Canape

Any tips on getting started with this one? Did the normal stuff, see one port and repo. Per a comment earlier I translated and looked into that but stuck.

@darkoria research what you found. @SpicyCrack3r put the files in your web directory and do a wget to your ip/file and download that way. Initial foothold was something new and kind of cool but frustrating, user access was easy once you thought how to do it, and now root, well, root: been enumerating a few hours, think I know what I need but still trying to figure out how to get it.

Trying to get root. Am I in the rabbit hole when playing with p**? NVM got it. This box is interesting.

Anyone to discuss something about the reverse shell?

Could use some help… found the vector. Stuck at creating payload… how to run multiple commands in the same line for Python? Plan is to make initial string comment, then payload.

@genxweb said:
@SpicyCrack3r put the files in your web directory and do a wget to your ip/file and download that way.

thx, easy way is gone from my eyes

Advice for the initial foothold:
Try working on it locally first and get something basic working.

Agreed. Guys, this box is somehow refreshing … :slight_smile: Great time.

I have the app running locally but I still can’t get RCE. When I generate the payload for RCE and the app creates the .p file locally, I try to run it in my own python interpreter with the “vulnerable” library and method I get the following error:

ImportError: No module named os

Running dos2unix on the .p file containing the exploit fixes the issue. I still can’t get RCE b/c I think my exploit is being generated incorrectly (I’m doing it in Kali so I have no idea why dos2unix has an effect) and this in turn isn’t working in the app. If I generate the payload and then execute it in the same script (i.e. non-interactively and bypassing the app altogether) it works fine. This is very frustrating and any help would be appreciated.

@mikekhusid said:
I have the app running locally but I still can’t get RCE. When I generate the payload for RCE and the app creates the .p file locally, I try to run it in my own python interpreter with the “vulnerable” library and method I get the following error:

ImportError: No module named os

Running dos2unix on the .p file containing the exploit fixes the issue. I still can’t get RCE b/c I think my exploit is being generated incorrectly (I’m doing it in Kali so I have no idea why dos2unix has an effect) and this in turn isn’t working in the app. If I generate the payload and then execute it in the same script (i.e. non-interactively and bypassing the app altogether) it works fine. This is very frustrating and any help would be appreciated.

At this very moment I am exactly on the same spot (not with the chars, no need dos2unix). Also, with some modifications I get BadPickleGet: 111. The reason you may have to pass dos2exploit is because you need to understand what format is the data saved to the file… check cPickle online…

This machine is awesome. I did not make a shell via RCE yet, but I love the way to hack it.

I’ve got a shell since yesterday, quite easy in the end. Now, on my way to impersonate another user to get user.txt … so far, I’m having lots of fun with this one!

Well, after a short break, I got back to @canape. P0wned. For those who are struggling with it, here’s a tip: it’s easy. Once you got a shell, the rest is like a walk in the park. As someone had already said, the first foothold was fun. Then, pretty boring.

Any ideas about root? PM please

Stuck on Canape for a few days. Getting 500 Internal Server error. Anyone able to give me a nudge?

My earlier issue had to do with encoding.

@mikekhusid said:
I have the app running locally but I still can’t get RCE. When I generate the payload for RCE and the app creates the .p file locally, I try to run it in my own python interpreter with the “vulnerable” library and method I get the following error:

ImportError: No module named os

Running dos2unix on the .p file containing the exploit fixes the issue. I still can’t get RCE b/c I think my exploit is being generated incorrectly (I’m doing it in Kali so I have no idea why dos2unix has an effect) and this in turn isn’t working in the app. If I generate the payload and then execute it in the same script (i.e. non-interactively and bypassing the app altogether) it works fine. This is very frustrating and any help would be appreciated.

This incredibly helpful message is usually caused by having the wrong line endings. Submitting multiline text in your browser that has unix line endings \n usually ends up with the browser encoding it and changing the line endings into \r\n (if you look at the web request it probably has a %0D%0A in it; if that’s the case just remove the %0D’s since you only want unix style line endings and that should fix the problem). Alternatively you can url encode your text first. (Sorry for the non-specific answer but trying not to give anything away.)
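
The line-ending failure described in the post above, reproduced as an added example (not code from the thread or from the box). It assumes Python 3 and uses a constructed, harmless protocol-0 stream that only references `collections.OrderedDict`; all function names are illustrative.

```python
import pickle
import pickletools

# Constructed sample: a harmless protocol-0 pickle that only references
# collections.OrderedDict. Protocol 0 is line-oriented text, "\n"-terminated.
LF_STREAM = b"ccollections\nOrderedDict\n."


def to_crlf(stream: bytes) -> bytes:
    """Simulate a form submission rewriting LF line endings as CRLF."""
    return stream.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def to_lf(stream: bytes) -> bytes:
    """Undo the rewrite. Only valid for text (protocol 0) streams."""
    return stream.replace(b"\r\n", b"\n")


def cr_tainted_opcodes(stream: bytes):
    """Walk the opcodes without unpickling anything and return the
    (opcode name, argument) pairs whose text argument contains a CR."""
    return [
        (op.name, arg)
        for op, arg, _pos in pickletools.genops(stream)
        if isinstance(arg, str) and "\r" in arg
    ]


def load_error(stream: bytes):
    """Return the exception raised by pickle.loads, or None on success."""
    try:
        pickle.loads(stream)
    except Exception as exc:
        return exc
    return None


if __name__ == "__main__":
    broken = to_crlf(LF_STREAM)
    print(cr_tainted_opcodes(broken))   # module name now ends in "\r"
    print(repr(load_error(broken)))     # the import fails on that name
    print(load_error(to_lf(broken)))    # normalised stream loads again
```

Python 3 prints the module name with `repr`, so the stray `\r` is visible in the error; Python 2's cPickle prints it raw, which is why the message in the thread looks like a plain `os`.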

Can anyone help me out with the initial first step on this box? I have exhausted everything with no luck for hours.

Stuck at priv to user in local machine. I found an interesting file but cannot crack the hash in it. Any hints?

Cannot make RCE work :frowning: I used generator payload from GitHub. Boring is safe :frowning: