This box starts with an SQL injection on the value of the unique PrestaShop custom cookie. The md5 hashed credentials of the user james_mason are saved in the database and I can login with SSH. Later I had to exploit, through a known CVE, IPython 8.0.0 to get code execution like dan_smith. Finally, it will be enough to sniff the unencrypted network traffic towards the local Redis server to obtain the credentials and exploit it (two methods proposed) to own the box.
25 November, 2022 00:00 CET