Please PM.

If anyone could PM me for a nudge on where to go from www-data that would be amazing.

Rooted. Had the most fun on this box so far, and learned a few new things too :slight_smile:

Anyone available for a PM? Been working on this for a few days now, got it running locally and see what’s going on, and able to execute the vulnerability using a script that mirrors check, but unable to invoke via the app…

Finally! User took 8 days, Homer took 2 days, and root took 15 minutes…

This box 100% does not match the difficulty level IMHO…

Nonetheless great fun - If anyone needs help drop me a PM.

Anybody getting a urllib3 error while trying to escalate to root? Is there a way around it?

This box has been endless frustration… Able to get the payload up locally but get a posix error unless running dos2unix on the file, then it works using the check() function copied into a file check.py, but every time I try with /check in the browser I get bad request 400… I feel like I’m close but feel like a dog chasing his tail.

Could do with help to get a foothold on the box. Any help will be appreciated.

If someone could drop me a DM please take a look at my script to “check” input, I’d really appreciate it! My very similar script to submit is working great, no more pickle errors etc when I run it with code pulled from app used to check

Check all versions of the code you were reviewing. Make sure they tell the same story :wink:

■■■■, it took me 1 hour to get the first shell, 3 days to find a checkbox in a f***ing web interface and 5 min to get root… shame on me :'D