Canape

Well, after a short break, I got back to @canape. P0wned. For those who are struggling with it, here’s a tip: it’s easy. Once you’ve got a shell, the rest is like a walk in the park. As someone has already said, the first foothold was fun. Then, pretty boring.

Any ideas about root? PM please

Stuck on Canape for a few days. Getting 500 Internal Server error. Anyone able to give me a nudge?

My earlier issue had to do with encoding.

@mikekhusid said:
I have the app running locally but I still can’t get RCE. When I generate the payload for RCE and the app creates the .p file locally, I try to run it in my own python interpreter with the “vulnerable” library and method I get the following error:

ImportError: No module named os

Running dos2unix on the .p file containing the exploit fixes the issue. I still can’t get RCE b/c I think my exploit is being generated incorrectly (I’m doing it in Kali so I have no idea why dos2unix has an effect) and this in turn isn’t working in the app. If I generate the payload and then execute it in the same script (i.e. non-interactively and bypassing the app altogether) it works fine. This is very frustrating and any help would be appreciated.

This incredibly helpful message is usually caused by having the wrong line endings. Submitting multiline text in your browser that has unix line endings (\n) usually ends up with the browser encoding it and changing the line endings into \r\n (if you look at the web request it probably has a %0D%0A in it; if that’s the case just remove the %0D’s, since you only want unix style line endings, and that should fix the problem). Alternatively you can url encode your text first. (Sorry for the non-specific answer, but I’m trying not to give anything away.)

Can anyone help me out with the initial step on this box? I have exhausted everything with no luck for hours.

Stuck at priv to user on the local machine. I found an interesting file but cannot crack the hash in it. Any hints?

Cannot make RCE work :frowning: I used the payload generator from GitHub. Boring is safe :frowning:

Feeling Good, got root. Hint for that box do not assume anything and read more. Try Harder !!!

@dmknght said:
Cannot make RCE work :frowning: I used the payload generator from GitHub. Boring is safe :frowning:

Not sure if you are talking about the initial foothold or a point further along, in the first case check how you are encoding whatever you have. If possible test it locally using whatever you have found and you will be able to see more info on why it is failing. I can’t really post more details here but feel free to message me with any questions about this box and I’ll give whatever hints I can (without spoiling anything of course).

@Ic3M4n said:

@dmknght said:
Cannot make RCE work :frowning: I used the payload generator from GitHub. Boring is safe :frowning:

Not sure if you are talking about the initial foothold or a point further along, in the first case check how you are encoding whatever you have. If possible test it locally using whatever you have found and you will be able to see more info on why it is failing. I can’t really post more details here but feel free to message me with any questions about this box and I’ll give whatever hints I can (without spoiling anything of course).

I think I did not use the right encoder. I also did not enumerate the machine and the information for the exploit enough. I am doing other boxes and will come back to this box when I feel ready. Thanks for your help :smiley:

DM me if you are stuck at priv esc. I want to discuss it.

Is anyone online for a quick private message? I am lost in getting the initial foothold. I’d greatly appreciate it if someone could point me in the right direction.

■■■■ it. The comments here only made me more frustrated. It feels like my payload should be working… It is working locally :cry:

You get the best value if you write a Python script (POC) that does the whole process, especially if you are not familiar with Python. It’s easy; you can google all you need.

@fingeron said:
■■■■ it. The comments here only made me more frustrated. It feels like my payload should be working… It is working locally :cry:

I am stuck where you are. It has something to do with encoding. If I can be more specific when I figure it out without giving it away, I will. The advice I was given was to set up the whole thing locally so that I could test…

Any hint on user.txt? I’ve been trying to make authenticated queries to couchdb.

@MartyV said:
Any hint on user.txt? I’ve been trying to make authenticated queries to couchdb.

Hint: what will you do next once you control the server and couchdb?

Any hints on doing RCE? I’ve been hitting 500s because of this “char + quote”. Any hints on this? Please PM

@anikka said:
Any hints on doing RCE? I’ve been hitting 500s because of this “char + quote”. Any hints on this? Please PM

Same problem, but without the char it works.