
Hack The Box Writeup - SwagShop

SwagShop is an easy Linux box. On this machine, a very well known e-commerce platform called Magento had to be investigated. During the enumeration, we quickly realized that the software is rather outdated, so several known exploits could be used to get access to the system. In this walkthrough we used two different RCE exploits to get initial access. Once we had access to the system, we found an entry in the sudoers file which allowed us to run vi as root on specific files. This is also a very well known privilege escalation vulnerability and was very simple to exploit. After that, we had root access. Overall a great machine for beginners.

Enumeration

As always, we start by scanning the target machine’s open ports:

rustscan --ulimit 5000 swagshop.htb -- -sV -sC -oN nmap_scan

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgTCefp89MPJm2oaJqietdslSBur+eCMVQRW19iUL2DQSdZrIctssf/ws4HWN9DuXWB1p7OR9GWQhjeFv+xdb8OLy6EQ72zQOk+cNU9ANi72FZIkpD5A5vHUyhhUSUcnn6hwWMWW4dp6BFVxczAiutSWBVIm2YLmcqwOEOJhfXLVvsVqu8KUmybJQWFaJIeLVHzVgrF1623ekDXMwT7Ktq49RkmqGGE+e4pRy5pWlL2BPVcrSv9nMRDkJTXuoGQ53CRcp9VVi2V7flxTd6547oSPck1N+71Xj/x17sMBDNfwik/Wj3YLjHImAlHNZtSKVUT9Ifqwm973YRV9qtqtGT
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEG18M3bq7HSiI8XlKW9ptWiwOvrIlftuWzPEmynfU6LN26hP/qMJModcHS+idmLoRmZnC5Og9sj5THIf0ZtxPY=
|   256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINmmpsnVsVEZ9KB16eRdxpe75vnX8B/AZMmhrN2i4ES7
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 88733EE53676A47FC354A61C32516E82
|_http-title: Did not follow redirect to http://swagshop.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The output shows that there are two open ports:

  • Port 22: OpenSSH 7.2p2 Ubuntu
  • Port 80: Apache httpd 2.4.18
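The two bullets above were read off the scan by hand. The following parser, added here as an example and not part of the original writeup, turns nmap "normal" output (the format written by -oN, with the REASON column that rustscan's -vvv produces) into records, so the same summary can be generated for any scan. The sample text is an excerpt of the scan output shown above; the column handling is a simplification that relies on the PORT/STATE/SERVICE header line to decide whether a REASON column is present.

```python
"""Parse nmap -oN ("normal") output into structured port records.

Added example for this writeup, not part of the original post. SAMPLE_SCAN
is an excerpt of the scan output shown on the page; everything else is a
generic, header-driven parser.
"""
import re

SAMPLE_SCAN = """\
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Did not follow redirect to http://swagshop.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# The header tells us which columns follow; REASON only appears with -vv/--reason.
HEADER = re.compile(r"^PORT\s+STATE\s+SERVICE(?:\s+REASON)?\s+VERSION")
# <port>/<proto> <state> <service> [<reason>] [<version ...>]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_normal(text):
    """Return {'ports': [record, ...], 'service_info': str or None}.

    Each record has port, proto, state, service, reason, version and the
    NSE script lines ('|' prefixed) that followed it in the output.
    """
    result = {"ports": [], "service_info": None}
    has_reason = False
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if HEADER.match(line):
            has_reason = "REASON" in line
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, rest = m.groups()
            rest = rest or ""
            reason = None
            if has_reason and rest:
                # REASON is a single token; the remainder is the VERSION column.
                reason, _, rest = rest.partition(" ")
            current = {
                "port": int(port), "proto": proto, "state": state,
                "service": service, "reason": reason,
                "version": rest.strip(), "scripts": [],
            }
            result["ports"].append(current)
            continue
        if line.startswith("|") and current is not None:
            # Script output belongs to the most recent port line.
            current["scripts"].append(line.lstrip("|_ ").rstrip())
            continue
        if line.startswith("Service Info:"):
            result["service_info"] = line[len("Service Info:"):].strip()
    return result


def summarize(result):
    """One line per open port, in the same shape as the bullet list above."""
    return [
        f"Port {r['port']}/{r['proto']}: {r['service']} ({r['version']})"
        for r in result["ports"] if r["state"] == "open"
    ]


if __name__ == "__main__":
    scan = parse_nmap_normal(SAMPLE_SCAN)
    for line in summarize(scan):
        print(line)
    print("Service Info:", scan["service_info"])
```

Because the parser keys on the header line, the same function handles plain `nmap -sV` output (no REASON column) without guessing whether the first token of the last column is a reason or the start of a product name.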

Enumeration of Port 80 - Apache web server

The hosted website seems to be some kind of web shop. It’s also visible that Magento is used for the implementation of the website. Before we proceed, let’s do some quick research on this software.

Website hosted on port 80

“Magento is one of the best ecommerce platforms. Its creators built it using open-source technology. This gives its users the ability to control the look, functionality, and content on their online store without compromising the shopping experience. In addition, Magento gives its users a variety of useful tools and features. This includes marketing, search engine optimization, and catalog-management tools.” https://www.rapyd.net/blog/what-is-magento/

Looking at the footer of the website we can see the copyright information which is dated 2014. This is usually a strong indication that we are looking for some kind of CVE as it is very unlikely that this software has been bug-free for 8 years (currently 2022).

And in fact, a quick lookup on searchsploit reveals several unauthenticated and authenticated attacks, some of which even lead to remote code execution (we identified two specific exploits that suit our approach).

Searchsploit results for Magento.

Initial Foothold

For the initial foothold, we use the two exploits we found.

Step 1: Use 37977.py aka “shoplift bug” - code injection (unauthenticated)

First, we modify the target URL to match our actual target machine. Next, we adjust the username and the password.

And finally, we execute the exploit. If everything works correctly, the exploit creates an admin user for us, which we can then use for the authenticated remote code execution exploit.

To verify that everything was successful, we use the credentials babbadeckl:123456 to log in to the admin panel.

And we got access! Perfect! We now have valid admin credentials.

Step 2: Use 37811.py - Post Auth RCE (authenticated)

Now that we have admin credentials, we can use the other exploit we found to exploit an authenticated RCE. For that, we first have to adjust the exploit code as follows (I also had to fix a bug in the second highlighted code area):

37811.py: modifications in the config section

Now, we can use the exploit script to actually trigger the RCE.

Authenticated RCE: Proof of concept using id.

It works! Now that we have confirmed that we can execute simple commands, we can proceed to craft our reverse shell payload to obtain a reverse shell to the system.

Once the reverse shell is established, we can collect the user flag (the apache user has read permissions in haris’ home directory).

Privilege Escalation

After going through the basic enumeration steps like checking for SUID binaries, databases, outdated software etc., we found a very interesting entry in the sudoers file. Apparently we are able to execute vi on all files in the /var/www/html folder with root privileges.

This is a very well known vulnerability (the same applies to vim) and can be exploited very easily:

Great! We have root access to the system. Last step is to obtain the root flag.
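The sudoers entry that gave us root is the kind of misconfiguration an administrator can catch before a box ever reaches this state. The following audit script is an added example for this writeup, not code from the box or its author: it parses sudoers user specifications and flags rules that run an interactive program with a built-in shell escape (vi, vim, less and similar) as another user without the NOEXEC tag, and rules whose command arguments contain a wildcard. The sample sudoers text is constructed to mirror the entry described above (vi on /var/www/html/* as root); the real file on the box is not shown in the post.

```python
"""Audit sudoers user specs for shell-escape editors/pagers and wildcard args.

Added example for this writeup, not code from the box or its author. The
sudoers text below is constructed to resemble the entry the post describes.
"""
import os
import re

# Interactive programs that can spawn a child shell from inside a session.
# Granting them via sudo without NOEXEC is equivalent to granting a shell.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "ex", "nano", "less", "more", "man"}

# user  host = (runas) [TAG:] command [, [TAG:] command ...]
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z]+):\s*")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias",
                 "Runas_Alias", "#include", "@include")

CONSTRUCTED_SUDOERS = """\
# constructed sample, modelled on the entry described in the writeup
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/vi /var/www/html/*
haris    ALL=(root) NOEXEC: /usr/bin/vi /var/www/html/index.php, NOPASSWD: sudoedit /var/www/html/index.php
"""


def parse_user_specs(text):
    """Yield (user, host, runas, tags, command) for each command in each rule."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        user, host, runas, cmd_list = m.groups()
        tags = set()  # in sudoers, a tag stays in effect for later commands in the list
        for entry in cmd_list.split(","):
            entry = entry.strip()
            while True:
                t = TAG.match(entry)
                if not t:
                    break
                tag = t.group(1)
                # EXEC and NOEXEC override each other; keep only the latest.
                if tag == "NOEXEC":
                    tags.discard("EXEC")
                elif tag == "EXEC":
                    tags.discard("NOEXEC")
                tags.add(tag)
                entry = entry[t.end():]
            yield user, host, runas or "root", frozenset(tags), entry


def audit_sudoers(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for user, host, runas, tags, entry in parse_user_specs(text):
        parts = entry.split()
        if not parts:
            continue
        binary = os.path.basename(parts[0])
        args = parts[1:]
        if binary in SHELL_ESCAPE_BINARIES and "NOEXEC" not in tags:
            findings.append({
                "user": user, "runas": runas, "command": entry,
                "issue": f"{binary} has a shell escape, so this rule grants a {runas} shell",
                "fix": "use sudoedit for file edits, or add the NOEXEC: tag",
            })
        if any("*" in a or "?" in a for a in args):
            # sudo matches arguments as one concatenated string, so a wildcard
            # also matches across word boundaries (see sudoers(5)).
            findings.append({
                "user": user, "runas": runas, "command": entry,
                "issue": "wildcard in command arguments widens what the rule matches",
                "fix": "list the exact files instead of a glob",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(CONSTRUCTED_SUDOERS):
        print(f"[{f['user']} -> {f['runas']}] {f['command']}\n    {f['issue']}\n    fix: {f['fix']}")
```

In the constructed sample only the www-data rule is flagged: the haris rule carries NOEXEC on vi and uses sudoedit, which edits a temporary copy of the file as the calling user and so never hands out an editor running as root.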

This post is licensed under CC BY 4.0 by the author.