Canape

Got RCE but i’m stuck on user privesc, got hash but can’t crack it. Can anyone PM for any hints please?

Any tips on the initial foothold? I’ve been studying both the DB found and how to “link” it somehow to the repository, still no clue at all. I’ve never had to deal with these. ■■■■, I don’t even know that’s the way.

Anyone free for me to quiz about exploiting this?

got user.txt, stuck on privesc, can anyone give a hint in PM?

@nscur0 said:
To everyone stuck at their pickled payload not working when submitted to the site: try using a popular http library for the submission of your pickled code. Copy & pasting the payload from the terminal + bad url encoding fucks up the payload, with the mentioned library it worked flawlessly.

Dear baby Jesus this was the best advice in this thread (related to pickle anyways). Thanks nscur0.

Hello folks! Can someone DM me for a nudge on the user.txt? I got some footfold, found a hash and gained admin access to couchdb. Would also appreciate to exchange ideas as well :smiley: .

The best machine so far. Learn a lot, thx @overcast

Got user.txt, can anyone PM me for privesc to root please?

@Neol said:
Got user.txt, can anyone PM me for privesc to root please?

You should try on your own first :slight_smile:

@drtychai said:

@Neol said:
Got user.txt, can anyone PM me for privesc to root please?

You should try on your own first :slight_smile:

I tried it for hours… I don’t want to make spoilers so i prefer via PM.

Hey, Can Anyone help me with the intial foothold. I’ve been able to get a low privileged shell as www-data user but can’t seem to find a way to do privilege escalation as Homer user. Any nudges in the right direction would be appreciated!

Can someone pm me, i have a doubt about the pickle but I dont want to give any spoiler here

I’m struggling with the initial foothold… I found the DB and “hidden link” but cannot seem to get anywhere from there. I have a sense that I am missing something from enumeration. What else am I missing here?

im getting this error
ValueError: insecure string pickle
any help?

just finished canape
pure love for this box, feel free to pm for a nudge

Can anyone give me a hint on how to get user ?
I have a shell on www-data, found a hash and got admin access to the couchdb but stuck at how to priv esc to the user.

@xtech

Start from basic like make it to show sys version and build your command from there. Research the module more, you have that error cos the string does not end with new line.

owned, thanks to @R4yquazID for the help, i’m now also avalaible for any hints :wink:

I am logged in as user any hints on a stable shell?

@it4chi said:
I am logged in as user any hints on a stable shell?

python -c ‘import pty;pty.spawn(“/bin/bash”)’