Shared - HTB [Discussion]
by - Thursday, January 1, 1970 at 12:00 AM
New machine from 2022-07-23

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Reply
Strange, 5 minutes and I can't ping or access the machine ><
Reply
There is checkout.shared.htb
https://www.ambionics.io/blog/prestashop-privilege-escalation
Reply
Presta has a recent CVE, not sure if that's the version though.
https://www.cvedetails.com/cve/CVE-2022-21686/
PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds.

https://shared.htb/robots.txt

Some of the hidden controllers show additional forms, i.e.
https://shared.htb/index.php?controller=guest-tracking

And from Presta docs:

PrestaShop will rename the admin folder by adding a randomly generated number to the end of it, for example “admin8153“. From this point on, your admin URL will now include that number. Using the example given, you would now need to use URL “example.com/admin8153” to gain access to the admin dashboard.

Seeing 4- and 5-digit numbers in the examples.
Reply
(July 23, 2022, 07:48 PM)emilykaldwin Wrote: Presta has a recent CVE, not sure if that's the version though.
https://www.cvedetails.com/cve/CVE-2022-21686/
PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds.

https://shared.htb/robots.txt

Some of the hidden controllers show additional forms, i.e.
https://shared.htb/index.php?controller=guest-tracking

And from Presta docs:

PrestaShop will rename the admin folder by adding a randomly generated number to the end of it, for example “admin8153“. From this point on, your admin URL will now include that number. Using the example given, you would now need to use URL “example.com/admin8153” to gain access to the admin dashboard.

Seeing 4- and 5-digit numbers in the examples.


Following the link I posted previously, I was wondering if we could decode the cookie, as it seems there are useful information encoded in it. Working on it.
Reply
If you put something in the cart and proceed to checkout you'll be redirected to checkout.shared.htb with the cart contents within a cookie.

That might be injectable.
Reply
(July 23, 2022, 08:11 PM)OldName2 Wrote: If you put something in the cart and proceed to checkout you'll be redirected to checkout.shared.htb with the cart contents within a cookie.

That might be injectable.


Changing the cookie from {"53GG2EF8":"1"} to {"53GG'+'2EF8":"1"} does not make a difference. This might be an SQL injection.
Reply
(July 23, 2022, 09:57 PM)Exa Wrote:
(July 23, 2022, 08:11 PM)OldName2 Wrote: If you put something in the cart and proceed to checkout you'll be redirected to checkout.shared.htb with the cart contents within a cookie.

That might be injectable.


Changing the cookie from {"53GG2EF8":"1"} to {"53GG'+'2EF8":"1"} does not make a difference. This might be an SQL injection.


It has to be, but I'm not getting it to work. I've also tried sqlmap:
sqlmap -u "https://checkout.shared.htb/" --cookie 'custom_cart={"*":"1*","*":"1"}' --batch --level=5


(July 23, 2022, 10:08 PM)OldName2 Wrote:
(July 23, 2022, 09:57 PM)Exa Wrote:
(July 23, 2022, 08:11 PM)OldName2 Wrote: If you put something in the cart and proceed to checkout you'll be redirected to checkout.shared.htb with the cart contents within a cookie.

That might be injectable.


Changing the cookie from {"53GG2EF8":"1"} to {"53GG'+'2EF8":"1"} does not make a difference. This might be an SQL injection.


It has to be, but I'm not getting it to work. I've also tried sqlmap:
sqlmap -u "https://checkout.shared.htb/" --cookie 'custom_cart={"*":"1*","*":"1"}' --batch --level=5


Uh got it working
{"53G'+'G2EF8'UNION SELECT NULL,NULL,NULL-- -":"1"}
Reply
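The thread above shows the custom_cart cookie being a JSON object whose keys end up inside a SQL string. As an added illustration (not code from the thread or from the box), here is the vulnerable concatenation pattern next to a hardened version that allow-lists the product code and uses a parameterised query; the table, schema and product-code format are assumptions, and the payload is the one quoted in the thread.

```python
import json
import re
import sqlite3

# Constructed in-memory stand-in for a shop's product table (assumption: the
# real schema behind checkout.shared.htb is not known from the thread).
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE product (code TEXT, name TEXT, price REAL);
INSERT INTO product VALUES ('53GG2EF8', 'Sample item', 9.99);
""")

# Assumption: product codes are 8 upper-case alphanumerics, as in the thread.
CODE_RE = re.compile(r"^[A-Z0-9]{8}$")

# Benign cart cookie and the injected one quoted in the thread.
BENIGN_COOKIE = '{"53GG2EF8":"1"}'
INJECTED_COOKIE = '{"53G\'+\'G2EF8\'UNION SELECT NULL,NULL,NULL-- -":"1"}'


def lookup_unsafe(cookie: str):
    """Vulnerable pattern: each cart key is pasted straight into the SQL text."""
    cart = json.loads(cookie)
    rows = []
    for code in cart:
        sql = f"SELECT code, name, price FROM product WHERE code = '{code}'"
        rows += _conn.execute(sql).fetchall()  # attacker controls the statement
    return rows


def lookup_safe(cookie: str):
    """Hardened: reject keys outside the allow-list, then bind the value."""
    cart = json.loads(cookie)
    rows = []
    for code, qty in cart.items():
        if not CODE_RE.match(code) or not str(qty).isdigit():
            raise ValueError(f"rejected cart entry: {code!r}")
        rows += _conn.execute(
            "SELECT code, name, price FROM product WHERE code = ?", (code,)
        ).fetchall()
    return rows
```

With the injected cookie the unsafe lookup returns the UNION's all-NULL row instead of a product, while the safe lookup refuses the key before any SQL runs.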
I just came across something interesting.. Fuzzed a POST request on /index.php?controller=get-file

Response:
```
HTTP/2 200 OK
Server: nginx/1.18.0
Date: Sat, 23 Jul 2022 22:15:41 GMT
Content-Type: text/html; charset=utf-8
```
Reply
CodeAssassin Wrote: I just came across something interesting.. Fuzzed a POST request on /index.php?controller=get-file

Response:
```
HTTP/2 200 OK
Server: nginx/1.18.0
Date: Sat, 23 Jul 2022 22:15:41 GMT
Content-Type: text/html; charset=utf-8
```

Stared at this for an hour before dropping it, couldn't get anything out of it.
Reply