Hack The Box — SwagShop Writeup without Metasploit

Nimantha Deshappriya
7 min read · Jul 10, 2020

HTB SwagShop is a challenging machine that requires out-of-the-box thinking to get through. This machine teaches you how to edit an exploit before running it against the target. In my opinion this is really good preparation for the exam.

Let’s get started!

Enumeration

The Nmap scan results are shown below. Only 2 ports were open: port 22 (SSH) and port 80 (HTTP). Port 22 didn't return any banner, which left me with port 80 for further enumeration.

The UDP scan results are shown below.

I accessed the web page, which was an e-commerce website built on the Magento e-commerce platform.

I used a directory search Python script to perform a directory scan, which came back with the following results.

The local.xml file in the highlighted directory revealed the credentials for MySQL. Unfortunately, this wasn't immediately useful: these credentials could have been used if the MySQL port had been open.

I discovered a few exploits for Magento using Searchsploit, but I wasn't aware of the version of Magento that was running on this website.

Luckily, there was a script on GitHub that reveals the version of Magento. This script works somewhat like the version scanners for WordPress.

So I managed to discover the version of Magento that I was dealing with. It was Magento 1.9.0.0 / 1.9.0.1 Community Edition.

Since I had found out the exact version of Magento, I was able to skip a few exploits and find the suitable one.

I copied the exploit 37977 Python script from the Searchsploit database, edited it (the target needs to be set up) and executed the script, which ended up failing.

The script failed but didn't provide any details as to why it was failing, so in order to determine what is going on behind the scenes you have to send the script's traffic through Burp Suite.

I added a proxy listener as shown below.

What have I accomplished here? I have routed the script's requests through Burp Suite so I can get a better view of the server's response.

We are getting "404 Not Found", which means the web URL doesn't exist. My target URL was as below.

http://10.10.10.140/admin/Cms_Wysiwyg/directive/index

The above URL didn't seem to be working, but I noticed something when browsing to the website.

There was an additional part in the URL, index.php, hence the target URL had to be corrected as below.

http://10.10.10.140/index.php/admin/Cms_Wysiwyg/directive/index

I sent another request after making the correction and it worked.

I made the same change in the exploit and executed it.

This script created an admin account on Magento with the credentials below.

Username: forme

Password: forme

I logged into the portal using the above credentials and tried to find a way to obtain a reverse shell. I found nothing!

There was another exploit on Searchsploit that matched the version of Magento. I was unable to use that exploit before as it required authentication, but I could use it now since I had already managed to get credentials.

Getting initial foothold

This exploit was full of errors. A few modifications needed to be made.

The install date needed to be adjusted, otherwise the exploit wouldn't work. The path from which to retrieve the install date was mentioned in the exploit.

The date in the exploit should be replaced with the date highlighted below before running the exploit.

Once the changes were done, I ran the exploit, which threw me a bunch of errors. I found a few adjustments to the code after doing a Google search. The exploit should be corrected as below.

Lines 53 to 56 (the existing lines) should be commented out, and lines 57 to 60 should be added to the code.

I ran the exploit, which threw me another error.

Traceback (most recent call last):
  File "37811.py", line 73, in <module>
    tunnel = tunnel.group(1)
AttributeError: 'NoneType' object has no attribute 'group'

In order to diagnose this error, I sent the request through Burp Suite. This exploit comes with proxy support built in.

Uncommenting line 47 enables the proxy.

Having gone through the response in Burp Suite, I saw a "no data found" response. Looking closer at what the exploit was doing, it was running a regex over the report for a period of 7 days. Since it found nothing within that period, the server responded with a "no data found" error.

I decided to access the web page for further enumeration.

Right-click the response, click "Request in browser", then click "Original session" (make sure that the proxy is enabled in the web browser).

I copied the link and browsed to it in the web browser, which took me to the page below.

There was a drop-down list in which I was able to choose the period.

There were five different time periods.

Selecting the time period from the drop-down list gives you nothing. It has to be adjusted in the website URL, using the value as it appears in the page source. For example, "7 days" in the drop-down list is sent as 7d, so the URL has to use 7d, not "7 days".

Only the 2-year period returned a result.

So this has to be updated in the exploit. The exploit uses 7d, which didn't work, so 7d has to be replaced with 2y as below.

I ran the exploit and it worked!

Privilege Escalation

The first thing I did was run sudo -l, which showed that sudo could run vi on /var/www/html.

There is already a predefined GTFOBins sudo command for this.

A small modification had to be made, since vi can only be executed on the /var/www/html directory.

I used a different variant and executed it as below.

Lessons learned

Broken access control and sensitive information disclosure: /app/etc/local.xml, the MySQL admin credentials and the Magento install date were all publicly available. This information is sensitive, hence proper security mechanisms should be in place to protect it.

This Magento version is vulnerable to a SQL injection that allowed me to create an admin account. The installation should have been updated once the patch was released.
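To turn the two lessons above into something a defender can act on, here is an added example (my own code, not part of the original writeup or any Magento tooling) that scans web server access-log lines for the two indicators this box exposed: reads of /app/etc/local.xml and requests to the admin Cms_Wysiwyg directive endpoint, with or without the index.php front controller. The log format, the sample lines and the indicator names are constructed assumptions; a 2xx response is reported as a hit and anything else as a probe, which mirrors the 404-then-200 sequence seen through Burp above.

```python
import re

# Combined access-log format (Apache/nginx). Assumed format; sample lines below are constructed.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)')

# Indicators from the writeup: the Magento config file that leaked the MySQL credentials, and the
# admin endpoint abused by the SQL-injection exploit (matched with or without the index.php prefix).
INDICATORS = {
    "magento_local_xml_exposure": re.compile(r"/app/etc/local\.xml", re.I),
    "magento_cms_wysiwyg_directive": re.compile(r"/admin/Cms_Wysiwyg/directive/index", re.I),
}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """Return (indicator, outcome) pairs for a parsed entry: 'hit' on a 2xx response, 'probe' otherwise."""
    findings = []
    for name, pattern in INDICATORS.items():
        if pattern.search(entry["path"]):
            findings.append((name, "hit" if 200 <= entry["status"] < 300 else "probe"))
    return findings

def scan(lines):
    """Scan log lines and return one alert dict per indicator match; unparseable lines are skipped."""
    alerts = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue
        for name, outcome in classify(entry):
            alerts.append({"line": n, "ip": entry["ip"], "method": entry["method"], "path": entry["path"],
                           "status": entry["status"], "indicator": name, "outcome": outcome})
    return alerts

# Constructed sample mirroring the writeup's sequence: the config file read, a 404 probe of the
# directive endpoint without index.php, then the same endpoint reached through index.php.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2020:12:00:01 +0000] "GET /index.php/ HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jul/2020:12:00:09 +0000] "GET /app/etc/local.xml HTTP/1.1" 200 2210',
    '203.0.113.5 - - [10/Jul/2020:12:01:15 +0000] "POST /admin/Cms_Wysiwyg/directive/index HTTP/1.1" 404 312',
    '203.0.113.5 - - [10/Jul/2020:12:03:40 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index HTTP/1.1" 200 18',
    'not a log line',
]
```

Running scan(SAMPLE_LOG) yields three alerts: the local.xml hit, the 404 probe and the 200 hit on the directive endpoint; the benign request and the malformed line produce nothing.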

Authenticated users were able to run arbitrary commands due to a known PHP object injection vulnerability in the version used. The installation should have been updated to prevent this.

I managed to escalate privileges because vi, when run through sudo, is capable of spawning a shell as root. Administrators should review such security misconfigurations and apply the principle of least privilege.

9 boxes are down!
