Hackthebox Walkthrough — Canape
I have been taking the PWK course and preparing for the OSCP exam recently, and I have been inspired a lot by many Hackthebox machines besides the PWK labs. So I decided to start writing walkthroughs of some retired Hackthebox machines (inspired by hackingarticles, infosec, ippsec's YouTube videos, etc.; thanks for all of these amazing penetration testing materials!)
Target: 10.10.10.70
Local IP: 10.10.14.13
Nmap Enumeration:
Run nmap to see what ports are open and what services are running behind them.
A /.git/ repository is found! We will check this out later.
Port 80, the web server, is open. Let's enumerate more TCP ports.
Running a Zenmap intense scan across all TCP ports, we find that port 65535 is also open, running an OpenSSH service.
Fuzz the web directories
Running dirsearch, we find that fuzzing the web directories is a bit challenging, since every request returns 200.
Let's try wfuzz to get rid of the false positives.
We find these accessible directories.
Browse the /.git directory and view the config file.
We find a URL, "http://git.canape.htb/simpsons.git".
That looks like a domain name, git.canape.htb.
Let’s add the domain name to /etc/hosts
Run git clone on that URL to download the repository.
View the simpsons repository we just downloaded.
Run git log to see the commit messages.
This commit might contain a vulnerability.
Run git diff to see what has been changed.
We can see there's a vulnerability involving cPickle.
Let's dig deeper into that.
We could write an exploit abusing the function that stores submitted quotes.
Checking the Python script __init__.py, we find that the program is vulnerable to insecure deserialization through the call "cPickle.loads(data)".
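As an added illustration (not code from the simpsons repository or this write-up), here is the vulnerable load pattern beside two hardened forms, plus a scan that flags a pickle containing a global reference without ever loading it. It assumes Python 3's pickle, which behaves like Python 2's cPickle for this purpose, and a constructed quote record.

```python
import io
import json
import pickle
import pickletools

# Constructed sample record, the kind of quote the app stores (not from the page).
SAMPLE_QUOTE = {"character": "Homer", "quote": "D'oh!"}
# Constructed test inputs: a literal-only pickle, and one holding a reference to a
# callable (pickling a function stores a GLOBAL/STACK_GLOBAL lookup, nothing runs).
LITERAL_PICKLE = pickle.dumps(SAMPLE_QUOTE)
GLOBAL_REF_PICKLE = pickle.dumps(json.dumps)


def load_quote_unsafe(data: bytes):
    """The pattern found in the repo: deserialising client-controlled bytes.
    A GLOBAL opcode in the stream resolves to a live callable, and a REDUCE
    opcode would call it, so the sender decides what runs on load."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup: only plain literals (dict, list, str,
    numbers) can be rebuilt, never a reference to a module attribute."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_quote_restricted(data: bytes):
    """Hardened drop-in if pickle must stay: returns the object for
    literal-only pickles and None for anything referencing a global."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return None


def load_quote_json(data: bytes) -> dict:
    """Preferred fix: a data-only format plus explicit schema validation."""
    obj = json.loads(data.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != {"character", "quote"}:
        raise ValueError("unexpected quote schema")
    if not all(isinstance(v, str) for v in obj.values()):
        raise ValueError("quote fields must be strings")
    return obj


def contains_global(data: bytes) -> bool:
    """Detection helper for stored blobs: disassemble the opcode stream
    (pickletools never executes it) and flag any global reference."""
    return any(op.name in ("GLOBAL", "STACK_GLOBAL")
               for op, _arg, _pos in pickletools.genops(data))
```

Running contains_global over the stored quote blobs is a cheap way to spot tampered records without risking a load.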
Google the pickle exploit and let's create a Python script to exploit it.
Set up our netcat listener on port 1234 and we get a reverse shell back.
Now let's work on privilege escalation.
Grep the processes running under the homer user. We can see the service that we broke into,
and we can also see that homer runs a process named couchdb.
This is confirmed when we run netstat -antp:
port 5984 is Apache CouchDB.
We find the Apache CouchDB database version.
Let's create a user with permissions to read the database:
curl -X PUT 'http://localhost:5984/_users/org.couchdb.user:chenny' --data-binary '{ "type": "user", "name": "chenny", "roles": ["_admin"], "roles": [], "password": "password" }'
Dump the database:
curl http://127.0.0.1:5984/passwords/_all_docs?include_docs=true -u chenny:password
We find the SSH credentials.
Log in as homer through SSH on port 65535.
Grab our user.txt flag!
Run sudo -l and we see that homer can run /usr/bin/pip install with sudo privileges.
Then let's create a reverse shell in Python and upload it to the target.
Running sudo pip install, we find that if we want our reverse shell to be executed, the file has to be named setup.py,
and besides that, setup.py has to be moved to another writable directory.
Modify our Python reverse shell accordingly.
And we get a root-privileged reverse shell back.
Grab our root.txt flag!