If some gentle soul is willing to guide me through the cursed valley of CouchDB ... I can already look inside but I'm still lost on where to look ...
pls pm
Comments
Could someone with a foothold PM me? I need a nudge on how to exploit Couch + the link I found in the source code. I'm lost on what to do with it.
You need to research a bit more on how the service is working in the background to exploit it. If you don't already have the necessary files, you may need to enumerate a bit more as well.
Sorry, I don't have user or even a shell yet. I'm still struggling with just understanding what I have. Do you mean enumerate the site directory, or did I accidentally give the impression I have a shell?
Pwned user. This machine is cool af. Feel free to PM me for nudges too.
Hint (as seems to be the case often): a stable RCE is almost as useful as a shell -- I could get everything up to pwning user without a shell. Something that can execute commands and give back output is useful enough in this case.
OSCP
... and root. Can confirm root is quite easy after pwning user.
OSCP
I receive UnpicklingError: pickle data was truncated or BadPickleGet 111. I'm stuck. Hint?
Spoiler Removed - Arrexel
Finally got root. Cool machine, thanks for the hints. If anyone needs a hint, you can PM me.
I have found all that I believe from remote enumeration and I have a few things to track down, but spent a lot of time so far with no luck; currently in a pickle trying to figure it all out. Please PM me if you can help me talk it out?
rooted! learned a lot
Need some help on getting shell. I understand the exploit, have re-created it on my own machine and have even been able to pop a reverse shell on my own machine but never on Canape.
To everyone stuck at their pickled payload not working when submitted to the site: try using a popular HTTP library for the submission of your pickled code. Copy & pasting the payload from the terminal + bad URL encoding fucks up the payload; with the mentioned library it worked flawlessly.
Great box, enjoyed it all the way through lol
Is anyone else receiving Bad Request on the check endpoint??
NVM got it
finally working
Finally rooted. Feel free to PM me for vague nudges
rooted!
Need a nudge? PM!
CEH, OSCP
Rooted

Good, and I learned many new things.
Root and user were easy after getting the first foothold.
Lost getting the initial foothold. Anybody can give me a nudge??
pls pm
I need some help with the Grammar web challenge.
This box was a school!
Finally, root conquered!
I am feeling stupid for not being able to get the initial foothold... could anyone PM me?
Hint on getting foothold: 1) yes, it does require research, 2) common public approaches probably won't work, 3) but yes, there is a public example out there, 4) don't copy and paste; if you need to copy and paste, base64 is your friend, 5) you probably want to test locally, 6) you need to be able to read and understand the code.
Owned. Great box all around. Thoroughly enjoyed it. Looking back, it's not hard once you know the paths. Root is trivial. Your main difficulties are entirely going to be getting user. Just keep at it. PM for hints.
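Added example, not code from anyone in this thread, taking the two points raised above (base64 the payload, submit with an HTTP library instead of pasting from the terminal) together with the earlier "pickle data was truncated" error, but seen from the receiving service's side: it models how terminal copy/paste mangles a binary pickle, shows that a base64 field survives intact, and loads submissions with a restricted unpickler so that any pickle referencing a class or function is refused rather than executed. The empty allowlist, the base64 field format and the sample documents are assumptions, not the box's real service.

```python
import base64
import binascii
import io
import pickle

# Assumed policy: the service needs plain data only, so no global may be resolved.
ALLOWED_GLOBALS = frozenset()

class ForbiddenGlobal(pickle.UnpicklingError):
    """Raised when a pickle asks for a class or function by name."""

class RestrictedUnpickler(pickle.Unpickler):
    # Every GLOBAL / STACK_GLOBAL opcode goes through find_class: deny callables here.
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise ForbiddenGlobal(f"refusing to resolve {module}.{name}")

def encode(blob: bytes) -> str:
    """Base64 keeps every byte of a binary pickle intact inside a text field."""
    return base64.b64encode(blob).decode("ascii")

def as_pasted_from_terminal(blob: bytes) -> bytes:
    """Model the copy/paste path from the thread: bytes that are not valid UTF-8
    (0x80, 0x95, ...) turn into U+FFFD once a terminal hands them over as text."""
    return blob.decode("utf-8", errors="replace").encode("utf-8")

def check_submission(text: str):
    """Decode a base64 field and load it with the restricted unpickler. Returns
    (status, value); status: ok, bad-base64, forbidden-global, truncated-or-malformed."""
    try:
        blob = base64.b64decode(text, validate=True)
    except binascii.Error:
        return "bad-base64", None
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(blob)).load()
    except ForbiddenGlobal as exc:  # must be caught before its base class below
        return "forbidden-global", str(exc)
    except (pickle.UnpicklingError, EOFError) as exc:  # e.g. "pickle data was truncated"
        return "truncated-or-malformed", str(exc)

# Constructed samples: a harmless document and one that references a class.
DOC = {"title": "canape", "tags": ["pickle", "couchdb"]}
RAW = pickle.dumps(DOC, protocol=4)
RAW_WITH_CLASS = pickle.dumps(range(3), protocol=4)  # pickles as a reference to builtins.range

if __name__ == "__main__":
    for field in (encode(RAW), encode(RAW[:-5]),
                  encode(as_pasted_from_terminal(RAW)), encode(RAW_WITH_CLASS)):
        print(check_submission(field))
```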
If anyone can help with getting RCE, send me a PM. Been trying a lot of different things, but all have resulted in 500 errors.
> If anyone can help with getting RCE, send me a PM. Been trying a lot of different things, but all have resulted in 500 errors.
PM'd
Anyone mind taking a look at my exploit script, it worked ONCE in a test environment and then went back to triggering 500s. I must have tweaked something bone-headed and broke it.
Got RCE but I'm stuck on user privesc; got a hash but can't crack it. Can anyone PM me with hints, please?