HackTheBox - Canape

rs75y2qPonc/default.jpg

00:43 - Start of Recon, nmap and poking around the website
04:00 - Dirbusting a site that always respond 200
09:43 - Switching to a different Wordlist (SecLists/Discovery/Web/Common)
10:48 - Discovery of .git - Poking around to clone it and download
15:10 - Downloaded .git, examining commit history
21:25 - Begin writing of the pickle exploit
28:45 - Return of Reverse Shell as www-data
32:30 - Begin looking into CouchDB
34:00 - Poking around at documents within CouchDB
36:15 - Examining first exploit with creating a CouchDB User
39:50 - Exploring the passwords database with our newly created admin user and finding Homers Password.
42:00 - Getting root with sudo pip install
45:55 - Box Done. Begin second unintended way to get to Homer User
47:03 - Playing with the public RCE Exploit for CouchDB
48:20 - Running the exploit
49:36 - Examining the exploit, doing each step manually to see where it fails
54:30 - Searching on how to create a new CouchDB Cluster, maybe it will allow this work?
55:55 - Digging into how erlang works
57:30 - Finding default CouchDB Cookie
59:10 - Connecting to the Erlang pool then searching for how to run commands.
01:01:54 - Exploring how to send long commands as distributed task
01:04:30 - Getting reverse shell

Extra Links
https://malicious.link/post/2018/erla...
Blackhat 2011 - Sour Pickles - https://www.youtube.com/watch?v=HsZWF...

rs75y2qPonc/default.jpg
HackTheBox - Canape HackTheBox - Canape Reviewed by Unknown on September 15, 2018 Rating: 5