Canape

This may help solve the “500 error” on the payload: “compile arbitrary python source code into pickle format. will execute on unpickling” (GitHub)

@KuroSaru said:
Check all versions of the code you were reviewing. Make sure they tell the same story :wink:

This fixed my issues locally, now to tweak for HTB… It pays to read things more carefully when comparing versions!

Anyone who can help me with my payload, please DM me and I’ll show you where I am having problems.

Would really love a PM regarding how to get a user shell. I have discovered a vulnerable service running on the box, but the exploit script I found does not work. It tells me that the commands have been executed, but I’m pretty sure they have not been.

Thanks!

@mxchai said:
Would really love a PM regarding how to get a user shell. I have discovered a vulnerable service running on the box, but the exploit script I found does not work. It tells me that the commands have been executed, but I’m pretty sure they have not been.

Thanks!

PM me if you need help.

Could someone give a hint about how to bypass the character when making a shellcode? I’m sure the shellcode works fine locally without the character.

@Erbooo treat them as one. You can’t just bypass it.

Got to say good box, user was the hardest, and I liked it. Root was not hard, but I truly like the way it was done. Great job @overcast.

I can get a reverse shell locally. But with the same payload I am getting a 500 error on the Canape server. Can someone give me a hint??

Trying to get user, and one way I’m trying is using the DB. Yes, I have got the DB permission, and I’m trying to use some exp scripts to get the user permission. However, I’m stuck at this process. I just want to know, am I right? Took me a week …

@hahcaptain said:
Trying to get user, and one way I’m trying is using the DB. Yes, I have got the DB permission, and I’m trying to use some exp scripts to get the user permission. However, I’m stuck at this process. I just want to know, am I right? Took me a week …

If you have got the DB permission, I think you should utilize ALL DATA from the DB.

Can anybody PM for the first step?

@rocux said:
@Erbooo treat them as one. You can’t just bypass it.

Finally found one that works fine. Thanks~

@raouf09 said:
Can anybody PM for the first step?

PM me, we can do it together.

@prajwal15 said:
I can get a reverse shell locally. But with the same payload I am getting a 500 error on the Canape server. Can someone give me a hint??

Same here… I took a few days off to reset myself, but I’m wondering if the issue might be… 1) the particular thing I’m trying to set up to listen is not installed, 2) maybe a multi-part payload is required to write a file then execute it? or 3) I’m out to lunch altogether lol. But I do get an appropriate response when non-malicious input is given then checked, so I feel like I’m one small step away.

I finally got shell after about a week. The “hints” on this forum were kind of misleading. I’d say very carefully examine what barriers you think exist when you start getting the 500 error messages. Use Python to send your requests to avoid stupid human fingers.

First part of this box is a little bit hard, even with the possibility to see it closer! Second part is funny. Third part is a flash.

I have learned a lot with this machine, and it’s updated … the first vulnerability is part of the OWASP 2017, and the second part, I never used and never thought that would exist… I mean CanapeDB :smiley:

If anyone needs a hint or redirection, feel free to PM me.

I got the user flag but need some hints for priv esc.

Nvm, I got the root.

Got into box, got into user, but can’t seem to get root. Can someone dm with some hints? Thanks