HTB Bamboo #1852

Open
carlospolop wants to merge 1 commit into master from update_HTB__Bamboo_20260203_125756
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html
  • Blog Title: HTB: Bamboo
  • Suggested Section: Network Services Pentesting -> 3128 Pentesting Squid (pivoting/internal port discovery with Spose, proxychains/Burp chaining); Pentesting Web -> (add/update) PaperCut NG/MF section for CVE-2023-27350 auth bypass -> RCE via print scripting; Linux Privilege Escalation -> Writable script executed by root / script hijacking (pspy detection + replacement)

🎯 Content Summary

The post walks an end-to-end exploitation of an HTB Linux host where the only externally reachable services are SSH (22) and an unauthenticated Squid HTTP proxy (3128). The proxy is then used to enumerate and access an internal PaperCut NG web app (ports 9191/9192/9195), exploit PaperCut’s auth bypass (CVE-2023-27350) to gain an admin session, and then abuse PaperCut’s print scripting feature (after disabling sandboxing) to execute OS commands and obtain a reverse shell as the papercut</co...

🔧 Technical Details

Scanning “behind” an unauthenticated Squid proxy (service discovery pivot): When a target exposes Squid (TCP/3128) without authentication, you can treat it as a pivot point and scan internal addresses/loopback from the proxy’s network perspective. Use Spose with --proxy http://IP:3128 and --target localhost (or another internal IP) plus --allports to enumerate open TCP ports reachable by the proxy. Then use proxychains (configured with an http proxy entry) to interact with internal HTTP services (e.g., proxychains curl http://127.0.0.1:9191 -v) and/or chain Burp to Squid via an upstream proxy setting for full browser testing.

PaperCut NG CVE-2023-27350: auth bypass via SetupCompleted → RCE via print scripting feature abuse: In vulnerable PaperCut NG/MF builds (e.g., NG 22.0.5 Build 63914 per NVD), requesting /app?service=page/SetupCompl...

🤖 Agent Actions

Updated three key areas:

  • Squid pivoting: Enhanced 3128-pentesting-squid.md with practical pivot workflow using SPOSE via uv, proxychains/Burp upstream chaining, and added references.
  • Web RCE: Added a detailed PaperCut NG/MF auth-bypass→print-scripting RCE section to command-injection.md, including payload placement, sandbox bypass, and automation via the public PoC, plus cleaned references.
  • Linux privesc: Documented hijacking root-executed user-writable scripts (pspy detection, payload swap, SUID shell drop) with references in write-to-root.md.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
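Added example, not part of the PR or the source blog post: a defender-side check for the Squid pivot summarized above, which scans a Squid access log for clients using the proxy to reach loopback or private addresses and flags those touching several distinct internal host/port pairs. The log lines are constructed samples in Squid's default native `access.log` layout; the function names and the `sweep_threshold` value are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (not from the page), default Squid native log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1770123456.101     3 10.10.14.5 TCP_MISS/503 4012 GET http://localhost:21/ - HIER_NONE/- text/html
1770123456.140     2 10.10.14.5 TCP_MISS/503 4012 GET http://localhost:80/ - HIER_NONE/- text/html
1770123456.190     9 10.10.14.5 TCP_MISS/200 1532 GET http://localhost:9191/ - HIER_DIRECT/127.0.0.1 text/html
1770123456.230     8 10.10.14.5 TCP_TUNNEL/200 6120 CONNECT 127.0.0.1:9192 - HIER_DIRECT/127.0.0.1 -
1770123460.000    45 10.10.14.9 TCP_MISS/200 20311 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

def internal_target(method, url):
    """Return (host, port) if the request targets loopback/private space, else None."""
    if method == "CONNECT":              # CONNECT logs the target as host:port
        host, _, port = url.rpartition(":")
        if not port.isdigit():
            return None
        port = int(port)
    else:
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme, 0)
    host = host.strip("[]").lower()
    if host == "localhost":
        return host, port
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None                      # other hostnames: resolution is out of scope here
    internal = ip.is_loopback or ip.is_private or ip.is_link_local
    return (host, port) if internal else None

def find_proxy_pivots(log_text, sweep_threshold=3):
    """Map client IP -> internal targets reached via the proxy, with a sweep flag."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                     # not a native-format entry
        client, method, url = fields[2], fields[5], fields[6]
        target = internal_target(method, url)
        if target:
            seen[client].add(target)
    return {c: {"targets": sorted(t), "sweep": len(t) >= sweep_threshold}
            for c, t in seen.items()}

if __name__ == "__main__":
    for client, info in find_proxy_pivots(SAMPLE_LOG).items():
        print(client, info)
```

Any hit here also means the proxy accepted the request at all, so it points back at the Squid ACLs: internal and loopback destinations should be denied for clients that have no reason to reach them.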

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 3128 Pentesting Squid (pivoting/internal port discovery with Spose, proxychains/Burp chaining); Pentesting Web -> (add/update) PaperCut NG/MF section for CVE-2023-27350 auth bypass -> RCE via print scripting; Linux Privilege Escalation -> Writable script executed by root / script hijacking (pspy detection + replacement)".

Repository Maintenance:

  • MD Files Formatting: 944 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
