ChangeDetection


The presence of a Docker container was initially identified during the basic system enumeration. It appears to have the IP address 172.17.0.2 on Docker's default bridge network, while the host holds 172.17.0.1.

Additionally, the host system appears to have ChangeDetection installed and running via a root cronjob.

According to the GitHub repository:

ChangeDetection is the best and simplest free open source web page change detection, website watcher, restock monitor and notification service. Restock Monitor, change detection. Designed for simplicity - Simply monitor which websites had a text change for free. Free Open source web page change detection, Website defacement monitoring, Price change notification

Referring to the installation guide, the application listens on port 5000 by default.

james@trickster:~$ curl -I http://172.17.0.2:5000/
HTTP/1.1 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 213
Location: /login?next=/
Vary: Accept-Encoding, Cookie
Access-Control-Allow-Origin: *
Set-Cookie: session=eyJfZmxhc2hlcyI6W3siIHQiOlsiZXJyb3IiLCJZb3UgbXVzdCBiZSBsb2dnZWQgaW4sIHBsZWFzZSBsb2cgaW4uIl19XX0.Zu_eTw.zpEmFN39k_LlODLs89ZUknQZWWw; HttpOnly; Path=/
Date: Sun, 22 Sep 2024 09:07:27 GMT

Confirmed.
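The `Set-Cookie: session=...` value above is a Flask session cookie. Flask signs it with itsdangerous but does not encrypt it: the first dot-separated segment is plain base64url JSON and the second is the issue timestamp, so both are readable by anyone holding the cookie, with no need for the server's SECRET_KEY (only the third segment, the HMAC, depends on it). The following Python is an added example, not part of the original writeup or of ChangeDetection's own code. It parses the response exactly as shown above and decodes those two segments; it assumes the itsdangerous 2.x timestamp encoding (big-endian seconds since the Unix epoch) and that a payload is zlib-compressed only when the cookie starts with a dot, which is how Flask marks it. The point for a defender is that session contents are visible client-side, so a session must never carry secrets.

```python
import base64
import json
import zlib
from datetime import datetime, timezone

# Response headers copied verbatim from the `curl -I` output above; the cookie
# is the one the server set, and decoding it needs no key material.
RAW_HEADERS = """HTTP/1.1 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 213
Location: /login?next=/
Vary: Accept-Encoding, Cookie
Access-Control-Allow-Origin: *
Set-Cookie: session=eyJfZmxhc2hlcyI6W3siIHQiOlsiZXJyb3IiLCJZb3UgbXVzdCBiZSBsb2dnZWQgaW4sIHBsZWFzZSBsb2cgaW4uIl19XX0.Zu_eTw.zpEmFN39k_LlODLs89ZUknQZWWw; HttpOnly; Path=/
Date: Sun, 22 Sep 2024 09:07:27 GMT
"""


def _b64url_decode(segment: str) -> bytes:
    # itsdangerous strips the '=' padding from every segment; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def extract_session_cookie(raw_headers: str) -> str:
    """Return the value of the `session` cookie from the Set-Cookie header(s)."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        cookie_pair = value.strip().split(";", 1)[0]      # drop attributes
        cookie_name, _, cookie_value = cookie_pair.partition("=")
        if cookie_name.strip() == "session":
            return cookie_value.strip()
    raise ValueError("no session cookie in response")


def decode_flask_session(cookie: str) -> dict:
    """Split a Flask/itsdangerous token into payload, timestamp and signature,
    and decode the two parts that need no key. The signature is returned as-is;
    verifying it would require the application's SECRET_KEY (assumption: the
    itsdangerous 2.x format, timestamp = big-endian Unix seconds)."""
    compressed = cookie.startswith(".")      # Flask prefixes '.' when zlib-compressed
    if compressed:
        cookie = cookie[1:]
    payload_b64, ts_b64, signature = cookie.rsplit(".", 2)
    payload = _b64url_decode(payload_b64)
    if compressed:
        payload = zlib.decompress(payload)
    issued = int.from_bytes(_b64url_decode(ts_b64), "big")
    return {
        "data": json.loads(payload),
        "issued_at": datetime.fromtimestamp(issued, tz=timezone.utc),
        "signature": signature,
    }


def flashed_messages(session_data: dict) -> list:
    """Flask stores flash() calls as (category, message) tuples, and the tagged
    JSON serializer writes a tuple as {" t": [...]}; unwrap them."""
    return [tuple(item[" t"]) for item in session_data.get("_flashes", [])]


if __name__ == "__main__":
    session = decode_flask_session(extract_session_cookie(RAW_HEADERS))
    print("issued:", session["issued_at"].isoformat())
    for category, message in flashed_messages(session["data"]):
        print(f"[{category}] {message}")
```

Running it prints the issue time, which matches the `Date` header of the same response, and the "You must be logged in" flash that the redirect queued for the login page. Nothing secret is recovered here; the exercise only shows how much of a signed-but-unencrypted session is public.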

SSH Tunnelling


Since the target ChangeDetection instance is only reachable from inside the target, I need to forward the port over SSH.

┌──(kali㉿kali)-[~/archive/htb/labs/trickster]
└─$ sshpass -p 'alwaysandforever' ssh james@$IP -L 5000:172.17.0.2:5000 -N -f 

This binds the target's 172.17.0.2:5000 to port 5000 on the Kali host (-N runs no remote command, -f backgrounds the session after authentication).

┌──(kali㉿kali)-[~/archive/htb/labs/trickster]
└─$ curl -I http://localhost:5000/   
HTTP/1.1 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 213
Location: /login?next=/
Vary: Accept-Encoding, Cookie
Access-Control-Allow-Origin: *
Set-Cookie: session=eyJfZmxhc2hlcyI6W3siIHQiOlsiZXJyb3IiLCJZb3UgbXVzdCBiZSBsb2dnZWQgaW4sIHBsZWFzZSBsb2cgaW4uIl19XX0.Zu_e7g.osym0l4-e7I8olKafiV0nMVSEEA; HttpOnly; Path=/
Date: Sun, 22 Sep 2024 09:10:06 GMT

SSH tunnel established.

Web Application


The webroot redirects to the login page, which requires a password.

Testing the password of the james user.

Successfully authenticated. The two existing watch entries are not relevant here, but the page discloses the version: 0.45.20.

Vulnerability


┌──(kali㉿kali)-[~/archive/htb/labs/trickster]
└─$ searchsploit changedetection
-------------------------------------------------------- ---------------------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ---------------------------------
changedetection < 0.45.20 - Remote Code Execution (RCE) | multiple/webapps/52027.py
-------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

The target ChangeDetection instance is affected by an RCE vulnerability. Moving on to the Lateral Movement phase.