CVE-2024-34716


┌──(kali㉿kali)-[~/…/htb/labs/trickster/CVE-2024-34716]
└─$ ll
total 7.2M
4.0K drwxrwxr-x 3 kali kali 4.0K Sep 21 23:59 .
8.0K -rw-rw-r-- 1 kali kali 5.4K Sep 21 23:59 reverse_shell.php
8.0K -rw-rw-r-- 1 kali kali 4.3K Sep 21 23:57 exploit.html
4.0K -rw-rw-r-- 1 kali kali 2.0K Sep 21 23:51 exploit.py
4.0K drwxrwxr-x 8 kali kali 4.0K Sep 21 23:49 .git
7.2M -rw-rw-r-- 1 kali kali 7.1M Sep 21 23:49 ps_next_8_theme_malicious.zip
4.0K -rw-rw-r-- 1 kali kali  170 Sep 21 23:49 README.md
4.0K drwxrwxr-x 5 kali kali 4.0K Sep 21 23:49 ..

The exploit PoC requires modifications to make it suitable for the target PrestaShop instance

exploit.html


Fixed the url variable on line 11 of the exploit.html file

Fixed the csrfUrl variable on line 39 of the exploit.html file

Fixed the formData variable on line 79 of the exploit.html file

Fixed the postUrl variable on line 82 of the exploit.html file

reverse_shell.php


Modifying the supplied reverse shell, reverse_shell.php

exploit.py


Fixed

Fixed

Line 48 is a bit weird. It's supposed to fetch the a.php file from ps_next_8_theme_malicious.zip, which is loaded from the exploit.html file. Changed it to a.php.

ps_next_8_theme_malicious.zip


Something seems off with the exploit.py file above.

┌──(kali㉿kali)-[~/…/htb/labs/trickster/CVE-2024-34716]
└─$ 7z l ps_next_8_theme_malicious.zip 
 
7-Zip 24.08 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11
 64-bit locale=C.UTF-8 Threads:128 OPEN_MAX:1024
 
Scanning the drive for archives:
1 file, 7444459 bytes (7270 KiB)
 
Listing archive: ps_next_8_theme_malicious.zip
 
--
Path = ps_next_8_theme_malicious.zip
Type = zip
Physical Size = 7444459
 
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2023-03-09 12:12:12 D....            0            0  assets
2023-03-09 12:12:12 D....            0            0  config
2023-03-09 12:12:12 D....            0            0  dependencies
2023-03-09 12:12:15 D....            0            0  modules
2023-03-09 12:12:15 D....            0            0  templates
2023-03-09 07:57:33 ....A       905111       902013  preview.png
2023-03-09 12:12:12 D....            0            0  _dev
2024-04-08 13:08:01 .....           64           58  .htaccess
2024-04-08 13:13:07 .....         5491         2255  a.php
------------------- ----- ------------ ------------  ------------------------
2024-04-08 13:13:07           17269551      7230157  772 files, 288 folders

Inspecting the zip file: there is the a.php file.

┌──(kali㉿kali)-[~/…/htb/labs/trickster/CVE-2024-34716]
└─$ unzip ps_next_8_theme_malicious.zip a.php 
Archive:  ps_next_8_theme_malicious.zip
  inflating: a.php

Extracting only the a.php file

a.php


It was another PHP reverse shell

Changed

┌──(kali㉿kali)-[~/…/htb/labs/trickster/CVE-2024-34716]
└─$ zip ps_next_8_theme_malicious.zip a.php 
updating: a.php (deflated 59%)

Updated the ps_next_8_theme_malicious.zip file
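
Seen from the reviewer's side, the 7z listing above already shows what sets this archive apart: a root-level a.php and .htaccess dated 2024-04-08 inside a theme otherwise packaged on 2023-03-09. The following Python check is an added example, not part of the original notes or the PoC repository, that flags those traits in a theme ZIP before it is imported; the extension list, the heuristics and the sample archive are assumptions constructed for this example.

```python
import io
import zipfile
from collections import Counter

SCRIPT_EXT = (".php", ".phtml", ".phar")  # assumed list of server-executed extensions

def audit_theme_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) pairs for entries worth a manual look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
        # The most common modification date is taken as the packaging date.
        dates = Counter(i.date_time[:3] for i in files)
        packaged = dates.most_common(1)[0][0] if dates else None
        for info in files:
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            at_root = "/" not in name
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "path escapes the extraction directory"))
            if at_root and base.endswith(SCRIPT_EXT):
                findings.append((name, "server-side script at archive root"))
            if base == ".htaccess":
                findings.append((name, "web server override file"))
            if info.date_time[:3] != packaged:
                findings.append((name, "modified on a different day than the rest"))
    return findings

def build_sample() -> bytes:
    """Constructed archive shaped like the 7z listing above (contents are dummies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        old, new = (2023, 3, 9, 12, 12, 12), (2024, 4, 8, 13, 13, 7)
        for name, when in [("config/theme.yml", old), ("templates/index.tpl", old),
                           ("assets/css/theme.css", old), ("preview.png", old),
                           (".htaccess", new), ("a.php", new)]:
            zf.writestr(zipfile.ZipInfo(name, date_time=when), b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in audit_theme_zip(build_sample()):
        print(f"{name}: {reason}")
```

Legitimate themes can carry PHP under their bundled modules directory, which is why only root-level scripts are flagged here; treat every finding as a prompt for manual review rather than a verdict.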