Trickster Discussion [HTB] [HINTS]

vmateev · September 22, 2024, 2:36pm

i dont get it, any hint more?

kronik · September 22, 2024, 3:08pm

How i can escape the final docker and be root in the machine some hints

lenadi3642 · September 22, 2024, 4:07pm

No need to “escape”, just look around. There’s 2 ways to priv esc, 1 is intended and the other isnt
(From Docker container)

priest_7 · September 22, 2024, 6:29pm

I think I have looked everywhere except at the right thing! xD
Can you correct my course a little?

lenadi3642 · September 22, 2024, 7:16pm

For intended path there’s a very noticable folder in root (/) directory in docker, you’ll need to look into it. (Specifically *.br files)
For unintended it’s a very common file for users (also in docker)

m1ller · September 23, 2024, 9:47am

Hello please I have a problem. The malicious zip is uploaded successfully but I always receive this error.
GET request to http://shop.trickster.htb/themes/next/reverse_shell.php: 403

Hex · September 23, 2024, 9:54am

Ensure the zip file contains reverse_shell.php

m1ller · September 23, 2024, 10:10am

Yeah, it contains. I will like to know if the requested link is correct

doctorhou · September 23, 2024, 11:03am

try not to unzip , modify then zip , zip does ignore .htaccess i guess , instead double click on the zip file and modify the reverse_shell.php with your ip port and the PoC will work

xcod3 · September 23, 2024, 11:59am

I am in the docker container but I can’t find a way to root
does the datastore directory have something that will help me or should I look somewhere else

lenadi3642 · September 23, 2024, 12:11pm

Yes, datastore contains the intended path

xcod3 · September 23, 2024, 12:22pm

any hints of what should I do

msada6254 · September 23, 2024, 3:49pm

check history = root@ae5c137aa8ef:/app# history
then you can come back to james@trickster:~$ su root
Password: (you will find it)
root@trickster:/home/james# ls -la

macavitysworld · September 23, 2024, 4:54pm

datastore has backups files compressed with brotli, decompress and you’ll get the passwd for adam, get shell as adam and exploit prusaslicer for root.

telkit · September 23, 2024, 10:52pm

is there any point for dumping the .git directory? I can’t find a use for it…

esther · September 23, 2024, 10:54pm

You need to dump the git directory in order to find the admin path.

telkit · September 23, 2024, 10:55pm

I cant find a hash in any of the files in these directories.

telkit · September 23, 2024, 10:57pm

I have the admin path, but others are saying that they found a hash from the dumped .git files. I cant find anything like that. I was able to navigate to the admin dashboard login page, but I am stuck here.

esther · September 23, 2024, 11:44pm

you have to consider others may have no idea what they’re talking about

ladeh · September 24, 2024, 11:04am

Any hints for PrusaSlicer?
Is it the CVE-2023-47268? And is there an existing config file i can edit or should create a new directory for the Metadata?