Canape

i need a hint to get user shell after getting into the system . i tried many things but with no luck . is it a credentials i need to find or an exploit as i feel i lost my way .

Enumerate system, look what is running and if you cant use something.

i got admin account on the service , but i can’t execute commands using the exploit . thats why am lost :confused:

never mind i was so stupid XD
for all other people don’t fall to the rabbit hole, there is no rce exploit to get user access .

I came to say that this is an awesome box. On every spot epic! Thanks alot

got shell and trying to escalate… any1 wanna discuss/help PM me.

This is the most fun box ever :slight_smile: Got stable RCE, can run ■■■■ as www user, no user access yet… but this is so fun it doesn’t matter much :slight_smile:

anyone want to give a nudge? My RCE is fine, I can see the machine has something locally that smells of help with privesc to user, but I don’t have the creds really to access it…

Could someone with a foothold PM me? I need a nudge on how to exploit Couch + the link I found in the source code. I’m lost on what to do with it.

@Demosz said:
Could someone with a foothold PM me? I need a nudge on how to exploit Couch + the link I found in the source code. I’m lost on what to do with it.

You need to research a bit more on how the service is working in the background to exploit. If you don’t already have the necessarily files, you may need to enumerate a bit more as well.

@An00byss said:

@Demosz said:
Could someone with a foothold PM me? I need a nudge on how to exploit Couch + the link I found in the source code. I’m lost on what to do with it.

You need to research a bit more on how the service is working in the background to exploit. If you don’t already have the necessarily files, you may need to enumerate a bit more as well.

Sorry, I don’t have user or even a shell yet. I’m still struggling with just understanding what I have. Do you mean enumerate the site directory, or did I accidentally give the impression I have a shell.

Pwned user. This machine is cool af. Feel free to PM me too for nudges too.

Hint, (as seems to be the case often) a stable RCE is almost as useful as a shell – I could get everything to pwning user without a shell. Something that can execute commands and give back output is useful enough in this case.

… and root… Can confirm root is quite easy after pwning user.

i receive UnpicklingError: pickle data was truncated or BadPickcleget 111, I’m stuck. hint?

Spoiler Removed - Arrexel

Finally got shell. Not rooted yet, but I’m happy to nudge people still working on the initial foothold

Finally got root. Cool machine, thanks for the hints. If anyone needs a hint, you can PM me.

I have found all that I believe from remote enumeration and I have a few things to track down, but spent a lot of time so far with no luck; currently in a pickle trying to figure it all out. Please PM me if you can help me talk it out?

rooted! learned a lot :slight_smile:

Need some help on getting shell. I understand the exploit, have re-created it on my own machine and have even been able to pop a reverse shell on my own machine but never on Canape.