Pickle Code Injection
User allowed to run pip install as root user.
Nmap (used Sparta as I was being lazy)
There is a .git repo.
Lots of false positives with the application
The .git repo gives us an address to download the source code.
Add git.canape.htb to our /etc/hosts file and clone the repo.
Now that we have the source code, we can see it is vulnerable to pickle code injection.
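To show why unpickling attacker-supplied bytes is unsafe and how to check for it, here is an added example (not code from the target application or from this write-up): it disassembles a pickle without executing it to flag the opcodes that import and call objects, and loads data through an unpickler that refuses every import. The function names and the two sample pickles are constructed for illustration.

```python
import collections
import io
import pickle
import pickletools

# Opcodes that import a name or call/instantiate an object during unpickling.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def risky_opcodes(blob):
    """Disassemble a pickle without executing it; return risky opcode names."""
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(blob):
            if opcode.name in RISKY_OPCODES:
                found.append(opcode.name)
    except Exception:
        found.append("MALFORMED")  # undecodable stream: treat as hostile
    return found


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only plain data loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked import of {module}.{name}")


def safe_loads(blob):
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


# Constructed samples: plain data, and a benign object whose pickle imports
# a name and calls it (the same mechanism pickle code injection relies on).
PLAIN = pickle.dumps({"character": "example", "quote": "hello"})
CALLS_GLOBAL = pickle.dumps(collections.OrderedDict(a=1))

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("calls_global", CALLS_GLOBAL)):
        print(label, risky_opcodes(blob))
        try:
            print("  loaded:", safe_loads(blob))
        except pickle.UnpicklingError as exc:
            print("  rejected:", exc)
```

The opcode scan is a triage aid only; the durable fix is to stop passing user-controlled bytes to pickle and use a data-only format such as JSON.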
Researching the issue led us to https://lincolnloop.com/blog/playing-pickle-security/
I had several issues getting the reverse shell, though, and had to look online for a working Python exploit.
Execute the code to receive a reverse shell.
Now we have a shell as www-data.
Enumerating the system and looking at the initial git code gave us a potential route.
We could see it was listening locally:
Reviewing it gave us a version to check
And searchsploit gave us a potential exploit
This did not work so we kept looking online and found
Running the following creates a user for us.
We can now grab the passwords
Upgrade to a full TTY to su to the user homer (found via the passwd file), or log in via SSH.
Upgrading current shell:
Grab the user flag
As the user homer, we can run pip install as root.
Move to /dev/shm/ to stop any other files messing around with your shell.
Create the following basic Python reverse shell
Copy it to the webserver and rename it to setup.py to work with pip
Set up an nc listener on port 444
Install the file with sudo pip install .
Now you receive a root shell.
Grab the root flag