# Canape

## Canape - 10.10.10.70

### Target Enumeration:

OS: Linux

IP: 10.10.10.70

User: bce918696f293e62b2321703bb27288d

Root: 928c3df1a12d7f67d2e8c2937120976d

### Vulnerability Exploited:

Pickle Code Injection

### Privilege Escalation:

User allowed to run pip install as root user.

### Exploiting the host:

Nmap (I used Sparta because I was being lazy)

![](https://lh6.googleusercontent.com/2ez1SiQ29UBFdXQ--KyFbY7witATIIp2D-lQ0MQKwax9XJrlo4hQQbJ3XxtUmcwP8PaGqabkW6M_y3wzLiV4PuFigzAgZsatgINdYwkP06s9DQnG1v2z_re_5q5guDKZ41yv3Ybd)

There is a .git repo.

There were lots of false positives with the application.

The .git repo gives us an address from which to download the source code.

<div align="left"><img src="https://lh4.googleusercontent.com/cSbVoGaglOBYbgXWDbg7OgAewZCpC57C_PJHLdGWU_uypjPYotFBYMjOKbYpZxSe8efVZo5zGSVlGHFf8IsPa8ZpZHbEY-5mLVHQ1XQjNhOiRwhHVCncmCtsmfYyVFXcPMff5zWE" alt=""></div>

Add git.canape.htb to our /etc/hosts file and clone the repo.

![](https://lh3.googleusercontent.com/MVZLve2tTC_872yIxsDO_oY00tgsaBBwKCfMr8cq8oZ8HUC-s44umShzJJF8semveTGIlIPMeETd4mqJQVWizhARaPx79N5PNq8Vp5Rqy8wtpD__eGQFpkRuHbh4hGMRNuNV3az9)

Now that we have the source code, we can see it is vulnerable to pickle code injection.

Researching the issue led us to <https://lincolnloop.com/blog/playing-pickle-security/>

I had several issues getting the reverse shell to work and had to look online for a working Python exploit.
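To make the vulnerability concrete from the defender's side, here is an added example (not code from the Canape application, the lincolnloop post, or the ironhackers write-up) showing why `pickle.loads()` on request data is code execution, and two checks that stop it: a `pickletools` scan that lists the globals a pickle would import without running it, and the `RestrictedUnpickler` pattern from the Python documentation. `HarmlessProbe` and both sample pickles are constructed for the demo; the probe's `__reduce__` hands the unpickler a benign callable (`platform.python_version`) in the position where a real payload would put something dangerous.

```python
"""Why pickle.loads() on untrusted data is remote code execution, plus two
defensive checks. Added example for this write-up; not the box's own code.

HarmlessProbe is a constructed stand-in for an attacker-shaped object: its
__reduce__ tells the unpickler which callable to run and with which args.
The callable here is the benign platform.python_version so the demo is safe.
"""
import builtins
import io
import pickle
import pickletools
import platform


class HarmlessProbe:
    def __reduce__(self):
        # Unpickling this object calls platform.python_version() with no args.
        return (platform.python_version, ())


# Constructed inputs: one attacker-shaped pickle, one ordinary data pickle.
PROBE_PICKLE = pickle.dumps(HarmlessProbe())
BENIGN_PICKLE = pickle.dumps({"quote": "D'oh!"})


def unrestricted_loads(data: bytes):
    """What the vulnerable code does: the callable inside the pickle runs."""
    return pickle.loads(data)


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Check 1 (detection): list every (module, name) a pickle would import,
    by walking its opcodes with pickletools instead of executing it.

    GLOBAL carries "module name" as one argument; STACK_GLOBAL (protocol 4+)
    takes module and name from the two string operands pushed before it.
    Heuristic: operands fetched back from the memo (BINGET) are not resolved,
    so an unresolved STACK_GLOBAL is reported as ("?", "?") and still counts.
    """
    found = []
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
            else:
                found.append(("?", "?"))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


# Check 2 (mitigation): the RestrictedUnpickler pattern from the Python docs.
# Only a short allowlist of builtins may be resolved; everything else,
# including os.system, subprocess.* and platform.*, is refused.
SAFE_BUILTINS = {"range", "complex", "set", "frozenset", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """(True, value) on success; (False, reason) when a forbidden global is hit."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("globals in probe :", referenced_globals(PROBE_PICKLE))
    print("globals in benign:", referenced_globals(BENIGN_PICKLE))
    print("unrestricted load:", unrestricted_loads(PROBE_PICKLE))  # callable ran
    print("restricted load  :", restricted_loads(PROBE_PICKLE))    # refused
    print("restricted benign:", restricted_loads(BENIGN_PICKLE))
```

The scan is useful as a logging or WAF-style check because it never executes the payload, but the allowlisting unpickler (or, better, replacing pickle with JSON for data that crosses a trust boundary) is what actually closes the hole: any pickle that needs a global outside the allowlist is rejected before `REDUCE` can run anything.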

![](https://lh6.googleusercontent.com/j5Xa45qEKHt8PRM-mgV3XCIbouTPWtfVahWL7zo0vlnr67A-3d6E9GQW-vkgxGdM72cx5TgEvDgNxyF1_dKQoZJdcf_lVCzSaixlDpIffbdCoL5Od95sPo4YJNtpPu-a14TQB7ac)

<https://ironhackers.es/en/writeups/writeup-canape-hackthebox-2/>  :)

Execute the code to receive a reverse shell.

![](https://lh3.googleusercontent.com/xYhStTGqGkHUO5YPiN-8BWviC1jEPMHkpXHIj5jjff1vaSS63ZumVR-WxYG7rEROtFCToZ4x8adPvfQE91M8sy0NIrWof7xEaIVweYXif-RxpXp6TAqcu-hwEnGWMktTnocqIZyO)

Now we have a shell as www-data.

Enumerating the system and looking at the initial git code gave us a potential route.

![](https://lh4.googleusercontent.com/aMwV2gt_KrTPVL6RjdQreAyDdp4GBZ_C6sTXCh5pVbBkMx7ri1maRqV26iuAwg6flPXyyKQAEJ7yJBf1nBe-RdMau51DT4m4p66OSXDwJieds1l7lbckbsZUBUdGkPFeqh9p-hx5)

We could see it was listening locally:

![](https://lh4.googleusercontent.com/-wrb7QNReZpT4BYfumSu1WVDuVmhXVYqZeMtOKctjviCxrnGdafrwN5hFPDohMaEBY3Zk76_KgK5MVOWB4t3GOVWlVPGaRup3MTnncxWA7nRPYoHpBufj9k2AgApxFR0l1q4vZm2)

Reviewing it gave us a version to check.

![](https://lh5.googleusercontent.com/mUMhK57HjNe2SnU4rr_4fbGa1mPLE5g9jA5eiBzJiFNF-sA-kaLcj9OgeQnIs-CjsW4j52f5qdJPyGLaFnRDeeMl0bYs5CEHjf-f3Xyu7oAVZAcX1ir0m8LmXp8bEXCaOF5ymcqi)

And searchsploit gave us a potential exploit.

![](https://lh5.googleusercontent.com/OvhFpwOb7IB3racRwX6cC62Jb6CFAt-saYesEEYWahBt1ndhyZk2YmGDNjOKVMZSRgvyO5_PHgjWzfFb_KJMuT1gKqlFJD6BLYTRNFIn5hX4PlGonyPmX_4YScw5V1i4-zFi4UA6)

This did not work, so we kept looking online and found

<https://www.exploit-db.com/exploits/44498/>

Running the following creates a user for us.

![](https://lh5.googleusercontent.com/3mKJLBfWd2doDP16toF0F5EXz6C9vZWp5620aCqVaOtBc195wVf7G222dGcHw6kSWkRciD2MdfpDsqy01hoqgLNlO7MVMPjiBzSOXItyE0IOirygaU2Q-Tcp7fYzeKLHsFn7szI9)

We can now grab the passwords.

![](https://lh6.googleusercontent.com/5E11_8Qg68h3yhlhdxMzAmhcm4hi3gZmFzMeie012pOu4NNcfHIzdvpmGJ6_P_Gw5CAb_yWagcZ1ByfWzBlpYL9LJoB2_1dtKKynnm_gwmN9sSCmM8dGjlZjTMY3XKg84W5EzfCF)

Upgrade to a full TTY to su to the user homer (found via the passwd file), or log in via SSH.

![](https://lh4.googleusercontent.com/RJdyHlslyauF_Ldq40y_dMZF4BzL14uARnuaeRvUFA-lZIhqhGJsPCImzQ8j7S3ZZGxPOiS6kvnrPK3p5X0CdhBYh7hDKxlfXPXu1tJ5C8T8Ql0aE2j7eLsLEiBItuzGRpVjrClk)

Upgrading current shell:

![](https://lh4.googleusercontent.com/80tPmBqeM7cZqOGFyp6Q_nZ1INXWrvkV-e6rCpdsicYoYmLS-WX3cpBA39mKMmtnpgsPzThHAn9Rj8rdPveQzWo6qrCa201FIK4X5c0W_Ngt8clN7D69-ON4iZ1tvcNMjZEx07HD)

Grab the user flag.

<div align="left"><img src="https://lh3.googleusercontent.com/BDy63llTlHZ8aX6XvlVrM593pHwwQcI4BCmoqMz19Z3yCVPQPbWYcQ-C85GlFVneg2sIGYPPD_PMhJYVnKDnAmro0RdoYLvkuJry28R6q6Yvewn_CzzSAoh5GiRoi4a1tmx8fLX0" alt=""></div>

As the user homer, we can run pip install as root.

![](https://lh3.googleusercontent.com/2aCs9eMh1yP_AujfPYRhbQ0hyeE_5fi_AkgwSiog8cYIDHDsfwjOqbZT5993IK0BM9iNSaT4iSl4oUzYFPaSsLMYihpubFySHG9xttO0WfvyZ8R3Clu_valR8k8G5-gruPkurbdY)
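A sudo rule like this one is the whole privilege escalation, so it is worth being able to spot it in an audit. The following is an added example, not code from the box: it parses `sudo -l` style output and flags run-as-root rules whose command executes caller-supplied code (pip runs the install source's setup.py; an interpreter runs whatever script it is given). The sample output, the user and host names in it, and the `CODE_EXEC_COMMANDS` list are constructed for the demo; the real rule on Canape is only visible in the screenshot above, so its exact wording is an assumption.

```python
"""Flag sudo rules that hand out root code execution through a package
manager or interpreter. Added example for this write-up, not the box's code.

SAMPLE_SUDO_L is constructed `sudo -l` output; the exact rule on the real
host is an assumption based on the write-up's description.
"""
import os
import re

# Commands that execute code the caller controls when run via sudo:
# pip/easy_install run setup.py from the install source, interpreters run
# the script they are handed. Illustrative allow-to-flag list, not exhaustive.
CODE_EXEC_COMMANDS = {
    "pip", "pip2", "pip3", "easy_install",
    "python", "python2", "python3",
}

SAMPLE_SUDO_L = """\
Matching Defaults entries for homer on canape:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User homer may run the following commands on canape:
    (root) /usr/bin/pip install *
    (root) NOPASSWD: /usr/bin/systemctl status nginx
    (ALL) /bin/ls
"""

# "(runas) [TAG: ...] /path/to/cmd args" as printed by sudo -l.
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmd>\S+)(?P<args>.*)$"
)


def parse_sudo_rules(text: str) -> list[dict]:
    """Return one dict per rule line found after the 'User ... may run' header."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "runas": m["runas"].strip(),
                "nopasswd": "NOPASSWD:" in m["tags"],
                "cmd": m["cmd"],
                "args": m["args"].strip(),
            })
    return rules


def risky_rules(text: str) -> list[dict]:
    """Rules that let the caller run arbitrary code as root (or as anyone)."""
    flagged = []
    for rule in parse_sudo_rules(text):
        root_capable = rule["runas"] in ("root", "ALL")
        arbitrary = rule["cmd"] == "ALL" or os.path.basename(rule["cmd"]) in CODE_EXEC_COMMANDS
        if root_capable and arbitrary:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    for rule in risky_rules(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if rule["nopasswd"] else "password"
        print(f"RISK: ({rule['runas']}) {rule['cmd']} {rule['args']}  [{tag}]")
```

Restricting the argument to `install *` does not help, because pip's install path is itself the code-execution primitive; the fix is to not grant pip (or any interpreter) via sudo at all and to install packages from a controlled, reviewed source instead.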

Move to /dev/shm/ so that no other files in the working directory interfere with your shell.

Create the following basic Python reverse shell.

Copy it to the web server and rename it setup.py so that pip will pick it up.

Set up a nc listener on port 444.

Install the file with sudo pip install .

![](https://lh4.googleusercontent.com/vFj_uXP5PGbs256y-YIPiwTuky4tSrKFUfOHaBfawWKkH-L5m93hw4BGRlEx0-35OumpbdSce8mVsrDdDIv16_ksVYWiMUPDAMBdlogn6g3Ha8r8rF93hURqtGKbHNCadaGdif4Y)

Now you receive a root shell.

![](https://lh3.googleusercontent.com/Y7F-BGHJMS-4klUEM6iaWDH_nFEyEZgl2_enkg5ftEXDXnzT4QgfVEDhQzlCgZN_kdoZP6e9X0gOu4UfhV25nvtWSo8Gmm_WQkZ8CwnC_6jfsfk76w6WKn4USgKKCTeRvypusknN)

Grab the root flag.

<div align="left"><img src="https://lh5.googleusercontent.com/0Ed5m_arp1PcYlotjTOJd3qMwRWdOvudzIdedbOumT0uy8L1Ao4mqXnSe7wxjOrqoPPaXBzvybhXyrmGiJLDdnvFkPCPc8zL2-YO9kt8HR8PstKxf96EEMEVYY5meK8zRHYpPu6n" alt=""></div>
