Trickster Discussion [HTB] [HINTS]

ladeh · September 21, 2024, 10:18pm

Does this POC requires you to have access to admin panel? or can you create a random email and sent the attachment to it?

Hex · September 21, 2024, 10:19pm

Then check this file for mysql credentials

/var/www/prestashop/app/config/parameters.php

Hex · September 21, 2024, 10:20pm

No, the challenge itself simulates admin login. it’s just enough to run the poc

david · September 21, 2024, 10:20pm

thanks a lot you saved me

ladeh · September 21, 2024, 10:28pm

The user i created never receives the email in my alerts (assuming i will get it there).
i have done the following:
in the php reverse shell file: i changed to my ip
in exploit.html: i changed to url to shop.trickster.htb/admin (the admin path i found at the directory in .git)
when i run the exploit.py i submit the info as follow:
http://shop.trickster.htb
email: the one i created for the shop
message: blah blah
html file: ./exploit.html

What am i doing wrong? There must be something i am missing

Hex · September 21, 2024, 10:33pm

Add reverse_shell.php inside the malicious theme zip.

Hex · September 21, 2024, 10:41pm

Root Hints

Scan the internal Docker network and locate the changedetection web application.
Notice that it’s vulnerable to CVE-2024-32651, but you need to disable the password first.
If you’ve made it this far, you already know the password!

github.com

zcrosman/cve-2024-32651/blob/main/cve-2024-32651.py

# Exploit Title: changedetection <= 0.45.20 Remote Code Execution (RCE)
# Date: 5-26-2024
# Exploit Author: Zach Crosman (zcrosman)
# Vendor Homepage: changedetection.io
# Software Link: https://github.com/dgtlmoon/changedetection.io
# Version: <= 0.45.20
# Tested on: Linux
# CVE : CVE-2024-32651

from pwn import *
import requests
from bs4 import BeautifulSoup
import argparse

def start_listener(port):
    listener = listen(port)
    print(f"Listening on port {port}...")
    conn = listener.wait_for_connection()
    print("Connection received!")
    context.newline = b'\r\n'

This file has been truncated. show original

After obtaining a Docker shell, inspect all the files to gain root access on the host machine.

david · September 21, 2024, 11:05pm

Just another question, this step from james or from adam user ? thanks

esther · September 21, 2024, 11:06pm

I disabled the password but not getting a docker connection back. Was there an extra step you did?

Hex · September 21, 2024, 11:07pm

we are directly rooting from james.

david · September 21, 2024, 11:08pm

got it thanks, i will check again

Hunterino · September 21, 2024, 11:13pm

Which notification url are you using? Local web server on attack machine?

Hex · September 21, 2024, 11:17pm

Check the documentation and create a valid notification URL. That’s enough.

david · September 21, 2024, 11:31pm

sorry can i get hint i got shell but it colsed i got this error
[*] Got EOF while sending in interactive

david · September 21, 2024, 11:53pm

can anyone please help i am stuck with shell last part

Hex · September 21, 2024, 11:59pm

Log in to the web application yourself, identify the errors, review the logs carefully and then modify the exploit accordingly.

Hex · September 22, 2024, 12:00am

Exclusive content is now available for `Trickster`.

What is Exclusive Content?

You can still ask for help and specific hints in this thread.

SXBmaQqq · September 22, 2024, 7:57am

is the admin panel something related to the .git/refs/heads/admin_panel contents?

dannyk · September 22, 2024, 8:10am

@SXBmaQqq you should download the git folder with GitHub - arthaud/git-dumper: A tool to dump a git repository from a website so you can find the admin folder

SXBmaQqq · September 22, 2024, 8:13am

i’ve run
git-dumper http://shop.trickster.htb ./git but i can’t find the admin directory

Trickster Discussion [HTB] [HINTS]

Root Hints

Exclusive content is now available for Trickster.

What is Exclusive Content?

Exclusive content is now available for `Trickster`.