Canape

Feeling good, got root. Hint for that box: do not assume anything and read more. Try Harder!!!

@dmknght said:
Can not make RCE work :frowning: I used generator payload from github. Boring is safe :frowning:

Not sure if you are talking about the initial foothold or a point further along, in the first case check how you are encoding whatever you have. If possible test it locally using whatever you have found and you will be able to see more info on why it is failing. I can’t really post more details here but feel free to message me with any questions about this box and I’ll give whatever hints I can (without spoiling anything of course).

@Ic3M4n said:

@dmknght said:
Can not make RCE work :frowning: I used generator payload from github. Boring is safe :frowning:

Not sure if you are talking about the initial foothold or a point further along, in the first case check how you are encoding whatever you have. If possible test it locally using whatever you have found and you will be able to see more info on why it is failing. I can’t really post more details here but feel free to message me with any questions about this box and I’ll give whatever hints I can (without spoiling anything of course).

I think I did not use the right encoder. I did not enumerate the machine and information for the exploit enough as well. I am doing other boxes and I will be back to this box when I feel ready. Thanks for your help :smiley:

DM me if you are stuck at priv esc. I want to discuss it

Is anyone online for a quick private message? I am lost in getting the initial foothold. Greatly appreciate it if someone can point me in the right direction.

■■■■ it. The comments here only made me more frustrated. It feels like my payload should be working… It is working locally :cry:

You get the best value if you make a Python script (POC) that does the whole process. Especially if you are not familiar with Python. It’s easy. You can easily google all you need.

@fingeron said:
■■■■ it. The comments here only made me more frustrated. It feels like my payload should be working… It is working locally :cry:

I am stuck where you are. It has something to do with encoding. If I can be more specific when I figure it out without giving it away, I will. The advice I was given was to set up the whole thing locally so that I could test…

Any hint on user.txt? I’ve been trying to make authenticated queries to couchdb.

@MartyV said:
Any hint on user.txt? I’ve been trying to make authenticated queries to couchdb.

Hint: What will you do next when you control the server and couchdb?

Any hints on doing RCE? I’ve been hitting 500s because of this “char + quote”. Any hints on this? Please PM

@anikka said:
Any hints on doing RCE? I’ve been hitting 500s because of this “char + quote”. Any hints on this? Please PM

Same problem, but without char it works.

Same, stuck in char + quote. Escaping \n does not work though. Any hints PM please?

Wow! That was fun. I’m not very experienced with databases, so I learned a LOT! Great box!

@anikka @markopasa @Javox Try different combinations how you can bypass the check.

Can’t root the box. Any nudges on how to use *** or is that a rabbit hole? Please PM

Rooted! Learned so much about this box. :slight_smile:

I would appreciate a PM with any good read related to this exploit if possible.

I have been stuck at the beginning for 2 days now. I have found 2 ports, the http and the ssh; brute-forcing dirs is useless. I can’t find any hint about where the vuln app is. Can anyone PM me please?

@3ll137hy said:
I have been stuck at the beginning for 2 days now. I have found 2 ports, the http and the ssh; brute-forcing dirs is useless. I can’t find any hint about where the vuln app is. Can anyone PM me please?

I found nmap operating system scan useful.