Hacking
  • Penetration Testing
  • Methodologies
    • Exfil
    • Manual Enumeration
    • Basic Buffer Overflow
    • Basic Internal Network test
    • Basic Mobile Testing guide
    • Basic Subdomain Enumeration guide
  • Guides
    • Build A Raspberry Pi Dropbox
    • Golang
    • Powershell / PowerView
    • PurpleSharp
  • Hack The Box last updated - 2019
    • Legacy
    • Devel
    • Optimum
    • Popcorn
    • Beep
    • Tenten
    • Arctic
    • Cronos
    • Grandpa
    • Granny
    • October
    • Lazy
    • Sneaky
    • Holiday
    • Blocky
    • Shrek
    • Blue
    • Joker
    • Europa
    • Haircut
    • Bank
    • SolidState
    • Mantis
    • Shocker
    • Tally
    • Sense
    • Jeeves
    • Stratosphere
    • Inception
    • Bashed
    • Fluxcapacitor
    • Canape
    • Rabbit
    • Chatterbox
    • Nibbles
    • Sunday
    • Aragog
    • Valentine
    • Silo
    • Olympus
    • Poison
    • Celestial
    • Waldo
    • Jerry
    • Access
    • Active
    • Netmon
  • scriptz
  • Issues
    • gists
    • Boring Issues
Powered by GitBook
On this page
  • Canape - 10.10.10.70
  • Target Enumeration:
  • Vulnerability Exploited:
  • Privilege Escalation:
  • Exploiting the host:
  1. Hack The Box last updated - 2019

Canape

PreviousFluxcapacitorNextRabbit

Last updated 6 years ago

Canape - 10.10.10.70

Target Enumeration:

OS: Linux

IP: 10.10.10.70

User: bce918696f293e62b2321703bb27288d

Root: 928c3df1a12d7f67d2e8c2937120976d

Vulnerability Exploited:

Pickle Code Injection

Privilege Escalation:

User allowed to run pip install as root user.

Exploiting the host:

Nmap (used sparta as I was being lazy)

There is a .git repo.

Lots of false positives with the application

.git repo gives us an address to download the source code.

Add git.canape.htb to our /etc/hosts file and clone the repo.

Now we have the source code we can see it is vulnerable to pickle code injection.

Although I had several issues with getting the reverse shell and had to look online for a working python exploit.

Execute the code to receive a reverse shell.

Now we have a shell as www-data.

Enumerating the system and looking at the initial git code gave us a potential route

We could see it was listening locally:

Reviewing it gave us a version to check

And searchsploit gave us a potential exploit

This did not work so we kept looking online and found

Running the following creates a user for us.

We can now grab the passwords

Upgrade to a full tty to su to the user homer (found via passwd file) or login via ssh

Upgrading current shell:

Grab the user flag

We can run pip install as root as the user homer

Move to /dev/shm/ to stop any other files messing around with your shell.

Create the following basic python reverse shell

Copy to the webserver and rename setup,py to work with pip

Setup a nc listener on port 444

Install the file with sudo pip install .

Now you receive a root shell.

Grab the root flag

Researching the issue lead us to

:)

https://lincolnloop.com/blog/playing-pickle-security/
https://ironhackers.es/en/writeups/writeup-canape-hackthebox-2/
https://www.exploit-db.com/exploits/44498/