HackTheBox - Trickster

00:00 - Introduction 01:00 - Start of nmap 03:00 - Showing the Shop Subdomain via ffuf 04:45 - Performing a gobuster attack, need to update the user agent because everything returns 403 at first (WAF) 07:30 - Discover .git, then running git-dumper to download the .git directory and discover the unique admin directory 09:47 - Discovering Prestashop 8.1.5 which is vulnerable to CVE-2024-34716, downloading and running the XSS/CSRF Exploit 16:00 - Finding the Prestashop configuration file, dumping password hashes, use information_schema table to identify tables that contain the column password 22:30 - Cracked James password, ssh into the box, forward a port and discover a new web application ChangeDetection 28:10 - Building a SSTI Payload for CVE-2024-32651 in ChangeDetection to get a shell on docke 36:36 - Discovering the Datastore directory in the docker container, it has backup files compressed with Brotli, downloading and decompressing 39:50 - Discovering Adam's password, who can sudo with PrusaSlicer, finding a RCE in it 46:25 - Changing the filename of PrusaSlicer, then getting a root shell