Canape

I can get a reverse shell locally. But with the same payload I am getting a 500 error on the Canape server. Can someone give me a hint?

Trying to get user. One way I’m trying is using the DB; yes, I have got the DB permission, and I’m trying to use some exp scripts to get the user permission. However, I’m stuck at this process. I just want to know, am I right? Took me a week …

@hahcaptain said:
Trying to get user. One way I’m trying is using the DB; yes, I have got the DB permission, and I’m trying to use some exp scripts to get the user permission. However, I’m stuck at this process. I just want to know, am I right? Took me a week …

If you have got the DB permission, I think you should utilize ALL DATA from DB.

Can anybody PM for the first step?

@rocux said:
@Erbooo treat them as one. You can’t just bypass it.

Finally found one that works fine. Thanks~

@raouf09 said:
Can anybody PM for the first step?

PM me, we can do it together.

@prajwal15 said:
I can get a reverse shell locally. But with the same payload I am getting a 500 error on the Canape server. Can someone give me a hint?

Same here… I took a few days off to reset myself, but I’m wondering if the issue might be… 1) the particular thing I’m trying to set up to listen is not installed, 2) maybe a multi-part payload is required to write a file then execute it? or 3) I’m out to lunch altogether, lol. But I do get an appropriate response when non-malicious input is given then checked, so I feel like I’m one small step away.

I finally got shell after about a week. The “hints” on this forum were kind of misleading. I’d say very carefully examine what barriers you think exist when you start getting the 500 error messages. Use Python to send your requests to avoid stupid human fingers.

First part of this box is a little bit hard, even with the possibility to see it closer! Second part is funny. Third part is a flash.

I have learned a lot with this machine, and it’s updated … the first vulnerability is part of the OWASP 2017, and the second part I never used and never thought would exist… I mean CanapeDB :smiley:

If anyone needs a hint or redirection, feel free to PM me.

I got the user flag but need some hints for priv esc.

Nvm, I got the root.

Got into box, got into user, but can’t seem to get root. Can someone dm with some hints? Thanks

@xtech said:

@it4chi said:
I am logged in as user any hints on a stable shell?

python -c 'import pty;pty.spawn("/bin/bash")'

That trick saved my day, thank you indeed :slight_smile:

For user,

  1. Need Python knowledge and a bit of creativity to get Remote Command Execution (I think this is the hardest part)
  2. Use RCE to get minimal shell then use the command posted by xtech to get bash shell
  3. Research on a service running there and two very well known vulnerabilities in the version running, that will give you elevated access to the service
  4. With elevated access, check all data that you find and one of them will get you user

For root, check what you are allowed to do with elevated privilege and then find well known methods to use the operation to get privilege escalation

Anyone available? Stuck on getting a shell. I can RCE but it drops the reverse shell.

Edit: rooted. Not bad, this one. Thanks to @iVirus

Great box! Rooted. If you want a non-spoiler nudge then PM me.

So I’m in the same boat as several others when it comes to getting an initial foothold / rce using p****e. I have a working payload WITHOUT the name in the whitelist but I can’t seem to work it into the payload without breaking it. Any hints / pm would be greatly appreciated!

@0xJDow said:
So I’m in the same boat as several others when it comes to getting an initial foothold / rce using p****e. I have a working payload WITHOUT the name in the whitelist but I can’t seem to work it into the payload without breaking it. Any hints / pm would be greatly appreciated!

I know your feeling.

Okay guys, I got a local address for couch but I can’t seem to connect to it with a payload. Do I have to create an instance of that localhost on my machine? I’m stuck here, any hints please.

Hello guys, I have tried everything I can. I have mirrored the git repo to my localhost and tried using a Python payload to connect to the DB, but it’s still not working. Really out of ideas; hints will be appreciated, thanks.