Canape
Canape - 10.10.10.70
Target Enumeration:
OS: Linux
IP: 10.10.10.70
User: bce918696f293e62b2321703bb27288d
Root: 928c3df1a12d7f67d2e8c2937120976d
Vulnerability Exploited:
Pickle Code Injection
Privilege Escalation:
User allowed to run pip install as root user.
Exploiting the host:
Nmap (used sparta as I was being lazy)
There is a .git repo.
Lots of false positives with the application
.git repo gives us an address to download the source code.
Add git.canape.htb to our /etc/hosts file and clone the repo.
Now that we have the source code, we can see it is vulnerable to pickle code injection.
Researching the issue led us to
https://lincolnloop.com/blog/playing-pickle-security/
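Pickle code injection arises when an application unpickles bytes that a client controls. As an added example (not code from the Canape repository or the linked posts), the sketch below shows two defensive controls: a static scan for opcodes that import or call anything, and an unpickler that refuses every global lookup. The function names and the sample payloads are constructed for illustration, and the payloads are benign.

```python
import collections
import io
import pickle
import pickletools

# Opcodes that import a name or call/instantiate one. Pickles of plain
# dicts, lists, strings and numbers contain none of these.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ",
                "NEWOBJ_EX", "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}


def code_opcodes(data):
    """List import/call opcodes in a pickle stream without loading it."""
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(data):
            if opcode.name in CODE_OPCODES:
                found.append(opcode.name)
    except Exception:  # truncated or corrupt stream: treat as hostile
        found.append("MALFORMED")
    return found


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup (allow-list of nothing)."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data):
    """Drop-in for pickle.loads when only builtin data types are expected."""
    return DataOnlyUnpickler(io.BytesIO(data)).load()


# Constructed, benign samples (not taken from the Canape application).
PLAIN = pickle.dumps({"name": "canape", "tags": ["a", "b"], "count": 3})
WITH_GLOBAL = pickle.dumps(collections.OrderedDict(a=1))  # needs an import

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("with_global", WITH_GLOBAL)):
        print(label, "opcodes:", code_opcodes(blob))
        try:
            print(label, "loaded:", safe_loads(blob))
        except pickle.UnpicklingError as exc:
            print(label, "rejected:", exc)
```

For data that crosses a trust boundary, a format such as JSON avoids the problem entirely; the restricted unpickler is for cases where pickle cannot be replaced.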
I had several issues getting the reverse shell, though, and had to look online for a working Python exploit.
https://ironhackers.es/en/writeups/writeup-canape-hackthebox-2/
:)
Execute the code to receive a reverse shell.
Now we have a shell as www-data.
Enumerating the system and looking at the initial git code gave us a potential route
We could see it was listening locally:
Reviewing it gave us a version to check
And searchsploit gave us a potential exploit
This did not work, so we kept looking online and found
https://www.exploit-db.com/exploits/44498/
Running the following creates a user for us.
We can now grab the passwords
Upgrade to a full TTY to su to the user homer (found via the passwd file), or log in via SSH.
Upgrading current shell:
Grab the user flag
As the user homer, we can run pip install as root.
Move to /dev/shm/ to stop any other files messing around with your shell.
Create the following basic Python reverse shell
Copy it to the webserver and rename it to setup.py so it works with pip
Set up a nc listener on port 444
Install the file with sudo pip install .
Now you receive a root shell.
Grab the root flag