HackTheBox - Canape HD
00:43 - Start of Recon, nmap and poking around the website
04:00 - Dirbusting a site that always responds 200
09:43 - Switching to a different Wordlist (SecLists/Discovery/Web/Common)
10:48 - Discovery of .git - Poking around to clone it and download
15:10 - Downloaded .git, examining commit history
21:25 - Begin writing of the pickle exploit
28:45 - Return of Reverse Shell as www-data
32:30 - Begin looking into CouchDB
34:00 - Poking around at documents within CouchDB
36:15 - Examining first exploit with creating a CouchDB User
39:50 - Exploring the passwords database with our newly created admin user and finding Homer's Password
42:00 - Getting root with sudo pip install
45:55 - Box Done. Begin second unintended way to get to Homer User
47:03 - Playing with the public RCE Exploit for CouchDB
48:20 - Running the exploit
49:36 - Examining the exploit, doing each step manually to see where it fails
54:30 - Searching on how to create a new CouchDB Cluster, maybe it will allow this to work?
55:55 - Digging into how Erlang works
57:30 - Finding default CouchDB Cookie
59:10 - Connecting to the Erlang pool then searching for how to run commands
01:01:54 - Exploring how to send long commands as distributed task
01:04:30 - Getting reverse shell

Extra Links
https://malicious.link/post/2018/erlang-arce/
Blackhat 2011 - Sour Pickles - https://www.youtube.com/watch?v=HsZWFMKsM08